- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Emails with wmz files being sent to system quarant...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Emails with wmz files being sent to system quarantine
We've had Fortimail for a few months, and have only recently discovered that emails with wmz attachments are being moved to system quarantine. Probably about 20, from perhaps 4 different senders, over 3 months. Important emails that need to get through.
It appears that these attachments are small images used in some senders' signatures.
Fortinet tech support has advised deleting the executable_windows file filter from the CF_Inbound content profile. That seems a bit extreme - I think it would also allow through exe files and many others. They say there's no way to strip them from the emails instead.
Can anyone please advise:
- are you also seeing these attachments resulting in quarantined emails?
- is allowing them through the appropriate course of action? Should I instead be advising the senders not to include them? (I assume they have no idea they're doing this, and won't know how to fix it.)
- is there a safer way to let them through?
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Completely removing the executable_windows file filter is extreme.
You can clone that file filter to create a new one, then edit the cloned filter and remove *.wmz extension.
Then apply the new filter filter instead of executable_windows to the Content Profile(s).
Or you can specify to apply this only to certain senders with additional Recipient Policy.
There is an action to 'strip' attachments and it is 'Replace with message'. I have not tried this out for an embedded image, however.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jwilkins wrote:You can clone that file filter to create a new one, then edit the cloned filter and remove *.wmz extension.
Then apply the new filter filter instead of executable_windows to the Content Profile(s).
That's what I ended up doing.
Or you can specify to apply this only to certain senders with additional Recipient Policy.
From what I've seen so far, there are a few senders using these attachments. Perhaps 10 in 3 or 4 months. Mostly from one domain, but random enough that I think I'd better not restrict it this way - there will always be new senders having their mail quarantined before I add their addresses to the exclusion.
I read that these attachments are generated by using Word as the email editor in Outlook, which is probably a common thing.
There is an action to 'strip' attachments and it is 'Replace with message'. I have not tried this out for an embedded image, however.
I took that to mean it would replace the entire email contents with a message. The AV profile has "Replace infected / suspicious body or attachment(s)", which sounds like what I want, but I'm not sure the "Replace with message" in the content profile is the same thing. That would be a good solution if it is.
I would test it, but I find the whole thing very confusing, and I'm not sure how to go about testing it without affecting all incoming mail.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The replace action in the Content Profile should only replace the attachment with the message if triggered by the Attachment Filter.
You can avoid affecting all mail when testing by defining your test sender / recipient in an additional policy.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the topic i did the following to make a workaround.
- Went to: Profile > Content > File Filter.
- Made a new file filter named *.wmz
- @Predefined note the correct file type as in image/x-wmz although selecting that one doesnt identify it as such.
- So select at the bottom table file extension *.wmz and add it.
- Go to your content policy and Add a new rule and select the *.wmz and select an appropriate action profile which lets the mail through.
- Then move it up so its above the executable one where it always got blocked.
- Test it and it should work.
Also you know what i dont understand?
That fortinet support is so reckless with their advice, why would you advise someone to take out Executables from a content policy it kind of defeats the purpose of protecting your customers.
I had a similar advice from them when Silverlight applications were seen as executable and i could not exclude them and they were like, yeah just dont check for executables. Pretty dissapointing.
Related Posts
- Email POP3 block 150 Views
- Feature Request: Optional disable wildcards in... 230 Views
- change email content - Interface status... 271 Views
- FortiAnalyzer: Unable to configure SMTP server... 360 Views
- Statistics report for SPF, DKIM DMARK... 595 Views
Labels
-
FortiGate
6,491 -
FortiClient
1,295 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.