Emails with wmz files being sent to system quarantine

Author: pshute (New Member), 2017/11/29 12:48:24


We've had Fortimail for a few months, and have only recently discovered that emails with wmz attachments are being moved to system quarantine. Probably about 20, from perhaps 4 different senders, over 3 months. Important emails that need to get through.
 
It appears that these attachments are small images used in some senders' signatures.
 
Fortinet tech support has advised deleting the executable_windows file filter from the CF_Inbound content profile. That seems a bit extreme - I think it would also allow through exe files and many others. They say there's no way to strip them from the emails instead.
 
Can anyone please advise:
- are you also seeing these attachments resulting in quarantined emails?
- is allowing them through the appropriate course of action? Should I instead be advising the senders not to include them? (I assume they have no idea they're doing this, and won't know how to fix it.)
- is there a safer way to let them through?
#1


Dirty_Wizard (Bronze Member), Re: Emails with wmz files being sent to system quarantine, 2017/12/05 15:13:31
Completely removing the executable_windows file filter is extreme.
You can clone that file filter to create a new one, then edit the cloned filter and remove the *.wmz extension.

Then apply the new file filter instead of executable_windows to the Content Profile(s).
Or you can specify to apply this only to certain senders with an additional Recipient Policy.

There is an action to 'strip' attachments and it is 'Replace with message'. I have not tried this out for an embedded image, however.
    #2
pshute (New Member), Re: Emails with wmz files being sent to system quarantine, 2017/12/05 15:31:04

jwilkins:
> You can clone that file filter to create a new one, then edit the cloned filter and remove the *.wmz extension.
>
> Then apply the new file filter instead of executable_windows to the Content Profile(s).

That's what I ended up doing.

> Or you can specify to apply this only to certain senders with an additional Recipient Policy.

From what I've seen so far, there are a few senders using these attachments. Perhaps 10 in 3 or 4 months. Mostly from one domain, but random enough that I think I'd better not restrict it this way - there will always be new senders having their mail quarantined before I add their addresses to the exclusion.

I read that these attachments are generated by using Word as the email editor in Outlook, which is probably a common thing.

> There is an action to 'strip' attachments and it is 'Replace with message'. I have not tried this out for an embedded image, however.

I took that to mean it would replace the entire email contents with a message. The AV profile has "Replace infected / suspicious body or attachment(s)", which sounds like what I want, but I'm not sure the "Replace with message" in the content profile is the same thing. That would be a good solution if it is.

I would test it, but I find the whole thing very confusing, and I'm not sure how to go about testing it without affecting all incoming mail.
    #3
Dirty_Wizard (Bronze Member), Re: Emails with wmz files being sent to system quarantine, 2017/12/06 17:44:39

The replace action in the Content Profile should only replace the attachment with the message if triggered by the Attachment Filter.

You can avoid affecting all mail when testing by defining your test sender / recipient in an additional policy.
#4
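To see what the extension-based file filter and the "Replace with message" action discussed in this thread amount to on a real MIME structure, here is an added Python example (not FortiMail code and not from either poster). It builds a constructed message carrying an inline .wmz signature image (WMZ is a gzip-compressed Windows Metafile, the kind of image Word-as-editor emits), classifies named parts by extension the way a file filter would, shows the effect of exempting wmz, and replaces only the matching part with a notice while the body text survives. BLOCKED_EXT and NOTICE are constructed placeholders, not the product's executable_windows list or its replacement text.

```python
import gzip
from email.message import EmailMessage

# Constructed stand-in for an extension-based file filter; the real FortiMail
# "executable_windows" list is not reproduced here.
BLOCKED_EXT = frozenset({"exe", "scr", "pif", "wmz"})
NOTICE = "Attachment {name} was removed by policy."  # constructed replacement text


def build_sample() -> EmailMessage:
    """Constructed message: text+HTML body, inline .wmz signature image, PDF attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.org", "Figures"
    msg.set_content("See attached report.")
    msg.add_alternative('<p>See attached.</p><img src="cid:image001.wmz@01D3">', subtype="html")
    # WMZ is a gzip-compressed WMF; the bytes inside are a dummy placeable-WMF header
    wmz = gzip.compress(b"\xd7\xcd\xc6\x9a" + b"\x00" * 20)
    msg.get_payload()[1].add_related(wmz, "application", "octet-stream",
                                     filename="image001.wmz", cid="<image001.wmz@01D3>",
                                     disposition="inline")
    msg.add_attachment(b"%PDF-1.4 constructed", "application", "pdf", filename="report.pdf")
    return msg


def scan(msg, blocked=BLOCKED_EXT, exempt=frozenset()):
    """Return (filename, is_inline, verdict) for every named part, as a file filter sees them."""
    out = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        inline = part.get_content_disposition() == "inline" or part["Content-ID"] is not None
        ext = name.rpartition(".")[2].lower()
        verdict = "quarantine" if ext in blocked and ext not in exempt else "pass"
        out.append((name, inline, verdict))
    return out


def replace_blocked(part, blocked=BLOCKED_EXT):
    """Replace only matching attachment parts with a text notice; body text is untouched.
    Returns the number of parts replaced."""
    if not part.is_multipart():
        return 0
    count, payload = 0, part.get_payload()  # list of subparts, mutated in place
    for i, sub in enumerate(payload):
        if sub.is_multipart():
            count += replace_blocked(sub, blocked)
        elif sub.get_filename() and sub.get_filename().rpartition(".")[2].lower() in blocked:
            note = EmailMessage()
            note.set_content(NOTICE.format(name=sub.get_filename()))
            payload[i] = note
            count += 1
    return count
```

Running `scan(build_sample())` shows the inline signature image is the only part that trips the filter, and `scan(msg, exempt={"wmz"})` shows the cloned-filter approach from the thread letting it through.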