Blocking email attachments based on their file name or extension using Norton AntiVirus for Microsoft Exchange

Article:TECH78795  |  Created: 2000-01-12  |  Updated: 2006-01-18  |  Article URL http://www.symantec.com/docs/TECH78795
Article Type
Technical Solution


Environment

Issue



You want to use Norton AntiVirus for Microsoft Exchange (NAVMSE) to block email attachments based on their file name or extension in VAPI or MAPI/VAPI combo mode.


Solution



Norton AntiVirus for Microsoft Exchange 2.0x through 2.1x enables you to create a list of files to be handled as though they were infected. If a file name or extension matches one of the entries in the list, then it will be handled according to the options set for infected files. The virus information reported for the attachment will be "UNAUTHORIZED FILE."

This page describes how to block specific attachments; the email message will still be delivered, but without the attachment. For instructions on blocking entire email messages that contain unauthorized files, see the document How to delete email and its attachment with Norton AntiVirus for Microsoft Exchange.


Note: If the Microsoft Exchange Information Store contains a large number of infected attachments, then see the document How to remove a large number of infected attachments from the Microsoft Exchange Information Store for instructions on purging the infected messages.


The following example blocks three entries: files with the extension *.vbs, the file name virus.txt, and files with the double extension *.jpg.exe.


WARNING: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Modify only the keys that are specified.


  1. Open the Registry Editor, and then navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\NAVMSE\2.1\BlockingPolicy\Attachment
  2. Specify the total number of file names and extensions to be blocked. In this example, a total of three entries (one file name and two extensions) are to be blocked.
    1. Right-click AttachmentNamesCount, and then click Modify.
    2. Change the base to Decimal, type 3 in the Value data window, and then click OK.


      WARNING: Care should be taken here. The Registry Editor defaults to hexadecimal, but it is easy to assume decimal. A change from 9 to 10 in hexadecimal is a change from 9 to 16 in decimal. When modifying the AttachmentNamesCount value, make sure you select decimal.

  3. Create a new String Value for each file name or extension in the list. Follow the naming convention of AttachmentNamesX, where X represents sequential integers. The following registry entries illustrate the correct sequence; AttachmentNamesX always starts with 0 and runs sequentially:
    AttachmentNames0
    AttachmentNames1
    AttachmentNames2


    To create a String Value for *.vbs, virus.txt and *.jpg.exe:
    1. In the left pane, right-click Attachment, point to New, and then click String Value.
    2. Type AttachmentNames0 as the new String Value, and then press Enter.
    3. Right-click AttachmentNames0, click Modify, type *.vbs as the Value data, and then click OK.
    4. Repeat steps 1 through 3 to create a second String Value for AttachmentNames1 with a Value data of virus.txt.
    5. Repeat steps 1 through 3 to create a third String Value for AttachmentNames2 with a Value data of *.jpg.exe.


      WARNING: If you remove an entry from the list, then be sure that the remaining entries are renumbered sequentially. Do not leave any gaps in the numbering.

  4. (Optional) To configure NAVMSE to search for the specified extensions or file names within compressed files, set the AllowsChecksWithinArchives Value data to 1. Setting the Value data to 0 prevents NAVMSE from searching within compressed files.
    1. Right-click AllowsChecksWithinArchives, and then click Modify.
    2. Type 1 in the Value data window to search within compressed files.
  5. Stop and then restart the NAV for Microsoft Exchange service, or run NaveUpdate.exe to have the new settings take effect. NaveUpdate.exe is located in the installation directory along with all the NAVMSE executables.


    Note: If you test the blocked extensions by creating a file and naming it using a blocked extension, then make sure the file is not 0 KB.

The following are examples of how to set up blocked extensions, including double extensions:
*.txt.vbs
*.jpg.exe
*.mp3.bat
*.jpg


Note: File name comparisons are not case-sensitive.


The following registry keys and values are created after the first save of any option settings after installation:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\NAVMSE\2.1\BlockingPolicy\Attachment


Note: The 2.1 key in the registry path above may vary depending on your version of NAVMSE.


"UseRegularExpressions"=dword:00000000
"AttachmentNamesCount"=dword:00000000
"AllowsChecksWithinArchives"=dword:00000001



Note: If Norton AntiVirus for Exchange is uninstalled, and then reinstalled or updated, then the registry keys created to block files by extension will be lost. We suggest exporting the registry key before you uninstall or reinstall. When the uninstall or reinstall is completed, import the registry key back into the registry.
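
The numbering rules from the warnings above (count entered in decimal, entries numbered from 0 with no gaps) can be checked against an exported copy of the key. The following Python is an added example, not Symantec's code; the function names and the constructed sample exports are assumptions, and the export text is assumed to be already decoded (Registry Editor version 5 exports are UTF-16).

```python
import re

# Key path from the article; the "2.1" component varies with the NAVMSE version.
KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\NAVMSE\2.1\BlockingPolicy\Attachment]"
# Value lines as regedit writes them: "Name"=dword:00000003 or "Name"="text"
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def make_export(entries, count=None):
    """Build constructed .reg text from {index: pattern}; count defaults to len(entries)."""
    count = len(entries) if count is None else count
    lines = [KEY, f'"AttachmentNamesCount"=dword:{count:08x}']
    lines += [f'"AttachmentNames{i}"="{p}"' for i, p in entries.items()]
    return "\n".join(lines)

def check_blocklist(text):
    """Return a list of problems found in decoded .reg text for the Attachment key."""
    count, entries = None, {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue  # header, key path or blank line
        name, dword, string = m.groups()
        if name == "AttachmentNamesCount" and dword is not None:
            count = int(dword, 16)  # dword values are always written in hex
        elif (n := re.fullmatch(r"AttachmentNames(\d+)", name)) and string is not None:
            entries[int(n.group(1))] = string
    if count is None:
        return ["AttachmentNamesCount is missing or is not a DWORD"]
    problems = []
    gaps = sorted(set(range(len(entries))) - set(entries))
    if gaps:
        problems.append(f"numbering gap: AttachmentNames{gaps[0]} is missing")
    if count != len(entries):
        msg = f"AttachmentNamesCount is {count} but {len(entries)} entries exist"
        if f"{count:x}" == str(len(entries)):  # e.g. "10" typed as hex is stored as 16
            msg += " (typed with the Hexadecimal base selected?)"
        problems.append(msg)
    problems += [f"AttachmentNames{i} is empty" for i, p in sorted(entries.items()) if not p.strip()]
    return problems

# Constructed samples: the article's three entries, the same list after deleting
# virus.txt without renumbering, and ten entries whose count was typed as hex "10".
GOOD = make_export({0: "*.vbs", 1: "virus.txt", 2: "*.jpg.exe"})
GAP = make_export({0: "*.vbs", 2: "*.jpg.exe"}, count=3)
HEX = make_export({i: f"*.ex{i}" for i in range(10)}, count=0x10)

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("gap", GAP), ("hex", HEX)):
        print(label, check_blocklist(sample) or "OK")
```

Running the check on an export taken before and after each change to the list shows whether a removed entry left a gap or a stale count behind.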







Legacy ID



2000071215411354

