How can I block attachments that arrive with incoming mails?
F-PROT Antivirus Mail Scanner allows you to create a stoplist of incoming attachments. The stoplist is a list of Perl-compatible regular expressions. If an attachment matches the stoplist, it will be removed and stored in quarantine. All incoming attachments are checked in three different ways to ensure correct file type identification:
In addition, if no other policy applies, F-PROT Antivirus compares the results of the three file type tests mentioned above and renames any file for which discrepancies are detected, in order to avoid automatic execution of disguised unknown threats.
This is the default stoplist, which is based on attachment file types restricted by Outlook 2003. You can add expressions to this list or delete them from it. These expressions will be applied to the file name of the attachment.
ade, adp, app, asp, bas, bat, cer, chm, cmd, com, cpl, crt, csh, exe, fxp, hlp, hta, inf, ins, isp, its, js, jse, ksh, lnk, mad, maf, mag, mam, maq, mar, mas, mat, mau, mav, maw, mda, mdb, mde, mdt, mdw, mdz, msc, msi, msp, mst, ops, pcd, pif, prf, prg, pst, reg, scf, scr, sct, shb, shs, tmp, url, vb, vbe, vbs, vsmacros, vss, vst, vsw, ws, wsc, wsf, wsh
Here are the file formats recognized by their file contents and MIME types.
File content recognized:
EXE, WMF, JPEG, GIF, PNG, TIFF
MIME type recognized:
EXE, WMF, JPEG, GIF, PNG, TIFF, JS, HTML, TXT
For example, if an EXE file is received as an attachment, the Mail Scanner detects it as an EXE file regardless of the name specified by the e-mail message. Both that name and the generated name "filetype.exe" are then matched against the stoplist.
Note: This stoplist is based on versions 4.6.4 and newer of F-PROT Antivirus for UNIX.
To create a stoplist:
The stoplist is a semicolon-separated list of Perl-compatible regular expressions.
To add more file types to the stoplist, add a pipe (|) right after the existing extension, followed by the new one, e.g., SCANMAIL_STOPLIST="\.(exe|wmf)$".
How the F-PROT Antivirus Mail Scanner stoplist works
Situation 1: A clean attachment which is on the stoplist
The attachment will be removed.
Situation 2: An infected attachment which is on the stoplist
The infection will be detected. It will not be disinfected but rather removed since it is on the stoplist.
Situation 3: An attachment was renamed but the actual content is in the stoplist
Since F-PROT Antivirus checks the content of the file, the attachment will still be recognized even if it has been renamed. If the actual content matches the expressions of the stoplist, the attachment will be blocked. For example: .wmf files disguised as .jpg or .png.
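The matching described above, sketched in Python as an added example (not F-PROT's own code): the declared file name and the generated "filetype.<ext>" name are both tested against a semicolon-separated stoplist, and a name/content mismatch is reported. The magic-byte table, the function names, case-insensitive matching and the use of Python's re module in place of PCRE are assumptions of this sketch.

```python
import re

# Magic bytes for the content-recognized formats the page lists (table added here).
MAGIC = [
    (b"MZ", "exe"), (b"\xd7\xcd\xc6\x9a", "wmf"),   # wmf: placeable header only
    (b"\xff\xd8\xff", "jpg"), (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"), (b"II*\x00", "tif"), (b"MM\x00*", "tif"),
]
ALIASES = {"jpg": ("jpg", "jpeg"), "tif": ("tif", "tiff")}

def parse_stoplist(value):
    """Split the semicolon-separated stoplist and compile each expression."""
    # Assumption: case-insensitive matching; Python's re stands in for PCRE.
    return [re.compile(p, re.IGNORECASE) for p in value.split(";") if p.strip()]

def sniff(content):
    """Return the extension implied by the leading bytes, or None if unknown."""
    for magic, ext in MAGIC:
        if content.startswith(magic):
            return ext
    return None

def candidate_names(filename, content):
    """Declared name plus the generated 'filetype.<ext>' name, when recognized."""
    ext = sniff(content)
    return [filename] + (["filetype." + ext] if ext else [])

def is_blocked(stoplist, filename, content):
    """True if any stoplist expression matches any candidate name."""
    names = candidate_names(filename, content)
    return any(rx.search(name) for rx in stoplist for name in names)

def has_discrepancy(filename, content):
    """True when the declared extension disagrees with the content type."""
    ext = sniff(content)
    if ext is None:
        return False
    suffix = filename.lower().rsplit(".", 1)[-1]
    return suffix not in ALIASES.get(ext, (ext,))

# Constructed samples: a WMF renamed to .jpg and a genuine PNG.
STOPLIST = parse_stoplist(r"\.(exe|wmf)$;\.scr$")
WMF_AS_JPG = ("holiday.jpg", b"\xd7\xcd\xc6\x9a" + b"\x00" * 18)
REAL_PNG = ("chart.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)

if __name__ == "__main__":
    for name, data in (WMF_AS_JPG, REAL_PNG):
        print(name, candidate_names(name, data),
              is_blocked(STOPLIST, name, data), has_discrepancy(name, data))
```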
For further information, see F-PROT Antivirus Mail Scanner.
Note: The banlist behaves the same way as the stoplist except that if the banlist applies then the attachment will not be stored in the quarantine.