Filtering files by type and extension
Applies to: Forefront Security for Exchange Server
You can filter files in a number of ways:
By type. For example: the DOC file type
By extension. For example: *.exe
By name. For example: myfile.ext
By size. For example: >5mb
This section focuses on the difference between filtering by file type and by file extension. The Microsoft Forefront Security for Exchange Server User Guide, available at the Microsoft Forefront Security for Exchange Server TechNet Library, goes into detail about the other ways of filtering files, as well as how to configure all the file filtering options.
Filtering by file type
To filter file attachments by type, create a * file filter and select the file types you want filtered in the File Types section of the Administrator console. For example, create the filter * and set the File Types to MP3. This ensures that all MP3 files are filtered regardless of their file name or extension. Even if the file is renamed it will still be filtered. For example, if the file extension is renamed from .MP3 to .xyz, it will still be detected by the MP3 filter you configured.
One advantage of setting a generic * filter and associating it with a certain file type is that it reduces the chance of false positives since Forefront Security for Exchange Server (FSE) looks at the file header information instead of the file name. Therefore, it is recommended that you use this configuration whenever possible.
There is additional information on configuring file type filters for Office 2007 and older files in the "Microsoft Forefront Security for Exchange Server User Guide".
Filtering by file extension
To filter files that have a specific extension, you can create a generic filter for the extension and set the File Types selection to All Types.
For example: Create the filter *.exe* and set the File Types selection to All Types. The second asterisk (*) will prevent files with extra characters appended after the file extension from bypassing the filter. This ensures that all files with an .exe extension are filtered.
You can also set the File Types to a specific type. However, when doing so the file extension and file type must both match for the filter to be applied correctly. If the file extension filter does not match the extension of the attached file, the specified action will not be applied regardless of the file type.
As an example:
File Filter File Type Action
1) *.rtf DOC Skip: detect only
2) * All Types Delete: remove contents
If you send through an attachment with a .doc extension, for example filename.doc, it will be deleted rather than skipped. The first action listed of Skip: Detect only will not be applied but the second (Delete: remove contents) will be. Even though FSE recognizes the file as a Microsoft Word document, the file extension does not match the first extension filter of *.rtf. Even if you set the first filter to All Types instead of DOC, the attached file still will not match the filter because it does not have a .rtf extension.
However, if the file extension matches, the File Type is checked to see if it too matches, and if so, the action is applied, even on renamed files.
As an example:
File Filter File Type Action
1) *.doc DOC Delete: remove contents
If you rename an .exe to a .doc, FSE will not remove it. Although the file extension matches the filter, FSE is able to determine that the file is not a valid DOC file; therefore it does not match the file type you configured.
Recommended methods for configuring a file filter
In summary, the following are the recommended methods for configuring a file filter:
Create a * file filter and select the specific File Types (for example, DOC) you want filtered.
Create a generic filter for the extension (for example, *.exe*) and set File Types to All Types.
Create a generic filter for the extension (for example, *.exe*) and set File Types to a specific type. Note that this is the riskiest method since you must be sure of the file type and file extension when creating such a filter.
The "Microsoft Forefront Security for Exchange Server User Guide", available at the Microsoft Forefront Security for Exchange Server TechNet Library, describes the following additional topics related to file filtering:
Configuring file filters based on their size.
Creating filter lists containing multiple file filters.
Using wildcard characters to have your filter match patterns in the file name, rather than a specific file name.
Configuring a filter so that it checks only inbound or outbound messages.
Filtering container files.
Excluding the contents of a container file from being scanned for filter matches.
Using file filtering to block some file types and permit others.
Importing and exporting items into and from a file filter list.
Creating a filter set template, which can contain a combination of file filters and content filters.
Disabling file filtering for specific scan jobs.