File Filtering – File Type versus File Extension
My name is Holly Kipp and I’m a Security Support Engineer on the Antigen/Forefront Server Security team in New York. I’ve worked with Antigen for seven years and some of the most frequently asked questions from clients are about the difference between filtering files by type and by extension. I’m going to use Forefront Security for Exchange Server (FSE) as an example, but the concept is the same for Forefront Security for SharePoint and Antigen for Exchange.
File Filtering Basics
You can filter files in a number of ways:
· By type, for example DOC file type
· By extension, for example *.exe
· By name, for example, filename.extension
· By size, for example >5mb
I’m going to focus on just the difference between file type and file extension. The Forefront/Antigen User Guides go into detail about the other ways of filtering files, as well as how to configure all the file filtering options.
Filtering by file type
To filter file attachments by type, create a * file filter and select the file types you want filtered in the File Types section of the Administrator console. For example, create the filter * and set the File Types to MP3. This will ensure that all MP3 files are filtered regardless of their file name or extension. Even if the file is renamed it will still be filtered. For example, if the file extension is renamed from .MP3 to .xyz, it will still be detected by the MP3 filter you configured.
One advantage of setting a generic * filter and associating it with a certain file type is that it reduces the chance of false positives since FSE will look at the file header information instead of the file name. Therefore, it is recommended that you use this configuration whenever possible.
Note: There is additional information on configuring file type filters for Office 2007 and older files in the Forefront/Antigen User Guides.
Filtering by file extension
To filter files that have a specific extension, you can create a generic filter for the extension and set the File Types selection to All Types.
For example: Create the filter *.exe* and set the File Types selection to All Types. The second asterisk (*) will prevent files with extra characters appended after the file extension from bypassing the filter. This ensures that all files with an .exe extension are filtered.
You can also set the File Types to a specific type. However, when doing so the file extension and file type must both match for the filter to be applied correctly. If the file extension filter does not match the extension of the attached file, the specified action will not be applied regardless of the file type.
File Filter File Type Action
1) *.rtf DOC Skip: Detect only
2) * All Types Delete: remove contents
If you send through an attachment with a .doc extension, for example filename.doc, it will be deleted rather than skipped. The first action listed of Skip will not be applied but the second (Delete) will be. Even though FSE will recognize the file as a Word doc, the file extension doesn't match the first extension filter of *.rtf. Even if you set the first filter to All Types instead of DOC, the attached file still won't match the filter because it does not have a .rtf extension.
However, if the file extension matches, the File Type is checked to see if it too matches, and if so, the Action is applied, even on renamed files.
File Filter File Type Action
1) *.doc DOC Delete: remove contents
If you rename an .exe to a .doc, Antigen will not remove it. Although the file extension matches the filter, FSE is able to determine that the file is not a valid DOC file; therefore it does not match the file type you configured.
In summary, the following are the recommended methods for configuring a file filter:
· Create a * file filter and select the specific File Types (for example, DOC) you want filtered.
· Create a generic filter for the extension (for example, *.exe* ) and set File Types to All Types.
· Create a generic filter for the extension (for example, *.exe* ) and set File Types to a specific type. Note that this is the riskiest method since you must be sure of the file type and file extension when creating such a filter.
The Forefront Security for Exchange Server User Guide describes the following additional topics related to file filtering:
- Configuring file filters based on their size.
- Creating filter lists containing multiple file filters.
- Using wildcard characters to have your filter match patterns in the file name, rather than a specific file name.
- Configuring a filter so that it checks only inbound or outbound messages.
- Filtering container files.
- Excluding the contents of a container file from being scanned for filter matches.
- Using file filtering to block some file types and permit others.
- Importing and exporting items into/from a file filter list.
- Creating a filter set template, which can contain a combination of file filters and content filters.
- Disabling file filtering for specific scan jobs.
For quick assistance with file filtering or any other Antigen or Forefront problem, please visit our Forum:
CSS Security Support Engineer (Antigen/Forefront Server Security)