Configuring executable file detection


Article ID: 181276


Products

Mail Security for Microsoft Exchange

Issue/Introduction

 

Resolution

Risks can be found in the file types that contain executable code. You can enhance threat detection by identifying executable files. When you enable the Executable File Rule, Mail Security detects executable files and takes the actions that you specify. Mail Security determines if a file is a true executable file by analyzing the file contents, rather than looking at the file name extension.

Note:

Mail Security can determine the true file type of a well-formed binary file. The true file type of a binary file variant cannot always be accurately determined.

The Executable File Rule recognizes the following executables:

  • MSDOS/Windows *.exe files

  • MSDOS/Windows object library files

  • MSDOS/Windows programs

  • MSDOS device drivers

  • /x86-win-16-com
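To show why content analysis catches what an extension check misses, here is an added Python example; it is not Symantec's implementation. It recognizes only the MZ, NE and PE header signatures, and the function names and sample attachments are constructed for illustration.

```python
import struct

def classify_executable(data: bytes) -> str:
    """Classify bytes by content only; the file name is never consulted."""
    # DOS/Windows executables start with the "MZ" magic (rarely "ZM").
    if len(data) < 2 or data[:2] not in (b"MZ", b"ZM"):
        return "not-mz"
    if len(data) < 0x40:
        # Magic present but the 64-byte header is incomplete: a malformed
        # variant whose true type cannot be determined reliably.
        return "mz-truncated"
    # e_lfanew (offset 0x3C) points to the NE or PE header, if there is one.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew == 0 or e_lfanew + 4 > len(data):
        return "dos-mz"            # plain DOS program, or pointer past EOF
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        return "pe"                # 32/64-bit Windows executable or DLL
    if sig[:2] == b"NE":
        return "ne"                # 16-bit Windows executable
    return "dos-mz"

def make_sample(sig: bytes) -> bytes:
    """Constructed sample: 64-byte MZ header whose e_lfanew points at sig."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + sig + b"\0" * 20

def flag_attachments(attachments):
    """Return (name, kind) for every attachment that carries MZ content."""
    hits = []
    for name, data in attachments:
        kind = classify_executable(data)
        if kind != "not-mz":
            hits.append((name, kind))
    return hits

# Constructed attachments: the extensions deliberately disagree with content.
SAMPLES = [
    ("invoice.pdf", make_sample(b"PE\0\0")),   # executable renamed to .pdf
    ("notes.exe", b"plain text, no header"),   # harmless despite .exe name
    ("driver.txt", make_sample(b"NE\0\0")),    # 16-bit executable as .txt
    ("report.txt", b"MZ\x90\x00"),             # truncated header
]

if __name__ == "__main__":
    for name, kind in flag_attachments(SAMPLES):
        print(f"{name}: {kind}")
```

The `mz-truncated` result corresponds to the case in the note above: the magic bytes are present, but the file is not well formed enough to type with confidence.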

To configure executable file detection

  1. In the console on the primary navigation bar, click Policies.

  2. In the sidebar under Content Enforcement, click File Filtering Rules.

  3. In the content area, in the File Filtering Rules table, on the Executable File Rule row, click the box under the Status column, and use the drop-down menu to select Enabled.

    This rule is enabled by default.

  4. In the preview pane, in the Action to take list, use the drop-down menu to select one of the following to specify the action to take when an executable file is detected:

    • Delete entire message

    • Delete attachment/message body and replace with text

    • Quarantine entire message and replace with text

    • Quarantine attachment/message body and replace with text

    • Log only

    The default setting is: Quarantine entire message and replace with text.

  5. In the Replacement text box, type your customized message if you want to replace the message or the attachment body with a text message.

    The default text is: Symantec Mail Security replaced %attachment% with this text message. The original file contained %violation% and was %action%.

    See Alert and notification variables

  6. To send email notifications about the detection, check one or more of the following:

    • Notify administrators

      Click the down arrow and type your customized text in the Subject line box and the Message body box.

      The default subject line and message body text is as follows:

      • Default subject line text: Administrator Alert: Symantec Mail Security detected a message containing prohibited attachment

      • Default message body text: Location of the message: %location% Sender of the message: %sender% Subject of the message: %subject% The attachment(s) "%attachment%" and/or the message was %action%. This was done due to the following Symantec Mail Security settings: Scan %scan% Rule: %rule%

    • Notify internal sender

      Click the down arrow and type your customized text in the Subject line box and the Message body box. The default subject line and message body text is as follows:

      • Default subject line text: Symantec Mail Security detected a prohibited attachment in a message sent from your address

      • Default message body text: Subject of the message: %subject% Recipient of the message %recipient%

    • Notify external sender

      Click the down arrow and type your customized text in the Subject line box and the Message body box. The default subject line and message body text is as follows:

      • Default subject line text: Symantec Mail Security detected a prohibited attachment in a message sent from your address

      • Default message body text: Subject of the message %subject% Recipient of the message %recipient%

      See Alert and notification variables

  7. On the toolbar, click Deploy changes to apply your changes.

    See Deploying settings and changes to a server or group