Attachment Blocking

Unanswered Question
May 17th, 2011

Good Morning,

We are looking at using our Ironport system to block attachments and move them to Policy Quarantine.  We currently use another product but the licensing will expire shortly.

In looking at using the Ironport, we have ran into some issues of it not quarantining everything that we want.  We have setup the Incoming Content filter to use the "File Info" for Executables, but it is not quarantining everything.  Some of the things not put in quarantine are files with the following extension:  .com, .bat and .reg just to name a few.

In our environment, we don't allow executables and multimedia files to be received directly by our users.  We would like to know what others are doing in this situation and is  there a "plug-in" that can be added to quarantine more attachments?

Thanks,

Doug

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
chsmith3 Tue, 05/17/2011 - 18:00

Hi Doug,

Currently there is ot a plug-in for this functionality. It should be possible through existing functionality that is already included with the appliance.

One thing to keep in mind with "attachment file info" is that there are multiple options that can be used.

File Name:

File Type:

Mime Type:

The file name rule probably being the least desirable in that it only matches the name of the file.

Using the file rule type allows you to choose several preset options. This is a much better choice than file name in that we look at the finger print of the file. The preset list is not always a one filts all. Careful consideration was taken to group specific types together to minimize making the filter too complex.

In your case if .com and .bat files are getting through these should fall under executables. To block multiplle file types such as executables and say image files and or compressed archives you may need to include multiple conditions.

Using Mime type goes a bit further but does require some understanding of mime types.

This rule is similar to the attachment-type rule, except only the MIME type given by the MIME attachment is  evaluated. (The appliance does not try to “guess” the type of the file  by its extension if there is no explicit type given.)

All that said I guess the first thing you need to verify is that you have the appropriate rules set in the filter so that it matches the desired file types. If its still not matching it may be worth opening an SR with support so we can take a look at what you have set up and what the logs indicate.

Christopher C Smith

CSE

Cisco IronPort Customer Support

doug.l.maxfield Wed, 05/18/2011 - 12:41

Christopher,

Thanks for the response.

I going to try to go a different route.  Instead of trying to determine what to block, I writing the filter to basically only allow attachments that we want and move the rest to Policy Quarantine.  But, there is one drawback to this approach.  Example:  If I allow .pdf files to be received but not .zip, if a sender "zips" multiple .pdf files together, how would I allow this in?

Here is what I currently have for an Inbound Content Filter:

Allowed_Attachments:

if (attachment-filetype != "Document") AND (attachment-filetype != "Image") AND (attachment-filetype != "Text") AND (attachment-filename != ".ics|.vcf|.msg|.eml|.emz$")

{

quarantine ("Policy"); notify ("$EnvelopeSender", "***** Your E-mail  to "our company" has been Held *****",  "emailaddress@domain.com", "Blocked_Attachment_Notification");

}

This works to get in what I want and moves the rest to Policy Quarantine.  Just need to figure out the "zip" issue that has allowed files in it.

Thanks,

Doug

andmuell Thu, 05/19/2011 - 08:29

Hello Doug,

attachment whitelists are also a bit tricky, because of the problems with ZIP archives etc., as you have figured out already, plus another issue that I will describe later.   Usually, my suggestion would be that you write a filter for the allowed file types,  and add a "Skip Remaining Content Filter" action (called "Delivery" action in  older versions) at the end. Then add another filter that has no conditions, and just a quarantine action. This way it does not matter if an allowed attachment comes in an archive or not. Unfortunatelely there is a major drawback to this, too, in case the message contains multiple attachments (or multiple files in a ZIP archive), the message will get trough as long as one allowed file is present.

Basically, the main problem here is that you want an exception when a ZIP archive contains allowed file types only. This everything but easy, my suggestion would be that you stick with the filter you have in place already, and create exceptions for the false positives ( .com, .bat and .reg, etc.) in a previous filter instead.

Regards,

Andreas

Actions

Login or Register to take actions

This Discussion

Posted May 17, 2011 at 8:21 AM
Stats:
Replies:3 Avg. Rating:
Views:691 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard