How to determine why a File Type filtering rule triggered against message content


Article ID: 178964


Products

Mail Security for Microsoft Exchange

Issue/Introduction


Resolution

A file type filtering rule has triggered against a file that does not have the extension listed in the rule. How do I determine why a File Type filtering rule triggered against message content in Symantec Mail Security for Microsoft Exchange (SMSMSE) 7.5.5 and later?

The file type filtering rules do not use the file extension to decide whether a file matches. Instead they use the file's "file signature", also known as its "magic number". In addition, the file type filtering rules examine the contents of container files, which include Office documents.

The following steps show how to determine why a particular piece of content was treated as a file type filtering violation.

For this example, we examine a .docx file with embedded content that triggered the "Windows Installer package (.msi)" portion of the Executable File Rule. A similar process can be used for other file types that triggered other file type filtering rules.

  1. Release the file in question from the quarantine to a convenient location.
  2. Rename the file extension to .zip. This will allow the file to be broken apart into its component parts for examination.
  3. Locate the embedded content. For this example it was located in "example file.docx\word\embeddings\oleObject1.bin".
  4. Open the file in a hex editor. For this example the file has been opened in Notepad++.
  5. Choose Plugins -> Hex-Editor -> View in HEX from the menu.
  6. The file signature appears in the header of the file.

    Note: in some cases the file signature is embedded within the file; it is not always located at the beginning of the header.
  7. Search a file signature repository such as filesignatures.net for this file signature. In this case, the file signature corresponds to a .msi file.

Why the example file triggers the File Type Filtering policy “Executable Files -> MSI”

During normal scanning, all container files (of which .docx is one type) are broken down into their component parts, and those parts are evaluated against the rules enabled in SMSMSE. When a File Type Filtering rule is enabled, the header of each component part is examined for its “file signature” to determine its true type. If the file signature matches one of the prohibited types, the item is flagged as violating the policy. In this case, the file signature identified the embedded object as a Microsoft Installer Package, and the Executable File Type filtering rule was configured to block Microsoft Installer Packages.

The extension in the file name is irrelevant for these rules. They are based on how the file header represents the file type, which is a more accurate indication of the true file type than the extension.
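The following script is an added illustration of the two ideas above (the unpack-and-inspect procedure in steps 2 to 7, and the container-scanning behaviour just described); it is not SMSMSE code and makes no claim about the product's internal signature database. It builds a constructed stand-in for "example file.docx", walks its ZIP members, classifies each by its leading bytes, and reports which members match a prohibited type. The signature table is a small constructed subset; note that the OLE Compound File header that filesignatures.net lists for .msi is shared with legacy .doc/.xls files, so a hit identifies the container format rather than a specific extension.

```python
import io
import zipfile

# Constructed table of a few well-known file signatures ("magic numbers").
# The OLE Compound File header is shared by .msi and the legacy Office
# formats, so a hit reveals the real container format, not the extension.
SIGNATURES = {
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "OLE Compound File (.msi/.doc/.xls)",
    b"PK\x03\x04": "ZIP container (.zip/.docx/.xlsx)",
    b"MZ": "DOS/Windows executable (.exe/.dll)",
}

def signature_type(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring whatever its name says."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def scan_container(container: bytes, prefix: str = "", depth: int = 0) -> list:
    """Break a ZIP-based container (a .docx is one) into its members, classify
    each by signature and recurse into nested ZIPs; returns (path, type) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info)
            kind = signature_type(member)
            path = f"{prefix}/{info.filename}" if prefix else info.filename
            findings.append((path, kind))
            if kind.startswith("ZIP") and depth < 3:  # bounded recursion
                try:
                    findings += scan_container(member, path, depth + 1)
                except zipfile.BadZipFile:
                    pass  # signature said ZIP but it does not parse; keep the hit
    return findings

def violations(container: bytes, prohibited: set) -> list:
    """Member paths whose true type is on the rule's prohibited list."""
    return [p for p, kind in scan_container(container) if kind in prohibited]

def build_sample_docx() -> bytes:
    """Constructed stand-in for 'example file.docx': a minimal ZIP whose
    word/embeddings/oleObject1.bin starts with the OLE Compound File header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin",
                    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 504)
    return buf.getvalue()
```

Running `violations(build_sample_docx(), {"OLE Compound File (.msi/.doc/.xls)"})` reports only `word/embeddings/oleObject1.bin`, which is the member the rule would flag regardless of the .docx extension on the outer file.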

Possible actions to avoid this behavior

There are several options to allow these files to pass:

  • Disable the Executable File Rule.
  • Uncheck the “Windows Installer Package” option in the configuration of the Executable file rule.
  • Change the rule to apply only to “Inbound” messages (assuming these are internal messages and not inbound from outside).
  • Whitelist the sender, either by explicit SMTP address or by domain, by changing the settings on the “Users” tab of the Executable file rule.

Any one of these options will allow the file to pass; it is up to each organization's security policy exactly where and how these rules should be applied.
