By "blocking" these extensions we mean that emails carrying attachments with such extensions are not delivered but are diverted to a dedicated IronPort quarantine.
1) We create a new quarantine and call it "Attachments_Blacklist_Q". A dedicated quarantine lets you release any false-positive emails later and also pull the quarantined attachments for malware analysis.
2) Then we create a new "Incoming Content Filter" and call it "Attachments_Blacklist".
3) Within the new content filter, we add a "Condition" that blocks all executables by "File Type".
Remember that the File Type condition alone is not enough; we also have to list every potentially malicious file extension explicitly.
4) We add the following regular expressions, one per attachment filename. In each pattern `^(?i)` makes the match case-insensitive, `.{1,}` requires at least one character before the final dot, and `$` anchors the extension at the end of the name, so only the last extension of a filename is tested:
^(?i).{1,}\.exe$
^(?i).{1,}\.bat$
^(?i).{1,}\.scr$
^(?i).{1,}\.com$
^(?i).{1,}\.cmd$
^(?i).{1,}\.pif$
^(?i).{1,}\.dll$
^(?i).{1,}\.cpl$
^(?i).{1,}\.msc$
^(?i).{1,}\.inf$
^(?i).{1,}\.reg$
^(?i).{1,}\.appx$
^(?i).{1,}\.appxbundle$
^(?i).{1,}\.application$
^(?i).{1,}\.gadget$
^(?i).{1,}\.msi$
^(?i).{1,}\.msp$
^(?i).{1,}\.lnk$
^(?i).{1,}\.mcl$
^(?i).{1,}\.url$
^(?i).{1,}\.appref-ms$
^(?i).{1,}\.vbs$
^(?i).{1,}\.vbe$
^(?i).{1,}\.js$
^(?i).{1,}\.jse$
^(?i).{1,}\.wsf$
^(?i).{1,}\.wsh$
^(?i).{1,}\.wsc$
^(?i).{1,}\.sct$
^(?i).{1,}\.hta$
^(?i).{1,}\.xap$
^(?i).{1,}\.wince$
^(?i).{1,}\.windowslivegroup$
^(?i).{1,}\.jar$
^(?i).{1,}\.x$
^(?i).{1,}\.tgz$
^(?i).{1,}\.z$
^(?i).{1,}\.r[0-9]{2}$
^(?i).{1,}\.xz$
^(?i).{1,}\.uue$
^(?i).{1,}\.lzh$
^(?i).{1,}\.ace$
^(?i).{1,}\.bz$
^(?i).{1,}\.bz2$
^(?i).{1,}\.cab$
^(?i).{1,}\.gz$
^(?i).{1,}\.iso$
^(?i).{1,}\.lha$
^(?i).{1,}\.tar$
^(?i).{1,}\.taz$
^(?i).{1,}\.tbz$
^(?i).{1,}\.tbz2$
^(?i).{1,}\.txz$
^(?i).{1,}\.uu$
^(?i).{1,}\.xxe$
^(?i).{1,}\.rev$
^(?i).{1,}\.001$
^(?i).{1,}\.arj$
^(?i).{1,}\.tzx$
^(?i).{1,}\.bzip2$
^(?i).{1,}\.cpio$
^(?i).{1,}\.fat$
^(?i).{1,}\.hfs$
^(?i).{1,}\.ntfs$
^(?i).{1,}\.swm$
^(?i).{1,}\.tpz$
^(?i).{1,}\.vhd$
^(?i).{1,}\.vhdx$
^(?i).{1,}\.wim$
^(?i).{1,}\.xar$
^(?i).{1,}\.squashfs$
^(?i).{1,}\.zipx$
^(?i).{1,}\.vmdk$
^(?i).{1,}\.tz$
^(?i).{1,}\.mim$
^(?i).{1,}\.hqx$
^(?i).{1,}\.bhx$
^(?i).{1,}\.b64$
^(?i).{1,}\.wjf$
^(?i).{1,}\.wzmul$
^(?i).{1,}\.alz$
^(?i).{1,}\.pl$
^(?i).{1,}\.py$
^(?i).{1,}\.pyc$
^(?i).{1,}\.pyd$
^(?i).{1,}\.pyz$
^(?i).{1,}\.chm$
^(?i).{1,}\.hlp$
^(?i).{1,}\.shs$
^(?i).{1,}\.wiz$
^(?i).{1,}\.pwz$
^(?i).{1,}\.accde$
^(?i).{1,}\.fxp$
^(?i).{1,}\.xlam$
^(?i).{1,}\.slk$
^(?i).{1,}\.wbk$
^(?i).{1,}\.ppz9$
^(?i).{1,}\.ppp9$
^(?i).{1,}\.air$
^(?i).{1,}\.fmx$
^(?i).{1,}\.odex$
^(?i).{1,}\.dex$
^(?i).{1,}\.apk$
^(?i).{1,}\.app$
^(?i).{1,}\.dmg$
^(?i).{1,}\.applescript$
^(?i).{1,}\.osx$
^(?i).{1,}\.xip$
^(?i).{1,}\.ipa$
^(?i).{1,}\.elf$
^(?i).{1,}\.deb$
^(?i).{1,}\.rpm$
In the next post, we will explain reasons behind blocking each of these file extensions.
5) In the "Actions" section, click "Add Action" and select the quarantine created in Step 1.
6) Finally, we assign the new content filter to the default policy on the "Incoming Mail Policies" page and commit the changes.
N.B. This requires very careful testing so that you don't cause business disruption: several of the extensions above (archives, disk images, scripts) are also exchanged legitimately, so review what lands in the quarantine before relying on the filter.
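Before committing the filter, it is worth checking the patterns offline against realistic filenames. The script below is an added example and not IronPort/AsyncOS code: it compiles a subset of the `^(?i).{1,}\.<ext>$` patterns from the list above with Python's `re`, walks a constructed multipart email with the standard library, and reports which attachments the filter would quarantine. It also adds a small magic-byte check, which is not part of the page's filter, to show why a filename-only condition is not enough on its own (a renamed PE file passes every regex). The sample message, its filenames and payload bytes are constructed for this demonstration.

```python
"""Offline check of the attachment-filename regexes from the content filter above.

Added example, not IronPort/AsyncOS code. The sample message, filenames and
payload bytes below are constructed for the demo.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# A representative subset of the filter's patterns, copied in IronPort form.
IRONPORT_PATTERNS = [
    r"^(?i).{1,}\.exe$",
    r"^(?i).{1,}\.scr$",
    r"^(?i).{1,}\.js$",
    r"^(?i).{1,}\.hta$",
    r"^(?i).{1,}\.iso$",
    r"^(?i).{1,}\.r[0-9]{2}$",  # multi-volume RAR parts .r00 .. .r99
    r"^(?i).{1,}\.001$",        # first volume of a split archive
]


def compile_ironport_regex(pattern):
    """Compile one filter regex with Python's `re`.

    The filter writes the case-insensitive flag as `^(?i)...`. Python 3.11+
    only accepts a global `(?i)` at position 0, so strip it and pass
    re.IGNORECASE instead; the matching behaviour is unchanged.
    """
    flags = re.IGNORECASE if "(?i)" in pattern else 0
    return re.compile(pattern.replace("(?i)", ""), flags)


COMPILED = [compile_ironport_regex(p) for p in IRONPORT_PATTERNS]


def is_blacklisted(filename):
    """True if any filter regex matches the attachment filename.

    Every pattern is anchored with `$`, so only the last extension counts:
    'Invoice.PDF.EXE' matches, 'setup.exe.txt' does not, and a bare '.exe'
    does not either because `.{1,}` needs a character before the final dot.
    """
    return any(rx.search(filename) for rx in COMPILED)


# Added content check (not part of the page's filter): a few magic-byte
# signatures, so a renamed executable is caught even with an innocuous name.
MAGIC_BYTES = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"Rar!\x1a\x07": "RAR archive",
}


def sniff_type(data):
    """Return a label for known executable/archive magic bytes, else None."""
    for magic, label in MAGIC_BYTES.items():
        if data.startswith(magic):
            return label
    return None


def quarantine_decisions(raw_message):
    """Return [(filename, reason)] for attachments that should be quarantined.

    reason is 'filename' when a filter regex matches and 'content' when only
    the magic-byte check fires; clean attachments are not listed.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    decisions = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_blacklisted(name):
            decisions.append((name, "filename"))
        elif sniff_type(part.get_payload(decode=True) or b""):
            decisions.append((name, "content"))
    return decisions


def build_sample_message():
    """Constructed test message with four attachments (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    add = msg.add_attachment
    add(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="invoice.pdf")
    add(b"MZ\x90\x00" + b"\x00" * 12, maintype="application", subtype="octet-stream",
        filename="Invoice.PDF.EXE")
    add(b"Rar!\x1a\x07\x00" + b"\x00" * 8, maintype="application", subtype="octet-stream",
        filename="photos.r01")
    # Renamed PE file: the filename regexes miss it, the magic-byte check does not.
    add(b"MZ\x90\x00" + b"\x00" * 12, maintype="text", subtype="plain", filename="update.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in quarantine_decisions(build_sample_message()):
        print(f"quarantine {name!r} (matched on {reason})")
```

Running it lists `Invoice.PDF.EXE` and `photos.r01` as filename hits and `update.txt` as a content hit, while `invoice.pdf` passes. The last case is exactly the gap the File Type condition in Step 3 is meant to close, which is why the filter uses both conditions rather than the extension list alone.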