
Custom rule for True File Type Detection

Hi!

How do we create a true file type rule based on the sample list below?


Thanks!

Mar



  • Many of those are already included in the normal file type rule. Just check out the first tab and they are listed.

    Like .bat and .com etc.

    You will need to be mindful of some of the other types. The SEA uses true file type checking; you will not be able to explicitly make a MIME type rule.

    That being said, the appliance can read MIME files.

    For example, if you

    copy con file.exe
    Test
    ^Z

    then MIME encode it as a .wav file, first off the appliance will know that the file contains txt and exe and wav.

    The appliance will also see that the file is actually a text file and only renamed to a .exe. In this case it would also trigger a suspicious rule because the attachment does not match the TTF, as it's called a .wav file.

    In regards to scanning on the MIME type as well, it's kind of moot because it's already triggered multiple TTF detections.

    Only the full PureMessage for Unix program will allow you to scan extension, TTF and MIME type and put it all into a single rule. For the SEA, concentrate on file types and extensions.

    I would use a quarantine and continue action. This will deliver the message split, with no attachment, thus alerting the user and providing a way to release it. Keep in mind users cannot release keyword or virus rules.
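As an added illustration of the three-way mismatch the reply above describes (this is example code, not code from the thread, from the appliance, or from Sophos), the Python script below builds a constructed message whose attachment holds the bytes "copy con" would write, is named file.exe, and is declared audio/wav. It then classifies every attachment three ways: by extension, by declared MIME Content-Type, and by the content itself. The lookup tables, the magic-byte checks and the "quarantine and continue" label are assumptions made for the example, not the appliance's own detection tables.

```python
"""Added example: compare extension, declared MIME type and true (content)
type of each attachment in a message and flag any disagreement."""
import email
from email import policy
from email.message import EmailMessage

# Toy lookup tables (assumptions for this example, not the appliance's tables).
EXT_TO_TYPE = {"exe": "exe", "com": "exe", "wav": "wav", "txt": "txt"}
MIME_TO_TYPE = {
    "application/x-msdownload": "exe",
    "audio/wav": "wav",
    "audio/x-wav": "wav",
    "text/plain": "txt",
}


def true_type(data: bytes) -> str:
    """Classify content from its bytes alone, ignoring filename and headers."""
    if data.startswith(b"RIFF") and data[8:12] == b"WAVE":
        return "wav"  # RIFF container carrying a WAVE chunk
    if data.startswith(b"MZ"):
        return "exe"  # DOS/PE executable header
    # What 'copy con' leaves behind: ASCII plus CR/LF and the Ctrl-Z (0x1A) EOF marker
    text_bytes = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D, 0x1A}
    if data and all(b in text_bytes for b in data):
        return "txt"
    return "unknown"


def classify_attachment(filename: str, content_type: str, data: bytes) -> dict:
    """Compare the three views of one attachment and flag any disagreement."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext_type = EXT_TO_TYPE.get(ext, "unknown")
    mime_type = MIME_TO_TYPE.get(content_type.lower(), "unknown")
    actual = true_type(data)
    suspicious = len({ext_type, mime_type, actual}) > 1
    return {
        "filename": filename,
        "ext_type": ext_type,
        "mime_type": mime_type,
        "true_type": actual,
        "suspicious": suspicious,
        # Hypothetical action label mirroring the reply's recommendation.
        "action": "quarantine and continue" if suspicious else "deliver",
    }


def analyze_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and classify every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        results.append(classify_attachment(
            part.get_filename() or "",
            part.get_content_type(),
            part.get_payload(decode=True) or b"",
        ))
    return results


def build_sample_message() -> bytes:
    """Constructed sample reproducing the thread's scenario.

    Attachment 1: the bytes 'copy con' writes ("Test", CR/LF, Ctrl-Z), named
    file.exe but declared as audio/wav. Attachment 2: a consistent text/plain
    .txt file as a control."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "true file type sample (constructed)"
    msg.set_content("See attachments.")
    msg.add_attachment(b"Test\r\n\x1a", maintype="audio", subtype="wav",
                       filename="file.exe")
    msg.add_attachment(b"hello\r\n", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in analyze_message(build_sample_message()):
        print(finding)
```

Running the script prints one finding per attachment: file.exe resolves to extension "exe", declared type "wav" and true type "txt", so it is flagged, while notes.txt agrees on all three and is not. The point the reply makes is visible in the output: a name-based or MIME-only rule would see only one of the three views, whereas content inspection catches the renamed text file regardless of what the sender called it.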
