Filtering files by file type

 

Applies to: Forefront Protection for Exchange

Topic Last Modified: 2010-05-11

You can filter e-mail attachments of a certain file type. To filter by file type, create the filter list using the Filter files of specific types AND with specific name patterns option. Set the Filter criteria - by file type selection to the exact file type you want to filter, and in the Filter criteria - by file name section, type an asterisk (*) as the file name.

For example, you can set the file type to Windows Executable (exe), and then type * as the file name. This ensures that all executable (exe/dll) files are filtered regardless of their file name or extension.

One advantage of using the * wildcard and associating it with a specific file type (for example, Windows Executable (exe)) is that it prevents users from bypassing the filter by changing the extension or name of a file. Also, FPE works more efficiently if you select the appropriate file type rather than selecting all file types.

For more information about file types you can use in creating file filters, see File types used in creating file filters.

Note:
For Microsoft Office 2007 documents (for example: Word, Excel, and PowerPoint), you should use the proper file extension in the Filter criteria - by file type box and then in the Filter criteria - by file type list, click Microsoft Office OpenXML.
Note:
Embedded files within a Microsoft Office 2007 (OpenXML) file are not filtered. For example, if you create a file filter list that filters .wmf file extensions (*.wmf), and a .wmf file is embedded within an Office 2007 (OpenXML) file, the *.wmf file is not filtered. You can use the following Windows PowerShell extended option to enable the filtering of embedded files within an Office 2007 (OpenXML) file:
    New-FseExtendedOption -Name EnableOOXMLFilter -Value true
However, if you enable file filtering for OpenXML files in this manner, the entire contents of the OpenXML file are deleted, not just the .wmf file, and an "UnwritableCompressedFile" incident is logged.

You can use file filter lists in order to block some file types and permit others. For example, you can create filter lists that block all files, with the exception of Microsoft Office documents. It takes two file filter lists for this to work properly; the steps for creating these two filter lists are described in the following procedures.

Note:
Be sure to create the file filter list that permits attached Office documents first, then the file filter list that blocks all files. This is because the filter lists are applied in the order that they were created (from oldest to newest). If at any time you have changed the order of your file filter lists for the transport scan, you can reorder them so that the first procedure executes first; for details about how to do this, see “Changing the order of file filter lists” in Viewing and managing filter lists.
To create a file filter list that permits Office files
  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Protection Settings, and then under the Filters section, click Configure.

  2. In the Filters – Filter Lists pane, click the Create button.

  3. In the Select Filter Type dialog box, select File and then click Next.

  4. In the Select Your Goal dialog box, select Filter files of specific types AND with specific name patterns and then click Next.

  5. In the Select File Types dialog box, specify the filter list name and file types:

    1. In the Filter list name box, type a name for the new list.

    2. In the Filter criteria - by file type section, select all Microsoft Office file types (for example, Microsoft Office OpenXML). Under Other Applications, select the Microsoft Transport Neutral Encapsulation Format file type, and then click Next. The TNEF file type is required because it is the wrapper around file attachments for internal mail.

  6. In the Select File Names dialog box, in the Filter criteria - by file name section, type <in>* as the file name, click Add, and then click Next. Using <in>* filters all inbound files, regardless of the file name or extension.

  7. In the Target dialog box, configure how you want the filter list to be applied to the Hub/Edge Transport Scan:

    1. Using the Enabled drop-down list, select Yes.

    2. Using the Action drop-down list, select Skip detect.

    3. Using the Quarantine files drop-down list, select No. This avoids adding a large number of quarantined items to the database.

    4. Click Create.

      The filter list you just created appears on the Filters – Filter Lists pane.

Next, create a filter list to block all files. As long as the file filter list that permits Office files through executes first, Office files are permitted and all other files are purged.

To create a filter list that blocks all types of files
  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Protection Settings, and then under the Filters section, click Configure.

  2. In the Filters – Filter Lists pane, click the Create button.

  3. In the Select Filter Type dialog box, select File and then click Next.

  4. In the Select Your Goal dialog box, select Filter files with specific name patterns and then click Next.

  5. In the Select File Names dialog box, specify the filter list name and file name:

    1. In the Filter list name box, type a name for the new list.

    2. In the Filter criteria - by file name section, type <in>* as the file name, click Add, and then click Next.

  6. In the Target dialog box, configure how you want the filter list to be applied to the Hub/Edge Transport Scan:

    1. Using the Enabled drop-down list, select Yes.

    2. Using the Action drop-down list, select Purge.

    3. Using the Quarantine files drop-down list, select Yes.

    4. Click Create.

      The filter list you just created appears on the Filters – Filter Lists pane.

Important:
The Skip detect action in the first filter list generates an incident log entry for almost every attachment received. Also, TNEF is used for all internal Microsoft Exchange e-mail, so if you create these filters on a Hub server, you will generate an event for every e-mail. This can quickly overwhelm your server and inflate your incidents database to an unmanageable size. You can ease this problem by making sure the file name of the first filter list is <in>*. That way, this filter list is applied only to inbound e-mail, although a lot of events are still generated. Also, if you choose to quarantine files in the second filter list, you will likely get a lot of quarantined files.
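The following added example is a simplified model, not Forefront Protection for Exchange code or configuration. It shows why a by-type filter with * as the file name catches a renamed executable that a name-only filter misses, and why the permit list must come before the block-all list. It assumes that the first matching list decides the action and that file types are recognized from leading bytes; the <in> direction prefix is not modeled, and all names and sample bytes are constructed.

```python
# Added illustration: simplified model, not Forefront Protection for Exchange code.
import fnmatch
import io
import zipfile

def detect_type(data: bytes) -> str:
    """Classify an attachment by its content, ignoring its file name."""
    if data[:2] == b"MZ":
        return "exe"                       # Windows executable (exe/dll)
    if data[:4] == b"\x78\x9f\x3e\x22":
        return "tnef"                      # TNEF signature 0x223E9F78, little-endian
    if data[:4] == b"PK\x03\x04":          # ZIP container; OpenXML adds a manifest
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if "[Content_Types].xml" in z.namelist():
                    return "openxml"
        except zipfile.BadZipFile:
            pass
        return "zip"
    return "unknown"

def evaluate(filter_lists, name, data):
    """Return the action of the first list, in order, that matches (assumption)."""
    ftype = detect_type(data)
    for fl in filter_lists:
        type_ok = fl["types"] is None or ftype in fl["types"]
        if type_ok and fnmatch.fnmatch(name.lower(), fl["pattern"]):
            return fl["action"]
    return "deliver"

def make_openxml() -> bytes:
    """Build a minimal constructed OpenXML-style container in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()

# Hypothetical stand-ins for the filter lists described in the procedures.
PERMIT_OFFICE = {"types": {"openxml", "tnef"}, "pattern": "*", "action": "skip-detect"}
BLOCK_ALL = {"types": None, "pattern": "*", "action": "purge"}
BY_NAME_ONLY = {"types": None, "pattern": "*.exe", "action": "purge"}
BY_TYPE = {"types": {"exe"}, "pattern": "*", "action": "purge"}

RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60   # constructed: executable header stub
DOCX = make_openxml()                        # constructed: Office OpenXML stand-in

if __name__ == "__main__":
    for label, lists in (("permit first", [PERMIT_OFFICE, BLOCK_ALL]),
                         ("block first", [BLOCK_ALL, PERMIT_OFFICE])):
        print(label, evaluate(lists, "report.docx", DOCX),
              evaluate(lists, "invoice.txt", RENAMED_EXE))
```

With the block-all list placed first, the Office document is purged as well, which is the misordering the note about creation order warns against.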
 