The MEG 7.6.3 software is now out and customers have been using it for a while. I thought I would take a little time today to tell everyone about one of the new features present in this software version.
We know that many times, customers see archives come in with innocuous-sounding names but which then happen to contain malicious or unwanted content. While we can usually block such content, in the event of a 0-day exploit we may not always know about the malware in time to block it from coming in. Should such an unhappy event happen, however, how is an admin to know who in their environment was exposed to this unknown malware?
That's where this new feature comes in. With this new feature, the MEG appliance will look through archives attached to email and extract the filenames of each file inside the attachment. When the admin then looks at the Message Search, they can see up to 11 of those file names (10 if there's more than 11), and a link for more if there's more than 11. That link will then allow the admin to look at the full list of files inside the archive. This also allows the admin to search through the GUI for filenames inside of attachments. For instance, if a piece of malware were to get through the appliance, and we know that it's inside an innocuous archive, but is named exploit.exe, we could search through the gui for all archives which contain exploit.exe, and thus see who already received it. Also, policy could be built to block exploit.exe, even though it's inside archive.zip.
It's worth noting that, at this time, the following archive formats are supported by this feature:
For additional information about this feature, I recommend viewing the November MEG TechTalk recording in which Marcelo and I detail this and the other new features in MEG 7.6.3. That TechTalk can be found at https://community.mcafee.com/videos/2061.