ESA Attachment Whitelisting

dj_hyperion (Level 1)

We have some new ESAVs installed and are currently testing some content filtering; we are using version 8.5.5 build 280.

We have a number of other IronPort devices installed, so I thought I would reference how we have done it in the past with attachment filtering using content filters. We use a whitelist to only allow a very specific set of document types through our gateways, and everything else gets put in a quarantine.


For example: Allowed_Attachment_Filter

If (attachment-filetype != "pdf") AND (attachment-filetype != "doc")
{
    quarantine("Banned Attachments");
}


The problem we are having is that the rule is matching emails that contain no attachments, which is not the behaviour I expect.

So is this an issue with the version, or is this not the way to do a whitelist? As I said, there are already other IronPorts in production running this config which are apparently working.

3 Replies

Robert Sherwin (Cisco Employee)

I would have to recommend that the filter actually be:

Allowed_Attachment_Filter:
If (attachment-size > 0 ) AND ((attachment-type != "application/pdf" ) AND (attachment-type != "application/doc" )){
             quarantine("Banned Attachments");
}


This way, the filter is scanning for an active attachment where "attachment-size" is greater than 0 --- so this will not catch the emails w/o attachments...

And then changing to "attachment-type" actually reads the attachment type as tagged w/ the email...

So... example of blocked...

Fri Jun 27 15:43:51 2014 Info: Start MID 140 ICID 460
Fri Jun 27 15:43:51 2014 Info: MID 140 ICID 460 From: <robsherw@cisco.com>
Fri Jun 27 15:43:51 2014 Info: MID 140 ICID 460 RID 0 To: <robsherw@cisco.com>
Fri Jun 27 15:43:51 2014 Info: MID 140 Message-ID '<F58DA584-6536-4AC9-B042-80D5FF93C6B4@cisco.com>'
Fri Jun 27 15:43:51 2014 Info: MID 140 Subject 'asdadfskjlasdl;fjk'
Fri Jun 27 15:43:51 2014 Info: MID 140 ready 140282 bytes from <robsherw@cisco.com>
Fri Jun 27 15:43:51 2014 Info: MID 140 attachment 'SWIFT=20Beta=20Round=201=20Release=20Notes.doc'
Fri Jun 27 15:43:51 2014 Info: MID 140 matched all recipients for per-recipient policy DEFAULT in the inbound table
Fri Jun 27 15:43:52 2014 Info: MID 140 interim verdict using engine: CASE spam negative
Fri Jun 27 15:43:52 2014 Info: MID 140 using engine: CASE spam negative
Fri Jun 27 15:43:52 2014 Info: MID 140 interim AV verdict using Sophos CLEAN
Fri Jun 27 15:43:52 2014 Info: MID 140 antivirus negative 
Fri Jun 27 15:43:52 2014 Info: MID 140 quarantined to "Banned Attachments" (message filter:Allowed_Attachment_Filter)

Looking @ MID 140:

From robsherw@cisco.com Fri Jun 27 15:43:51 2014
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ArcBAJ/IrVOsEAYB/2dsb2JhbAANTZFLnTYBAQEBAQEGmxRxhAodLFw7ETEZrwGHQZZjF4VkjFWBFgEEkg+ITocvkCo
X-IronPort-AV: E=Sophos;i="5.01,562,1400040000"; 
   d="doc'32?scan'32,208,32";a="140"
Received: from unknown (HELO [172.16.6.1]) ([172.16.6.1])
  by myesa_2.local with ESMTP; 27 Jun 2014 15:43:51 -0400
From: Robert Sherwin <robsherw@cisco.com>
Content-Type: multipart/mixed; boundary="Apple-Mail=_17CE8CEE-3CDB-488C-812D-3F701F599050"
Subject: testing w/ attachment
Message-Id: <F58DA584-6536-4AC9-B042-80D5FF93C6B4@cisco.com>
Date: Fri, 27 Jun 2014 15:43:59 -0400
To: "Robert Sherwin (robsherw)" <robsherw@cisco.com>
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
X-Mailer: Apple Mail (2.1878.2)


--Apple-Mail=_17CE8CEE-3CDB-488C-812D-3F701F599050
Content-Disposition: attachment;
        filename="SWIFT Beta Round 1 Release Notes.doc"
Content-Type: application/msword;
        x-unix-mode=0644;
        name="SWIFT Beta Round 1 Release Notes.doc"
Content-Transfer-Encoding: base64

So --- even w/ my attachment ".doc", it was scanned as "msword"... you'll need to pay close attention to the docs that come through, and ensure that the content-type is correctly matching... you may need to further tweak the filter to work as expected...


I hope this helps!

-Robert


(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

Hi Robert,

Thanks for the follow up.

I would like this to work within Content Filters, not Message Filters, which I am assuming your reply is talking about, as I cannot find a Content Filter condition that deals with attachment size alone. There is Message Size, but this is inclusive of everything, not just the attachment, or am I wrong on this?

I have been testing a filter combination where a message filter looks for attachment size > 0 and inserts a header named "Attachment-Found". Then, in a content filter, if the "Attachment-Found" header exists, perform the whitelist attachment check and then remove the header. This works OK, but I wonder about the possible performance of this check?

Also, before your reply I was testing around with looking for the Content-Type header, using "multipart/mixed" as the indicator that there is an attachment. This worked, but I am not sure if it would be good enough? Thoughts?


Cheers,

Ryan

Hello,

After testing the whitelisting, it has been found to behave in an unexpected way that basically makes this unusable. If you attach 2 files to an email, 1 PDF and 1 EXE, using the above logic the email will still pass through.

If you have interest, please see:

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117821-problemsolution-esa-00.html
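The following is an added example, not code from the thread or from Cisco. It is a small Python model, run over constructed MIME messages, of the three behaviours discussed above: the original filter quarantining mail with no attachments, a ".doc" being tagged "application/msword" rather than "application/doc" (Robert's reply), and a PDF + EXE message passing the whitelist (the last reply). The evaluation model in message_scope_verdict is an assumption chosen because it reproduces both reported symptoms; it is not taken from Cisco documentation of how AsyncOS evaluates attachment rules. The function names, the sample addresses and the "application/x-msdownload" type used for the .exe are also assumptions for the example.

```python
"""Model of the attachment-whitelist behaviours reported in this thread.

Added example, not from the thread. ASSUMPTION: the 'message scope' model
below (each 'attachment-type != X' clause is true when NO attachment has
type X, clauses ANDed) is what reproduces both reported symptoms; it is
not documented AsyncOS internals.
"""
from email.message import EmailMessage

# Allowed declared MIME types once the real tagged type is used
# ("application/msword", not "application/doc").
ALLOWED = {"application/pdf", "application/msword"}
# MIME type used for the sample .exe; an assumption, real senders vary.
EXE_TYPE = "application/x-msdownload"


def build_message(attachments):
    """Constructed test mail: a text body plus (filename, mime_type) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed test message"
    msg.set_content("body text")
    for name, mime in attachments:
        maintype, subtype = mime.split("/", 1)
        msg.add_attachment(b"\x00placeholder", maintype=maintype,
                           subtype=subtype, filename=name)
    return msg


def build_bare_attachment():
    """Constructed single-part mail whose entire body is one PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "bare attachment"
    msg.set_content(b"%PDF-1.4 placeholder", maintype="application",
                    subtype="pdf", disposition="attachment", filename="report.pdf")
    return msg


def attachments(msg):
    """(filename, declared content type) for every leaf part that is an attachment."""
    return [(p.get_filename() or "", p.get_content_type())
            for p in msg.walk()
            if not p.is_multipart()
            and (p.get_filename() or p.get_content_disposition() == "attachment")]


def message_scope_verdict(msg, allowed=ALLOWED, require_attachment=False):
    """Model of the thread's filter (assumption, see module docstring):
    each 'attachment-type != X' is evaluated once per message and is true when
    no attachment has type X; require_attachment models Robert's
    '(attachment-size > 0) AND ...' guard. True means quarantine."""
    atts = attachments(msg)
    if require_attachment and not atts:
        return False
    return all(not any(ctype == x for _, ctype in atts) for x in allowed)


def per_attachment_verdict(msg, allowed=ALLOWED):
    """Default-deny evaluated per attachment: quarantine if ANY attachment's
    declared type is outside the allowlist; mail with no attachments passes."""
    return any(ctype not in allowed for _, ctype in attachments(msg))


def top_level_is_multipart_mixed(msg):
    """Ryan's heuristic: 'Content-Type: multipart/mixed' means an attachment is present."""
    return msg.get_content_type() == "multipart/mixed"


def run_cases():
    """Verdicts for the constructed messages, keyed by case name."""
    no_att = build_message([])
    doc_only = build_message([("notes.doc", "application/msword")])
    pdf_exe = build_message([("invoice.pdf", "application/pdf"), ("setup.exe", EXE_TYPE)])
    bare_pdf = build_bare_attachment()
    return {
        # original post: no attachments, yet every '!=' clause holds vacuously
        "no_att_unguarded": message_scope_verdict(no_att),
        "no_att_guarded": message_scope_verdict(no_att, require_attachment=True),
        # Robert's observation: a .doc is tagged application/msword, so a filter
        # that allows "application/doc" quarantines it
        "doc_with_wrong_mime": per_attachment_verdict(
            doc_only, {"application/pdf", "application/doc"}),
        "doc_with_right_mime": per_attachment_verdict(doc_only),
        # last reply: PDF + EXE passes the message-scope filter
        "pdf_exe_message_scope": message_scope_verdict(pdf_exe, require_attachment=True),
        "pdf_exe_per_attachment": per_attachment_verdict(pdf_exe),
        # a single-part mail carries an attachment without being multipart/mixed
        "bare_pdf_multipart_heuristic": top_level_is_multipart_mixed(bare_pdf),
        "bare_pdf_attachment_count": len(attachments(bare_pdf)),
    }


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name}: {verdict}")
```

The point of the two verdict functions is the scope of the negation: "no attachment is of type X, for every allowed X" is satisfied by a mail with no attachments and defeated by a mail that carries one allowed attachment alongside anything else, whereas "every attachment is of an allowed type" is the default-deny property a whitelist is meant to enforce. The bare-attachment case shows why a top-level "multipart/mixed" check is not a reliable has-attachment test on its own.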