Deleting emails having *.exe files in *.zip attachments

Created: 19 Jul 2011 | 9 comments
enzo81 | 0 Votes

I'm currently using Symantec Messaging Gateway 9.5.1

How do I do as mentioned in title to inbound emails?

Comments

TSE-JDavis | 20 Jul 2011 | 1 Vote

You can't specify this level of granularity. You can only delete .exe files and/or .zip files. You can't tell us to delete a .exe only if it is inside a ZIP container.

enzo81 | 20 Jul 2011 | 0 Votes

In that case, do you have any suggestions to prevent infections from such instances?

.exe files are already set to delete but the problem is when these .exe files are within .zip files.

And so it happens that one of my colleagues ran the .exe within the .zip from "DHL" informing that her package was delivered to the wrong address. *facepalm

TSE-JDavis | 21 Jul 2011 | 1 Vote

The content filtering rule will look inside of containers if you configure it correctly. I would suggest using the Executable Files attachment list for a content filtering rule since it includes a wide variety of executable files.

enzo81 | 21 Jul 2011 | 0 Votes

Sorry Davis, you confused me there with both comments.

Could you give me a pointer on configuring the content filtering rule to look for Executable Files inside Archive Files?

I'm currently putting them in quarantine if the following condition is met.

If text in From/To/Cc/Bcc Address part of the message contains 1 or more occurrences of "dhl.com"
AND If the file metadata is in the attachment list "Archive Files"

If I use this condition:

  Text in this specific part of the message: [Select message part] (Attachment content / Bcc: address / Body / Cc: address / Envelope HELO / Envelope recipient / Envelope sender / From: address / From/To/Cc/Bcc Address / Message header / Subject / To: address / To/Cc/Bcc Address)
  Header name:
  The message header: exists / does not exist
  contains / does not contain [ ] or more occurrences of

I can't add Executable Files unless I manually type them all out. That's the closest I can find that probably looks into containers.

Thanks.

KevK76 | 22 Jul 2011 | 1 Vote

Hi Enzo,

If you create a rule to delete executables, we should still be able to identify an exe even if it is contained in a zip file. We won't be able to do this if the zip file is password protected.  So really you should be able to create a rule as you mentioned above, but choose the 'Executable Files' attachment list instead of the 'Archive Files' attachment list.

Kevin

enzo81 | 24 Jul 2011 | 0 Votes

Hi KevK76,

Thanks for the info.

I'll test it out.

enzo81 | 24 Jul 2011 | 0 Votes

Checked the audit logs and noticed all emails with *.xlsx were caught as executable files (or the embedded *.bin rather).

Suspect attachments:

xl/printersettings/printersettings1.bin

And all of them were legitimate email.

TSE-JDavis | 25 Jul 2011 | 2 Votes

You must have upgraded from an old version of Brightmail. This was an issue in 8.0.3 that we resolved by removing 'Extension is bin' from the Executable Attachments list. If you simply performed an upgrade this would be preserved in case you wanted this functionality.

You just need to remove it from the list and that will stop us from triggering on .bin files.

enzo81 | 25 Jul 2011 | 0 Votes

That's right, it was an upgrade from an old version.

Thanks for the tip, I'll delete *.bin and continue monitoring.
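
The container behaviour discussed in this thread, as an added Python example that is not part of the original posts and is not Symantec Messaging Gateway's implementation: it looks inside ZIP-format attachments for executables, reports encrypted members as uninspectable, and shows why an .xlsx (itself a ZIP container) matches once `bin` is on the extension list. The extension lists, helper names and sample file names are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Assumed lists for illustration; not the product's actual "Executable Files" list.
CURRENT_EXTS = {"exe", "scr", "com", "bat", "pif"}
LEGACY_EXTS = CURRENT_EXTS | {"bin"}   # 'Extension is bin' kept by an upgrade, per the thread

def scan_container(data, exts, depth=0, max_depth=3):
    """Walk a ZIP-format attachment; return a list of (reason, member_path)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:   # encrypted member: content cannot be inspected
                findings.append(("uninspectable", info.filename))
                continue
            body = zf.read(info)
            ext = posixpath.splitext(info.filename)[1][1:].lower()
            if ext in exts or body[:2] == b"MZ":   # extension match or DOS/PE magic
                findings.append(("executable", info.filename))
            elif body[:4] == b"PK\x03\x04" and depth < max_depth:   # nested archive
                inner = scan_container(body, exts, depth + 1, max_depth)
                findings += [(r, info.filename + "!" + p) for r, p in inner]
    return findings

def make_zip(members, encrypted=False):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    raw = bytearray(buf.getvalue())
    if encrypted:   # only sets the encryption flag in each central directory entry
        pos = raw.find(b"PK\x01\x02")
        while pos != -1:
            raw[pos + 8] |= 0x01
            pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)

# Constructed samples mirroring the cases in the thread.
LURE = make_zip({"DHL_notice.exe": b"MZ" + b"\x00" * 62})
NESTED = make_zip({"docs/inner.zip": LURE})
LOCKED = make_zip({"DHL_notice.exe": b"MZ" + b"\x00" * 62}, encrypted=True)
XLSX = make_zip({"xl/workbook.xml": b"<workbook/>",
                 "xl/printersettings/printersettings1.bin": b"\x00" * 32})
```

A policy built on this kind of check still has to decide separately what to do with "uninspectable" results, since a password-protected archive passes an executable rule without ever being examined.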