Mechanics of file filtering

 

Applies to: Forefront Security for Exchange Server

File filtering can be configured to assess several aspects of an attached file: the file name and extension, the actual file type, and the file size. By using these criteria, administrators can filter files in a variety of ways.

Filtering by file type

If you want to filter certain file types, you can create the filter *.* and set the File Types selection to the exact file type you want to filter.

For example: Create the filter *.* and set the File Types to MP3. This ensures that all MP3 files are filtered no matter what their file name or extension.

One advantage of setting a generic filter (for example, *.*) and associating it with a certain file type (for example, EXE) is that it prevents users from bypassing the filter by simply changing the extension of a file.

Filtering by extension

If you want to filter any file that has a certain extension, you can create a generic filter for the extension and set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: Create the filter *.exe* and set the File Types selection to All Types. This ensures that all files with an .exe extension are filtered.

Filtering by name

If you want to filter all files with a certain name, you can create a filter using the file name and set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: If a virus uses an attached file named payload.doc, you can create the filter payload.doc and set the File Types selection to All Types. This ensures that any file named payload.doc is filtered no matter what the file type.

Filtering by file size

The Forefront Security for Exchange Server file filter can also be configured to filter files based on their size. To detect files by size, specify a comparison operator (=, >, <, >=, <=) and a file size in kilobytes (KB), megabytes (MB), or gigabytes (GB). These are placed immediately after the file name. For example, the filter *.bmp>=1.2MB filters all .bmp files larger than or equal to 1.2 megabytes.

The General Options setting Max Container File Size specifies the maximum container file size (in bytes) that FSE will attempt to clean or repair in the event that it discovers an infected file.
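
The name, file type, and size criteria described above can be modelled in a few lines. The following is an added example, not Forefront code: it parses a filter such as *.bmp>=1.2MB and evaluates it against a file's name, content, and size. Assumptions: wildcards follow Python's fnmatch rules (so *.* needs a dot in the name), 1 KB is 1024 bytes, file types are recognised by simplified leading-byte signatures, and the function and variable names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Assumption: binary units (1 KB = 1024 bytes); the page does not define them.
UNITS = {"KB": 1024, "MB": 1024**2, "GB": 1024**3}
OPS = {
    "=": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
}
# Simplified leading-byte signatures, for illustration only.
SIGNATURES = {"EXE": b"MZ", "MP3": b"ID3"}
# Name pattern, then an optional <operator><number><unit> size clause.
FILTER_RE = re.compile(
    r"^(?P<name>.+?)(?:(?P<op>>=|<=|=|>|<)(?P<num>\d+(?:\.\d+)?)(?P<unit>KB|MB|GB))?$",
    re.IGNORECASE,
)


def parse_filter(expr):
    """Return (name_pattern, operator, size_limit_in_bytes) for one filter."""
    m = FILTER_RE.match(expr.strip())
    if m is None:
        raise ValueError(f"bad filter: {expr!r}")
    if m["op"] is None:
        return m["name"], None, None
    return m["name"], m["op"], float(m["num"]) * UNITS[m["unit"].upper()]


def detect_type(data):
    """Classify content by its leading bytes, ignoring the file name."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def is_filtered(expr, file_types, filename, data):
    """True when name pattern, File Types selection and size clause all match."""
    pattern, op, limit = parse_filter(expr)
    if not fnmatchcase(filename.lower(), pattern.lower()):  # not case-sensitive
        return False
    if file_types != "All Types" and detect_type(data) != file_types:
        return False
    return op is None or OPS[op](len(data), limit)


# Constructed sample: an executable renamed to look like an image.
RENAMED_EXE = ("holiday.jpg", b"MZ" + bytes(64))
```

With the constructed sample, the extension filter *.exe* with All Types does not match the renamed file, while *.* with the EXE file type does, which is the advantage of type-based filtering noted earlier.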