This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Custom rule for True File Type Detection

Hi!

How do we create true file type rule based in below sample list.

 

Thanks!

Mar



This thread was automatically locked due to age.
  • Many of those are already include in the normal file type rule.  Just check out the firs tab and the are listed

    Like .bat and .com etc

    You will need to be mindful on some of the other types.  The sea uses true file type checking, you will not be able to explicitly make a mime type rule..

    That been said the appliance can read mime files.

    For example if you

    Copy con file.exe

    Test

    ‘Z

    Then mime encode it as a .wav file.. first off the appliance will know that the file contains..  txt and exe and wav..

    The appliance will also see that the file is actually a text file and only renamed to a .exe in this case it would also trigger a suspicious rule because the attachment  does not match the ttf as its called a .wav file

    In regards to scanning on the mime type as well, its kind of moot because its already triggered multiple ttf detections.

    Only the full pure message for unix program will allow you to scan extension, ttf and mimetype and put it all into a single rule.  For the sea, concentrate on file types and extensions ..

    I would use a quarantine and continue action .   This will deliver a message split with no attachment thus alerting the user and providing a way to release it.. keep in mind users can not release keywords or viruse rules ..