サインイン
 
ホームライブラリラーニングダウンロードサポートセミナー、ブログフォーラム
IT プロフェッショナルのための技術情報サイト > フォーラム ホーム > Antigen > File Filtering Problem - Body of Message
質問する質問する
フォーラムを検索:
 

質問File Filtering Problem - Body of Message

  • 2009年10月28日 12:52rewsteruk ユーザーのメダルユーザーのメダルユーザーのメダルユーザーのメダルユーザーのメダル
     
    サインインして投票
    0
    サインインして投票
    I am testing Antigen for SMTP gateways.

    I am trying to configure the server to block ALL attachments, except for certain types, here is what I have configured (which based on example from Chapter 8 of the Antigen guide):

    <in>*
    File Types: only these checked BMPFILE, DOCFILE, GIFFILE, JPEG, OPENXMLFILE, PNGFILE, RTFFILE, TEXT, TIFFILE, TNEFFILE, UNICODE, WINEXCEL1, WINWORD1&2, WINWRITE
    Action: Skip: detect only
    General Send Notifications and Quarantine unchecked

    <in>*
    File Types: All Types selected
    Action: Delete: remove contents
    General: Quarantine Files

    I have sent through an email with an attachment A90ExQuickStart.pdf from a Hotmail account, but this is breaks down to 3 incidents:

    1 removed file "A90ExQuickStart.pdf" FILE FILTER= <in>*
    2 removed file "body of message" FILE FILTER= <in>*

    In the logs the Body of Message is detected as fileType of 33 (FOBTYPE_TEXT_PLAIN)

    I am used to GFI Mail essentials where the body of message would be delivered with a text message saying the attachment has been removed, if I add a rule <in>Body Of Message  , Action Skip: detect only , General Send Notifications and Quarantine unchecked, then this acts the same way as GFI, is this a correct way to get this to work? Should the file scanner be checking the body of message anyway?

    Paul

    Here are the diagnostic logs:


    Tue Oct 27 15:50:12 2009 ( 2832- 2844), "DIAGNOSTIC: Begin scanning SMTP message"

    Tue Oct 27 15:50:12 2009 ( 2832- 2844), "DIAGNOSTIC: Begin scanning SMTP Inbound message named: Tester 15:50"

    Tue Oct 27 15:50:27 2009 ( 2832- 2844), "INFORMATION: AVE multi engine manager enabled"

    Tue Oct 27 15:50:27 2009 ( 2832- 2844), "INFORMATION: Loading MultiMapper (10908, F000000)"

    Tue Oct 27 15:51:33 2009 ( 2832- 2844), "DIAGNOSTIC: Check allowed senders is scanning the sender address "paulrewston@hotmail.com" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"

    Tue Oct 27 15:51:33 2009 ( 2832- 2844), "DIAGNOSTIC: Check allowed senders has finished scanning the sender address "paulrewston@hotmail.com" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000) ulBypassTypes(0x00000000)"

    Tue Oct 27 15:51:33 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is performing the AseScan test on the message named "Tester 15:50" located in the "Inbound" folder"

    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner has finished the AseScan test with hResult(0x00000000)"

    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner detected a FileType of 33 (FOBTYPE_TEXT_PLAIN)"

    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder"

    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder with hResult(0x000C0100)"

    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"

    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x015C0101)"

    Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is attempting to delete the file named "Body of Message""

    Tue Oct 27 15:51:35 2009 ( 2832- 2836), "INFORMATION: Internet scan found virus:

       Folder: SMTP Messages\Inbound

       Message: Tester 15:50

       File: Body of Message

       Incident: FILE FILTER=  <in>*

       State: Removed"

    Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner detected a FileType of 33 (FOBTYPE_TEXT_PLAIN)"

    Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder"

    Tue Oct 27 15:51:35 2009 ( 2316- 2360), "Changed Time: 2009/10/27 15:51:35"

    Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder with hResult(0x000C0100)"

    Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"

    Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x015C0101)"

    Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is attempting to delete the file named "Body of Message""

    Tue Oct 27 15:51:36 2009 ( 2832- 2836), "INFORMATION: Internet scan found virus:

       Folder: SMTP Messages\Inbound

       Message: Tester 15:50

       File: Body of Message

       Incident: FILE FILTER=  <in>*

       State: Removed"

    Tue Oct 27 15:51:36 2009 ( 2316- 2360), "Changed Time: 2009/10/27 15:51:36"

    Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner detected a FileType of 47 (FOBTYPE_PDFFILE)"

    Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner is scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder"

    Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner has finished scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder with hResult(0x000C0100)"

    Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner is scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"

    Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner has finished scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x015C0101)"

    Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is attempting to delete the file named "A90ExQuickStart.pdf""

    Tue Oct 27 15:51:36 2009 ( 2832- 2836), "INFORMATION: Internet scan found virus:

       Folder: SMTP Messages\Inbound

       Message: Tester 15:50

       File: A90ExQuickStart.pdf

       Incident: FILE FILTER=  <in>*

       State: Removed"


     

すべての返信

  • 2009年10月28日 13:00Christian Groebner [MVP]MVPユーザーのメダルユーザーのメダルユーザーのメダルユーザーのメダルユーザーのメダル
     
    サインインして投票
    0
    サインインして投票
    Hi,

    I would do that in another way.

    Create a filterlist for files that blocks all (*.*) and on the exclusions side enter the extensions you would allow. Set the filterrule to purge and everything should do well.

    Greetings

    Christian
    Christian Groebner MVP Forefront
     
  • 2009年10月28日 15:41rewsteruk ユーザーのメダルユーザーのメダルユーザーのメダルユーザーのメダルユーザーのメダル
     
    サインインして投票
    0
    サインインして投票
    For some reason when I try to add a file filter the Antigen Administrator crashes with Event ID 1000, so will need to investigate that too.

    Would the method you suggest show the same issue described above with scanning the Body of Message as a file? as the filter rule that purges everything else seems to cause this issue, which is why I added the <in>Body of Message rule.

    Paul
     
  • 2009年10月28日 15:57Christian Groebner [MVP]MVPユーザーのメダルユーザーのメダルユーザーのメダルユーザーのメダルユーザーのメダル
     
    サインインして投票
    0
    サインインして投票
    Hi,

    my method is only looking at attached files.

    Greetings

    Christian
    Christian Groebner MVP Forefront
     
  • 2009年11月4日 15:41rewsteruk ユーザーのメダルユーザーのメダルユーザーのメダルユーザーのメダルユーザーのメダル
     
    サインインして投票
    0
    サインインして投票
    Hi Christian

    Can I just ask another question.

    In the filter list "LC", I have on the include side i have typed *.* , in the exclude the files I want ie *.pdf*, *.docx* etc etc

    Then in the FILE section I have seleted the LC list, what do I do with the File Types check boxes, I presume that I would leave the All Types ticked as these check the container to see if the extension has been changed?

    If I do need to select the File Types for the types I have in my filter then what extensions do I need to allow for TNEFFILE, UNICODE etc?

    Paul
     
  • 2009年11月4日 16:50Christian Groebner [MVP]MVPユーザーのメダルユーザーのメダルユーザーのメダルユーザーのメダルユーザーのメダル
     
    サインインして投票
    0
    サインインして投票
    Hi Paul,

    leave all types checked, the exclusion is made by the file extension. If you uncheck some filetypes then the rule maybe wouldn't apply to some files you have set under exclusion.

    Greetings

    Christian
    Christian Groebner MVP Forefront