FRISK Software International

How can I block attachments that arrive with incoming mails?

F-PROT Antivirus Mail Scanner allows you to create a stoplist of incoming attachments. The stoplist is a list of perl-compatible regular expressions. If an attachment matches the stoplist, it will be removed and stored in quarantine. All incoming attachments are checked in three different ways to ensure correct file type identification:

  • Filename
  • Mime type
  • File content via content fingerprinting

In addition, if other policies do not apply then F-PROT Antivirus compares the results of the three file type tests mentioned above and renames any file for which discrepancies are detected, in order to avoid automatic execution of disguised unknown threats.

This is the default stoplist, which is based on attachment file types restricted by Outlook 2003. You can add expression to or delete them from this list. These expressions will be applied to the file name of the attachment.

ade, adp, app, asp, bas, bat, cer, chm, cmd, com, cpl, crt, csh, exe, fxp, hlp, hta, inf, ins, isp, its, js, jse, ksh, lnk, mad, maf, mag, mam, maq, mar, mas, mat, mau, mav, maw, mda, mdb, mde, mdt, mdw, mdz, msc, msi, msp, mst, ops, pcd, pif, prf, prg, pst, reg, scf, scr, sct, shb, shs, tmp, url, vb, vbe, vbs, vsmacros, vss, vst, vsw, ws, wsc, wsf, wsh

Here are the file formats recognized by their file contents and MIME types.

File content recognized:


MIME type recognized:


For example, if an EXE file is received as an attachment then it is detected as an EXE file by the Mail Scanner regardless of its name as specified by the e-mail message. Then its name and the generated name "filetype.exe" are both matched against the stoplist.

Note: This stoplist is based on versions 4.6.4 of F-PROT Antivirus for UNIX and newer.

To create a stoplist:

The stoplist is a semicolon separated list of perl-compatible regular expressions.

By extension


By filename


If you want to add more files in the stoplist, add a pipe (|) right after the extension, e.g., SCANMAIL_STOPLIST="\.(exe|wmf)$".

How the F-PROT Antivirus Mail Scanner stoplist works

Situation 1: A clean attachment which is on the stoplist

The attachment will be removed.

Situation 2: An infected attachment which is on the stoplist

The infection will be detected. It will not be disinfected but rather removed since it is on the stoplist.

Situation 3: An attachment was renamed but the actual content is in the stoplist

Since F-PROT Antivirus checks the content of the file, even if the attachment has been renamed it will still be recognized. If the actual content matches the expressions of the stoplist, the attachment will be blocked. For example: .wmf files disguising to be .jpg or .png

For further information, see F-PROT Antivirus Mail Scanner.

Note: The banlist behaves the same way as the stoplist except that if the banlist applies then the attachment will not be stored in the quarantine.

See also:

Feedback | Contact Technical Support | Contact Sales Support

F-PROT Antivirus
- for Windows
- for UNIX
- for Exchange
F-PROT Antivirus
- for Windows
- for UNIX
- for Exchange
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Definitions of common antivirus terminology.

More information about F-Prot Antivirus for UNIX:
Help files
Manual pages