Block potentially malicious files with a Data Protection policy

Article ID: 178860

Products

Email Security.cloud

Issue/Introduction

 

Resolution

Learn how to create a policy in Symantec Email Security.cloud Data Protection to restrict commonly exploited filetypes by extension.

Create a policy to block files

  1. In the Symantec.cloud portal, navigate to Services > Data Protection.
  2. Create a new Data Protection policy, and configure it as follows:
     
    • Name: Restricted file files
    • Apply to: Inbound email only. Other options are available, depending on the scope you want.
    • Execute if: All rules are met
    • Action: Redirect to Administrator. Other actions are available, depending on the result you intend.
    • Administrator email: Configure a non-production administrator email address. This must be a non-production address because Data Protection policy administrators are automatically whitelisted from all Data Protection policies to avoid mail loops.
    • Notifications: None
       
  3. Add a new Rule, and configure it as follows:
    • Name: Restricted files
    • Set it to: ANY conditions are met
       
    1. Add a new condition, Attachment Filename List.
      • Click Create a new filename List.
      • Name: Potential Malicious files

        The following entries are typical files blocked by Outlook 2010, but you can add more or remove some of the extensions as per your needs.
         
        • *.ade
          *.adp
          *.app
          *.asp
          *.bas
          *.bat
          *.cer
          *.chm
          *.cla
          *.class
          *.cmd
          *.cnt
          *.com
          *.cpl
          *.crt
          *.csh
          *.der
          *.exe
          *.fxp
          *.gadget
          *.grp
          *.hlp
          *.hpj
          *.hta
          *.inf
          *.ins
          *.isp
          *.its
          *.jar
          *.js
          *.jse
          *.ksh
          *.lnk
          *.link
          *.mad
          *.maf
          *.mag
          *.mam
          *.maq
          *.mar
          *.mas
          *.mat
          *.mau
          *.mav
          *.maw
          *.mcf
          *.mda
          *.mdb
          *.mde
          *.mdt
          *.mdw
          *.mdz
          *.msc
          *.msh
          *.msh1
          *.msh1xml
          *.msh2
          *.msh2xml
          *.mshxml
          *.msi
          *.msp
          *.mst
          *.ocx
          *.ops
          *.osd
          *.pcd
          *.pif
          *.pl
          *.plg
          *.prf
          *.prg
          *.ps1
          *.ps1xml
          *.ps2
          *.ps2xml
          *.psc1
          *.psc2
          *.pst
          *.reg
          *.scf
          *.scr
          *.sct
          *.sh
          *.shb
          *.shs
          *.url
          *.vb
          *.vbe
          *.vbp
          *.vbs
          *.vsmacros
          *.vsw
          *.ws
          *.wsc
          *.wsf
          *.wsh
          *.xbap
          *.xnk

The following file extensions are optional:

  • *.dll
    *.docm
    *.gz
    *.htm
    *.html
    *.pptm
    *.rar
    *.sfx
    *.tar
    *.tmp
    *.xlsm
    *.zip
  • Click Save.
  • Condition options:
    • Attachment filename: matches any of the filenames in the selected lists

Note: This section is optional; you can implement this policy if you have a source which needs to send you these types of files. We will only add a Sender Domain list as an example, but you can add or use a Sender Group where you list email addresses instead. Data Protection happens after the antivirus scan. If files are detected as malicious, they'll be blocked by the Antivirus service.
  

  1. Add a new Rule, and configure it as follows:
    • Name: Valid file senders
    • Set it to: ANY conditions are met
       
    1. Add a new condition, Sender Domain List
      • Click Create a new Domain List.
      • Name: Approved file senders
      • In this list we’ll add source domains deemed valid for the file restrictions above.
         
        • example.com
        • businesspartner.net
           
      • Click Save.
      • Condition options:
        • Domain of the sender: is in none of the selected lists
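
The following is an added example, not Symantec's code or part of the original article: a small offline model of how the two rules combine under "Execute if: All rules are met", which can be used to sanity-check a filename list and sender list before saving the policy. The case-insensitive glob matching and the exact-match domain comparison are assumptions; confirm both behaviours in the portal with a test message.

```python
from fnmatch import fnmatch

# Subset of the article's "Potential Malicious files" list (constructed sample).
RESTRICTED = ["*.exe", "*.js", "*.lnk", "*.ps1", "*.vbs", "*.hta"]
# The article's example "Approved file senders" domain list.
APPROVED_DOMAINS = ["example.com", "businesspartner.net"]


def restricted_files_rule(attachments, patterns=RESTRICTED):
    """Rule 'Restricted files': attachment filename matches any list entry.
    Assumption: matching is a case-insensitive glob on the full filename."""
    return any(fnmatch(name.lower(), p.lower())
               for name in attachments for p in patterns)


def valid_senders_rule(sender, approved=APPROVED_DOMAINS):
    """Rule 'Valid file senders': sender domain is in none of the lists.
    Assumption: exact domain comparison, so subdomains are not covered."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain not in approved


def policy_action(sender, attachments, use_sender_rule=True):
    """'Execute if: All rules are met': every configured rule must be true."""
    rules = [restricted_files_rule(attachments)]
    if use_sender_rule:  # the optional second rule from the Note section
        rules.append(valid_senders_rule(sender))
    return "redirect_to_admin" if all(rules) else "deliver"


# Constructed sample messages: (sender, attachment filenames)
SAMPLES = [
    ("alice@unknown.test", ["invoice.pdf"]),
    ("alice@unknown.test", ["invoice.pdf.JS"]),   # double extension, mixed case
    ("bob@businesspartner.net", ["setup.exe"]),   # approved sender is exempt
    ("carol@sub.example.com", ["report.lnk"]),    # subdomain is not in the list
]

if __name__ == "__main__":
    for sender, files in SAMPLES:
        print(sender, files, "->", policy_action(sender, files))
```

Because the sender rule is combined with "All rules are met", every domain added to the approved list is exempt from the whole filename restriction, so keep that list short.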
           

Additional information