Chapter 12 - Using file filtering

Mechanics of file filtering

File filtering can be configured to assess several aspects of an attached file: the file name and extension, the actual file type, and the file size. By using these criteria, you can filter files in a variety of ways.

Filtering by file type

If you want to filter certain file types, you can create the filter * and set the File Types selection to the exact file type that you want to filter.

For example, you can create the filter * and set the File Types to MP3. This will ensure that all MP3 files are filtered, regardless of their file name or extension.

One advantage of setting a generic * filter and associating it with a certain file type (for example, EXEFILE) is that this prevents users from bypassing the filter simply by changing the extension of a file.

Note:
If you want to filter Microsoft Office Excel® files, you must enter .xls or in the File Names box, and then select both WINEXCEL1 and DOCFILE in the File Types list. Excel 1.x files are WINEXCEL1 file types, but newer versions of Excel are DOCFILE file types. For Microsoft Office 2007 documents (Word, Excel, and PowerPoint®), you should use the proper file extension in the File Names box, and then select OPENXML in the File Types list.

Note:

If you want to filter Microsoft Office Excel® files, you must enter *.xls or * in the File Names box, and then select both WINEXCEL1 and DOCFILE in the File Types list. Excel 1.x files are WINEXCEL1 file types, but newer versions of Excel are DOCFILE file types.
For Microsoft Office 2007 documents (Word, Excel, and PowerPoint®), you should use the proper file extension in the File Names box, and then select OPENXML in the File Types list.

Filtering by extension

If you want to filter any file that has a certain extension, you can create a generic filter for the extension and then set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: Create the filter *.exe* and then set the File Types selection to All Types. This will ensure that all files with an .exe extension will be filtered.

Important:
When creating generic file filters to stop all of a certain type of file (for example, .exe files), it is recommended that you write the filter in this format: *.exe. The second asterisk () will prevent files with extra characters appended after the file extension from bypassing the filter.

Filtering by name

If you want to filter all files with a certain name, you can create a filter by using the file name and setting the File Types selection to All Types. Filter matching is not case-sensitive.

For example: If a virus uses an attached file named payload.doc, you can create the filter payload.doc and set the File Types selection to All Types. This will ensure that any file named payload.doc will be filtered, regardless of the file type.

Detecting file attachments by name is also useful when there is a new virus outbreak and the administrator knows the name of the file where the virus resides before the virus scanners are updated to detect it. A perfect example of this is the Melissa worm. The worm resided in a file named List.doc and could have been detected if the administrator had used file filtering before the virus scanners could detect it.

Configuring the file filter

You can configure the file filter by file names, file types, or file sizes.

To configure the file filter

Click FILTERING in the Shuttle Navigator.
Select the File icon. The File Filtering pane appears on the right.
In the upper work pane, select the scan job for which you would like to create the file filter.
To detect file attachments with a particular file name, add the file name to the File Names section of the work pane by clicking Add, typing the file name that you want to detect, and pressing ENTER.

Optionally, you can configure Antigen to filter files based on their size. To detect files by size, when typing the file name, specify a comparison operator (=, >, <, >=, <=) and a file size (in KB, MB, or GB) after the file name. There should be no spaces between the file name and the operator, or between the operator and the file size.

Examples:

*.bmp>=1.2MB all .bmp files larger than or equal to 1.2 megabytes

*.com>150KB all .com files larger than 150 kilobytes

*>5GB all files larger than 5 gigabytes

Note:
For additional buttons that you can use when configuring file names, see About file names buttons.
Specify the list of File Types that can be associated with the selected File Name. You can select one or more File Types from the list, or select All Types located below the list. If the File Type that you want to associate with the selected File Name is not available in the list, then select All Types. (For a description of the file types listed in the selection box, see Appendix E - File types list overview.)

The All Types selection configures Antigen to filter based only on the file name and file extension. By selecting All Types, Antigen will be configured to detect the selected file name regardless of the file type. This prevents users from bypassing the filter simply by changing the extension of a file.

If you know the file type that you are searching for, Antigen will work more efficiently if you select the appropriate file type rather than All Types. For example, if you want to filter all EXE files, you can create the filter * and then set File Types to EXEFILE.
Ensure that the File Filter is set to Enabled. It is enabled by default.
Indicate the Action to take if there is a filter match.
Indicate whether to Send Notifications for the selected file name. This does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications). It is disabled by default.
Indicate whether to enable Quarantine Files for the selected file name. It is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable.

Note:
For additional buttons that you can use when configuring file names, see About file names buttons.

Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the filter. To create your own custom message, click Deletion Text.

Note:
Antigen provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros.

Click Save.

You can also create a filter list that contains multiple file filters. After you have created the list, the steps for configuring the filter list are the same as in the preceding procedure, except you must select the filter list rather than a filter name.

To create a file filter list

Click the Filter Lists icon in the FILTERING section of the Shuttle Navigator.
In the List Types section, select Files.
In the List Names section, click Add.
Type a name for the new list, and then press ENTER. The empty list appears in the List Names section.
With the new list name selected, click Edit. The Edit Filter List dialog box appears. Use the dialog box to add file filters to the list.
In the Include In Filter section, click Add.
Type the file names to be included in the filter list. Press ENTER when you have finished typing. You can have as many file names as you want, but each must be entered separately

The Exclude from Filter field is used to enter file names that should never be included on the relevant list. This prevents these entries from accidentally being added when importing a list from a text file. For more information on importing files, see "Importing new items into a filter list" and "Exporting sender-domains filters, file filters, and subject line filters" in Chapter 13 - Using content filtering.
When you are finished adding items, click OK. The file names you just entered appear, alphabetically, in the pane next to List Names.
Click Save.

Note:
You can change the name of a list by selecting the list in the List Names box and then pressing F2.

Action

Choose the action that you want Antigen to perform when a file filter is matched.

Note:
You must set the action for each file filter that you configure. The Action setting is not global.

Action	Description
Skip: Detect Only	Records the number of messages that meet the filter criteria, but allows messages to route in the usual way. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files is selected in General Options, a match to any of those conditions will cause the item to be deleted.
Delete: Remove Contents	Deletes the file attachment. The detected file attachment will be removed from the message and a text file will be inserted in its place. The text file will contain the string that was configured by using the Deletion Text button. Delete: Remove Contents is the default value.
Purge: Eliminate Message	Deletes the message from your mail system. When you select this option, a warning will appear informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue. Note: If the Quarantine Files box is checked, purged messages will be quarantined and can then be recovered from the quarantine database. When running VSAPI 2.0, the Realtime Scan Job can purge only outbound messages, but the SMTP Scan Job can purge inbound and outbound messages. Inbound and outbound purging by the Realtime Scan Job is available when running VSAPI 2.5.
Identify: Tag message	The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by clicking Tag Text on the Scan Job Settings work pane and then modifying the text. The same tag, however, will be used for all filters associated with the particular scan job. This action is available only for the SMTP Scan Job. When the Antigen Spam Manager is enabled and Antigen is installed on an Exchange 2003 server, the Tag message action also enables you to set the SCL property in Exchange 2003 and move tagged messages to the ASM Junk Mail folder. For more information on these features, see Chapter 17 - Antigen Spam Manager overview.

About file names buttons

The following buttons below the File Names section let you edit or delete a file name from the list. You can also change the order in which file names are filtered.

Button	Description
Edit	Enables you to edit an existing file name from the File Names section. Select the file name that you want to edit, and then click Edit. A dialog box appears that enables you to edit the selected file name. After you have completed making the necessary edits, click Save to submit or Cancel to undo.
Delete	Enables you to remove a file name from the File Names section. Select the file name that you want to delete, click Delete, and then click Save.
[Up Arrow], [Down Arrow]	Enables you to change the order in which file names are filtered. In the lower pane, select the file name that you want to reorder, and then click the UP ARROW or DOWN ARROW buttons (on the same line with File Names) to change the ranking to your preference.

Matching patterns in the file name with wildcard characters

Use wildcard characters to have your filter match patterns in the file name, rather than a specific file name. You can use any of the following characters to refine your filters.

Wildcard	Description
*	Match any number of characters in a file name. You can use multiple asterisks. The following are some examples of its usage: Single: Any of these single wildcard character patterns would detect veryevil.doc: veryevil., very.doc, very, il.doc. Multiple: Any of these multiple wildcard character patterns would detect eicar.com: ecrom, ei., car.. Note: Use multiple asterisks to filter file attachments with multiple extensions. For example: love..
?	Match any single character in a name where a single character may change. For example: virus?.exe would find virusa.exe, virus1.exe, or virus$.exe. Note This filter would not catch virus.exe.
[set]	A list of characters and ranges, enclosed in square brackets [abcdef]. Any single character in the specified set will be matched. For example: klez[a-h].exe would find kleza.exe through klezh.exe.
[^set]	Exclude characters that you know are not used in the file name. For example: klez[^m-z].exe would not find klezm.exe through klezz.exe.
[range]	Indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example: klez[ad-gp].exe would match kleza.exe, klezd.exe, klezf.exe, and klezp.exe, but not klezb.exe or klezr.exe.
\char	Indicates that special characters are used literally. (The characters are: * ? [ ] - ^ < >.) The backslash is called an escape character, and it indicates that a reserved control character should be taken literally, as a text character. For example: If you enter hello, you would typically expect to match hello anywhere in the file name. If you enter \hello\*, you would match hello. If you enter \hello\?\, you would match hello?*. Note: You must use a backslash before each special character.

Using directional file filters

When you use the file filter in conjunction with the SMTP Scan Job, you can configure a filter so that it checks only inbound or outbound messages. This is accomplished by adding a prefix to the file name when you enter it in the File Names work pane.

(For information about the inbound, outbound, and internal designations, see Chapter 8 - Configuring SMTP Scan Jobs.)

Note:
There are no spaces between the prefix and the file name.

Inbound Filtering—Prefixing the file name with the <in> directive instructs Antigen to apply this filter only to inbound messages.

<in>filename

Outbound Filtering—Prefixing the file name with the <out> directive instructs Antigen to apply this filter only to outbound messages.

<out>filename

Inbound, Outbound, and Internal Filtering—If no prefix is appended to the file name, then the filter is applied to all messages, regardless of direction.

filename

Filtering container files

Container files can be broadly described as complex files that can be broken down into various parts. Antigen can scan the following container files for filter matches:

PKZip (.zip)
GNU Zip (.gzip)
Self-Extracting .zip archives (.exe)
Zip Files (.zip)
Java archive (.jar)
TNEF (Winmail.dat)
Structured storage (for example, .doc, .xls, or .ppt)
Open XML (for example, .docx, .xlsx, or .pptx)
MIME (.eml)
SMIME (.eml)
Uuencode (.uue)
UNIX tape archive (.tar)
RAR archive (.rar)
MACBinary (.bin)

Antigen will scan all parts of the container file, and then repack the file as necessary. For example, if you configure a file filter to delete all .exe files, Antigen will delete .exe files inside container files (replacing them with the Deletion Text), but will leave all other files in the container intact.

Note:
Antigen cannot scan password-protected files or encrypted files. Although Antigen does not decrypt such files, the files are always passed to the antivirus scanners in their entirety in their encrypted form.

Excluding the contents of a container file from file filtering

To exclude the contents of a .zip file (container file) from being scanned for filter matches, specify the name of the .zip file in the file filter list, and then set the action to Skip. The order of the filter in the list is not important. If the name of the .zip file is in the file filter list and its action is set to Skip, file filters are not applied to the contents of the container. The file is, however, scanned for viruses. If you want to skip all .zip files, create the filter: *.zip, and then set the action to Skip.

By default, this functionality applies only to .zip and .jar files. If you would like to enable this functionality for other archive types (TAR, GZIP, RAR, Macintosh, SMIME, and Self-Extracting .zip archives), you can set the following DWORD registry values:

Scan job	DWORD registry value
Realtime Scan Job	SkipFileFilterWithinCompressedRealtime
Manual Scan Job	SkipFileFilterWithinCompressedManual
Internet Scan Job	SkipFileFilterWithinCompressedInternet

For the location of these registry keys, see Appendix B - Setting registry values. After creating each registry value, the value should be set to 1 to disable file filtering in the specified archive type.

Note:
OPENXML files (For example, Office 2007 documents) are ZIP container files, but they are not affected by the ZIP container settings.

Using file filtering to block most file types

You can use file filters to block some file types and permit others. The files permitted through in this example are Microsoft Office files. The filters in the example block all file attachments, with the exception of Office documents, for messages entering your organization from the Internet. It takes two file filters for this to work properly.

Note:
Be sure to create the file filter that permits Office documents through first, as the filters are applied, in order, from top to bottom.

To create a file filter that permits Office documents through

Click FILTERING in the left navigation shuttle, and then click the File icon. The File Filtering work pane appears on the right.
Create a new filter by following these steps:
1. Click Add.
2. Type <in>* as the file name, and then press ENTER.
3. Clear All Types in the File Types section, and then click Yes to confirm.
4. Select the DOCFILE, OPENXML, and TNEFFILE file types. (TNEFFILE is required because it is the wrapper around file attachments for internal mail.)
5. Set the Action parameter to Skip: detect only.
6. Clear the Quarantine Files check box.
7. Click Save.

To create a file filter that blocks all types of files

Click FILTERING in the left navigation shuttle, and then click the File icon. The File Filtering work pane appears on the right.
Create a new filter by following these steps:
1. Click Add.
2. Type <in>* as the file name, and then press ENTER.
3. Ensure that All Types is selected in the File Types section.
4. Set the action to Block or Purge, as desired.
5. Select Quarantine Files.
6. Select Send Notifications.
7. Click Save.

Note:
The Skip: detect only action in the first filter will generate an Incident log entry for almost every attachment that is received. If you would like this filter to apply to all e-mail messages and not solely to inbound messages, remove "<in>" from each of the filters.

Using filter set templates

Filter set templates can be created for use with any scan job. A single filter set template can be associated with any or all of the scan jobs, and you can also create multiple filter set templates for use on different servers or different scan jobs. For information on creating and configuring filter set templates, see “Using filter set templates” in Chapter 13 - Using content filtering.

About international character sets

Support for file filtering by name in Antigen extends beyond the English character set. For example, messages with attachments that include Japanese characters, words, or phrases are handled in the same manner as are messages with attachments that have only English character sets.

About statistics logging

The Incidents work pane contains statistics counters that log the number of attachments that meet specified criteria and therefore cause the messages to which they are attached to be purged. These counters can also be found in the Performance Monitor utility.

Chapter 11 - Using templates

Chapter 13 - Using content filtering