Messaging Gateway

  • 1.  Deleting emails having *.exe files in *.zip attachments

    Posted Jul 20, 2011 02:42 AM

    I'm currently using Symantec Messaging Gateway 9.5.1

    How do I do as mentioned in title to inbound emails?



  • 2.  RE: Deleting emails having *.exe files in *.zip attachments

    Broadcom Employee
    Posted Jul 20, 2011 11:44 AM
    You can't specify this level of granularity. You can only delete .exe files and/or .zip files. You can't tell us to delete a .exe only if it is inside a ZIP container.


  • 3.  RE: Deleting emails having *.exe files in *.zip attachments

    Posted Jul 20, 2011 09:21 PM

    In that case, do you have any suggestions to prevent infections from such instances?

    .exe files are already set to delete but the problem is when these .exe files are within .zip files.

    And so it happens that one of my colleagues ran the .exe within the .zip from "DHL" informing that her package was delivered to the wrong address. *facepalm



  • 4.  RE: Deleting emails having *.exe files in *.zip attachments

    Broadcom Employee
    Posted Jul 21, 2011 11:25 AM

    The content filtering rule will look inside of containers if you configure it correctly. I would suggest using the Executable Files attachment list for a content filtering rule since it includes a wide variety of executable files.



  • 5.  RE: Deleting emails having *.exe files in *.zip attachments

    Posted Jul 21, 2011 10:35 PM

    Sorry Davis, you confused me there with both comments.

    Could you give me a pointer on configuring the content filtering rule to look for Executable Files inside Archive Files?

    I'm currently putting them in quarantine if the following condition is met.

     

    If text in From/To/Cc/Bcc Address part of the message contains 1 or more occurrences of "dhl.com"
    AND If the file metadata is in the attachment list "Archive Files"

     

    If I use this condition:

     
    I can't add Executable Files unless I manually type them all out. That's the closest I can find that probably looks into containers.
     
    Thanks.


  • 6.  RE: Deleting emails having *.exe files in *.zip attachments

    Posted Jul 22, 2011 07:28 AM

    Hi Enzo,

    If you create a rule to delete executables, we should still be able to identify an exe even if it is contained in a zip file. We won't be able to do this if the zip file is password protected.  So really you should be able to create a rule as you mentioned above, but choose the 'Executable Files' attachment list instead of the 'Archive Files' attachment list.

    Kevin



  • 7.  RE: Deleting emails having *.exe files in *.zip attachments

    Posted Jul 24, 2011 09:51 PM

    Hi KevK76,

     

    Thanks for the info.

    I'll test it out.



  • 8.  RE: Deleting emails having *.exe files in *.zip attachments

    Posted Jul 25, 2011 02:00 AM

    Checked the audit logs and noticed all emails with *.xlsx were caught as executable files (or the embedded *.bin rather).

     

    Suspect attachments:

    And all of them were legitimate email.



  • 9.  RE: Deleting emails having *.exe files in *.zip attachments

    Broadcom Employee
    Posted Jul 25, 2011 12:11 PM

    You must have upgraded from an old version of Brightmail. This was an issue in 8.0.3 that we resolved by removing 'Extension is bin' from the Executable Attachments list. If you simply performed an upgrade this would be preserved in case you wanted this functionality.

     

    You just need to remove it from the list and that will stop us from triggering on .bin files.



  • 10.  RE: Deleting emails having *.exe files in *.zip attachments

    Posted Jul 25, 2011 09:24 PM

    That's right, it was an upgrade from an old version.

    Thanks for the tip, I'll delete *.bin and continue monitoring.
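
Added example (not part of the thread, and not Symantec Messaging Gateway code): a Python sketch of the container inspection discussed in posts 6 and 9, showing why a list that still contains `.bin` matches every XLSX and why encrypted members cannot be inspected. The extension lists, function names, sample files and the quarantine-on-encrypted policy are assumptions made for illustration.

```python
import io
import os
import zipfile

# Assumed extension lists for illustration; not the product's real lists.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
LEGACY_EXTS = EXECUTABLE_EXTS | {".bin"}   # list preserved by an upgrade

def scan_container(data, exts=EXECUTABLE_EXTS):
    """Return (hits, unscannable) member names for a ZIP-format attachment."""
    hits, unscannable = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:          # bit 0 set: member is encrypted
                unscannable.append(info.filename)
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as member:
                is_pe = member.read(2) == b"MZ"   # DOS/PE header magic
            if is_pe or ext in exts:
                hits.append(info.filename)
    return hits, unscannable

def verdict(data, exts=EXECUTABLE_EXTS):
    """Assumed policy: delete on a hit, quarantine what cannot be inspected."""
    hits, unscannable = scan_container(data, exts)
    if hits:
        return "delete"
    return "quarantine" if unscannable else "deliver"

def make_zip(members):
    """Build a constructed in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: a lure ZIP and a minimal XLSX-like package.
LURE = make_zip({"DHL_notice.exe": b"MZ" + b"\x00" * 62})
XLSX = make_zip({"[Content_Types].xml": b"<Types/>",
                 "xl/workbook.xml": b"<workbook/>",
                 "xl/printerSettings/printerSettings1.bin": b"\x00" * 16})

if __name__ == "__main__":
    print("lure:", verdict(LURE))
    print("xlsx, legacy list:", verdict(XLSX, LEGACY_EXTS))
    print("xlsx, current list:", verdict(XLSX))
```

An XLSX is itself a ZIP package, so an extension rule applied to its members sees the embedded `.bin` parts; the header check also catches an executable that has been renamed to a harmless-looking extension.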