Cisco Email Security Appliance X1070 Troubleshooting Guide

ESA FAQ: What are the differences between the body-contains and attachment-contains filter rules on the ESA?
Document ID: 117856
Contributed by Tomki Camp and Enrico Werner, Cisco TAC Engineers.
Jun 26, 2014
Contents
Introduction
What are the differences between the body-contains and attachment-contains filter rules?
     body-contains
     attachment-contains
Introduction
This document describes the differences between the body-contains and attachment-contains filter rules on
the Cisco Email Security Appliance (ESA).
What are the differences between the body-contains and attachment-contains filter rules?
Both the body-contains and the attachment-contains filter rules scan the content of a message; however,
there are some differences.
body-contains
The body-contains() filter rule scans the inbound email and all of its attachments for a particular pattern that
is defined by its parameter. Unlike the other rules, it only operates in a unary form.
The scanning logic can be modified with the scanconfig command in the CLI in order to define the MIME
types that should or should not be scanned. By default, the system scans all of the attachments except for
those with a MIME type of video/*, audio/*, image/*, or anything that appears to be a PDF file.
The system scans the archive attachments, such as .zip or .gzip attachments that contain multiple files. You
can set the number of nested, archived attachments to scan, such as a .zip that is contained within a .zip.
attachment-contains
The attachment-contains filter rule is similar to body-contains(), but it attempts to avoid scanning the
entire body of the message. That is, it attempts to scan only the part that the user would view as being an
attachment.
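The scope difference described above, modelled in Python as an added example (this is not Cisco's code and not how the ESA is implemented). It assumes that "attachment" means a MIME part with Content-Disposition: attachment or a filename; the function names and the sample message are constructed, and archive unpacking is not modelled.

```python
import re
from email import message_from_string

# Constructed sample: a text body, a text attachment and an image attachment.
SAMPLE = """\
From: sender@example.com
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Body mentions project-falcon.
--BOUND
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

Attachment mentions invoice-7731.
--BOUND
Content-Type: image/png
Content-Disposition: attachment; filename="logo.png"

watermark-55
--BOUND--
"""

def looks_like_attachment(part):
    # Assumption: "what the user would view as an attachment" is approximated
    # by Content-Disposition: attachment or a filename on the part.
    return part.get_content_disposition() == "attachment" or bool(part.get_filename())

def skipped_by_default(part):
    # Default exclusions stated on this page: video/*, audio/*, image/*, PDFs.
    payload = part.get_payload(decode=True) or b""
    return (part.get_content_maintype() in {"video", "audio", "image"}
            or part.get_content_type() == "application/pdf"
            or payload.lstrip().startswith(b"%PDF"))

def scan(raw, pattern, attachments_only):
    """True if pattern matches in the parts the modelled rule would cover."""
    for part in message_from_string(raw).walk():
        if part.is_multipart() or skipped_by_default(part):
            continue
        if attachments_only and not looks_like_attachment(part):
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if re.search(pattern, text):
            return True
    return False

def body_contains(raw, pattern):
    return scan(raw, pattern, attachments_only=False)

def attachment_contains(raw, pattern):
    return scan(raw, pattern, attachments_only=True)
```

A pattern that appears only in the message body matches the modelled body-contains but not attachment-contains, and a pattern that appears only inside the image part matches neither because that MIME type is excluded by default.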
Updated: Jun 26, 2014