FSOCS file filtering

 

Applies to: Forefront Security for Office Communications Server

The Microsoft Forefront Security for Office Communications Server (FSOCS) file-filter feature gives you the ability to search for attachments within a message by specifying a specific name, type, and size. If a match is found, the file filter can be configured to perform actions on the attachment, such as delete, quarantine, notify, and report the detected file. The file filter offers a flexible means to detect file attachments within messages.

File filtering can be configured to assess several aspects of an attached file, including the following:

  • The file name and extension
  • The actual file type
  • The file size

By using these criteria, you can filter files in a variety of ways.

Creating a file filter

You can configure the file filter by file types, extensions, or names. For more information, see Filtering by file type, Filtering by extension, and Filtering by name.

To create and configure a file filter

  1. In the Shuttle Navigator, click FILTERING, and then click the File icon.

  2. In the File Filtering pane, in the upper section, select the IM Scan Job.

  3. To detect files with a particular file name, in the File Names section, create a filter with that name, by clicking the Add button, and then typing the name of the file to be detected. Press ENTER when you are done. (There are also buttons with which to Edit and Delete existing entries.)

    To change the order in which a selected filter is executed, use the up and down arrows, which are on the same line as File Names.

    Optionally, the file filter can be configured to filter files, based on their size. To detect files by size, specify a comparison operator (=, >, <, >=, <=) and a file size in kilobytes (KB), megabytes (MB), or gigabytes (GB). (File sizes must be entered using the English size keywords KB, MB, and GB.) Place the operator and the file size immediately after the file name, with no spaces between the file name and the operator or the operator and the file size. In General Options, the Max Container File Size setting specifies the maximum container file size (in bytes) that FSOCS attempts to clean or repair, in the event that it discovers an infected file.

    Examples:

    *.bmp>=1.2MB   all .bmp files larger than or equal to 1.2 megabytes

    *.com>150KB     all .com files larger than 150 kilobytes

    *>5GB             all files larger than 5 gigabytes

  4. To specify the list of file types that can be associated with the selected file name, select one or more file types in the list, or select the All Types check box below the list.
    If the file type you want to associate with the selected file name is not available in the list, select the All Types check box. (For a description of the file types listed in the selection box, see FSOCS file types list.)

    Note

    The All Types selection configures FSOCS to filter based only on the file name and file extension. By selecting the All Types check box, FSOCS is configured to detect the selected file name, no matter what the file type. This prevents the potential of users bypassing the filter by simply changing the extension of a file.

    If you know the file type you are searching for, FSOCS works more efficiently if you select the appropriate file type rather than All Types. For example, if you want to filter all EXE files, create a filter named "*", and then set the file type to EXE.

  5. In the File Filter field, ensure that the file filter is set to Enabled. It is enabled by default.

  6. In the Action field, indicate the Action to take if there is a filter match.

  7. Indicate whether to send notifications for the selected file name, by using the Send Notifications check box. This does not affect reporting to the Incidents log. In addition, you must also configure the notifications (for more information, see FSOCS event notifications). Notifications are disabled by default.

  8. Indicate whether to quarantine files for the selected file name, by using the Quarantine Files check box. This is enabled by default. Enabling quarantine causes deleted files to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable.

  9. Optionally, you can specify deletion text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the filter. To create your own custom message, click the Deletion Text button.

    Note

    FSOCS provides keywords that can be used in the deletion text field in order to obtain information from the message in which the infection was found. For more information about keywords, see FSOCS keyword substitution macros.

  10. Click Save.

Filtering by file type

If you want to filter certain file types, you can create a filter named "*" and use the check boxes in the File Types section to indicate the exact file types you want to filter.

For example, create the filter *, and then set the File Types to MP3. This ensures that all MP3 files are filtered, no matter what their file name or extension.

One advantage of setting a generic filter (for example, *) and associating it with a certain file type (for example, EXE) is that it prevents the potential of users bypassing the filter by simply changing the extension of a file.

Note

If you want to filter Microsoft Office 2003 and earlier Microsoft Office Excel® files, you must enter .xls or in the File Name box, and then select both WINEXCEL and DOCFILE in the File Type list. Excel 1.x files are WINEXCEL type files, but newer versions of Excel are DOCFILE file types.
For Microsoft Office 2007 documents (Word, Excel, and PowerPoint®), in the File Name box, you should enter the proper file extension, and then in the File Types list, select OPENXML.

Filtering by extension

If you want to filter any type of file that has a certain extension, you can create a generic filter for the extension and set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: Create the filter *.exe* and set the File Types selection to All Types. This ensures that all files with an .exe extension are filtered.

Important

When creating generic file filters in order to block all of a certain type of file (for example .exe files), it is recommended that you write the filter in this format: *.exe* The second asterisk prevents files that have extra characters appended after the file extension from bypassing the filter.

Note

It is recommended that you avoid the use of the generic filter * with the File Types set to All Types. This filter configuration could result in the reporting of repeated detections.

Filtering by name

If you want to filter all files with a certain name, you can create a filter by using the file name and set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: If a virus uses an attached file named payload.doc, you can create the filter payload.doc and set the File Types selection to All Types. This ensures that any file named payload.doc is filtered, no matter what the file type.

Detecting file attachments by name is also useful when there is an outbreak of a new virus and you know the name of the file in which the virus resides before your virus scanners are updated to detect it. A perfect example of this is the Melissa worm. It resided in a file named List.doc and could have been detected by FSOCS by using a file filter, even before virus scanners could detect it.

Action

On the File Filter pane, in the Action field, select the action that you want FSOCS to perform when a file filter is matched. By default, it is set to Delete: remove contents.

Note

You must set the action for each file filter you configure. The Action setting is not global.

Action Description

Skip: detect only

Records the number of messages that meet the filter criteria, but enables messages to route normally. If, however, the Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files check boxes are selected in General Options, a match to any of those conditions causes the item to be deleted.

Delete: remove contents

Deletes the file attachment. The detected file attachment is removed from the message, and the deletion text is inserted in its place.

Block: prevent transfer

Prevents the IM message or transferred file from reaching the intended recipient.

Editing a file filter

Once you have created a file filter, it can be modified.

To edit a file filter

  1. In the Shuttle Navigator, click FILTERING, and then click the File icon.

  2. In the File Filtering pane, in the upper section, select the IM Scan Job.

  3. Make the required changes to the various fields. The changes apply to the selected scan job.

  4. Click Save. Making any change to the configuration activates the Save and Cancel buttons. If you make changes to the selected scan job and try moving to another scan job or shuttle icon without saving the changes, you are prompted to save or discard your changes.

Matching patterns in the file name with wildcard characters

Use wildcard characters in order to have your filter match patterns in the file name, rather than a specific file name. You can use any of the following to refine your filters.

Wildcard character Description

*

Used to match any number of characters in a file name. You can use multiple asterisks. The following are some examples of its usage:

  • Single:   Any of these single wildcard character patterns would detect veryevil.doc: veryevil.*, very*.doc, very*, *il.doc.
  • Multiple:   Any of these multiple wildcard character patterns would detect eicar.com: e*c*r*om, ei*.*, *car.*.

    Note

    Use multiple asterisks in order to filter file attachments with multiple extensions. For example: love*.*

?

Used to match any single character in a name where a single character may change. For example:

virus?.exe would match virusa.exe, virus1.exe, or virus$.exe. However, this filter would not catch virus.exe.

[set]

Used to indicate a list of characters and ranges, enclosed in square brackets [abcdef]. Any single character in the specified set is matched. For example:

klez[a-h].exe would match kleza.exe through klezh.exe.

[^set]

Used to exclude characters that you know are not used in the file name. For example:

klez[^m-z].exe would not match klezm.exe through klezz.exe.

[range]

Used to indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example:

klez[ad-gp].exe would match kleza.exe, klezd.exe, klezf.exe, and klezp.exe, but not klezb.exe or klezr.exe.

\char

Indicates that special characters are used literally. (The characters are: * ? [ ] - ^ < >.) The backslash is called an escape character and indicates that a reserved control character is to be taken literally, as a text character. For example:

If you enter *hello*, you would normally expect to match hello anywhere in the file name. If you enter *\*hello\**, you would match *hello*. If you enter *\*hello\?\**, you would match *hello?*.

Note

You must use a \ before each special character.
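The wildcard table above and the size suffix described in step 3 of the create procedure, worked through in code. This is an added Python example, not code from the original page and not FSOCS code: it translates a File Names entry into an anchored, case-insensitive regular expression (handling *, ?, [set], [^set], ranges and the backslash escape), peels off an optional size comparison, and checks an attachment's name and size against the entry. The binary multipliers (1 KB = 1024 bytes) and the choice to treat a size rule as unmatched when the attachment's size is unknown are assumptions; the <in> and <out> direction prefixes are not handled here.

```python
import operator
import re

# Multipliers for the English size keywords the filter syntax accepts.
# Assumption (not stated on the page): binary multiples, so 1 KB = 1024 bytes.
_UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
_OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt,
        ">=": operator.ge, "<=": operator.le}
# Optional size comparison glued to the end of the name: no spaces anywhere.
_SIZE_RE = re.compile(
    r"^(?P<name>.*?)(?P<op>>=|<=|=|>|<)(?P<num>\d+(?:\.\d+)?)(?P<unit>KB|MB|GB)$")


def pattern_to_regex(pattern):
    """Translate an FSOCS file-name pattern (*, ?, [set], [^set], \\char)
    into an anchored, case-insensitive regular expression."""
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped control char: literal
            i += 2
        elif c == "*":
            parts.append(".*")  # any number of characters
            i += 1
        elif c == "?":
            parts.append(".")  # exactly one character
            i += 1
        elif c == "[":
            end = pattern.find("]", i + 1)
            body = pattern[i + 1:end] if end != -1 else ""
            negate = body.startswith("^")
            if negate:
                body = body[1:]
            if not body:
                parts.append(re.escape(c))  # lone or empty bracket: literal
                i += 1
                continue
            # Ranges such as a-h pass through; other class metacharacters are neutralised.
            body = body.replace("\\", "\\\\").replace("]", "\\]").replace("[", "\\[")
            parts.append("[" + ("^" if negate else "") + body + "]")
            i = end + 1
        else:
            parts.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_entry(entry):
    """Split a File Names entry into (name pattern, size rule).
    The size rule is None or a tuple (operator, threshold in bytes)."""
    m = _SIZE_RE.match(entry)
    if m is None:
        return entry, None
    threshold = float(m.group("num")) * _UNITS[m.group("unit")]
    return m.group("name"), (m.group("op"), threshold)


def entry_matches(entry, filename, size_bytes=None):
    """True when the attachment name (and, if the entry has one, its size)
    satisfies the filter entry. Matching is not case-sensitive."""
    name_pattern, size_rule = parse_entry(entry)
    if pattern_to_regex(name_pattern).match(filename) is None:
        return False
    if size_rule is None:
        return True
    if size_bytes is None:
        return False  # assumption: a size rule cannot match an unknown size
    op, threshold = size_rule
    return _OPS[op](size_bytes, threshold)


if __name__ == "__main__":
    # Constructed sample: the page's own patterns against a few attachment names.
    for entry, name, size in [("*.exe*", "payload.exe.txt", None),
                              ("*.exe", "payload.exe.txt", None),
                              ("*.bmp>=1.2MB", "photo.bmp", 2 * 1024 ** 2),
                              ("klez[ad-gp].exe", "klezb.exe", None)]:
        print(f"{entry!r:20} {name!r:20} -> {entry_matches(entry, name, size)}")
```

Running the block against a candidate name such as payload.exe.txt shows why the Important note under Filtering by extension asks for the trailing asterisk: *.exe* matches it and *.exe does not.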

Directional file filters

When using the file filter in conjunction with the IM Scan Job, you can configure a filter so that it only checks inbound or outbound messages. This is accomplished by adding an <in> or <out> prefix to the file name when entering it in the File Names pane.

For information about the inbound, outbound, and internal designations, see IM Scan Job.

Note

There are no spaces between the prefix and the file name.

Note

The prefixes <in> (for inbound messages) and <out> (for outbound messages) must be entered in English.

Inbound filtering

Prefixing the file name with the <in> directive instructs FSOCS to apply this filter only to inbound messages. Inbound filtering is formatted as follows:

<in>filename

Outbound filtering

Prefixing the file name with the <out> directive instructs FSOCS to apply this filter only to outbound messages. Outbound filtering is formatted as follows:

<out>filename

Inbound, outbound, and internal filtering

If no prefix is appended to the file name, the filter is applied to all messages, regardless of direction.

Filtering container files

Container files can be broadly described as complex files that can be broken down into various parts. FSOCS can scan the following container files for filter matches:

  • PKZip (.zip)
  • GNU Zip (.gzip)
  • Self-Extracting .zip archives
  • Zip files (.zip)
  • Java archive (.jar)
  • TNEF (Winmail.dat)
  • Structured storage (for example: .doc, .xls, or .ppt)
  • OPENXML (for example: .docx, .xlsx, or .pptx)
  • MIME (.eml)
  • SMIME (.eml)
  • UUEncode (.uue)
  • Unix tape archive (.tar)
  • RAR archive (.rar)
  • MACBinary (.bin)

FSOCS scans all parts of the container file and repacks the file as necessary. For example, if you configure a file filter to delete all .exe files, FSOCS deletes .exe files inside container files (replacing them with the deletion text) but leaves all other files in the container intact.

Note

FSOCS cannot scan password-protected files or encrypted files. These files are always passed to the antivirus scanners in their entirety in their encrypted form.

Excluding the contents of a container file from file filtering

To exclude the contents of a .zip (container file) from being scanned for filter matches, specify the name of the .zip file in the file-filter list and set the action to Skip. The order of the filters in the list is not important. If the name of the .zip file is in the file-filter list and its action is set to Skip, its contents are not scanned by the file filters. The file is, however, scanned for viruses. If you would like to skip filtering all .zip files, create the filter: *.zip and set the action to Skip.

Note

By default, this functionality only applies to .zip and .jar files. If you would like to enable this functionality for other archive types (TAR, GZIP, RAR, Macintosh, SMIME, and Self-Extracting .zip archives), you can set the following DWORD registry value for the IM Scan Job:

SkipFileFilterWithinCompressedInternet

For the location of these registry keys, see FSOCS registry keys. After creating each registry value, it should be set to 1 to enable file filtering in the specified archive types.

Note

OPENXML files (for example, Office 2007 documents) are ZIP container files, but the ZIP container settings do not affect them.

Using file filtering in order to block most file types

You can use file filters in order to block some file types and permit others. The files permitted through in this example are Office files, which tend to be safer than other kinds. It takes two file filters for this to work properly.

Note

Be sure that File Filter 1 is created before File Filter 2, as the filters are applied in order, from top to bottom.

First, create a file filter to permit Office files through. For this example, we will call it File Filter 1.

To create File Filter 1

  1. In the Shuttle Navigator, click FILTERING, and then click the File icon.

  2. In the File Filtering pane, create a new file filter by following these steps:

    1. Click Add.
    2. In the File Name box, type <in>*, and then press ENTER.
    3. In the File Types section, clear the All Types check box, and then click Yes to confirm.
    4. Select the DOC, OPENXML, and TNEF file types. (TNEF is required because it is the wrapper around file attachments for internal mail.)
    5. In the Action list, click Skip: detect only.
    6. Clear the Quarantine Files check box, and then click Save.

Next, create a filter to block all files. We will call it File Filter 2. As long as you have created File Filter 1 first, Office files are permitted, and all other files are blocked.

To create File Filter 2

  1. In the Shuttle Navigator, click FILTERING, and then click the File icon.

  2. In the File Filtering pane, create a new file filter by following these steps:

    1. Click Add.
    2. In the File Name box, type *, and then press ENTER.
    3. In the File Types section, ensure that the All Types check box is selected.
    4. In the Action list, click either Block or Purge, as desired.
    5. Select the Quarantine Files check box and the Send Notifications check box, and then click Save.

File filter lists

As well as creating individual file filters, you can create lists of them in order to have collections of filters for use by different scan jobs or to organize your filters. The individual filters are created in the same way as previously described, but now, each filter is part of a list.

Creating a file filter list

Begin by creating a new file filter list.

To create a file filter list

  1. In the Shuttle Navigator, in the FILTERING section, click the Filter Lists icon.

  2. In the List Types pane, click Files.

  3. In the List Names section, click the Add button, type a name for the new list, and then press ENTER. The empty list appears in the List Names section.

  4. In the List Names section, select the new list name, and then click the Edit button.

  5. In the Edit Filter List dialog box, add file names to the list.

  6. In the Include In Filter section, click the Add button.

    1. Type a file name to be included in the filter list. When you are finished typing, press ENTER. You may have as many items as you want, but each must be entered separately. Each follows all the rules already discussed for creating single file filters.
    2. In the Exclude From Filter section, enter file names that should never be included on the file-filter list. This prevents those file names from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.
    3. When you are finished adding items, click OK. The list of items you just entered appears, alphabetically, in the pane next to List Names.
  7. Click Save.

  8. Configure the filter list the same way as described in Creating a file filter.

Importing items into a filter list

Data for filter lists may be created offline in Notepad or a similar text editor and then imported into the appropriate filter list by using the Forefront Server Security Administrator. Note that FSOCS can only import lists that are UTF-16 or ANSI files. Other Unicode types will not be properly imported.

To create and import entries into a filter list

  1. When creating a list, place each filter on its own line in the file, and then save the list as a text file.

  2. In the Shuttle Navigator, in the FILTERING section, click Filter Lists.

  3. Select the filter list into which you will be importing data, and then click Edit.

  4. In the Edit Filter List dialog box, click the Import button. A Windows Explorer window opens. Use it to navigate to the text file you created in step 1.

  5. Select the file, and then click Open. The file is imported into the middle pane of the Import List editor.

  6. If you want to move all the items into the Include In Filter section, use the <=== button.
    If you want to move single items into the Include In Filter section, use the <--- button.
    If you want to move items into the Exclude From Import section, use the right-pointing arrows.

  7. When you have moved all the desired items, click OK.

  8. Click Save.

Filter set templates

Filter set templates can be created for use with any FSOCS scan job. A single filter set template can be associated with any or all of the scan jobs, and you can also create multiple filter set templates for use on different servers or different scan jobs. For information on creating and configuring filter set templates, see "Filter Set Templates" in FSOCS content filtering.

International character sets

Support for file filtering by name in FSOCS extends beyond the English character set. For example, messages with an attachment or subject line that includes Japanese characters, words, or phrases are handled in the same manner as English character sets.

Statistics logging

The Incidents pane contains statistics counters that log the number of attachments that meet specified criteria and thus cause the message in which they reside to be purged. These counters can also be found in the Windows Performance snap-in.