Cisco Cisco Email Security Appliance C680 User Guide
9-78
User Guide for AsyncOS 9.7 for Cisco Email Security Appliances
Chapter 9 Using Message Filters to Enforce Email Policies
Attachment Scanning
Defang URL, Based on URL Category
The syntax of a filter using the
url-category-defang
action is:
<msg_filter_name>:
if <condition>
{
url-category-defang([‘<category-name1>’,’<category-name2>’,…, ‘<category-name3>’],
’<url_white_list>’, <unsigned-only>);
}
Redirect URL to Cisco Security Proxy, Based on URL Category
The syntax of a filter using the
url-category-proxy-redirect
action is:
<msg_filter_name>:
if <condition>
{
url-category-proxy-redirect([‘<category-name1>’,’<category-name2>’,…,
‘<category-name3>’], ’<url_white_list>’, <unsigned-only>);
}
No Operation
The No Operation action performs a no-op, or no operation. You can use this action in a message filter
if you do not want to use any of the other actions such as Notify, Quarantine, or Drop. For example, to
understand the behavior of a new message filter that you created, you can use the No Operation action.
After the message filter is operational, you can monitor the behavior of the new message filter using the
Message Filters report page, and fine-tune the filter to match your requirements.
if you do not want to use any of the other actions such as Notify, Quarantine, or Drop. For example, to
understand the behavior of a new message filter that you created, you can use the No Operation action.
After the message filter is operational, you can monitor the behavior of the new message filter using the
Message Filters report page, and fine-tune the filter to match your requirements.
The following example shows how to use No Operation action in a message filter.
Attachment Scanning
The Email Security appliance uses Content Scanner to strip attachments from messages that are
inconsistent with your corporate policies, while still retaining the ability to deliver the original message.
inconsistent with your corporate policies, while still retaining the ability to deliver the original message.
You can filter attachments based on their specific file type, fingerprint, or based on the content of the
attachment. Using the fingerprint to determine the exact type of attachment prevents users from
renaming a malicious attachment extension (for example,
attachment. Using the fingerprint to determine the exact type of attachment prevents users from
renaming a malicious attachment extension (for example,
.exe
) to a more commonly used extension (for
example,
.doc
) in the hope that the renamed file would bypass attachment filters.
When you scan attachments for content, the Content Scanner extracts data from attachment files to
search for the regular expression. It examines both data and metadata in the attachment file. If you scan
an Excel or Word document, the attachment scanning engine can also detect the following types of
embedded files: .exe, .dll, .bmp, .tiff, .pcx, .gif, .jpeg, .png, and Photoshop images.
search for the regular expression. It examines both data and metadata in the attachment file. If you scan
an Excel or Word document, the attachment scanning engine can also detect the following types of
embedded files: .exe, .dll, .bmp, .tiff, .pcx, .gif, .jpeg, .png, and Photoshop images.
new_filter_test: if header-repeats ('subject', X, 'incoming') {no-op();}