ESA Attachment Whitelisting

Jun 26th, 2014

We have some new ESAVs installed and are currently testing some content filtering; we are using version 8.5.5 build 280.

We have a number of other ironport devices installed so I thought I would reference how we have done it in the past with attachment filtering using content filters. We use a whitelist to only allow a very specific set of document types through our gateways, and everything else gets put in a quarantine.

For example: Allowed_Attachment_Filter

If (attachment-filetype != "pdf") AND (attachment-filetype != "doc")
{
    quarantine("Banned Attachments");
}

The problem we are having is that the rule is matching emails that contain no attachments, which is not the behaviour I expect.

So is this an issue with the version or is this not the way to do a whitelist? As I said, there are already other ironports in production running this config which are apparently working.

Robert Sherwin (Cisco Employee) Fri, 06/27/2014 - 13:08

I would have to recommend that the filter actually be:

Allowed_Attachment_Filter:
If (attachment-size > 0) AND ((attachment-type != "application/pdf") AND (attachment-type != "application/doc"))
{
    quarantine("Banned Attachments");
}


This way, the filter is scanning for an active attachment where "attachment-size" is greater than 0, so this will not catch the emails without attachments...

And then changing to "attachment-type" actually reads the attachment type as tagged in the email...

So... example of blocked...

Fri Jun 27 15:43:51 2014 Info: Start MID 140 ICID 460
Fri Jun 27 15:43:51 2014 Info: MID 140 ICID 460 From: <[email protected]>
Fri Jun 27 15:43:51 2014 Info: MID 140 ICID 460 RID 0 To: <[email protected]>
Fri Jun 27 15:43:51 2014 Info: MID 140 Message-ID '<[email protected]>'
Fri Jun 27 15:43:51 2014 Info: MID 140 Subject 'asdadfskjlasdl;fjk'
Fri Jun 27 15:43:51 2014 Info: MID 140 ready 140282 bytes from <[email protected]>
Fri Jun 27 15:43:51 2014 Info: MID 140 attachment 'SWIFT=20Beta=20Round=201=20Release=20Notes.doc'
Fri Jun 27 15:43:51 2014 Info: MID 140 matched all recipients for per-recipient policy DEFAULT in the inbound table
Fri Jun 27 15:43:52 2014 Info: MID 140 interim verdict using engine: CASE spam negative
Fri Jun 27 15:43:52 2014 Info: MID 140 using engine: CASE spam negative
Fri Jun 27 15:43:52 2014 Info: MID 140 interim AV verdict using Sophos CLEAN
Fri Jun 27 15:43:52 2014 Info: MID 140 antivirus negative 
Fri Jun 27 15:43:52 2014 Info: MID 140 quarantined to "Banned Attachments" (message filter:Allowed_Attachment_Filter)

Looking @ MID 140:

From [email protected] Fri Jun 27 15:43:51 2014
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ArcBAJ/IrVOsEAYB/2dsb2JhbAANTZFLnTYBAQEBAQEGmxRxhAodLFw7ETEZrwGHQZZjF4VkjFWBFgEEkg+ITocvkCo
X-IronPort-AV: E=Sophos;i="5.01,562,1400040000"; 
   d="doc'32?scan'32,208,32";a="140"
Received: from unknown (HELO [172.16.6.1]) ([172.16.6.1])
  by myesa_2.local with ESMTP; 27 Jun 2014 15:43:51 -0400
From: Robert Sherwin <[email protected]>
Content-Type: multipart/mixed; boundary="Apple-Mail=_17CE8CEE-3CDB-488C-812D-3F701F599050"
Subject: testing w/ attachment
Message-Id: <[email protected]>
Date: Fri, 27 Jun 2014 15:43:59 -0400
To: "Robert Sherwin (robsherw)" <[email protected]>
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
X-Mailer: Apple Mail (2.1878.2)


--Apple-Mail=_17CE8CEE-3CDB-488C-812D-3F701F599050
Content-Disposition: attachment;
        filename="SWIFT Beta Round 1 Release Notes.doc"
Content-Type: application/msword;
        x-unix-mode=0644;
        name="SWIFT Beta Round 1 Release Notes.doc"
Content-Transfer-Encoding: base64

 

So, even with my attachment ".doc", it was scanned as "msword"... you'll need to pay close attention to the docs that come through and ensure that the content-type is correctly matching... you may need to further tweak the filter to work as expected...

 

I hope this helps!

-Robert

 

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

dj_hyperion Sun, 06/29/2014 - 22:46

Hi Robert,

Thanks for the follow up.

I would like this to work within Content Filters, not Message Filters, which I am assuming your reply is talking about, as I cannot find a Content Filter condition that deals with attachment size alone. There is Message Size, but this is inclusive of everything, not just the attachment, or am I wrong on this?

I have been testing a filter combination where a message filter looks for attachment size > 0 and inserts a header named "Attachment-Found". Then in a content filter, if the "Attachment-Found" header exists, perform the whitelist attachment check and then remove the header. This works ok, but I wonder about the possible performance of this check?

Also, before your reply I was testing around with looking for the Content-Type header, using "multipart/mixed" as the indicator that there is an attachment. This worked, but I am not sure if it would be good enough? Thoughts?

 

Cheers,

Ryan

dj_hyperion Sun, 11/23/2014 - 17:40

Hello,

After testing the whitelisting it has been found to behave in an unexpected way that basically makes this unusable. If you attach 2 files to an email, 1 pdf and 1 exe, using the above logic the email will still pass through.

If you have interest, please see:

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117821-problemsolution-esa-00.html
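As an added example that is not part of the thread or of Cisco's filter code: a small Python model of the three filter variants discussed above (the original poster's filter, the size-guarded fix from the reply, and a per-attachment allowlist), run over constructed sample messages. It assumes, inferred from the symptoms reported in the thread, that a clause such as attachment-type != "application/pdf" is evaluated once per message as "no attachment in this message has that type"; the MIME types, allowlist and sample messages are constructed for illustration.

```python
from typing import Dict, List

# Added example, not code from the thread or from Cisco. Assumption (inferred
# from the symptoms reported): a clause like attachment-type != "application/pdf"
# is evaluated once per message as "no attachment has that type", not once per
# attachment. Under that reading the reported behaviour falls out directly; the
# last rule is the per-attachment allowlist a practitioner actually wants.

ALLOWED_TYPES = {"application/pdf", "application/msword"}  # constructed allowlist

# Constructed sample messages: name -> list of attachment MIME types.
SAMPLE_MESSAGES: Dict[str, List[str]] = {
    "no_attachment": [],
    "doc_only": ["application/msword"],
    "exe_only": ["application/x-msdownload"],
    "pdf_and_exe": ["application/pdf", "application/x-msdownload"],
}

def _no_attachment_of_type(types: List[str], mime: str) -> bool:
    """Message-level reading of 'attachment-type != mime'."""
    return not any(t == mime for t in types)

def original_filter_matches(types: List[str]) -> bool:
    """The poster's filter: (type != pdf) AND (type != doc), no size guard.
    With no attachments both clauses are vacuously true, so it matches."""
    return (_no_attachment_of_type(types, "application/pdf")
            and _no_attachment_of_type(types, "application/msword"))

def size_guarded_filter_matches(types: List[str]) -> bool:
    """The reply's fix: attachment-size > 0 modelled as 'at least one
    attachment'. Fixes the empty case but not the pdf+exe case."""
    return len(types) > 0 and original_filter_matches(types)

def per_attachment_allowlist_matches(types: List[str]) -> bool:
    """Hardened allowlist: quarantine when ANY attachment is outside the list.
    Messages with no attachments never match."""
    return any(t not in ALLOWED_TYPES for t in types)

def verdicts(rule) -> Dict[str, str]:
    """Run one rule over the samples; 'quarantine' means the rule matched."""
    return {name: ("quarantine" if rule(types) else "deliver")
            for name, types in SAMPLE_MESSAGES.items()}

if __name__ == "__main__":
    for rule in (original_filter_matches, size_guarded_filter_matches,
                 per_attachment_allowlist_matches):
        print(rule.__name__, verdicts(rule))
```

Running it shows the original rule quarantining the empty message, the size-guarded rule delivering pdf_and_exe, and only the per-attachment allowlist quarantining exactly the messages carrying a disallowed type.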
