Chapter 3: Configuring File and Keyword Filters

 

Applies to: Forefront Security for Office Communications Server

Businesses are concerned about instant messages and attachments that contain inappropriate language or confidential corporate information, that break rules about file types, or that violate other corporate policies. Forefront Security for Office Communications Server offers three types of filters to help address this concern: file, keyword, and content filters.

  • File filters can be set to screen the external characteristics of an attachment—its name, its type (.exe, .gif, etc.), and its size. For example, you may not want employees to attach .exe or .mp3 files, or files over a size limit you specify.
  • Keyword filters screen the contents of an IM or an attachment to expose those that, for example, contain offensive or inappropriate language or confidential business information.
  • Content filters screen IM and attachments based on sender or recipient and domain address criteria, helping manage the flow of messages to and from the enterprise.

Forefront Security for Office Communications Server filters are the first line of defense, and are applied before virus scanning. Only after message text and attachments pass the scrutiny of these filters are they scanned further. Inappropriate content or potentially dangerous attachments detected by the filters can be blocked, deleted, quarantined, etc., depending on the type of filter and how you configure it. Filters can also be configured to notify both administrators and users of the filtering results. To improve system performance, administrators can set up lists of safe e-mail addresses and domains that need not be subject to filtering.

Note

This evaluation guide covers file and keyword filtering. For information on content filtering see the Content filtering section in the Forefront Security for Office Communications Server User Guide.

In this chapter

  • Configuring file filters
    • To create and enable a file filter
    • Optimizing file filters
  • Configuring a keyword filter
    • To create a keyword filter list
    • To enable a keyword filter list
  • Setting the action for file and keyword filters
  • Creating lists of allowed senders and recipients
    • To create a list of allowed senders and recipients
    • To enable a list of allowed senders and recipients

Configuring file filters

You can use file filters to search for attached files by specifying a name, extension, or size. If the IM scan job finds a match, the file filter can be configured to take a variety of actions including deleting, blocking, or quarantining the filtered attachment.

Note

For more information about configuring file filters, such as using wildcard characters or filtering container files (e.g., .zip or .jar), see the File filtering section in the Forefront Security for Office Communications Server User Guide.

To create and enable a file filter

The following procedure uses the example of specifying a filter that catches any .exe file, no matter what the file extension appears to be.

To create and enable a file filter:

  1. Under FILTERING, click File.

  2. Under Name, select the scan job that the filter will apply to.

  3. Make sure that State is set to Enabled, and that File Filtering is On.

    If it is not, click OPERATE at screen left, and then click Run Job. Make sure File Filtering is checked, and then click Enable. This enables file filtering for the IM Scan Job.

  4. Click Add.

    The filters work through a combination of file name and file type, so you will specify both elements in the next steps.

  5. Under File Names, type the file name or extension you want the filter to look for, and press ENTER.

    You can use a full file name (for example, file.exe) or wildcards (as in our example, *.*).

    Note

    For details on using wildcards, see “Matching patterns in the file name with wildcard characters” in the File filtering section of the Forefront Security for Office Communications Server User Guide.

  6. In the File Types section, associate the File Name filter with file types.

    In our example, we are specifying a filter for any .exe file no matter what the file name appears to be. For other examples and further explanation about how to specify file filters, see Optimizing file filters.

  7. Make sure the File Filter is set to Enabled.

    This enables the specific file filter.

  8. Under Action, choose what you want the filter to do when it finds a file that meets the criteria you specified above.

    For information about these choices, see Setting the action for file and keyword filters.

  9. To notify the administrator when the filter detects an attachment that meets your criteria, check the Send Notifications box.

    Find out how to create a notification.

  10. To save copies of blocked attachments for later inspection, check the Quarantine Files box.

    For information on quarantining, see Using the Quarantine Database.

  11. Click Save.

Optimizing file filters

The file filter offers a flexible means to detect file attachments within messages so you can address the specific protection needs of your environment.

Filtering by actual file type (regardless of the extension)

Forefront Security for Office Communications Server can filter files by determining their actual file type rather than looking at the file extension. This bars attempts to bypass a filter by changing the file extension.

Example: To catch all executables (even if they have a .doc or .bmp extension, for example), type *.* in the File Names entry field. For File Types, check the .EXE box, and clear the All Types box.

Filtering by extension

You may want to block files with a certain extension—say, if your company does not permit sharing of .mp3 files.

Example: To catch all .mp3 files, type *.MP3* in the File Names entry field and check the All Types box. (The second asterisk prevents files with characters appended after the file extension from bypassing the filter.)

Filtering by name

You may want to filter all files with a certain name—for example, when there is an outbreak of a new virus, you may know the name of the file that contains the virus before your virus scanners are updated to detect it. A perfect example was the Melissa worm, which was embedded in a file named list.doc.

Example: To filter any file named payload.doc, no matter what the type, type payload.doc in the File Names entry field. For File Types, check the All Types box.

Filtering either inbound or outbound IM

This is useful if you want to check only inbound or only outbound messages. To set this filter, prefix the file name with <in> or <out>. There should be no spaces between the prefix and the file name.

Examples:

  • <in>test.doc: Detects the file named test.doc only on inbound messages.
  • <out>test.doc: Detects the file named test.doc only on outbound messages.

Filtering by file size

File filters can be set to block files of a certain size, using standard comparison operators ( =, <, >, <=, >=) and file size designations (KB, MB, GB). These can be combined with file name and file type conventions. There should be no spaces in the string.

Examples:

  • *.bmp>=1.2MB: Detects any .bmp file equal to or larger than 1.2 MB.
  • <in>*.com>150KB: Finds any inbound .com file larger than 150 KB.
  • *.*>5GB: Detects any file larger than 5 GB.
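
The filter strings above combine an optional direction prefix, a wildcard name pattern, and an optional size comparison. The following Python sketch is an added example, not code from Forefront Security for Office Communications Server; it parses such a string and tests it against an attachment. It assumes case-insensitive shell-style wildcard matching and binary units (1 KB = 1024 bytes), neither of which this page specifies, and the names parse_filter and matches are hypothetical.

```python
import operator
import re
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional

# Assumption: binary units (1 KB = 1024 bytes); the page does not define them.
UNITS = {"KB": 1024, "MB": 1024**2, "GB": 1024**3}
OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}

# [<in>|<out>] name-pattern [operator size unit], with no spaces anywhere.
EXPR = re.compile(
    r"^(?:<(?P<dir>in|out)>)?(?P<name>.+?)"
    r"(?:(?P<op>>=|<=|=|<|>)(?P<num>\d+(?:\.\d+)?)(?P<unit>KB|MB|GB))?$",
    re.IGNORECASE,
)

class FileFilter(NamedTuple):
    direction: Optional[str]   # "in", "out", or None for both directions
    pattern: str               # lower-cased wildcard pattern
    op: Optional[str]          # comparison operator, if a size was given
    limit: Optional[float]     # size threshold in bytes

def parse_filter(expr: str) -> FileFilter:
    # The page says these strings contain no spaces; reject them instead of
    # silently treating " >= 1.2MB" as part of the file name.
    if " " in expr:
        raise ValueError("filter strings must not contain spaces")
    m = EXPR.match(expr)
    if m is None:
        raise ValueError(f"unrecognized filter string: {expr!r}")
    limit = None
    if m["op"]:
        limit = float(m["num"]) * UNITS[m["unit"].upper()]
    direction = m["dir"].lower() if m["dir"] else None
    return FileFilter(direction, m["name"].lower(), m["op"], limit)

def matches(expr: str, filename: str, size: int, direction: str) -> bool:
    """direction is "in" or "out"; size is the attachment size in bytes."""
    f = parse_filter(expr)
    if f.direction and f.direction != direction:
        return False
    if not fnmatchcase(filename.lower(), f.pattern):
        return False
    return f.op is None or OPS[f.op](size, f.limit)
```

Running the page's own strings through matches shows why *.MP3* catches a file named song.mp3_ while *.MP3 would not.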

Filtering compressed files

The IM scan job can filter compressed files and various compressed formats (such as PKZIP, WinZip, or GZIP) with the exception of password-protected compressed files. It can also look for files embedded in other files—for example, specific image file types embedded in Word documents. It can unpack .zip and other container files, remove specific contents from within them, and then repack them.

Example: Consider a .zip file that contains a .doc file and an .exe file. If you create a file filter to block .exe files, then Forefront Security for Office Communications Server would unpack the .zip file and remove the .exe file. It would then replace it with a text file that includes the deletion text message, and repackage the .zip file, which would then be scanned for viruses.
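
The following Python sketch is an added example, not the product's own code. It combines the two ideas described above: it identifies executables by their actual type (the leading "MZ" bytes of a Windows executable) rather than by extension, and it unpacks a .zip file, replaces each executable with a deletion text file, and repacks the archive. The deletion text wording, the ".txt" naming of the replacement, the rule name, and the refusal of password-protected members are assumptions made for this example.

```python
import io
import zipfile

# Constructed wording; the product's actual deletion text is configurable.
DELETION_TEXT = "Attachment {name} was removed by file filter {rule}.\n"

def is_windows_executable(data: bytes) -> bool:
    """True-type check: DOS/PE executables begin with the bytes 'MZ'."""
    return data[:2] == b"MZ"

def filter_zip(archive: bytes, rule: str = "block-exe"):
    """Unpack a .zip, replace executables with deletion text, and repack.

    Returns (new_archive_bytes, removed_member_names).
    """
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.flag_bits & 0x1:
                # Encrypted member: its contents cannot be inspected. The
                # page only says such files cannot be filtered; this sketch
                # refuses them (assumption).
                raise ValueError(f"password-protected member: {info.filename}")
            data = src.read(info)
            if is_windows_executable(data):
                removed.append(info.filename)
                text = DELETION_TEXT.format(name=info.filename, rule=rule)
                dst.writestr(info.filename + ".txt", text)
            else:
                dst.writestr(info.filename, data)
    return out.getvalue(), removed

def build_sample() -> bytes:
    """Constructed sample: a document plus an executable renamed to .bmp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.doc", b"quarterly numbers")
        z.writestr("holiday.bmp", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()
```

The repacked archive returned by filter_zip is what would then be handed to the virus scanners.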

Configuring a keyword filter

Keyword filtering analyzes the contents of both IM and attached files to identify unwanted or prohibited content, which you identify by creating keyword filter lists, based on words, phrases, or sentences.

Configuring a keyword filter requires two steps: First, you create the keyword list. Then you enable the filter to specify what Forefront Security for Office Communications Server will do when the filters identify a file. You must create a separate list for each category—racial discrimination, sexual discrimination, spam, and so on. (Forefront Security for Office Communications Server provides example lists for profanity.)

Note

For information about syntax rules for building keyword lists, profanity filters, and other keyword filter specifics, see the Keyword filtering section in the Forefront Security for Office Communications Server User Guide.

To create a keyword filter list

To create a keyword filter list:

  1. Under FILTERING, click Filter Lists.

  2. Under List Types, click Keywords.

  3. Click Add.

  4. Type a name for the new list, and press ENTER.

  5. With the new list name selected, click Edit.

  6. Under Include in Filter, click Add.

  7. Type the keywords or phrases you want to include in the list, pressing ENTER after each one.

  8. In the Exclude from Filter section, type keywords or phrases that should never be included on the keyword list.

    This prevents these words and phrases from accidentally being added when importing a list from a text file.

  9. Click OK when you have completed the list.

    Now you are ready to enable the keyword filter, following the instructions below.

To enable a keyword filter list

After you create the list, you must enable the keyword filter.

To enable a keyword filter list:

  1. Under FILTERING at screen left, click Keyword.

  2. Under Name, select the scan job that the filter will apply to.

  3. Make sure that State is set to Enabled, and that Keyword Filtering is On.

    If it is not, click OPERATE at screen left, and then click Run Job. Make sure Keyword Filtering is checked, and then click Enable. This enables keyword filtering for the IM Scan Job.

  4. Under Keyword Fields, click Message or Text File.

  5. Under Filter Lists, select the filter list you have created.

  6. Make sure the Filter is set to Enabled.

    This enables the specific keyword filter list.

  7. Under Action, choose what you want the filter to do when it finds a file that meets the criteria you specified above.

    For information about these choices, see Setting the action for file and keyword filters.

  8. To notify the administrator or sender when the keyword filter identifies an attachment or message that contains one of the keywords you specified, check the Notify Admin/Sender box.

  9. To save copies of blocked attachments for later inspection, check the Quarantine box.

    For information on quarantining, see Using the Quarantine Database.

  10. Indicate what combination of messages and attachments you want to scan by checking or clearing the Inbound, Outbound, and Internal boxes.

  11. Select the minimum number of Unique Keyword Hits that will trigger the action specified in Step 7.

    In our example, we have set the Minimum Unique Keyword Hits to “2”. This means that two of the three keywords or phrases listed must appear in the document for the filter to take action. If, for instance, “Fabrikam Inc.” and “Top Secret” are both detected, then Forefront Security for Office Communications Server would filter it. But if “Fabrikam Inc.” was in the message twice and neither of the other terms appeared, it would not.

  12. Click Save.
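
The Minimum Unique Keyword Hits setting counts distinct list entries, not total occurrences. The following Python sketch is an added example, not the product's code, that models this together with the Inbound, Outbound, and Internal scope. The third keyword ("Merger Plan") is constructed, because the page names only two of the three, and case-insensitive whole-phrase matching is an assumption.

```python
import re
from dataclasses import dataclass, field

@dataclass
class KeywordFilter:
    keywords: list
    min_unique_hits: int = 1
    # Which traffic the filter scans (the Inbound/Outbound/Internal boxes).
    directions: set = field(
        default_factory=lambda: {"inbound", "outbound", "internal"})
    action: str = "Block"

    def hits(self, text: str) -> set:
        """Return the distinct list entries that occur in text."""
        found = set()
        for kw in self.keywords:
            # Assumption: case-insensitive, whole-word or whole-phrase match.
            pattern = r"(?<!\w)" + re.escape(kw) + r"(?!\w)"
            if re.search(pattern, text, re.IGNORECASE):
                found.add(kw)   # a set, so repeats of one keyword count once
        return found

    def evaluate(self, text: str, direction: str):
        """Return (action or None, sorted hits) for one message."""
        if direction not in self.directions:
            return None, []     # this traffic direction is not scanned
        found = self.hits(text)
        if len(found) >= self.min_unique_hits:
            return self.action, sorted(found)
        return None, sorted(found)

# "Merger Plan" is a constructed third entry for illustration.
EXAMPLE = KeywordFilter(["Fabrikam Inc.", "Top Secret", "Merger Plan"],
                        min_unique_hits=2)
```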

Setting the action for file and keyword filters

You can specify what action you want scan engines to take (as outlined in the table below) when they find an IM or attachment that is infected with a virus, breaks a rule about file types, or violates corporate policies.

| Action | Description |
|---|---|
| Skip: detect only | Records the messages or attachments that meet the filter criteria, but routes the messages normally. Use this feature to identify specific files without blocking them. For example, your company may be considering a policy against sharing certain types of files (say, .mp3) and you want to see if it is actually a problem. |
| File filters only: Delete: remove contents (default) | Deletes the attachment. Automatically replaces the contents of the attachment with a text file (known as deletion text) that gives the name of the infected file and of the filter. |
| Block | Prevents the IM message or attachment from reaching the recipient. Informs the recipient that the infected file has been blocked and gives the name of the virus or disallowed term. |

Creating lists of allowed senders and recipients

You can set up lists of e-mail addresses or domains that you do not want the IM Scan Job to filter. (These lists have no effect on scanning for viruses.) Before applying filters, Forefront Security for Office Communications Server will check the address or domain against the list of those allowed to send and receive IM. If the address or domain appears on the list, it will bypass any enabled filtering operations.

Configuring a list of allowed senders and recipients requires two steps. First you create the list of those senders and recipients you want to allow, and then you enable it.

To create a list of allowed senders and recipients

To create a list of allowed senders and recipients:

  1. Under FILTERING, click Filter Lists.

  2. Under List Types, click Allowed Sndr/Recp Lists.

  3. Click Add.

  4. Type a name for the new list, and press ENTER.

  5. With the new list name selected, click Edit.

  6. Under Include in Filter, click Add.

  7. Type any e-mail addresses (someone@example.com) or domains (*****example) you want to include in the list, pressing ENTER after each one.

  8. In the Exclude from Filter section, type addresses or domains that should never be included on the list of allowed senders.

    This prevents these addresses and domains from accidentally being added when importing a list from a text file.

  9. Click OK when you have completed the list.

    Now you are ready to enable the list of allowed senders and recipients following the instructions below.

To enable a list of allowed senders and recipients

After you have created a list of allowed senders and recipients, you must enable it.

To enable a list of allowed senders and recipients:

  1. Under FILTERING, click Allowed Sndr/Recp Lists.

  2. Under Name, select the scan job that the filter will apply to.

  3. Make sure that State is set to Enabled, and that File Filtering, Keyword Filtering, and Content Filtering are On.

    If they are not, click OPERATE at screen left, and then click Run Job. Make sure Keyword Filtering and Content Filtering are checked, and then click Enable.

  4. Under Sender/Recipient Lists, select the name of the list.

  5. Under List State, make sure the state is set to Enabled.

  6. Under Skip Scanning for, indicate what types of filtering the allowed sender/recipient list should apply to.

    You can choose any combination of content, keyword, or file filtering. To select all three types, check the All Types box.

  7. Click Save.