This discussion has been locked.

Additional policy - zip file attachment question.

Hi All,

I have created an additional policy (inbound) in Sophos Email Appliance to quarantine zip file attachments. The settings are shown in the screen captures below (Fig 1 and 2). But one email with an Excel attachment hit this policy and was quarantined. Does anyone have any ideas about this situation? Many thanks.

Fig 1

Fig 2

Fig 3



This thread was automatically locked due to age.
  • If you have created a rule such as

    *.zip

    then it is possible that you may get some unusual hits. The reason is that the scanning engine really doesn't care what the file is called; it uses true file type detection, so it will scan the file "as-is", not by what it's called.

    For example, here is the output from a zip file with some HTML documents in it:

    -bash-4.2$ pmx-list-true-filetypes peace.zip
    peace.zip:
    extensions:
    .???
    .gif
    .htm
    .html
    .ole2
    .xht
    .xhtml
    .zip

    filetypes:
    Archive/PK ZIP
    Container/OLE
    Document/WordPerfect
    Image/GIF
    Script/Markup/HTML

    The actual file is just a .zip file; however, SAVI sees ALL of the components of each element within the file. In your case "something" in that spreadsheet is zipped.

    If you are looking for an exact breakdown, you would need to submit the sample to file submissions under the support section of sophos.com.
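
Why an Excel attachment can match a ZIP rule, as an added example (not part of the original reply and not Sophos code): modern .xlsx workbooks are ZIP packages, so content-based detection reports a ZIP where a filename check does not. The signature table, function names and sample workbook are constructed for illustration and do not reproduce how the Sophos engine works.

```python
import io
import zipfile

# Well-known magic-byte headers; labels borrowed from the output quoted above.
SIGNATURES = {
    b"PK\x03\x04": "Archive/PK ZIP",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "Container/OLE",
    b"GIF8": "Image/GIF",
}

def true_filetypes(data, depth=0, max_depth=3):
    """Return the types found in data and, for ZIPs, in every member."""
    found = {label for magic, label in SIGNATURES.items() if data.startswith(magic)}
    if "Archive/PK ZIP" in found and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > 1_000_000:  # skip oversized members
                        continue
                    found |= true_filetypes(zf.read(info), depth + 1, max_depth)
        except zipfile.BadZipFile:
            pass  # header looked like a ZIP but the archive is corrupt
    return found

def name_rule_hits(filename):
    """Hypothetical filename-only rule: matches *.zip by extension."""
    return filename.lower().endswith(".zip")

def content_rule_hits(data):
    """Hypothetical content rule: matches anything that really is a ZIP."""
    return "Archive/PK ZIP" in true_filetypes(data)

def make_sample_xlsx():
    """Constructed sample: a minimal OOXML-style package (a ZIP of XML parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/media/image1.gif", b"GIF89a" + b"\x00" * 10)
    return buf.getvalue()

if __name__ == "__main__":
    xlsx = make_sample_xlsx()
    print("name rule on report.xlsx:   ", name_rule_hits("report.xlsx"))
    print("content rule on report.xlsx:", content_rule_hits(xlsx))
    print("types seen:", sorted(true_filetypes(xlsx)))
```

Older .xls workbooks start with the OLE header instead, so they only trip a ZIP rule when something embedded in them is itself zipped.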
