Cisco Email Security Appliance C160 User Guide

Cisco AsyncOS 8.5 for Email User Guide
 
Chapter 9: Using Message Filters to Enforce Email Policies
Attachment Scanning
In the following example, the “executable” pre-defined group of attachments is extended to include more attachment names. (Note that this action will not examine the attachments’ file type.)

    strip_all_dangerous: if (true) {
        drop-attachments-by-filetype ('Executable');
        drop-attachments-by-name('(?i)\\.(cmd|pif|bat)$');
    }

The drop-attachments-by-name action supports non-ASCII characters.

Note
The drop-attachments-by-name action matches the regular expression against the filename captured from the MIME header. The filename captured from the MIME header may contain trailing spaces.

In the following example, a message is dropped if the attachment is not an .exe executable filetype. However, the filter will not perform any action on the message if there is at least one attachment with the file type you want to filter out. For example, the following filter drops any message with an attachment that is not an .exe file type:

    exe_check: if (attachment-filetype != "exe") {
        drop();
    }

If a message has multiple attachments, the Email Security appliance does not drop the message if at least one of the attachments is an .exe file, even if the other attachments are not .exe files.

Dropping Attachments by Dictionary Matches

This drop-attachments-where-dictionary-match action strips attachments based on matches to dictionary terms. If the terms in the MIME parts considered to be an attachment match a dictionary term (and the user-defined threshold is met), the attachment is stripped from the email. The following example drops attachments if words in the “secret_words” dictionary are detected in the attachment. Note that the threshold for the matches is set to one:

    Data_Loss_Prevention: if (true) {
        drop-attachments-where-dictionary-match("secret_words", 1);
    }

Quarantining Protected Attachments

The attachment-protected filter tests whether any attachment in the message is password protected. You might use this filter on incoming mail to ensure that the attachments are scannable. According to this definition, a zip file containing one encrypted member along with unencrypted members will be
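
The note on drop-attachments-by-name above says the filename captured from the MIME header may contain trailing spaces, which matters for a pattern anchored with $ such as the one in strip_all_dangerous. The Python sketch below is an added example, not part of Cisco's guide: it reads filenames as written in a constructed message and compares the page's pattern with a whitespace-tolerant variant. Assumptions: Python's re module stands in for the appliance's regular-expression matching, and TOLERANT_PATTERN and the sample message are hypothetical.

```python
import email
import re

# Pattern from the page's strip_all_dangerous filter (filter syntax doubles the backslash)
PAGE_PATTERN = r'(?i)\.(cmd|pif|bat)$'
# Hypothetical variant: allow whitespace between the extension and end of string
TOLERANT_PATTERN = r'(?i)\.(cmd|pif|bat)\s*$'

# Constructed sample: the second attachment's filename ends in two spaces
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="setup.bat"

echo one
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="update.BAT  "

echo two
--XYZ
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

hello
--XYZ--
"""

def raw_filenames(source):
    """Return attachment filenames exactly as written in the MIME headers."""
    msg = email.message_from_string(source)
    # get_param() keeps trailing whitespace; get_filename() would strip it
    names = (p.get_param("filename", header="content-disposition") for p in msg.walk())
    return [n for n in names if n is not None]

def matched(pattern, names):
    """Filenames the pattern selects (assumes re.search-style matching)."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]

if __name__ == "__main__":
    names = raw_filenames(SAMPLE)
    for label, pat in (("page", PAGE_PATTERN), ("tolerant", TOLERANT_PATTERN)):
        print(label, [repr(n) for n in matched(pat, names)])
```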