Block potentially malicious files with a Data Protection policy

Products

Email Security.cloud

Issue/Introduction

Resolution

Learn how to create a policy in Symantec Email Security.cloud Data Protection to restrict commonly exploited filetypes by extension.

Create a policy to block files

In the Symantec.cloud portal, navigate to Services > Data Protection.
Create a new Data Protection policy, and configure it as follows:
- Name: Restricted file files
- Apply to: Inbound email only. Other options are available, which depend on the scope you desire.
- Execute if: All rules are met
- Action: Redirect to Administrator. Other actions are available, which depend on the result you intend.
- Administrator email: Configure a non-production administrator email address. This must be non-production address because Data Protection policy administrators are automatically whitelisted from all Data Protection policies to avoid mail loops.
- Notifications: None
Add a new Rule, and configure it as follows:
- Name: Restricted files
- Set it to: ANY conditions are met
1. Add a new condition, Attachment Filename List.
  - Click Create a new filename List.
  - Name: Potential Malicious files
    
    The following entries are typical files blocked by Outlook 2010, but you can add more or remove some of the extensions as per your needs.
    - *.ade
      *.adp
      *.app
      *.asp
      *.bas
      *.bat
      *.cer
      *.chm
      *.cla
      *.class
      *.cmd
      *.cnt
      *.com
      *.cpl
      *.crt
      *.csh
      *.der
      *.exe
      *.fxp
      *.gadget
      *.grp
      *.hlp
      *.hpj
      *.hta
      *.inf
      *.ins
      *.isp
      *.its
      *.jar
      *.js
      *.jse
      *.ksh
      *.lnk
      *.link
      *.mad
      *.maf
      *.mag
      *.mam
      *.maq
      *.mar
      *.mas
      *.mat
      *.mau
      *.mav
      *.maw
      *.mcf
      *.mda
      *.mdb
      *.mde
      *.mdt
      *.mdw
      *.mdz
      *.msc
      *.msh
      *.msh1
      *.msh1xml
      *.msh2
      *.msh2xml
      *.mshxml
      *.msi
      *.msp
      *.mst
      *.ocx
      *.ops
      *.osd
      *.pcd
      *.pif
      *.pl
      *.plg
      *.prf
      *.prg
      *.ps1
      *.ps1xml
      *.ps2
      *.ps2xml
      *.psc1
      *.psc2
      *.pst
      *.reg
      *.scf
      *.scr
      *.sct
      *.sh
      *.shb
      *.shs
      *.url
      *.vb
      *.vbe
      *.vbp
      *.vbs
      *.vsmacros
      *.vsw
      *.ws
      *.wsc
      *.wsf
      *.wsh
      *.xbap
      *.xnk

The following list of file extensions are optional:

*.dll
*.docm
*.gz
*.htm
*.html
*.pptm
*.rar
*.sfx
*.tar
*.tmp
*.xlsm
*.zip
Click Save.
Condition options:
- Attachment filename: matches any of the filenames in the selected lists

Note: This section is optional; you can implement this policy if you have a source which needs to send you these types of files. We will only add a Sender Domain list as an example, but you can add or use a Sender Group where you list email addresses instead. Data Protection happens after the antivirus scan. If files are detected as malicious, they'll be blocked by the Antivirus service.

Add a new Rule, and configure it as follows:
- Name: Valid file senders
- Set it to: ANY conditions are met
1. Add a new condition, Sender Domain List
  - Click Create a new Domain List.
  - Name: Approved file senders
  - In this list we’ll add source domains deemed valid for the file restrictions above.
    - example.com
    - businesspartner.net
  - Click Save.
  - Condition options:
    - Domain of the sender: is in none of the selected lists