Chapter 8 - Using file filtering

 

Applies to: Microsoft Antigen

The Antigen for SMTP Gateways file filter feature provides the ability to search for attachments with a specific name, type, and size within an e-mail message. If the file filter finds a match, the file filter can be configured to perform actions on the attachment, such as delete, quarantine, notify, and report the detected file. The file filter offers a flexible means to detect file attachments within e-mail messages and other Outlook items, including Tasks and Schedules (such as meetings and appointments).

Mechanics of file filtering

File filtering can be configured to assess several aspects of an attached file: actual file type, file extension and name, and file size. By using these criteria, you can filter files in a variety of ways.

Filtering by file type

If you want to filter certain file types, you can create the filter * and set the File Types selection to the exact file type you want to filter.

For example: Create the filter * and set the File Types to MP3. This will ensure that all MP3 files are filtered, regardless of their file name or extension.

One advantage of setting a generic * filter and associating it with a certain file type (for example, EXEFILE) is that the match is made on the actual file type rather than on the name, so users cannot bypass the filter simply by changing the extension of a file.

Note

If you want to filter Microsoft Office Excel® files, you will need to enter *.xls or * in the File Names box and then select both WINEXCEL1 and DOCFILE in the File Types list. Excel 1.x files are WINEXCEL1 file types, but newer versions of Excel are DOCFILE file types.
For Microsoft Office 2007 documents (Word, Excel, and PowerPoint®), you should use the proper file extension in the File Names box, and then select OPENXML in the File Types list.

Filtering by extension

If you want to filter any file that has a certain extension, you can create a generic filter for the extension and then set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: Create the filter *.exe* and then set the File Types selection to All Types. This will ensure that all files with an .exe extension are filtered.

Important

When creating generic file filters to stop all of a certain type of file (for example, .exe files), it is recommended that you write the filter in this format: *.exe*. The second asterisk (*) prevents files with extra characters appended after the file extension (for example, invoice.exe.txt) from bypassing the filter. Because * matches any number of characters, the same pattern also matches any name that merely contains .exe, such as notes.exemption.pdf, so review the Incidents log after deploying a generic filter to confirm that it is not catching legitimate attachments.

Filtering by name

If you want to filter all files with a certain name, you can create a filter by using the file name and setting the File Types selection to All Types. Filter matching is not case-sensitive.

For example: If a virus uses an attached file named payload.doc, you can create the filter payload.doc and set the File Types selection to All Types. This will ensure that any file named payload.doc is filtered, regardless of the file type.

Detecting file attachments by name is also useful when there is a new virus outbreak and the administrator knows the name of the file where the virus resides before the virus scanners are updated to detect it. A perfect example of this is the Melissa worm. The worm resided in a file named List.doc and could have been detected if the administrator had used file filtering before the virus scanners could detect it.

Configuring the file filter

You can configure the file filter by file names, file types, or file sizes.

To configure the file filter

  1. Click FILTERING in the Shuttle Navigator.

  2. Select the File icon. The File Filtering pane appears on the right.

  3. In the upper work pane, select the scan job for which you would like to create the file filter.

  4. To detect file attachments with a particular file name, add the file name to the File Names section of the work pane by clicking Add, typing the file name that you want to detect, and pressing ENTER.

    Optionally, you can configure Antigen to filter files based on their size. To detect files by size, when typing the file name, specify a comparison operator (=, >, <, >=, <=) and a file size (in KB, MB, or GB) after the file name. There should be no spaces between the file name and the operator, or between the operator and the file size.

    Examples:

      • *.bmp>=1.2MB matches all .bmp files of 1.2 megabytes or more
      • *.com>150KB matches all .com files larger than 150 kilobytes
      • *>5GB matches all files larger than 5 gigabytes

    Note

    For additional buttons you can use when configuring file names, see About file names buttons.

  5. Specify the list of File Types that can be associated with the selected File Name. You can select one or more File Types from the list, or select All Types located below the list. If the File Type that you want to associate with the selected File Name is not available in the list, then select All Types. (For a description of the file types listed in the selection box, see Appendix E - File types overview.)

    The All Types selection configures Antigen to filter based only on the file name and file extension: the selected file name is detected regardless of the actual file type, so a renamed executable that arrives as payload.doc is still caught by the filter payload.doc. A name-only filter does not, however, catch a file whose name has been changed to something the pattern does not cover. To catch a file by what it actually is rather than by what it is called, pair the generic file name * with a specific file type instead.

    If you know the file type that you are searching for, Antigen will work more efficiently if you select the appropriate file type rather than All Types. For example, if you want to filter all EXE files, you can create the filter * and then set File Types to EXEFILE.

  6. Ensure that the File Filter is set to Enabled. It is enabled by default.

  7. Indicate the Action to take if there is a filter match.

  8. Indicate whether to Send Notifications for the selected file name. This does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Chapter 14 - Using e-mail notifications). It is disabled by default.

  9. Indicate whether to Quarantine Files for the selected file name. It is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable.

  10. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the filter. To create your own custom message, click Deletion Text.

    Note

    Antigen provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros.

  11. Click Save.

You can also create a filter list that contains multiple file filters. After you have created the list, the steps for configuring the filter list are the same as in the preceding procedure, except you must select the filter list rather than a filter name.

To create a file filter list

  1. Click the Filter Lists icon in the FILTERING section of the Shuttle Navigator.

  2. In the List Types section, select Files.

  3. In the List Names section, click Add.

  4. Type a name for the new list, and then press ENTER. The empty list appears in the List Names section.

  5. With the new list name selected, click Edit. The Edit Filter List dialog box appears. Use the dialog box to add file filters to the list.

  6. In the Include In Filter section, click Add.

  7. Type the file names to be included in the filter list. Press ENTER when you have finished typing. You can have as many file names as you want, but each must be entered separately.

    The Exclude from Filter field is used to enter file names that should never be included on the relevant list. This prevents these entries from accidentally being added when importing a list from a text file. For more information on importing files, see "Importing new items into a filter list" and "Exporting sender-domains filters, file filters, and subject line filters" in Chapter 9 - Using content filtering.

  8. When you are finished adding items, click OK. The file names you just entered appear, alphabetically, in the pane next to List Names.

  9. Click Save.

Note

You can change the name of a list by selecting the list in the List Names box and then pressing F2.

Action

Choose the action that you want Antigen for SMTP Gateways to perform when a file filter is matched.

Note

You must set the action for each file filter that you configure. The Action setting is not global.


Skip: Detect Only

Records the number of messages that meet the filter criteria, but allows messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files is selected in General Options, a match to any of those conditions causes the item to be deleted.

Delete: Remove Contents

Deletes the file attachment. The detected file attachment is removed from the message and a text file is inserted in its place. The text file contains the string that was configured using the Deletion Text button. Delete: Remove Contents is the default value.

Purge: Eliminate Message

Deletes the message from your mail system. When you select this option, a warning appears informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue.

Note   If the Quarantine Files box is selected, however, purged messages are quarantined and can then be recovered from the quarantine database.

Identify: Tag message

The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by clicking the Tag Text button on the Scan Job Settings work pane and then modifying the text. The same tag, however, will be used for all filters associated with the particular scan job.

About file names buttons

The following buttons below the File Names section let you edit or delete a file name from the list. You can also change the order in which file names are filtered.


Edit

Enables you to edit an existing file name from the File Names section. Select the file name that you want to edit, and then click Edit. A dialog box appears that enables you to edit the selected file name. After you have completed making the necessary edits, click Save to submit or Cancel to undo.

Delete

Enables you to remove a file name from the File Names section. Select the file name that you want to delete, click Delete, and then click Save.

[Up Arrow], [Down Arrow]

Enables you to change the order in which file names are filtered. In the lower pane, select the file name that you want to reorder, and then click the UP ARROW or DOWN ARROW buttons (on the same line with File Names) to change the ranking to your preference.

Matching patterns in the file name with wildcard characters

Use wildcard characters to have your filter match patterns in the file name, rather than a specific file name. You can use any of the following to refine your filters.


*

Used to match any number of characters in a file name. You can use multiple asterisks. The following are some examples of its usage:

  • Single—Any of these single wildcard character patterns detects veryevil.doc: veryevil.*, very*.doc, very*, *il.doc
  • Multiple—Any of these multiple wildcard character patterns detects eicar.com: e*c*r*om, ei*.*, *car.*

Note   Use multiple asterisks to filter file attachments with multiple extensions. For example: love*.*.* matches multiple extensions.

?

Used to match any single character in a name where a single character may change. For example: virus?.exe finds virusa.exe, virus1.exe, or virus$.exe. However, this filter does not catch virus.exe.

[set]

A list of characters and ranges, enclosed in square brackets [abcdef]. Any single character in the specified set is matched. For example: klez[a-h].exe finds kleza.exe through klezh.exe.

[^set]

Used to exclude characters that you know are not used in the file name. For example: klez[^m-z].exe does not find klezm.exe through klezz.exe.

[range]

Used to indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example:

klez[ad-gp].exe matches kleza.exe, klezd.exe, klezf.exe, and klezp.exe but not klezb.exe or klezr.exe.

\char

Indicates that special characters are used literally. (The characters are: * ? [ ] - ^ < >.) The backslash is called an escape character, and indicates that a reserved control character should be taken literally, as a text character. For example: If you enter *hello*, you would typically expect to match hello anywhere in the file name. If you enter *\*hello\**, you match *hello*. If you enter *\*hello\?\**, you match *hello?*.

Note   You must use a backslash before each special character.

Using directional file filters

When using the file filter in conjunction with the SMTP Scan Job, it is possible to configure a filter so that it checks only inbound or outbound messages. This is accomplished by adding a prefix to the file name when you enter it in the File Names work pane.

(For information about the inbound, outbound, and internal designations, see Chapter 6 - Configuring SMTP Scan Jobs.)

Note

There are no spaces between the prefix and the file name.

The options are:

  • Inbound Filtering—Adding a prefix to the file name with the <in> directive instructs Antigen for SMTP Gateways to apply this filter only to inbound messages. For example: <in>filename
  • Outbound Filtering—Adding a prefix to the file name with the <out> directive instructs Antigen for SMTP Gateways to apply this filter only to outbound messages. For example: <out>filename
  • Inbound, Outbound, and Internal Filtering—If no prefix is added to the file name, the filter is applied to all messages, regardless of direction. For example: filename
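The size clause from step 4 of the configuration procedure, the wildcard rules above, and the <in>/<out> prefix together form a small grammar for File Names entries. The following Python script is an added example written for this page, not Antigen's own code: it parses entries in that grammar, translates the wildcards into a regular expression, and reports which entries match a set of constructed attachments. The function names, the conversion of KB/MB/GB to bytes, and the sample attachments are this example's own assumptions.

```python
# Added example (not Antigen code): parse Antigen-style File Names entries and
# test attachment names against them offline. The wildcard translation, the size
# clause and the <in>/<out> prefix follow the rules described in this chapter;
# function names and the sample attachments are this example's own choices.
import operator
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_SIZE_UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
_SIZE_RE = re.compile(r"^(.*?)(>=|<=|=|>|<)(\d+(?:\.\d+)?)(KB|MB|GB)$", re.IGNORECASE)
_DIR_RE = re.compile(r"^<(in|out)>(.*)$", re.IGNORECASE)
_OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt,
        ">=": operator.ge, "<=": operator.le}

def wildcard_to_regex(pattern: str):
    """Translate * ? [set] [^set] [a-z] and \\char into an anchored regex.
    Matching is not case-sensitive, as on the page."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):   # \char: next character is literal
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*":
            parts.append(".*")
        elif c == "?":
            parts.append(".")
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError(f"unterminated [set] in {pattern!r}")
            body = pattern[i + 1:end]
            negate = body.startswith("^")
            if negate:
                body = body[1:]
            # keep '-' so ranges such as a-h work; escape everything else
            body = "".join(ch if ch == "-" else re.escape(ch) for ch in body)
            parts.append("[" + ("^" if negate else "") + body + "]")
            i = end + 1
            continue
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

@dataclass
class FileFilter:
    entry: str                  # text exactly as typed in the File Names box
    direction: Optional[str]    # "in", "out", or None for all directions
    size_op: Optional[str]      # one of = > < >= <=, or None
    size_bytes: Optional[float]
    regex: "re.Pattern"

def parse_filter(entry: str) -> FileFilter:
    rest, direction, size_op, size_bytes = entry, None, None, None
    m = _DIR_RE.match(rest)
    if m:
        direction, rest = m.group(1).lower(), m.group(2)
    m = _SIZE_RE.match(rest)
    if m:                       # no spaces around the operator, as on the page
        rest, size_op, number, unit = m.groups()
        size_bytes = float(number) * _SIZE_UNITS[unit.upper()]
    return FileFilter(entry, direction, size_op, size_bytes, wildcard_to_regex(rest))

def matches(f: FileFilter, name: str, size: int, direction: str) -> bool:
    """direction is the message direction: "in", "out" or "internal"."""
    if f.direction is not None and f.direction != direction:
        return False
    if not f.regex.match(name):
        return False
    return f.size_op is None or _OPS[f.size_op](size, f.size_bytes)

def match_all(entries: List[str], attachments) -> Dict[str, List[str]]:
    """For each (name, size, direction) attachment, list every entry that matches."""
    filters = [parse_filter(e) for e in entries]
    return {name: [f.entry for f in filters if matches(f, name, size, direction)]
            for name, size, direction in attachments}

# Constructed sample data: entries taken from this chapter, attachments invented.
ENTRIES = ["<in>*.exe*", "virus?.exe", "klez[a-h].exe", "*.bmp>=1.2MB", "*>5GB"]
ATTACHMENTS = [
    ("invoice.exe", 40_000, "in"),
    ("invoice.exe.txt", 40_000, "in"),    # extra characters after the extension
    ("VIRUSA.EXE", 1_000, "in"),          # case does not matter
    ("photo.bmp", 2 * 1024 ** 2, "out"),  # 2 MB, outbound
    ("kleze.exe", 500, "internal"),       # <in> filters do not apply to internal mail
]

if __name__ == "__main__":
    for name, hits in match_all(ENTRIES, ATTACHMENTS).items():
        print(f"{name:18} -> {hits}")
```

Running the script shows invoice.exe.txt caught by the trailing asterisk, VIRUSA.EXE caught by two entries despite its upper-case name, the outbound photo.bmp caught only by the size clause, and the internal kleze.exe escaping the <in> filter but not the [a-h] set.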

About filtering container files

Container files can be broadly described as complex files that can be divided into various parts. Antigen for SMTP Gateways can scan the following container files for filter matches:

  • PKZip (.zip)
  • GNU Zip (.gzip)
  • Self-Extracting .zip archives (.exe)
  • Zip files (.zip)
  • Java archive (.jar)
  • TNEF (Winmail.dat)
  • Structured storage (for example, .doc, .xls, or .ppt)
  • Open XML (for example, .docx, .xlsx, or .pptx)
  • MIME (.eml)
  • SMIME (.eml)
  • UUEncode (.uue)
  • UNIX tape archive (.tar)
  • RAR archive (.rar)
  • MACBinary (.bin)

Antigen for SMTP Gateways scans all parts of the container file and repacks the file as necessary. For example, if you configure a file filter to delete all .exe files, Antigen for SMTP Gateways deletes .exe files inside container files (replacing them with the deletion text) but leaves all other files in the container intact.

Note

Antigen for SMTP Gateways cannot scan password-protected or encrypted files. Although Antigen for SMTP Gateways does not decrypt such files, the files are always passed to the antivirus scanners in their entirety, in their encrypted form. Because file filters cannot see inside an encrypted archive, a blocked file type can be carried past them inside a password-protected .zip; if that is a concern, select Delete Encrypted Compressed Files in General Options (see the Skip: Detect Only action above), which deletes such archives regardless of the filter action.
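To make concrete what "scans all parts of the container file and repacks the file as necessary" means, here is an added Python example written for this page (not Antigen's code). It applies a single file-name pattern to the members of a .zip archive, replaces each match with a deletion-text placeholder, recurses into nested archives, copies everything else unchanged, and passes an archive with encrypted members through untouched because their contents cannot be read. The placeholder name, the deletion-text wording, the nesting limit and the sample archives are assumptions of the example.

```python
# Added example (not Antigen code): apply a file-filter name pattern inside a
# .zip container and repack it. Matches become a text placeholder, nested zips
# are recursed into, other members are copied as-is, and a container holding an
# encrypted member is handed on unchanged because it cannot be inspected.
# The placeholder naming, deletion text, depth limit and samples are assumptions.
import fnmatch
import io
import zipfile
from typing import Dict, List, Tuple

MAX_DEPTH = 8   # guard against deeply nested (zip-bomb style) containers
DELETION_TEXT = "Antigen removed the file {name} because it matched the filter {filter}."

def is_encrypted(info: zipfile.ZipInfo) -> bool:
    # bit 0 of the general-purpose flag marks a traditionally encrypted member
    return bool(info.flag_bits & 0x1)

def build_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, blob in members.items():
            z.writestr(name, blob)
    return buf.getvalue()

def member_names(data: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()

def read_member(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)

def filter_container(data: bytes, pattern: str, depth: int = 0) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Return (repacked container, report); each report row is (member, outcome)."""
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        infos = src.infolist()
        if any(is_encrypted(i) for i in infos):
            # cannot look inside: hand the whole container on unchanged
            return data, [("<container>", "encrypted member, not scanned")]
        members = [(i.filename, src.read(i)) for i in infos]

    report: List[Tuple[str, str]] = []
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, blob in members:
            base = name.rsplit("/", 1)[-1]            # match on the member's own name
            if fnmatch.fnmatchcase(base.lower(), pattern.lower()):
                dst.writestr(name + ".txt", DELETION_TEXT.format(name=base, filter=pattern))
                report.append((name, "deleted"))
            elif blob.startswith(b"PK\x03\x04") and depth < MAX_DEPTH:
                inner, inner_report = filter_container(blob, pattern, depth + 1)
                dst.writestr(name, inner)             # repack the cleaned nested archive
                report.extend((f"{name}/{m}", outcome) for m, outcome in inner_report)
            else:
                dst.writestr(name, blob)
                report.append((name, "kept"))
    return out.getvalue(), report

# Constructed sample: an archive with another archive nested inside it.
INNER = build_zip({"payload.exe": b"MZ" + b"\x90" * 16, "notes.txt": b"meeting notes"})
OUTER = build_zip({"invoice.exe": b"MZ" + b"\x90" * 16, "readme.txt": b"read me",
                   "inner.zip": INNER})

if __name__ == "__main__":
    repacked, rows = filter_container(OUTER, "*.exe*")
    for member, outcome in rows:
        print(f"{member:24} {outcome}")
    print("repacked outer:", member_names(repacked))
```

The name matching here uses Python's fnmatch, which agrees with Antigen's * and ? for the simple patterns in this chapter; the depth limit is the kind of guard a real scanner needs because a recursive unpacker with no limit is an easy denial-of-service target.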

Excluding the contents of a container file from file filtering

To exclude the contents of a .zip (container file) from being scanned for filter matches, specify the name of the .zip file in the file filter list and set the action to Skip. Ordering of the filter in the list is not important. If the name of the .zip file is in the file filter list and its action is set to Skip, file filters will not be applied to the contents of the container. The file will, however, be scanned for viruses. If you want to skip all .zip files, create the filter *.zip, and then set the action to Skip.

Note

By default, this functionality applies only to .zip and .jar files. If you want to enable this functionality for other archive types (TAR, GZIP, RAR, Macintosh, SMIME, and self-extracting .zip archives), you can set the SkipFileFilterWithinCompressedInternet DWORD registry value. After creating the registry value, it should be set to 1 to disable file filtering in the specified archive type. (For the location of this registry key, see Appendix B - Setting registry keys.)
OPENXML files (for example, Office 2007 files) are ZIP container files, but they are not affected by the ZIP container settings.

Using file filtering to block most file types

You can use file filters to block some file types and permit others. In this example the permitted files are Microsoft Office documents: the two filters together block every file attachment except Office documents on messages entering your organization from the Internet. Two file filters are required for this to work properly.

Note

Be sure to create the file filter that permits Office documents through first, because the filters are applied, in order, from top to bottom.

To create a file filter that permits Office documents

  1. Click FILTERING in the left navigation shuttle, and then click the File icon. The File Filtering work pane appears on the right.

  2. Create a new filter by following these steps:

    1. Click Add.
    2. Type <in>* as the file name, and then press ENTER.
    3. Clear All Types in the File Types section, and then click Yes to confirm.
    4. Select the DOCFILE, OPENXML, and TNEFFILE file types. (TNEFFILE is required because it is the wrapper around file attachments for internal mail.)
    5. Set the Action parameter to Skip: Detect Only.
    6. Clear the Quarantine Files check box.
    7. Click Save.

To create a file filter that blocks all types of files

  1. Click FILTERING in the left navigation shuttle, and then click the File icon. The File Filtering work pane appears to the right.

  2. Create a new filter by following these steps:

    1. Click Add.
    2. Type <in>* as the file name, and then press ENTER.
    3. Ensure that All Types is selected in the File Types section.
    4. Set the action to Delete: Remove Contents or Purge: Eliminate Message, as desired.
    5. Select Quarantine Files.
    6. Select Send Notifications.
    7. Click Save.

Note

The Skip: Detect Only action in the first filter will generate an Incident log entry for almost every attachment that is received.
If you would like these filters to apply to all e-mail messages and not solely to inbound messages, remove <in> from both filters.
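The recipe above works only because of two properties: file types are decided from the attachment's content rather than its name, and the filters run top to bottom with the first match setting the action. The following Python script is an added example written for this page, not Antigen's code. It simulates both properties for the two filters above, shows a renamed executable called photo.docx being deleted, and shows every Office document being deleted when the filters are in the wrong order. The byte signatures used to classify DOCFILE, OPENXML, TNEFFILE and EXEFILE, the fnmatch-based name matching, the ZIP label for plain archives, and the sample attachments are this example's assumptions rather than Antigen's actual detector.

```python
# Added example (not Antigen code): simulate the two-filter recipe above, with
# file types decided from content rather than name and filters applied top to
# bottom. The byte signatures, the fnmatch name matching, the "ZIP" label and
# the sample attachments are this example's assumptions, not Antigen's detector.
import fnmatch
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # structured storage (DOCFILE)
ZIP_MAGIC = b"PK\x03\x04"                         # local file header of a zip
TNEF_MAGIC = b"\x78\x9F\x3E\x22"                  # TNEF signature 0x223E9F78, little-endian
MZ_MAGIC = b"MZ"                                  # Windows executable (EXEFILE)

def detect_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring its name."""
    if data.startswith(OLE_MAGIC):
        return "DOCFILE"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if "[Content_Types].xml" in z.namelist():
                    return "OPENXML"       # Office 2007 package
        except zipfile.BadZipFile:
            pass
        return "ZIP"
    if data.startswith(TNEF_MAGIC):
        return "TNEFFILE"
    if data.startswith(MZ_MAGIC):
        return "EXEFILE"
    return "UNKNOWN"

@dataclass
class TypedFilter:
    file_name: str                    # File Names entry, e.g. "<in>*"
    file_types: Optional[frozenset]   # None means All Types
    action: str                       # Skip, Delete, Purge or Identify

def first_match(filters: List[TypedFilter], name: str, data: bytes,
                direction: str) -> Tuple[str, str]:
    """Return (action, detected type) from the first filter that matches."""
    ftype = detect_type(data)
    for f in filters:
        pattern, want = f.file_name, None
        low = pattern.lower()
        if low.startswith("<in>"):
            want, pattern = "in", pattern[4:]
        elif low.startswith("<out>"):
            want, pattern = "out", pattern[5:]
        if want is not None and want != direction:
            continue
        if not fnmatch.fnmatchcase(name.lower(), pattern.lower()):
            continue
        if f.file_types is not None and ftype not in f.file_types:
            continue
        return f.action, ftype
    return "no match", ftype

def run_recipe(filters: List[TypedFilter], attachments: Dict[str, bytes],
               direction: str = "in") -> Dict[str, str]:
    return {name: first_match(filters, name, data, direction)[0]
            for name, data in attachments.items()}

def build_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, blob in members.items():
            z.writestr(name, blob)
    return buf.getvalue()

PERMIT_OFFICE = TypedFilter("<in>*", frozenset({"DOCFILE", "OPENXML", "TNEFFILE"}), "Skip")
BLOCK_ALL = TypedFilter("<in>*", None, "Delete")
RECIPE = [PERMIT_OFFICE, BLOCK_ALL]          # correct order: permit first
REVERSED = [BLOCK_ALL, PERMIT_OFFICE]        # wrong order: everything is deleted

# Constructed attachments: only the leading bytes matter for detection.
ATTACHMENTS = {
    "report.docx": build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "budget.xls": OLE_MAGIC + b"\x00" * 24,
    "winmail.dat": TNEF_MAGIC + b"\x00" * 8,
    "invoice.exe": MZ_MAGIC + b"\x90" * 30,
    "photo.docx": MZ_MAGIC + b"\x90" * 30,    # executable renamed to look like Word
    "archive.zip": build_zip({"notes.txt": b"hi"}),
}

if __name__ == "__main__":
    for name, action in run_recipe(RECIPE, ATTACHMENTS).items():
        print(f"{name:12} {detect_type(ATTACHMENTS[name]):9} -> {action}")
```

Running it with RECIPE prints Skip for the three genuine Office and TNEF attachments and Delete for the executable, the renamed executable and the plain .zip; running it with REVERSED prints Delete for every attachment, which is the failure the ordering note above warns about.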

Using filter set templates

Filter set templates can be created for use with any scan job. A single filter set template can be associated with any or all of the scan jobs, and you can also create multiple filter set templates for use on different servers or different scan jobs. For information about creating and configuring filter set templates, see "Using filter set templates" in Chapter 9 - Using content filtering.

About international character sets

Support for file filtering by name in Antigen for SMTP Gateways extends beyond the English character set. For example, messages with an attachment that includes Japanese characters, words, or phrases are handled in the same manner as are messages with attachments that have only English character sets.

About statistics logging

The Incidents work pane contains statistics counters that log the number of attachments that meet specified criteria and therefore cause the messages to which they are attached to be purged. These counters can also be found in the Performance Monitor utility.
