6 Replies Latest reply on May 30, 2013 8:53 PM by kmcin11

    MSME 8.0 - Problem: File Filtering occurring in zipped files

    kmcin11

      Hi,

       

      We recently moved from Symantec to MSME 8 on our Exchange servers and have run into a rather serious issue.

       

      While it was possible to block certain file extensions (such as .exe, .bin, .001 etc) when attached directly to an email but letting them pass through when in a zipped file, I have not been able to figure out how to do so with MSME 8.0.

       

      Within the Scanner Settings, I have created a File Filtering rule which includes a list of blocked extensions in the master policy. When one is found, it is swapped with an alert. Unfortunately MSME also looks into zipped files and strips it of any files which end in a pattern listed in the file filtering rule.

       

      Within the Scanner Control, the lowest number I can set the nesting level to is 2, and even though I set the basic options within the Shared Resource to NOT scan archive files, it still blocks any file found to be a match to any of the entries in the File Filtering rule.

       

      Some screenshots:

      FileFiltering1.jpg

      FileFiltering2.jpg

      FileFiltering3.jpg

       

      How do I get MSME to exclude zip files when it comes to the File Filtering list?

       

      Thanks for any tips.

       

      K

        • 1. Re: MSME 8.0 - Problem: File Filtering occurring in zipped files
          Attila Polinger

          Hi,

           

          did you use content filtering rules on Symantec Mail Security to block individual files from emails but leave archives (ZIP) alone?

           

          I think this is also possible with MSME 8. Another option is to use password-protected zips in emails.

           

          As for the Scanner options - Scan archive files item, this should mean "virus scanning".

          The file filtering rule section also applies to files in archives. The Scanner Control could be for protection of the scanner engine from getting into a loop when scanning archives with lots of nesting or broken archives (where the end of nest cannot be reached).

           

          Attila
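
The behaviour described in reply 1 (an extension filter that also applies to files inside archives, bounded by a nesting limit), as an added example that is not part of the original thread and is not MSME's code. The names `find_blocked`, `make_zip`, `BLOCKED` and `MAX_NESTING` and the sample archives are hypothetical and constructed here.

```python
import io
import zipfile

BLOCKED = {".exe", ".bin", ".001"}  # extensions named in the first post
MAX_NESTING = 2                     # assumed limit for this sketch

def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def find_blocked(name, data, inspect_archives=True, depth=0):
    """Return (path, reason) hits for one attachment."""
    hits = []
    if _ext(name) in BLOCKED:
        hits.append((name, "blocked extension"))
    # With inspect_archives=False only the directly attached name is checked.
    if not inspect_archives or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    # The nesting limit stops the walk from descending without bound.
    if depth >= MAX_NESTING:
        hits.append((name, "nesting limit reached"))
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # An encrypted member cannot be read without the password,
            # so only its name is checked.
            body = b"" if info.flag_bits & 0x1 else zf.read(info)
            for path, reason in find_blocked(info.filename, body, True, depth + 1):
                hits.append((f"{name}/{path}", reason))
    return hits

def make_zip(members):
    """Build an in-memory ZIP from {member name: bytes} (constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()

# Constructed sample: report.zip -> notes.txt and inner.zip -> tool.exe
INNER = make_zip({"tool.exe": b"MZ constructed"})
SAMPLE = make_zip({"notes.txt": b"hello", "inner.zip": INNER})

if __name__ == "__main__":
    print(find_blocked("report.zip", SAMPLE))
    print(find_blocked("report.zip", SAMPLE, inspect_archives=False))
```
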

          • 2. Re: MSME 8.0 - Problem: File Filtering occurring in zipped files
            kmcin11

            Hi Attila,

             

            Thanks for your response.

             

            Yes, we used Symantec before to block certain file extensions but exclude zipped files from being checked, even though they may have contained extensions that were on the blocked list. This is how users were able to get items such as executables from one user to another.

             

            We have ~3,700 users and need to figure out how to get MSME to function in this exact manner since we will have a hard time re-educating all these users to use a different approach, such as sending password protected zip files. 

             

            You stated that my desired outcome should also be possible with MSME, but how? Do you have any tips?

             

            Thanks,


            K

            • 3. Re: MSME 8.0 - Problem: File Filtering occurring in zipped files
              Attila Polinger

              Hi K,

               

              what I was hinting at is that with MSME you may also create content filter rules rather than using the file filtering policy page, to block email with unwanted attachment names (or types), and this could make it possible not to check files inside the compressed attachments as opposed to direct file filtering.

               

              There is a DLP and compliance dictionaries page where - according to the manual - you can filter for file names in email. Please see MSME Product guide p. 88. I hope this is okay for the purpose you are after.

               

              Attila

              • 4. Re: MSME 8.0 - Problem: File Filtering occurring in zipped files
                kmcin11

                Hi Attila,

                 

                Thanks for your response.

                 

                I am still at a loss for where I should find a content filter in MSME 8.0 which will only filter files of a certain format when they are attached to an email directly. I am not looking to filter for certain words (like some companies surely do) or block certain extensions no matter what, but I would like users to be able to send such file formats in zipped format without issues, as it was possible before when we used Symantec.

                 

                As it stands, users are not able to send, for instance, an .mht or a .exe file no matter how they package it, but in some cases it is necessary in our environment to zip such files in order to get them from point A to point B. The policy I set up is exactly like the one you are referring to, from page 88 on in the product guide of MSME 8.0.

                 

                Any additional help will be greatly appreciated.

                 

                Thanks,

                 

                K

                • 5. Re: MSME 8.0 - Problem: File Filtering occurring in zipped files
                  Attila Polinger

                  Hello,

                   

                  I am still at a loss for where I should find a content filter in MSME 8.0 which will only filter files of a certain format when they are attached to an email directly.

                  According to the manual you can specify file formats in email attachment filtering (in p. 88 - Par. 13), could you verify this? That is, like, "executables" and not ".EXE, .COM" etc.

                   

                  I think there is not a possibility to exclude .ZIP in a way that MSME won't search for specified forbidden file/formats therein, so you seem to make do with sending compressed files protected by a password.

                   

                  Attila

                  • 6. Re: MSME 8.0 - Problem: File Filtering occurring in zipped files
                    kmcin11

                    Hi Attila,

                     

                    That is an option within MSME, but not suitable for my needs since I need to stick to what the Secure Technical Implementation Guide for the DoD says. It tells me to add specific endings, such as *.ade *.crt *.jse *.msi *.scr *.wsh *.dir and so on.

                     

                    Thank you for taking the time to research this issue, I really appreciate it.

                     

                    K