Friday, 8 February 2019

IronPort: Blacklisted Attachments

In the next few posts, we will be discussing how to make use of the IronPort Email Security Appliance to enhance your enterprise email security. We start today with the list of attachment file extensions you should block.

By "blocking" these extensions, we mean that emails carrying attachments with such extensions must be quarantined in a dedicated IronPort "Quarantine" folder rather than dropped outright.


1) We create a new quarantine and call it "Attachments_Blacklist_Q". This allows you to later release any false-positive emails and also to grab the quarantined attachments for malware analysis.


2) Then we create a new "Incoming Content Filter" and call it "Attachments_Blacklist".


3) Within the new content filter, we add a new "Condition" for blocking all executables by "File Type".

Please remember that this alone is not enough: we also have to add all potentially malicious file extensions explicitly.

4) We add the following regular expressions:


^(?i).{1,}\.exe$
^(?i).{1,}\.bat$
^(?i).{1,}\.scr$
^(?i).{1,}\.com$
^(?i).{1,}\.cmd$
^(?i).{1,}\.pif$
^(?i).{1,}\.dll$
^(?i).{1,}\.cpl$
^(?i).{1,}\.msc$
^(?i).{1,}\.inf$
^(?i).{1,}\.reg$
^(?i).{1,}\.appx$
^(?i).{1,}\.appxbundle$
^(?i).{1,}\.application$
^(?i).{1,}\.gadget$
^(?i).{1,}\.msi$
^(?i).{1,}\.msp$
^(?i).{1,}\.lnk$
^(?i).{1,}\.mcl$
^(?i).{1,}\.url$
^(?i).{1,}\.appref-ms$
^(?i).{1,}\.vbs$
^(?i).{1,}\.vbe$
^(?i).{1,}\.js$
^(?i).{1,}\.jse$
^(?i).{1,}\.wsf$
^(?i).{1,}\.wsh$
^(?i).{1,}\.wsc$
^(?i).{1,}\.sct$
^(?i).{1,}\.hta$
^(?i).{1,}\.xap$
^(?i).{1,}\.wince$
^(?i).{1,}\.windowslivegroup$
^(?i).{1,}\.jar$
^(?i).{1,}\.x$
^(?i).{1,}\.tgz$
^(?i).{1,}\.z$
^(?i).{1,}\.r[0-9]{2}$
^(?i).{1,}\.xz$
^(?i).{1,}\.uue$
^(?i).{1,}\.lzh$
^(?i).{1,}\.ace$
^(?i).{1,}\.bz$
^(?i).{1,}\.bz2$
^(?i).{1,}\.cab$
^(?i).{1,}\.gz$
^(?i).{1,}\.iso$
^(?i).{1,}\.lha$
^(?i).{1,}\.tar$
^(?i).{1,}\.taz$
^(?i).{1,}\.tbz$
^(?i).{1,}\.tbz2$
^(?i).{1,}\.txz$
^(?i).{1,}\.uu$
^(?i).{1,}\.xxe$
^(?i).{1,}\.rev$
^(?i).{1,}\.001$
^(?i).{1,}\.arj$
^(?i).{1,}\.tzx$
^(?i).{1,}\.bzip2$
^(?i).{1,}\.cpio$
^(?i).{1,}\.fat$
^(?i).{1,}\.hfs$
^(?i).{1,}\.ntfs$
^(?i).{1,}\.swm$
^(?i).{1,}\.tpz$
^(?i).{1,}\.vhd$
^(?i).{1,}\.vhdx$
^(?i).{1,}\.wim$
^(?i).{1,}\.xar$
^(?i).{1,}\.squashfs$
^(?i).{1,}\.zipx$
^(?i).{1,}\.vmdk$
^(?i).{1,}\.tz$
^(?i).{1,}\.mim$
^(?i).{1,}\.hqx$
^(?i).{1,}\.bhx$
^(?i).{1,}\.b64$
^(?i).{1,}\.wjf$
^(?i).{1,}\.wzmul$
^(?i).{1,}\.alz$
^(?i).{1,}\.pl$
^(?i).{1,}\.py$
^(?i).{1,}\.pyc$
^(?i).{1,}\.pyd$
^(?i).{1,}\.pyz$
^(?i).{1,}\.chm$
^(?i).{1,}\.hlp$
^(?i).{1,}\.shs$
^(?i).{1,}\.wiz$
^(?i).{1,}\.pwz$
^(?i).{1,}\.accde$
^(?i).{1,}\.fxp$
^(?i).{1,}\.xlam$
^(?i).{1,}\.slk$
^(?i).{1,}\.wbk$
^(?i).{1,}\.ppz9$
^(?i).{1,}\.ppp9$
^(?i).{1,}\.air$
^(?i).{1,}\.fmx$
^(?i).{1,}\.odex$
^(?i).{1,}\.dex$
^(?i).{1,}\.apk$
^(?i).{1,}\.app$
^(?i).{1,}\.dmg$
^(?i).{1,}\.applescript$
^(?i).{1,}\.osx$
^(?i).{1,}\.xip$
^(?i).{1,}\.ipa$
^(?i).{1,}\.elf$
^(?i).{1,}\.deb$
^(?i).{1,}\.rpm$
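
Before committing a list like this, it is worth checking how the patterns behave on real attachment names. The harness below is an added example, not IronPort code: it embeds a subset of the post's patterns and runs constructed filenames through them, covering the edge cases that matter (case-insensitivity, double extensions such as report.pdf.exe, split-archive volumes, and a bare ".exe" that the `.{1,}` prefix deliberately does not match). Python's `re` module needs the `(?i)` flag moved in front of `^`, which the helper does without changing the match semantics.

```python
import re

# Added example (not IronPort code): check candidate attachment names against
# the post's regexes before committing the filter. A subset of the patterns is
# embedded; paste the full list from the post into PATTERNS to test all of them.
PATTERNS = [
    r"^(?i).{1,}\.exe$",
    r"^(?i).{1,}\.js$",
    r"^(?i).{1,}\.r[0-9]{2}$",
    r"^(?i).{1,}\.001$",
]

def compile_ironport_pattern(pattern: str) -> re.Pattern:
    # Python's re (3.11+) rejects a global flag like (?i) that is not at the
    # very start of the expression, so '^(?i)' is rewritten to '(?i)^'.
    # Semantics are unchanged: anchored at both ends, case-insensitive.
    if pattern.startswith("^(?i)"):
        pattern = "(?i)^" + pattern[len("^(?i)"):]
    return re.compile(pattern)

COMPILED = [(p, compile_ironport_pattern(p)) for p in PATTERNS]

def matching_pattern(filename: str):
    """Return the first pattern that matches the attachment filename, else None."""
    for raw, rx in COMPILED:
        if rx.match(filename):
            return raw
    return None

def is_blocked(filename: str) -> bool:
    return matching_pattern(filename) is not None

# Constructed sample attachment names covering the edge cases worth knowing.
SAMPLES = {
    "invoice.exe": True,       # plain match
    "INVOICE.EXE": True,       # (?i) makes the match case-insensitive
    "report.pdf.exe": True,    # only the final extension decides...
    "setup.exe.txt": False,    # ...so a trailing benign extension passes
    "archive.r01": True,       # split-archive volumes .r00 - .r99
    "archive.r1": False,       # needs exactly two digits
    ".exe": False,             # .{1,} needs at least one char before the dot
    "quarterly.pdf": False,
}

if __name__ == "__main__":
    for name, expected in SAMPLES.items():
        got = is_blocked(name)
        print(f"{name:16} blocked={got!s:5} {'OK' if got == expected else 'MISMATCH'}")
```

Feed it the filenames from a week of your own mail logs to see which legitimate business attachments (e.g. archives) the list would quarantine before you enable the filter.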

In the next post, we will explain reasons behind blocking each of these file extensions.

5) In the "Actions" section, click "Add Action", then select the quarantine created in Step 1.



6) Finally, we assign our new content filter to the default policy in the "Incoming Mail Policies" page and commit the changes.



N.B. This requires very careful testing so that you don't cause any business disruption.
