Forefront Server Security Forums, Antigen

Question: File Filtering Problem - Body of Message

  • Wednesday, October 28, 2009 12:52 PM, rewsteruk
    I am testing Antigen for SMTP gateways.

    I am trying to configure the server to block ALL attachments, except for certain types. Here is what I have configured (which is based on the example from Chapter 8 of the Antigen guide):

    <in>*
    File Types: only these checked BMPFILE, DOCFILE, GIFFILE, JPEG, OPENXMLFILE, PNGFILE, RTFFILE, TEXT, TIFFILE, TNEFFILE, UNICODE, WINEXCEL1, WINWORD1&2, WINWRITE
    Action: Skip: detect only
    General Send Notifications and Quarantine unchecked

    <in>*
    File Types: All Types selected
    Action: Delete: remove contents
    General: Quarantine Files

    I have sent through an email with an attachment A90ExQuickStart.pdf from a Hotmail account, but this breaks down to 3 incidents:

    1 removed file "A90ExQuickStart.pdf" FILE FILTER= <in>*
    2 removed file "body of message" FILE FILTER= <in>*

    In the logs the Body of Message is detected as fileType of 33 (FOBTYPE_TEXT_PLAIN)

    I am used to GFI MailEssentials, where the body of the message would be delivered with a text message saying the attachment has been removed. If I add a rule <in>Body Of Message, Action: Skip: detect only, General: Send Notifications and Quarantine unchecked, then this acts the same way as GFI. Is this the correct way to get this to work? Should the file scanner be checking the body of the message anyway?

    Paul

    Here are the diagnostic logs:


    Tue Oct 27 15:50:12 2009 ( 2832- 2844), "DIAGNOSTIC: Begin scanning SMTP message"
    Tue Oct 27 15:50:12 2009 ( 2832- 2844), "DIAGNOSTIC: Begin scanning SMTP Inbound message named: Tester 15:50"
    Tue Oct 27 15:50:27 2009 ( 2832- 2844), "INFORMATION: AVE multi engine manager enabled"
    Tue Oct 27 15:50:27 2009 ( 2832- 2844), "INFORMATION: Loading MultiMapper (10908, F000000)"
    Tue Oct 27 15:51:33 2009 ( 2832- 2844), "DIAGNOSTIC: Check allowed senders is scanning the sender address "paulrewston@hotmail.com" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"
    Tue Oct 27 15:51:33 2009 ( 2832- 2844), "DIAGNOSTIC: Check allowed senders has finished scanning the sender address "paulrewston@hotmail.com" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000) ulBypassTypes(0x00000000)"
    Tue Oct 27 15:51:33 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is performing the AseScan test on the message named "Tester 15:50" located in the "Inbound" folder"
    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner has finished the AseScan test with hResult(0x00000000)"
    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner detected a FileType of 33 (FOBTYPE_TEXT_PLAIN)"
    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder"
    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder with hResult(0x000C0100)"
    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"
    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x015C0101)"
    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is attempting to delete the file named "Body of Message""
    Tue Oct 27 15:51:35 2009 ( 2832- 2836), "INFORMATION: Internet scan found virus:
       Folder: SMTP Messages\Inbound
       Message: Tester 15:50
       File: Body of Message
       Incident: FILE FILTER=  <in>*
       State: Removed"
    Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner detected a FileType of 33 (FOBTYPE_TEXT_PLAIN)"
    Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder"
    Tue Oct 27 15:51:35 2009 ( 2316- 2360), "Changed Time: 2009/10/27 15:51:35"
    Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder with hResult(0x000C0100)"
    Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"
    Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x015C0101)"
    Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is attempting to delete the file named "Body of Message""
    Tue Oct 27 15:51:36 2009 ( 2832- 2836), "INFORMATION: Internet scan found virus:
       Folder: SMTP Messages\Inbound
       Message: Tester 15:50
       File: Body of Message
       Incident: FILE FILTER=  <in>*
       State: Removed"
    Tue Oct 27 15:51:36 2009 ( 2316- 2360), "Changed Time: 2009/10/27 15:51:36"
    Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner detected a FileType of 47 (FOBTYPE_PDFFILE)"
    Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner is scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder"
    Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner has finished scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder with hResult(0x000C0100)"
    Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner is scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"
    Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner has finished scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x015C0101)"
    Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is attempting to delete the file named "A90ExQuickStart.pdf""
    Tue Oct 27 15:51:36 2009 ( 2832- 2836), "INFORMATION: Internet scan found virus:
       Folder: SMTP Messages\Inbound
       Message: Tester 15:50
       File: A90ExQuickStart.pdf
       Incident: FILE FILTER=  <in>*
       State: Removed"
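The log above is easier to read as one record per scanned part than as a stream of DIAGNOSTIC lines. The following Python script is an added example (not from the post and not Antigen's own tooling): it walks lines in the format quoted above, groups each "detected a FileType" line with the virus-scan and File Filter hResult lines that follow it, and records whether the scanner then tried to delete that part. It does not decode the hResult values (the thread does not document them); it only correlates them with the delete step, which is enough to see that the message body is treated as a scanned file of type 33 (FOBTYPE_TEXT_PLAIN) and removed by the same rule as the PDF. The embedded excerpt is copied from the question's log (one body pass and the PDF pass).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the diagnostic log quoted in the question (copied, not constructed):
# one "Body of Message" pass followed by the A90ExQuickStart.pdf pass.
SAMPLE_LOG = '''\
Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner detected a FileType of 33 (FOBTYPE_TEXT_PLAIN)"
Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder"
Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder with hResult(0x000C0100)"
Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"
Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x015C0101)"
Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is attempting to delete the file named "Body of Message""
Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner detected a FileType of 47 (FOBTYPE_PDFFILE)"
Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner is scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder"
Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner has finished scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder with hResult(0x000C0100)"
Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner is scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"
Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner has finished scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x015C0101)"
Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is attempting to delete the file named "A90ExQuickStart.pdf""
'''

# Patterns for the line shapes seen in the log; the leading timestamp is "Tue Oct 27 15:51:34 2009".
TS_RE = re.compile(r'^(\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4})')
TYPE_RE = re.compile(r'detected a FileType of (\d+) \((\w+)\)')
SCAN_RE = re.compile(r'The IMS (Virus|File Filter) scanner is scanning the file named "([^"]+)"')
FINISHED_RE = re.compile(
    r'The IMS (Virus|File Filter) scanner has finished scanning the file named "([^"]+)"'
    r'.*hResult\((0x[0-9A-Fa-f]+)\)')
DELETE_RE = re.compile(r'attempting to delete the file named "([^"]+)"')


@dataclass
class ScanRecord:
    """One scanned part of the message: its detected type, both hResults, and the outcome."""
    timestamp: str
    file_name: Optional[str] = None
    type_code: Optional[int] = None
    type_name: Optional[str] = None
    virus_hresult: Optional[str] = None
    filter_hresult: Optional[str] = None
    deleted: bool = False


def parse_scan_log(text: str) -> List[ScanRecord]:
    """Group DIAGNOSTIC lines into one ScanRecord per 'detected a FileType' event."""
    records: List[ScanRecord] = []
    current: Optional[ScanRecord] = None
    for line in text.splitlines():
        ts = TS_RE.match(line)
        stamp = ts.group(1) if ts else ""
        m = TYPE_RE.search(line)
        if m:  # a new part starts with its type detection
            current = ScanRecord(timestamp=stamp, type_code=int(m.group(1)), type_name=m.group(2))
            records.append(current)
            continue
        if current is None:
            continue  # lines before the first detection (engine loading etc.) are skipped
        m = SCAN_RE.search(line)
        if m:
            current.file_name = m.group(2)
            continue
        m = FINISHED_RE.search(line)
        if m:
            if m.group(1) == "Virus":
                current.virus_hresult = m.group(3)
            else:
                current.filter_hresult = m.group(3)
            continue
        m = DELETE_RE.search(line)
        if m and m.group(1) == current.file_name:
            current.deleted = True
    return records


def removed_by_file_filter(records: List[ScanRecord]) -> List[str]:
    """Names of parts the scanner went on to delete, in log order."""
    return [r.file_name for r in records if r.deleted]


def body_scanned_as_file(records: List[ScanRecord]) -> bool:
    """True when the message body itself appears as a scanned 'file' (the thread's question)."""
    return any(r.file_name == "Body of Message" for r in records)


def type_histogram(records: List[ScanRecord]) -> dict:
    """Count scanned parts per detected FileType name."""
    counts: dict = {}
    for r in records:
        key = r.type_name or "UNKNOWN"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for r in parse_scan_log(SAMPLE_LOG):
        print(f"{r.timestamp}  {str(r.file_name):22} type={r.type_code} ({r.type_name}) "
              f"virus={r.virus_hresult} filter={r.filter_hresult} deleted={r.deleted}")
```

Run against the full log in the post, the parser yields three records (two body passes and the PDF), all with a File Filter hResult of 0x015C0101 followed by a delete, which is the same thing the three "Internet scan found virus" incidents say in condensed form.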


All Replies

  • Wednesday, October 28, 2009 1:00 PM, Christian Groebner [MVP]
    Hi,

    I would do that in another way.

    Create a filter list for files that blocks all (*.*) and on the exclusions side enter the extensions you would allow. Set the filter rule to purge and everything should work.

    Greetings

    Christian
    Christian Groebner MVP Forefront
  • Wednesday, October 28, 2009 3:41 PM, rewsteruk
    For some reason, when I try to add a file filter the Antigen Administrator crashes with Event ID 1000, so I will need to investigate that too.

    Would the method you suggest show the same issue described above with scanning the Body of Message as a file? The filter rule that purges everything else seems to cause this issue, which is why I added the <in>Body of Message rule.

    Paul
  • Wednesday, October 28, 2009 3:57 PM, Christian Groebner [MVP]
    Hi,

    My method is only looking at attached files.

    Greetings

    Christian
    Christian Groebner MVP Forefront
  • Wednesday, November 04, 2009 3:41 PM, rewsteruk
    Hi Christian

    Can I just ask another question?

    In the filter list "LC", on the include side I have typed *.*, and on the exclude side the files I want, i.e. *.pdf*, *.docx*, etc.

    Then in the FILE section I have selected the LC list. What do I do with the File Types check boxes? I presume that I would leave All Types ticked, as these check the container to see if the extension has been changed?

    If I do need to select the File Types for the types I have in my filter, then what extensions do I need to allow for TNEFFILE, UNICODE, etc.?

    Paul
  • Wednesday, November 04, 2009 4:50 PM, Christian Groebner [MVP]
    Hi Paul,

    Leave all types checked; the exclusion is made by the file extension. If you uncheck some file types, then the rule may not apply to some files you have set under exclusion.

    Greetings

    Christian
    Christian Groebner MVP Forefront
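To make the two configurations in this thread comparable, here is an added Python model (not code from the thread and not Antigen's implementation) of the filter semantics as the posts describe them: a rule is consulted only for parts whose detected file type is checked (with "All Types" matching everything), a name-based filter list selects parts by include pattern minus exclusion pattern, "Skip: detect only" logs but lets the part through, and "Delete/purge" removes it. It evaluates both Paul's original two-rule setup from the question and Christian's single "*.*"-with-exclusions rule, then the same rule with only some file types checked, which is the case Christian warns about. Assumptions: glob matching for the patterns, the type names from the question plus a constructed EXE type, the "ALL" sentinel for "All Types", and the constructed attachments setup.exe and notes.txt; in this model the body escapes the "*.*" pattern only because its pseudo-name has no extension, which the thread does not confirm as Antigen's actual reason.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Attachment:
    name: str           # name the scanner reports, e.g. "A90ExQuickStart.pdf" or "Body of Message"
    detected_type: str  # content type from the scanner, e.g. "PDFFILE", "TEXT" (EXE is constructed)


@dataclass
class FileFilterRule:
    """Simplified model of one file filter as described in the thread (assumed semantics)."""
    name: str
    include: List[str]    # filter-list include patterns, e.g. ["*.*"] or ["*"]
    exclude: List[str]    # filter-list exclusion patterns, e.g. ["*.pdf*"]
    file_types: Set[str]  # checked File Types boxes; {"ALL"} models "All Types"
    action: str           # "purge" (delete/remove contents) or "skip" (detect only)

    def applies_to(self, att: Attachment) -> bool:
        # A rule is consulted only for parts whose detected type is checked.
        if "ALL" not in self.file_types and att.detected_type not in self.file_types:
            return False
        # Within the rule, the filter list selects by name: include minus exclusion.
        return name_matches(att.name, self.include) and not name_matches(att.name, self.exclude)


def name_matches(name: str, patterns: List[str]) -> bool:
    """Case-insensitive glob match of a part name against any of the patterns."""
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def evaluate(rules: List[FileFilterRule], parts: List[Attachment]) -> Dict[str, str]:
    """Verdict per part: 'purged' if any applicable rule purges, 'detected' if only
    skip rules fired, otherwise 'delivered'."""
    outcome: Dict[str, str] = {}
    for att in parts:
        verdict = "delivered"
        for rule in rules:
            if not rule.applies_to(att):
                continue
            if rule.action == "purge":
                verdict = "purged"
                break
            verdict = "detected"  # skip: detect only, the part flows on
        outcome[att.name] = verdict
    return outcome


def purged_count(outcome: Dict[str, str]) -> int:
    return sum(1 for v in outcome.values() if v == "purged")


# Paul's original configuration from the question: a detect-only rule for the allowed
# types, plus a delete rule for all types, both on the "<in>*" pattern.
ALLOWED_TYPES = {"BMPFILE", "DOCFILE", "GIFFILE", "JPEG", "OPENXMLFILE", "PNGFILE", "RTFFILE",
                 "TEXT", "TIFFILE", "TNEFFILE", "UNICODE", "WINEXCEL1", "WINWORD1&2", "WINWRITE"}
ORIGINAL_RULES = [
    FileFilterRule("allowed types, detect only", ["*"], [], ALLOWED_TYPES, "skip"),
    FileFilterRule("everything else, delete", ["*"], [], {"ALL"}, "purge"),
]

# Christian's suggestion: one list "LC" blocking *.* with extension exclusions, all types checked.
ALLOW_LIST_RULE = FileFilterRule("LC", ["*.*"], ["*.pdf*", "*.docx*"], {"ALL"}, "purge")

# The same rule with only two file types checked (the case Christian says to avoid).
NARROWED_RULE = FileFilterRule("LC, types narrowed", ["*.*"], ["*.pdf*", "*.docx*"],
                               {"PDFFILE", "OPENXMLFILE"}, "purge")

# Constructed test message: the two parts from the log plus three made-up attachments.
SAMPLE_MESSAGE = [
    Attachment("Body of Message", "TEXT"),
    Attachment("A90ExQuickStart.pdf", "PDFFILE"),
    Attachment("minutes.docx", "OPENXMLFILE"),
    Attachment("setup.exe", "EXE"),
    Attachment("notes.txt", "TEXT"),
]

if __name__ == "__main__":
    for label, rules in [("original", ORIGINAL_RULES), ("allow list", [ALLOW_LIST_RULE]),
                         ("narrowed types", [NARROWED_RULE])]:
        print(label, evaluate(rules, SAMPLE_MESSAGE))
```

Under this model the original two rules purge the body and the PDF, matching the three incidents in the log: the detect-only rule never stops the delete rule from firing on the same part. The "*.*" list with exclusions delivers the PDF and DOCX and purges setup.exe and notes.txt, while the narrowed-type variant purges nothing at all, because the only parts it is consulted for are exactly the ones its exclusions let through. One pattern-hygiene check worth keeping in such a model: under glob semantics a trailing wildcard as in "*.pdf*" also matches names such as "quarterly.pdf.bak", so "*.pdf" is the tighter exclusion if that is what is meant.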