Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2519
Views
0
Helpful
2
Replies

Advice on content filter configuration

GRAHAM CAREY
Level 1
Level 1

‎02-21-2012 01:12 AM

Looking for some advice with a content filter setup. I have a requirement as follows:

If a mail is sent to a specific recipient with of type pdf, it should be delivered immediately, without any further processing. If it doesn't have a pdf attached, it should have normal scanning applied to it.

I tried configuring it with one content filter to check for pdf. I then added one incoming mail policy to check for the specified recipients, and apply this filter to them.

I am finding though that any mail sent the recipients is delivered without scanning. It seems that if the policy matches the recipient, it applies the content filter, regardless of whether it has a pdf attached.

It seems the only way to do it is to configure 2 content filters and apply both to the incoming policy. One filter checks for pdf and delivers. The other checks for 'not pdf' and applies spam and av scanning.

There must be a cleaner way to set this up?

Labels:
Preview file
35 KB
Preview file
59 KB
0 Helpful
2 Replies 2

Andreas Mueller
Level 4
Level 4

‎02-23-2012 05:03 AM

Hello Graham,

content filters are placed after spam and virusscanning, as displayed on the mail policy table, so this approach won't work the way you want. The only way you'd archive this is to use message filters, with two conditions of recipient matching (or dictionary matching on rcpt-to)  AND attachment being PDF, as actions use skip-spamcheck() and skip-viruscheck().  There's a drawback on this though, as message filters are placed before mail splintering takes place, the actions will apply to all other recipients of that message as well. Also, have you thought of a situation if a message does not contains more than one attachment, and only one of these is a PDF?

Regards,

Andreas

0 Helpful

Tze Tai Mak
Level 1
Level 1

‎02-23-2012 06:50 AM

Hi, Graham.

Is there any special reason why you want to skip antispam and antivirus scanning if PDF attachment is found? It is very dangerous since there are now a lot of virus/outbreak email attack with malicious PDF file attachment targetting vulnerability of PDF reader. Conventional antivirus signature may not be updated fast enough to catch them. That's why we have our Outbreak filter to have an additional protection.

My proposed solution:-

1. Add a new incoming mail policy for that specific recipient(s)

2. In this new incoming mail policy, configure antispam scanning to add a custom header only (e.g. X-IPAS, choose deliver action instead of quarantine/drop).

3. add a content filter that if (attachment-filetype is PDF), choose deliver() action (means skipping remaining content filters)

3. add next content filter that if (header(X-IPAS)), take quarantine or drop action. (adding X-IronPort-Quarantine header will put the message into spam quarantine).

4. (Optional but better not) configure antivirus scanning setting to add header only, and add content filters like above two.

Note: This is better not to skip antispam and antivirus scanning completely.

I have another solution but it involves looping of emails back into IronPort. You probably don't want to take this option and thus I skip the details.

Tommy

0 Helpful
Customers Also Viewed These Support Documents