Re: Unblock attachment

rab ngl · ‎03-31-2018

Hello,

Lately we receive mails with the below attachment. This is recognized as gzip and executable file and is therefore blocked by our mail filters.

.emz
.wmz
.mso

How to skip these filetype?

Thanks.

Mathew Huynh · ‎03-31-2018

Hello Rab ngl,

If the file-type list do not contain these extensions, then you would need to create the filter condition to look at it by the attachment filename instead and run a skip filters action.

Essentially if the drop down does not contain them your filter would be: [this is message filter condition syntax]
Skip_filters:
if attachment-filename =="(?i)\\.(emz|wmz|mso)$"
{
skip-filters();
}
.

This would skip all message filters under it.

If you are doing the block at content filter level.
Condition -> attachment file name -> Contains -> (?i)\.(emz|wmz|mso)$
Then action is skip remaining content filters.

(If the attachments are being stopped at the antispam or antivirus or so services - you need to skip them using the message filter as well by adding for example:
skip-spamcheck();
skip-viruscheck();
skip-outbreak();

I hope this helps.

Regards,
matthew

rab ngl · ‎03-31-2018

Hi Mathew,

Thanks for your feedback.
I am doing it at content filter level. I have many filters already applied, and the file-type block filter is in the first position. If the action is skip remaining content filters, the other filters will be skipped.

Let's say there is an malicious email contains two attachments, emz and exe file, so it will match the emz filter and the skip the executable file-type filter, then the email will be delivered to users.

Is there any other ways so that the other filters will not be skipped?

Mathew Huynh · ‎04-01-2018

Hey Rab ngl,

This would require creative use of filters then.
For example; first filter on filetype rule instead of dropping/taking action you will put a custom header for example we'll call it Executable Filter for namesake: [I recommend to modify these header names if you take it into consideration]
Condition are the restricted attachments.
Other Header -> Add -> X-File-Executable: Yes

Then second filter looks for the emz/mso/wmz and inserts Other header -> X-File-Unblock: Yes

Then the third filter where:
If X-File-Executable: No (AND) X-File-Unblock: Yes -> Skip remaining content filters
The forth filter:
If X-File-Executable: Yes -> Quarantine/Drop

For example; the reason why it's ordered this way ensure if the email contains ANY attachments then from your Executable rule, it will get stopped.
If the emails contain ONLY the attachments from the unblocked rule, it'll skip.

(I suggest testing in a controlled environment before going into full production).

Regards,
matthew

MohdZulFahmiHassan06801 · ‎03-24-2022

Hi

How to add this filter on esa, i only know config on webui

if attachment-filename =="(?i)\\.(emz|wmz|mso)$"
{
skip-filters();
}

regards

Mathew Huynh · ‎03-27-2022

Hey MohdZulFahmiHassan,

That type of setup is done via the command line only as it's the message filter syntax.

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01000.html

This skip-filters(); at the message filter will only skip remaining message filters, it won't skip all the other scanners.

Now if you want to make the same rule via a content filter, you can definitely do so - but keep in mind the skip-filters(); at the content filter means skip remaining content filter under your filter setup.

Regards,

Mathew