I use the following filter, which redirects messages with potentially unsafe attachments to a special mailbox, where they can be retrieved if absolutely necessary.

attachment-filter: if (recv-listener == "InboundMail") AND (attachment-filename
==
"(?i)\\.(386|exe|ad|ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shb|shs|vb|vbe|vbs|vss|vst|vsw|ws|wsc|wsf|wsh)$") {
alt-rcpt-to ("attachmentfilter@mydomain.com");
deliver();
}


Mike

We block
cer;ade;adp;bas;bat;chm;cmd;com;cpl;crt;exe;hlp;hta;inf;ins;isp;lnk;mdb;mde;msc;msi;msp;mst;pcd;reg;scr;url;sys;drv;arj;tar;

But we do it in the Exchange backend as we want to allow zipped files to contain these. From what I've tried, if I set up attachment blocking on the Ironport it won't allow zip files through with any of these file types included.

Now if Ironport had the option to "allow zip's" we'd move this attachment blocking to the Ironport and strip them out before virus scanning.

Did anyone notice that IronPort matches attachments when using the attachment_filename filter rule even when the attachment is inside a password protected .zip file.

I know IronPort didn't used to do this match inside password protected .zip file, does anyone know when this started?

We drop on a long list like shown above, using message filters, not content filters.

Erich

The ironports will allow you to block by extension and allow that extension in a zip file. We are accomplishing this by running "scanconfig" and setting the depth to 0.

The Scanconfig command only applies to how Ironport handles filters... it has nothing to do with antivirus, so AV will still unzip your zip files to be scanned.

Also, the reason I think that ironport blocks within password protected zip files is because with version 9.0 of Winzip, you can open zip files without the password. You only need the password on extraction... so if you are matching on file pattern (ex: *.exe) it will see those patterns inside the zip and drop them.

We block 
cer;ade;adp;bas;bat;chm;cmd;com;cpl;crt;exe;hlp;hta;inf;ins;isp;lnk;mdb;mde;msc;msi;msp;mst;pcd;reg;scr;url;sys;drv;arj;tar;

But we do it in the Exchange backend as we want to allow zipped files to contain these. From what I've tried, if I set up attachment blocking on the Ironport it won't allow zip files through with any of these file types included.

Now if Ironport had the option to "allow zip's" we'd move this attachment blocking to the Ironport and strip them out before virus scanning.

We block the following:

.ade Access Project Extension (Microsoft)
.adp Access Project (Microsoft)
.app Executable Application
.asp Active Server Page
.bas BASIC Source Code
.bat Batch Processing
.cer Internet Security Certificate File
.chm Compiled HTML Help
.cmd DOS CP/M Command File, Command File for Windows NT
.com Command
.cpl Windows Control Panel Extension (Microsoft)
.crt Certificate File
.csh csh Script
.exe Executable File
.fxp FoxPro Compiled Source (Microsoft)
.hlp Windows Help File
.hta Hypertext Application
.inf Information or Setup File
.ins IIS Internet Communications Settings (Microsoft)
.isp IIS Internet Service Provider Settings (Microsoft)
.its Internet Document Set, Internation Translation
.js JavaScript Source Code
.jse JScript Encoded Script File
.ksh UNIX Shell Script
.lnk Windows Shortcut File
.mad Access Module Shortcut (Microsoft)
.maf Access (Microsoft)
.mag Access Diagram Shortcut (Microsoft)
.mam Access Macro Shortcut (Microsoft)
.maq Access Query Shortcut (Microsoft)
.mar Access Report Shortcut (Microsoft)
.mas Access Stored Procedures (Microsoft)
.mat Access Table Shortcut (Microsoft)
.mau Media Attachment Unit
.mav Access View Shortcut (Microsoft)
.maw Access Data Access Page (Microsoft)
.mda Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)
.mdb Access Application (Microsoft), MDB Access Database (Microsoft)
.mde Access MDE Database File (Microsoft)
.mdt Access Add-in Data (Microsoft)
.mdw Access Workgroup Information (Microsoft)
.mdz Access Wizard Template (Microsoft)
.msc Microsoft Management Console Snap-in Control File (Microsoft)
.msi Windows Installer File (Microsoft)
.msp Windows Installer Patch
.mst Windows SDK Setup Transform Script
.ops Office Profile Settings File
.pcd Visual Test (Microsoft)
.pif Windows Program Information File (Microsoft)
.prf Windows System File
.prg Program File
.pst MS Exchange Address Book File, Outlook Personal Folder File (Microsoft)
.reg Registration Information/Key for W95/98, Registry Data File
.scf Windows Explorer Command
.scr Windows Screen Saver
.sct Windows Script Component, Foxpro Screen (Microsoft)
.shb Windows Shortcut into a Document
.shs Shell Scrap Object File
.tmp Temporary File/Folder
.url Internet Location
.vb VBScript File or Any VisualBasic Source
.vbe VBScript Encoded Script File
.vbs VBScript Script File, Visual Basic for Applications Script
.vsmacros Visual Studio .NET Binary-based Macro Project (Microsoft)
.vss Visio Stencil (Microsoft)
.vst Visio Template (Microsoft)
.vsw Visio Workspace File (Microsoft)
.ws Windows Script File
.wsc Windows Script Component
.wsf Windows Script File
.wsh Windows Script Host Settings File

Well, having seen Mr.X's list, I guess I should feel better about what my company blocks.

Like my company Mr. X gets most of his list from the defaults in Outlook 2003.

http://office.microsoft.com/en-us/assistance/HA011402971033.aspx

But those aren't the files I worry about as outlook theoretically won't auto open them anymore.

The problem we run into is what do you do when there is a legitimate business need for one of these blocked attachments. Do you just let them through or do you filter them somehow?

In AsyncOS 5.5.1 its no longer possible to set depth=0 in scanconfig
How can I now allow .ZIP but drop executable filetypes?

Is there a way I could filter file type in .zip in AsyncOS 5.5.1?

Thanks.

We block:
.cmd, .ade, .adp, .bas, .bat, .chm, .com, .cpl, .crt, .asf, .exe, .hlp, .hta, .inf, .ins, .isp, .js, .wmv, .jse, .lnk, .mdb, .mde, .msc, .msi, .msp, .mst, .pcd, .pif, .reg, .scr, .sct, .shs, .shb, .url, .vb, .vbe, .wsc, .wsf, .wsh, .MIDI, .MPEG3, .MP3, .mpe, .mpg, .MPEG, .AIF, .VOL, .AU, .WAV, .RM, .GM, .AVI, .mp4.

Some from a security point of view some from a bandwidth point of view.