
Friday, 8 February 2019

IronPort: Blacklisted Attachments

In the next few posts, we will be discussing how to make use of the IronPort Email Security Appliance (ESA) to enhance your enterprise email security. We start today with the list of attachment file extensions you should block.

By "blocking" these extensions, we mean that emails carrying attachments with such extensions are quarantined in a dedicated IronPort quarantine rather than silently dropped.


1) We create a new quarantine and call it "Attachments_Blacklist_Q". Quarantining instead of dropping allows you to later release any false-positive emails and also to grab the attachments for malware analysis.


2) Then we create a new "Incoming Content Filter" and call it "Attachments_Blacklist".


3) Within the new content filter, we add a new "Condition" for blocking all executables by "File Type".




Please remember that the "File Type" condition alone is not enough; we also have to add all potentially malicious file extensions explicitly.

4) We add the following regular expressions:


^(?i).{1,}\.exe$
^(?i).{1,}\.bat$
^(?i).{1,}\.scr$
^(?i).{1,}\.com$
^(?i).{1,}\.cmd$
^(?i).{1,}\.pif$
^(?i).{1,}\.dll$
^(?i).{1,}\.cpl$
^(?i).{1,}\.msc$
^(?i).{1,}\.inf$
^(?i).{1,}\.reg$
^(?i).{1,}\.appx$
^(?i).{1,}\.appxbundle$
^(?i).{1,}\.application$
^(?i).{1,}\.gadget$
^(?i).{1,}\.msi$
^(?i).{1,}\.msp$
^(?i).{1,}\.lnk$
^(?i).{1,}\.mcl$
^(?i).{1,}\.url$
^(?i).{1,}\.appref-ms$
^(?i).{1,}\.vbs$
^(?i).{1,}\.vbe$
^(?i).{1,}\.js$
^(?i).{1,}\.jse$
^(?i).{1,}\.wsf$
^(?i).{1,}\.wsh$
^(?i).{1,}\.wsc$
^(?i).{1,}\.sct$
^(?i).{1,}\.hta$
^(?i).{1,}\.xap$
^(?i).{1,}\.wince$
^(?i).{1,}\.windowslivegroup$
^(?i).{1,}\.jar$
^(?i).{1,}\.x$
^(?i).{1,}\.tgz$
^(?i).{1,}\.z$
^(?i).{1,}\.r[0-9]{2}$
^(?i).{1,}\.xz$
^(?i).{1,}\.uue$
^(?i).{1,}\.lzh$
^(?i).{1,}\.ace$
^(?i).{1,}\.bz$
^(?i).{1,}\.bz2$
^(?i).{1,}\.cab$
^(?i).{1,}\.gz$
^(?i).{1,}\.iso$
^(?i).{1,}\.lha$
^(?i).{1,}\.tar$
^(?i).{1,}\.taz$
^(?i).{1,}\.tbz$
^(?i).{1,}\.tbz2$
^(?i).{1,}\.txz$
^(?i).{1,}\.uu$
^(?i).{1,}\.xxe$
^(?i).{1,}\.rev$
^(?i).{1,}\.001$
^(?i).{1,}\.arj$
^(?i).{1,}\.tzx$
^(?i).{1,}\.bzip2$
^(?i).{1,}\.cpio$
^(?i).{1,}\.fat$
^(?i).{1,}\.hfs$
^(?i).{1,}\.ntfs$
^(?i).{1,}\.swm$
^(?i).{1,}\.tpz$
^(?i).{1,}\.vhd$
^(?i).{1,}\.vhdx$
^(?i).{1,}\.wim$
^(?i).{1,}\.xar$
^(?i).{1,}\.squashfs$
^(?i).{1,}\.zipx$
^(?i).{1,}\.vmdk$
^(?i).{1,}\.tz$
^(?i).{1,}\.mim$
^(?i).{1,}\.hqx$
^(?i).{1,}\.bhx$
^(?i).{1,}\.b64$
^(?i).{1,}\.wjf$
^(?i).{1,}\.wzmul$
^(?i).{1,}\.alz$
^(?i).{1,}\.pl$
^(?i).{1,}\.py$
^(?i).{1,}\.pyc$
^(?i).{1,}\.pyd$
^(?i).{1,}\.pyz$
^(?i).{1,}\.chm$
^(?i).{1,}\.hlp$
^(?i).{1,}\.shs$
^(?i).{1,}\.wiz$
^(?i).{1,}\.pwz$
^(?i).{1,}\.accde$
^(?i).{1,}\.fxp$
^(?i).{1,}\.xlam$
^(?i).{1,}\.slk$
^(?i).{1,}\.wbk$
^(?i).{1,}\.ppz9$
^(?i).{1,}\.ppp9$
^(?i).{1,}\.air$
^(?i).{1,}\.fmx$
^(?i).{1,}\.odex$
^(?i).{1,}\.dex$
^(?i).{1,}\.apk$
^(?i).{1,}\.app$
^(?i).{1,}\.dmg$
^(?i).{1,}\.applescript$
^(?i).{1,}\.osx$
^(?i).{1,}\.xip$
^(?i).{1,}\.ipa$
^(?i).{1,}\.elf$
^(?i).{1,}\.deb$
^(?i).{1,}\.rpm$

In the next post, we will explain reasons behind blocking each of these file extensions.
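To see what the Step 4 patterns actually match, here is an added example (not code from the post) that runs a subset of them against constructed attachment filenames. It is plain Python standing in for the filter's filename condition; the `compile_blacklist`, `is_blacklisted` and `evaluate` helpers and the sample filenames are assumptions of the example. One caveat worth knowing: IronPort accepts the inline flag after the anchor (`^(?i)...`), but Python 3.11+ rejects a global inline flag that is not at position 0, so the example strips it and passes `re.IGNORECASE` instead, which gives the same matching semantics.

```python
import re

# The blacklist patterns from the post, used verbatim as data (a subset is enough to
# show the behaviour; the full list plugs in the same way).
ATTACHMENT_BLACKLIST = [
    r"^(?i).{1,}\.exe$",
    r"^(?i).{1,}\.scr$",
    r"^(?i).{1,}\.js$",
    r"^(?i).{1,}\.hta$",
    r"^(?i).{1,}\.jar$",
    r"^(?i).{1,}\.iso$",
    r"^(?i).{1,}\.r[0-9]{2}$",   # split RAR volumes: .r00, .r01, ...
]

_INLINE_CI = "(?i)"


def compile_blacklist(patterns):
    """Compile the IronPort-style patterns for Python's re module.

    IronPort accepts the inline flag after the anchor ("^(?i)..."), but Python 3.11+
    rejects a global inline flag that is not at position 0, so the flag is removed
    and passed as re.IGNORECASE instead; the match semantics are identical.
    """
    compiled = []
    for pattern in patterns:
        flags = 0
        if _INLINE_CI in pattern:
            pattern = pattern.replace(_INLINE_CI, "")
            flags |= re.IGNORECASE
        compiled.append(re.compile(pattern, flags))
    return compiled


BLACKLIST = compile_blacklist(ATTACHMENT_BLACKLIST)


def is_blacklisted(filename, compiled=BLACKLIST):
    """True if the attachment filename matches any blacklist pattern (the filter's condition)."""
    return any(rx.search(filename) for rx in compiled)


def evaluate(filenames, compiled=BLACKLIST):
    """Map each filename to the filter verdict: 'quarantine' or 'deliver'."""
    return {name: ("quarantine" if is_blacklisted(name, compiled) else "deliver")
            for name in filenames}


# Constructed sample filenames (not real captures) covering the cases that matter.
SAMPLE_FILENAMES = [
    "invoice.exe",           # plain match
    "INVOICE.EXE",           # (?i): the match is case-insensitive
    "invoice.pdf.exe",       # double extension: only the final suffix counts, so it matches
    "archive.r01",           # split-archive volume caught by .r[0-9]{2}
    "invoice.exe.txt",       # final suffix is .txt: an extension list only sees the last suffix
    "quarterly_report.pdf",  # benign
    "statement",             # no extension at all: nothing for an extension regex to match
]

if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_FILENAMES).items():
        print(f"{name:24} -> {verdict}")
```

The last sample is the gap an extension-based filter has by design: a nameless-type attachment never reaches any of these patterns, so it needs a separate check (for example on the attachment's content) rather than another regex.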

5) In the "Actions" section, click "Add Action", then select the quarantine created in Step 1.



6) Finally, we assign our new content filter to the default policy on the "Incoming Mail Policies" page and commit the changes.



N.B. This requires very careful testing so that you don't cause any business disruption.

5 comments:

  2. Greetings:
    Useful article, thanks. I realize it's a few years old, but reaching out to see if you ever adapted the idea to how to block attachments that do not have extensions. We've been getting hit hard with this recently. The files are actually HTML and have a redirect to a shortened URL to nowhere good. When users attempt to open, Windows pops up the helpful offer to use an app on their system and if they select a browser, the redirect does its intended job.
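The case raised in the comment above, attachments that carry no extension at all and so never reach an extension regex, as an added example that is not from the post or the commenter: a content-sniffing check that flags extensionless attachments whose leading bytes look like HTML or a native executable. The sample attachments are constructed, the `has_extension`, `sniff`, `extensionless_verdict` and `scan` helpers are assumptions of the example, and this is plain Python illustrating the check, not an IronPort filter condition (the post does not cover whether the appliance can express this itself).

```python
# Constructed sample attachments as filename -> first bytes; not real captures.
SAMPLE_ATTACHMENTS = {
    "statement":     b'<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0;url=https://example.invalid/r">',
    "invoice_2019":  b"<html><body><script>location.href='https://example.invalid/';</script></body></html>",
    "readme":        b"Thanks for your order. Your reference number is 12345.\n",
    "setup":         b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00",
    "quarterly.pdf": b"%PDF-1.7\n",
}

# Leading-byte signatures for native executables, which should never arrive nameless.
_MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
}
# Markers that identify HTML regardless of what the attachment is called.
_HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<meta http-equiv")

QUARANTINE_KINDS = {"html", "pe-executable", "elf-executable"}


def has_extension(filename):
    """True if the basename has a suffix after a dot (a leading dot alone does not count)."""
    base = filename.rsplit("/", 1)[-1].lstrip(".")
    return "." in base


def sniff(head):
    """Classify the first bytes of an attachment: executable, html, or unknown."""
    sample = head.lstrip()[:256]
    for magic, label in _MAGIC.items():
        if sample.startswith(magic):
            return label
    lowered = sample.lower()
    if any(marker in lowered for marker in _HTML_MARKERS):
        return "html"
    return "unknown"


def extensionless_verdict(filename, head):
    """Return a quarantine reason for an extensionless attachment, or None to let it through.

    Attachments that do have an extension are left to the regex blacklist; this check
    only covers the gap where no extension is present.
    """
    if has_extension(filename):
        return None
    kind = sniff(head)
    if kind in QUARANTINE_KINDS:
        return f"extensionless attachment sniffed as {kind}"
    return None


def scan(attachments):
    """Apply the check to a mapping of filename -> first bytes; return only the hits."""
    hits = {}
    for name, head in attachments.items():
        reason = extensionless_verdict(name, head)
        if reason:
            hits[name] = reason
    return hits


if __name__ == "__main__":
    for name, reason in scan(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {reason}")
```

The check deliberately looks at content only when the name gives nothing to go on; "readme" stays deliverable because plain text sniffs as unknown, while "statement" and "invoice_2019" are quarantined on their HTML markers and "setup" on its PE header.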