Cisco Email Security Appliance X1070 Troubleshooting Guide

How do I capture and block embedded hyperlinks that have executables?
Document ID: 118454
Contributed by Cisco TAC Engineers.
Oct 13, 2014
Question
How do I capture and block embedded hyperlinks that have executables?
Answer
You can use a message filter to scan the body and any HTML attachments. These links usually arrive in
HTML emails. In order for the scanning engine to detect them, you must use the body-contains condition. If you
only process outbound mail, then you can use the 'only-body-contains' condition.
The following message filter looks for a hyperlink of any length that ends with an executable (the pattern
matches the .exe extension). Once the condition is met, two actions run. The first action notifies the local
administrator by sending an email to admin@example.com.
The second is a final action that drops the email. The email does not need to be dropped; it can be
quarantined instead by replacing the action 'drop();' below with the action 'quarantine('Policy');'.
The quarantine must be defined, otherwise the filter engine will not allow the filter. You can either use the
default Policy quarantine or create your own quarantine (refer to the quarantines section of the manual to
create or delete quarantines).
Block_exe_urls: if body-contains("://\\S*\\.exe(\\s|\\b|$)")
{
    notify ("admin@example.com");
    drop();
}
You can also use this version, which removes the bad URLs from the body and replaces them with the text
URL REMOVED.
remove_exe_urls: if body-contains("://\\S*\\.exe(\\s|\\b|$)")
{
    edit-body-text("://\\S*\\.exe(\\s|\\b|$)", "URL REMOVED");
}
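Before deploying either filter, the pattern can be checked offline against sample bodies. The script below is an added example, not part of the Cisco document: it assumes Python's re engine behaves like the appliance's regex engine for this pattern, and the sample lines and helper names (would_trigger, rewrite, report) are constructed for illustration.

```python
import re

# Effective regex from the filter; the filter string doubles each backslash.
# Assumption: Python's re engine stands in for the appliance's regex engine.
EXE_URL = re.compile(r"://\S*\.exe(\s|\b|$)")

# Constructed message-body lines (not taken from real mail).
SAMPLES = [
    "Get it at http://files.example.com/setup.exe today",
    '<a href="http://files.example.com/update.exe">Invoice</a>',
    "http://files.example.com/setup.exe?id=1",
    "Docs: https://www.example.com/guide.executive-summary",
    "Please run setup.exe from the shared drive",
]


def would_trigger(body: str) -> bool:
    """Mirror body-contains(): true if the pattern matches anywhere."""
    return EXE_URL.search(body) is not None


def rewrite(body: str) -> str:
    """Mirror edit-body-text(): replace every match with 'URL REMOVED'."""
    return EXE_URL.sub("URL REMOVED", body)


def report(samples):
    """Return (triggered, rewritten_body) for each sample line."""
    return [(would_trigger(s), rewrite(s)) for s in samples]


if __name__ == "__main__":
    for sample, (hit, new_body) in zip(SAMPLES, report(SAMPLES)):
        print(f"{'HIT ' if hit else 'pass'} | {sample!r} -> {new_body!r}")
```

Because the pattern starts at "://" and the trailing group can consume one whitespace character, the rewritten body keeps the scheme and may lose the space after the URL (for example "httpURL REMOVEDtoday"), which is worth knowing before choosing the replacement text.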