Identifying JavaScript attachments via Content Filtering

Article ID: 178875

Products

Messaging Gateway

Issue/Introduction

 

Resolution

One of the primary vectors for downloaded malware is "downloader" scripts and macros. While these scripts are not in and of themselves malware, they provide a means by which malware is placed on the target system. One popular delivery mechanism for these downloader scripts is JavaScript attachments to email messages. These attachments can be identified by Messaging Gateway (SMG) as follows.

  1. Configure an attachment list for JavaScript files
  2. Configure a content filtering (CF) rule to identify messages with these attachments and act on them

Setting up the Attachment List

  1. Log into the SMG control center as an admin account with "Manage Policies" access
  2. Open the Content -> Attachment Lists page
  3. Click "Add"
  4. Name the attachment list something meaningful like "Javascript"
  5. Select the second radio button and add the "If the MIME-type contains javascript" attachment type rule
  6. Select the second radio button and add the "If the MIME-type contains js" attachment type rule
  7. Select the second radio button and add the "Extension is js" attachment type rule
  8. Click "Save"
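
The three attachment type rules above can be tried against a sample message before the list is deployed. The following Python sketch is an added example, not SMG's own code: it assumes the rules behave as plain case-insensitive substring and extension comparisons, and the message, addresses and filenames are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# The three attachment-type rules from the list above, as (field, test, value).
RULES = [
    ("mime", "contains", "javascript"),
    ("mime", "contains", "js"),
    ("extension", "is", "js"),
]

def rule_matches(rule, mime_type, filename):
    field, _test, value = rule
    if field == "mime":
        return value in mime_type.lower()          # assumed: substring match
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext == value                            # assumed: case-insensitive

def matching_attachments(raw_message):
    """Return [(filename, mime_type, [matched rules])] for parts hitting any rule."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue                               # containers carry no content
        filename = part.get_filename() or ""
        mime_type = part.get_content_type()
        matched = [r for r in RULES if rule_matches(r, mime_type, filename)]
        if matched:
            hits.append((filename, mime_type, matched))
    return hits

def build_sample():
    """Constructed test message: a text body plus four attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    for data, subtype, name in [
        (b"// placeholder", "javascript", "invoice.js"),
        (b"// placeholder", "octet-stream", "Scan.JS"),
        (b"{}", "json", "data.json"),
        (b"placeholder", "pdf", "report.pdf"),
    ]:
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, mime, rules in matching_attachments(build_sample()):
        print(name, mime, [" ".join(r) for r in rules])
```

Under the substring assumption, the "contains js" rule also matches `application/json`, so it is worth reviewing what the list catches before choosing the policy action.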

When complete, your attachment list should appear as follows:

Configuring the CF Policy

  1. Select the Content tab
  2. Click "Add" to add a new policy
  3. Select the Blank policy template
  4. Give the policy a meaningful name like "Javascript: Quarantine"
  5. Ensure that "Disable decomposition of files" is unchecked
  6. Apply to "Inbound" messages
  7. Select Any for the conditions to be met
  8. Click Add under policy conditions
  9. Select the "Attachment or Body Part" radio button
  10. Select the "Is in attachment list" radio button
  11. Select the new attachment list from the pulldown menu on the right
  12. Click Add Condition
  13. The policy condition should appear as follows

  14. Under Actions click Add
  15. Configure the desired policy action such as "Hold message in Spam Quarantine"
  16. Select the desired policy groups to apply the CF rule to
  17. Click Save
  18. The final policy should appear as follows