Cisco Cisco Email Security Appliance C160 Guía Del Usuario
9-88
Cisco AsyncOS 9.1 for Email User Guide
Chapter 9 Using Message Filters to Enforce Email Policies
Attachment Scanning
In the following example, a message is dropped if the attachment is not an .exe executable file type.
However, the filter will not perform any action on the message if there is at least one attachment with
the file type you want to filter out. For example, the following filter drops any message with an
attachment that is not an
However, the filter will not perform any action on the message if there is at least one attachment with
the file type you want to filter out. For example, the following filter drops any message with an
attachment that is not an
.exe
file type:
If a message has multiple attachments, the Email Security appliance does not drop the message if at least
one of the attachments is an
one of the attachments is an
.exe
file, even if the other attachments not
.exe
files.
Dropping Attachments by Dictionary Matches
This
drop-attachments-where-dictionary-match
action strips attachments based on matches to
dictionary terms. If the terms in the MIME parts considered to be an attachment match a dictionary term
(and the user-defined threshold is met), the attachment is stripped from the email. The following example
shows attachment drops if words in the “secret_words” dictionary are detected in the attachment. Note
that the threshold for the matches is set to one:
(and the user-defined threshold is met), the attachment is stripped from the email. The following example
shows attachment drops if words in the “secret_words” dictionary are detected in the attachment. Note
that the threshold for the matches is set to one:
Quarantining Protected Attachments
The
attachment-protected
filter tests whether any attachment in the message is password protected.
You might use this filter on incoming mail to ensure that the attachments are scannable. According to
this definition, a zip file containing one encrypted member along with unencrypted members will be
considered protected. Similarly, PDF file that has no open password will not be considered protected,
even though it may restrict copying or printing with a password. The following example shows protected
attachments sent to a policy quarantine:
this definition, a zip file containing one encrypted member along with unencrypted members will be
considered protected. Similarly, PDF file that has no open password will not be considered protected,
even though it may restrict copying or printing with a password. The following example shows protected
attachments sent to a policy quarantine:
exe_check: if (attachment-filetype != "exe") {
drop();
}
Data_Loss_Prevention: if (true) {
drop-attachments-where-dictionary-match("secret_words", 1);
}
quarantine_protected:
if attachment-protected
{
quarantine("Policy");
}