Attachment Filename filtering

From GWAVA4

Introduction

To block malware or potential policy violations, it is useful to filter on the filename of attachments. See also Fingerprinting for a filter method that does not depend on the filename.

Attachment filename filtering operates on the filename. It thus can be bypassed by a knowledgeable or malicious user with a simple rename. Fingerprinting ignores the filename and attempts to identify the type of file by the contents.

Both have their uses. Specific file type blocking is an important feature of GWAVA that should be approached with the multiple mechanisms available. Often this is used as a preemptive measure against common virus types that your virus scanner may not detect until a signature update has been created and delivered to you. You might also have a policy in place to ensure certain objectionable or time-wasting material is not delivered to your users.

Expand the folder for the server you want to configure, expand Manage scanners, expand the appropriate scanner, expand Scanning configuration, then click on Attachment types.


To turn on attachment filename filtering, check the "Enable attachment blocking event" box.

TIP: If you chose "Stop Viruses" when you installed your scanner, this section will already be pre-configured for you and populated with common malware extensions (exe, bat, com, etc.). In addition, Fingerprinting and Viruses will also be activated and pre-configured.
NOTE: As you make changes to your configuration, the disk icon in the upper right corner of the page will become active and the words SAVE CHANGES will appear. Do not forget to click the icon to save your changes before moving to another page, or your changes will be lost. Some searching and filtering options will also warn you that you must SAVE your CHANGES or lose them.


Adding New Attachment Filenames

To add a new attachment filename to the list, enter the attachment filename in the Add new attachment field. The wildcard character * can be used; to block all files ending with EXE, enter *.exe. The entries are not case sensitive. See Data Input Types for a complete description of your input options.

Next, select the services that you would like to apply to this new attachment type by checking the box under the appropriate service icon.

TIP: Move your mouse pointer over the icon to display the name (Block messages, Notify the sender, etc.).

Finally, click the green plus sign to add the new type.
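
The following is an added example, not GWAVA code: it contrasts a case-insensitive wildcard match on the filename (as with the *.exe entry above) with a check of the file's leading bytes, the general idea behind identifying a file by its contents. Python's fnmatch and the small signature table are assumptions standing in for the product's matching and Fingerprinting; the message, addresses, and attachment bytes are constructed.

```python
import fnmatch
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed block list in the page's "*.exe" style (sample values).
BLOCKED_PATTERNS = ["*.exe", "*.bat", "*.com"]

# Leading bytes of a few file types (simplified content check, an assumption).
MAGIC = {b"MZ": "windows-executable", b"%PDF-": "pdf", b"PK\x03\x04": "zip"}


def filename_blocked(name, patterns=BLOCKED_PATTERNS):
    """Case-insensitive wildcard match on the attachment filename only."""
    lowered = (name or "").lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def sniff_type(payload):
    """Identify the file type from its first bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return "unknown"


def scan(raw_message):
    """Return (filename, blocked_by_name, detected_type) per attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        results.append((name, filename_blocked(name), sniff_type(data)))
    return results


def build_sample():
    """Constructed message: the same executable header under two names."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "test"
    msg.set_content("see attached")
    body = b"MZ\x90\x00" + b"\x00" * 60  # constructed stub, not a real program
    for fname in ("Setup.EXE", "report.pdf"):
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for row in scan(build_sample()):
        print(row)
```

Both attachments carry identical content, but only Setup.EXE matches a filename entry; the content check reports the same type for both, which is why the two mechanisms are meant to be used together.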


Removing Entries

You can remove an entry by clicking the red X next to the appropriate entry.

Editing Existing Entries

To edit an entry, click on the entry and change the text. You may also toggle any of the services, edit any of the notes, and adjust any of the addresses or exceptions.

Pagination

If more than 50 entries exist, you may use the VCR-style controls to move between pages.

Switching between Services, Notes, Addresses, and Exceptions

You can switch between viewing the associated services, notes, etc. for the entry by clicking the left or right scroll arrow.

Services

A service will be triggered when a message is received that contains the specified filename entry.

  • Block Messages - blocks the message.
  • Notify Sender - sends a notification message to the sender.
  • Notify Recipient - sends a notification message to the recipient.
  • Notify Administrator - sends a notification message to the administrator.
  • Notify Defined Address(es) - sends a notification message to the address(es) defined in the Address section (see "Defined Addresses" below).
  • Quarantine Messages - stores the message in the Quarantine Management System (QMS). This is useful for future examination by the administrator or end users, and for releasing the message in the QMS system or in Digests. Quarantining a message does not necessarily imply the message is blocked.

NOTE: Multistate services are disabled by default. Choose the Preferences button on the upper right to enable or disable Multistate services.

Notes

You may enter notes associated with each entry for your own purposes by selecting Notes with the scroll arrows.

These notes have no effect on the processing of the entry; they are for your private use.


Defined Addresses

If you want to send a notification message to a specific group of individuals each time this entry triggers an event, you must do two things:

  • Turn on the Notify Defined Address(es) service.
  • Specify the address list in the Addresses section.

To add one or more addresses, select Addresses using the scroll arrows. Click the Edit button. Type the appropriate user's address and click Add. Repeat the process to add additional addresses. Click OK when finished. As always, save your changes!


Exceptions

You can create two types of exceptions for attachment types: Source Exceptions and Destination Exceptions. If you don't want your entry to apply to a particular source (From: ), then you create a source exception. If you don't want your entry to apply to a particular destination (To: ), then you create a destination exception. Both of these exception types will apply to inbound and outbound mail, thus you can create source exceptions for internal addresses, as well as external addresses. The same applies for destination exceptions.

To add an exception, select either Source Exceptions or Dest. Exceptions using the scroll arrows. Click the Edit button. Type the desired address for your exception, then click Add. Repeat the process to add additional exceptions. Click OK when finished. Save your changes.


NOTE: If you want to see what exceptions a particular address or address pattern has been assigned, see Managing exceptions.

Filtering and Searching

You can choose which items to display by using Filter. The default filter is Show All, which displays all items. To display only items with a specific attribute, select that attribute from the Filter drop-down box. For example, to look only at entries that have Administrator Notifications turned on, select Administrator Notification under SERVICES in the drop-down box. You can filter by each of the six services or by defined fields (Notes, Exceptions, etc.).

You can search for specific criteria using the Search feature. Searches only apply to the filter entry itself, not notes, addresses, services, etc.
