Cisco Support Community
malware in unusual archives

Good Morning,

We've recently seen malware executables, in archive files, dropping through the ESA, even though there is a policy to quarantine all executables.

 

I suspect it's because the archives are an unusual type - ARJ - and may be specifically designed to evade ESA content scanning.

Do you know of a list of the archive types the ESA opens for content scanning? We can then build a failsafe policy for any archives that are not content scanned.

 

Regards,

Ed

1 REPLY
ARJ isn't too big an issue if your recipients' desktops can't decrypt it, but we've had the same issue with ZIP/EXE which again our rules should have stopped regardless of malignancy. Unlike the ARJs, Message Tracking couldn't see these at all. In the end we were given the following CLI message filter to fix things:

 

Add_attachment_header:
if (attachment-filename == "^.+$")
{
    insert-header("X-Attachment-filename", "$filenames");
}
.

 

Seems to have done the trick, but as it was an invisible problem to start with I'm depending on sightings to be sure. We're going up from 7.5.1 in the near future to dodge the EOL on Sophos.

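The two posts above describe the same gap from both sides: archives in a container the gateway does not unpack (ARJ in the question) slip past an "quarantine all executables" rule, and the reply's filter works around the visibility problem by writing every attachment name into an X-Attachment-filename header so tracking and content filters can act on it. The following Python is an added example, not code from either poster or from Cisco, that does the equivalent check off-box: it lists attachment names the way the filter's $filenames variable would, identifies each attachment's container by its magic bytes rather than its extension, and flags anything that is either a container outside an assumed allowlist of scanned formats or a container whose extension lies about its content. The signature table, the SCANNED_CONTAINERS allowlist and the sample message are all constructed assumptions; replace the allowlist with the list the vendor gives you.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Magic numbers for archive containers. This table is an assumption for the
# example; extend it with whatever your gateway actually unpacks.
SIGNATURES = [
    (b"PK\x03\x04", "zip"),
    (b"\x60\xea", "arj"),
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gzip"),
]

# Hypothetical allowlist of containers the scanner is known to open. Anything
# recognised but absent here is treated as unscanned (the failsafe the OP wants).
SCANNED_CONTAINERS = {"zip", "gzip"}

# Extensions that legitimately carry a given container type.
EXT_TO_TYPE = {"zip": "zip", "arj": "arj", "rar": "rar", "7z": "7z",
               "gz": "gzip", "tgz": "gzip"}


def sniff(data: bytes) -> str:
    """Identify a container by its leading bytes, ignoring the filename."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def attachment_filenames(msg: EmailMessage) -> List[str]:
    """What the filter's $filenames variable exposes: every attachment name."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def unscanned_archives(msg: EmailMessage) -> List[Tuple[str, str, str]]:
    """Return (filename, detected type, reason) for attachments that are either
    a container outside SCANNED_CONTAINERS or a container whose extension lies."""
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        kind = sniff(part.get_payload(decode=True) or b"")
        if kind == "unknown":
            continue  # not a recognised container; leave it to the normal policy
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if kind not in SCANNED_CONTAINERS:
            flagged.append((name, kind, "container not content-scanned"))
        elif EXT_TO_TYPE.get(ext) != kind:
            flagged.append((name, kind, "extension does not match content"))
    return flagged


def build_sample() -> EmailMessage:
    """Constructed test message: payloads are header-only stubs, not real archives."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "ed@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(b"PK\x03\x04" + bytes(26), maintype="application",
                       subtype="zip", filename="report.zip")
    msg.add_attachment(b"\x60\xea" + bytes(30), maintype="application",
                       subtype="octet-stream", filename="setup.arj")
    # ARJ bytes renamed to .zip: the extension-based rule sees a zip.
    msg.add_attachment(b"\x60\xea" + bytes(30), maintype="application",
                       subtype="zip", filename="photo.zip")
    # Zip bytes renamed to .pdf: a scanned container hiding behind a document name.
    msg.add_attachment(b"PK\x03\x04" + bytes(26), maintype="application",
                       subtype="pdf", filename="scan.pdf")
    return msg


def scan_raw(raw: bytes) -> List[Tuple[str, str, str]]:
    """Parse an RFC 5322 message from bytes, as a gateway would, and evaluate it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return unscanned_archives(msg)


if __name__ == "__main__":
    sample = build_sample()
    print("X-Attachment-filename:", ", ".join(attachment_filenames(sample)))
    for name, kind, reason in scan_raw(sample.as_bytes()):
        print(f"{name}: {kind} ({reason})")
```

On the sample message only report.zip passes: setup.arj and photo.zip are flagged because ARJ is not in the assumed allowlist regardless of the name they carry, and scan.pdf is flagged because its bytes are a zip. Sniffing the magic bytes is the point; an extension or MIME-type rule is exactly what a renamed archive is built to get past.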