A file type filtering rule has triggered against a file that does not have the extension listed in the file type rule. How do I determine why a File Type filtering rule triggered against message content in Symantec Mail Security for Microsoft Exchange (SMSMSE) 7.5.5 and later?
The file type filtering rules do not use the file extension of the file in question to trigger against files. Instead they use the "File Signature", also known as the "magic number". In addition, the file type filtering rules will examine contents inside container files (which includes Office documents).
The following example shows how to determine why a particular piece of content was seen as a file type filtering violation.
For this example, we will examine a .docx file with embedded content that triggered the "Windows Installer package (.msi)" portion of the "Executable File" rule. A similar process can be followed for other file types that triggered other file type filtering rules.
Why the example file is triggering the File Type Filtering policy “Executable Files -> MSI”
During normal scanning, all container files (of which docx is a type) are broken down into their component parts, and those parts are evaluated against the enabled rules for SMSMSE. When a File Type Filtering rule is enabled in SMSMSE, the header of each of these component parts is examined for its "file signature" to determine its true type. If the file signature matches one of the prohibited types, the item is flagged as having violated the policy. In this case, the file signature identified the embedded part as a Microsoft Installer Package, and the Executable File Type filtering rule was configured to block Microsoft Installer Packages.
The extension in the file name is irrelevant for the purposes of these rules. They are based on how the header of the file represents the file type, which is more accurate than the file extension for evaluating the true file type.
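As an added illustration (not code from Symantec or SMSMSE), the script below mimics the detection logic described above: it classifies content by its leading bytes, descends into ZIP-based containers such as .docx, and reports any part whose header matches a blocked type regardless of the name it carries. The signature table and the sample document are constructed for this example; note that an .msi package uses the OLE Compound File header, which legacy .doc/.xls files share, so a real scanner inspects further to tell them apart.

```python
import io
import zipfile

# Illustrative signature table (constructed for this example, not SMSMSE's
# internal list). Each entry maps leading bytes ("magic number") to a label.
SIGNATURES = {
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "OLE Compound File (used by .msi, legacy .doc/.xls)",
    b"MZ": "DOS/Windows executable (PE)",
    b"PK\x03\x04": "ZIP container (.docx/.xlsx/.pptx/.zip)",
}

def identify(data: bytes) -> str:
    """Classify content by its leading bytes; the file name is never consulted."""
    for magic, label in SIGNATURES.items():
        if data.startswith(magic):
            return label
    return "unknown"

def scan_container(blob: bytes, path: str = "") -> list:
    """Return (path, detected_type) for the blob and, if it is a ZIP, for every member, recursively."""
    results = [(path or "<root>", identify(blob))]
    if blob.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                member = zf.read(name)
                results.extend(scan_container(member, f"{path}/{name}" if path else name))
    return results

def find_violations(blob: bytes, blocked_prefix: str = "OLE Compound File") -> list:
    """List every part whose detected type starts with the blocked label."""
    return [(p, t) for p, t in scan_container(blob) if t.startswith(blocked_prefix)]

def build_sample_docx() -> bytes:
    """Construct a minimal docx-like ZIP with an embedded part whose name hides an OLE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        # Extension says .txt; the header says OLE Compound File (what an .msi carries).
        zf.writestr("word/embeddings/readme.txt",
                    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 504)
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind in scan_container(build_sample_docx()):
        print(f"{part}: {kind}")
```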
Possible actions to avoid this behavior
There are several options to allow these files to pass:
Any one of these options will allow the file to pass; it is up to the security policy of the individual organization exactly where and how these policies should be applied.