Unblock attachment

rab ngl
Beginner

Hello,

Lately we have been receiving mails with the attachment types below. These are recognized as gzip and executable files and are therefore blocked by our mail filters.

.emz
.wmz
.mso

How do we skip these file types?

Thanks.

5 Replies

Mathew Huynh
Cisco Employee
Hello Rab ngl,

If the file-type list does not contain these extensions, then you would need to create the filter condition to look at the attachment filename instead and run a skip-filters action.

Essentially, if the drop-down does not contain them, your filter would be (this is message filter condition syntax):
Skip_filters:
if attachment-filename == "(?i)\\.(emz|wmz|mso)$"
{
skip-filters();
}

This would skip all message filters under it.

If you are doing the block at the content filter level:
Condition -> attachment file name -> Contains -> (?i)\.(emz|wmz|mso)$
Then the action is skip remaining content filters.

(If the attachments are being stopped by the anti-spam, anti-virus or similar services, you need to skip those using the message filter as well, by adding for example:
skip-spamcheck();
skip-viruscheck();
skip-outbreak();)

I hope this helps.

Regards,
matthew

Hi Mathew,

Thanks for your feedback.
I am doing it at the content filter level. I have many filters already applied, and the file-type block filter is in the first position. If the action is skip remaining content filters, the other filters will be skipped.

Let's say a malicious email contains two attachments, an emz and an exe file. It will match the emz filter and skip the executable file-type filter, and the email will then be delivered to users.

Is there any other way so that the other filters will not be skipped?

Hey Rab ngl,

This would require creative use of filters then.
For example, for the first filter on the file-type rule, instead of dropping or taking action, you add a custom header; for example we'll call it the Executable filter for naming's sake (I recommend modifying these header names if you take this into consideration):
Condition: the restricted attachments.
Other Header -> Add -> X-File-Executable: Yes

Then the second filter looks for the emz/mso/wmz files and inserts Other Header -> X-File-Unblock: Yes

Then the third filter:
If X-File-Executable: No (AND) X-File-Unblock: Yes -> Skip remaining content filters
The fourth filter:
If X-File-Executable: Yes -> Quarantine/Drop

The reason it is ordered this way is to ensure that if the email contains ANY attachments from your Executable rule, it will get stopped.
If the email contains ONLY the attachments from the unblocked rule, it will skip.

(I suggest testing in a controlled environment before going into full production.)

Regards,
matthew
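The four-filter header-tagging chain described in the reply above, and the attachment-filename regex from the first reply, simulated in Python. This is an added example, not code from the thread or from Cisco: the ESA evaluates these rules in its own engine, so this only models the ordering logic. The list of executable extensions (the ESA uses a file-type drop-down, not a regex) and the treatment of a missing X-File-Executable header as "No" are assumptions made for the simulation.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Regex from the first reply, exactly as written for the content filter condition.
UNBLOCK_RE = re.compile(r"(?i)\.(emz|wmz|mso)$")

# Assumption: the "restricted attachments" condition of filter 1 is modelled
# here as a filename regex; on the ESA it is the file-type drop-down.
EXECUTABLE_RE = re.compile(r"(?i)\.(exe|scr|com|bat|cmd)$")


@dataclass
class Message:
    """Constructed stand-in for a message passing through the content filters."""
    attachments: List[str]
    headers: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)


def is_unblocked(filename: str) -> bool:
    """True when the filename matches the unblock regex.

    The trailing $ anchors on the final extension, so a double extension
    such as 'diagram.emz.exe' does NOT match."""
    return UNBLOCK_RE.search(filename) is not None


def is_executable(filename: str) -> bool:
    """True when the filename ends in one of the assumed executable extensions."""
    return EXECUTABLE_RE.search(filename) is not None


def run_content_filters(msg: Message) -> str:
    """Simulate the four filters in the order given in the reply.

    Returns one of:
      'skip'       - filter 3 fired: skip remaining content filters, deliver
      'quarantine' - filter 4 fired: message held
      'continue'   - nothing matched: remaining content filters still apply
    """
    # Filter 1: tag, do not drop, when any restricted attachment is present.
    if any(is_executable(a) for a in msg.attachments):
        msg.headers["X-File-Executable"] = "Yes"
        msg.log.append("filter1: added X-File-Executable: Yes")

    # Filter 2: tag when any emz/wmz/mso attachment is present.
    if any(is_unblocked(a) for a in msg.attachments):
        msg.headers["X-File-Unblock"] = "Yes"
        msg.log.append("filter2: added X-File-Unblock: Yes")

    # Filter 3: skip only when nothing executable was tagged.
    # Assumption: filter 1 adds the header only on a match, so an absent
    # X-File-Executable header is treated as "No" here.
    executable = msg.headers.get("X-File-Executable", "No")
    unblock = msg.headers.get("X-File-Unblock", "No")
    if executable == "No" and unblock == "Yes":
        msg.log.append("filter3: skip remaining content filters")
        return "skip"

    # Filter 4: anything tagged executable is quarantined, even when an
    # emz/wmz/mso attachment was also present in the same message.
    if executable == "Yes":
        msg.log.append("filter4: quarantine")
        return "quarantine"

    msg.log.append("no filter matched; remaining content filters apply")
    return "continue"


if __name__ == "__main__":
    # Constructed sample messages covering the cases discussed in the thread.
    samples = {
        "emz only": ["diagram.emz"],
        "emz plus exe": ["diagram.emz", "invoice.exe"],
        "double extension": ["diagram.emz.exe"],
        "plain text": ["notes.txt"],
    }
    for label, files in samples.items():
        m = Message(files)
        print(f"{label:18} -> {run_content_filters(m):10} {m.log}")
```

Running the block prints one line per sample message. The "emz plus exe" case is the one the original poster worried about: with the tagging order above, filter 1 marks it executable before filter 3 gets a chance to skip, so it ends up quarantined rather than delivered. Note also that the anchored regex only looks at the final extension, which is why "diagram.emz.exe" is treated as executable and not as an unblocked type.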

Hi

How do I add this filter on the ESA? I only know how to configure it on the web UI.

if attachment-filename == "(?i)\\.(emz|wmz|mso)$"
{
skip-filters();
}

regards

Hey MohdZulFahmiHassan,

That type of setup is done via the command line only, as it is message filter syntax.

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01000.html

This skip-filters(); at the message filter level will only skip the remaining message filters; it won't skip all the other scanners.

Now if you want to make the same rule via a content filter, you can definitely do so, but keep in mind that skip-filters(); at the content filter level means skip the remaining content filters under your filter setup.

Regards,

Mathew
