Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Loading...
Loading...

INFO: What file types are recognized by Trustwave MailMarshal (SEG) and ECM?

Expand / Collapse


This article applies to:

  • Trustwave MailMarshal (SEG) 6.X and above
  • Trustwave ECM/MailMarshal Exchange 5.2 and above

Question:

  • What file types are recognized by Trustwave MailMarshal (SEG)?
  • What file types are recognized by Trustwave ECM 5.2 and above?  

Information:

The following formats are recognized by current MailMarshal (SEG) and ECM versions.

Notes:

  • Some types are recognized only with current product versions, as noted.
  • With MailMarshal/SEG 7.3.5 and above, additional types are recognized with specific updates to the File Type DLL. For information about the File Type update for each MailMarshal version, see article Q20446.
    • File Type updates are distributed through the MailMarshal Automatic Updates to installations with current maintenance.
  • Items recognized with a specific MailMarshal/SEG or FileType update are not recognized in MailMarshal Exchange/ECM.
In the tables below, Type Name refers to the name seen in the Engine log and rule listings. Description is the name as seen when selecting types in the email policy editor.
  • The Type Name is often the same as the usual file extension. However, file type detection is based on file structure and NOT on the file extension. If you rename a zip archive as ".TXT", it is still recognized as a zip archive by MailMarshal.

Archive

Type Name Description
7Z 7Zip Archive 
7Zcrypt 7Zip encrypted archive (FileType 7.14.3 and above, 8.0.1 and above)
7Zsfx 7Zip self extracting archive
ACE ACE archive
ACEsfx ACE self extracting archive
IWA Apple iWork Archive .IWA (SEG 7.3.5 and above with FileType 7.14.0 and above)
ARC ARC archive
ARJ ARJ archive
ARJcrypt ARJ encrypted archive
ARJsfxcrypt ARJ encrypted self extracting archive
ARJsfx ARJ self extracting archive
B64 Base64 (MIME) Encoding
B2A BtoA Encoding
BZ2 bZIP2 archive
CABI InstallShield CAB Archive
CPIO CPIO archive
DEB Debian Binary Package file (SEG 7.3.5 and above with FileType 7.13.1 and above)
GZ GZIP archive
HQX HQX (BinHex) archive
CABI InstallShield CAB Archive
CDISO ISO 9660 CD Filesystem
LYMESFX LYME self extracting archive  (SEG 7.2.2 and above)
LZH LZH archive
MacBIN MacBinary I, II, or III archive
MDXMedia MDX Extended Media Descriptor File (FileType 7.14.3 and above, 8.0.1 and above)
CABM Microsoft CAB/Expand Archive
SZDD Microsoft SZDD archive 
MAR Mozilla Archive
MSI MSI Windows Installer package
MSIX MSIX Windows Installer Package (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1.)
PBIX Power BI Report (FileType 2024-02-01 and above)
RAR RAR archive
RARcrypt RAR encrypted archive
RARsfxcrypt RAR encrypted self extracting archive
RARsfx RAR self extracting archive
RARSpan RAR spanned archive
RPM Redhat Package Manager file (SEG 7.3.5 and above with FileType 7.13.1 and above)
SEAEncrypt SEA encrypted self extracting archive
SEA SEA self extracting archive
SIT SIT archive
SITEncrypt SIT encrypted archive
TAR TAR archive
UDF Universal Disk Format (UDF) (from FileType 8.0.6, 8.1.3, 8.2.3)
UUE UUencoded Encoding
XZ XZ archive  (FileType 7.14.3 and above, 8.0.1 and above)
Z Z (compress) archive
ZIP ZIP archive
ZIPcrypt ZIP encrypted archive
ZIPsfxcrypt ZIP encrypted self extracting archive
ZIPsfx ZIP self extracting archive
ZOO ZOO archive

Azure IRM Protected Documents

New category and new items in MailMarshal/SEG 8.2.
Also recognized in:

  • 8.0.X with FileType 8.0.4 and above
  • 8.1.X with FileType 8.1.1 and above
Type Name Description
RPMSGPLAIN Decrypted restricted-permission message 
XLSXIRM Excel 2007+ document with IRM
XLSIRM Excel document with IRM
PFILE File protected with IRM 
OREIRM OLE compound document with IRM
XLSIRMcrypt Password protected Excel with IRM
PPSIRMcrypt Password protected Powerpoint show with IRM
PPTIRMcrypt Password protected Powerpoint with IRM
WordIRMcrypt Password protected Word with IRM
PPTXIRM Powerpoint 2007+ document with IRM
PPTIRM Powerpoint document with IRM
PPSIRM Powerpoint show with IRM 
RPMSG Restricted-permission message 
DOCIRM Word 2007+ doc with IRM in Word 2003 mode 
DOCXIRM Word 2007+ document with IRM

Document

Type Name Description
MDB Access database
MDW Access system database
INDD Adobe InDesign Document (SEG 7.2.2 and above)
MSO Document data
DVI DVI TeX document
XLScrypt Encrypted Excel document (SEG 7.3.5 and above)
PPTcrypt Encrypted PowerPoint Document (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
PPScrypt Encrypted PowerPoint Show (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
DOCcrypt Encrypted Word document
XLSB Excel 2007+ Binary Document 
Includes later versions; see note below.
XLSX Excel 2007+ document (recognized in 6.3 and above)
XLSXIRM Excel 2007+ document with IRM (SEG 7.3.5 and above)
XLS Excel document
XLSIRM Excel document with IRM (SEG 7.3.5 and above)
NFO Folio Infobase
FM3 Lotus 123 FM3 sheet form
WK1 Lotus 123 WK1 sheet
WK3 Lotus 123 WK3 sheet
WK4 Lotus 123 WK4
SAM Lotus AmiPro document
LWP Lotus WordPro document
MCW Mac Word document
ACCDB Microsoft Access Database .ACCDB (SEG 7.3.5 and above)
ONE Microsoft OneNote (SEG 7.2.2 and above)
VSDX Microsoft Visio 2013 Drawing
DOCXML Microsoft Word 2003 XML Document
OfficeMacroScript Office Macro Script
Office2007Macro Office 2007+ Macro 
Includes later versions; see note below.
OLE OLE compound document
OREIRM OLE compound document with IRM
ODC Open Office chart file 
OTC Open Office chart template 
ODB Open Office database file 
ODT Open Office document file 
OTT Open Office document template
ODF Open Office formulae file 
OOoOTF Open Office formulae template 
ODM Open Office global text document 
OTH Open Office global text template 
ODG Open Office graphics file 
OTG Open Office graphics template 
ODI Open Office image file
OTI Open Office image template 
ODP Open Office presentation file 
OTP Open Office presentation template 
ODS Open Office spreadsheet file 
OTS Open Office spreadsheet template 
OpenXML OpenXML Document (SEG 7.2.3 and above)
PM6 PageMaker document
XLSIRMcrypt Password protected Excel with IRM (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
PPSIRMcrypt Password protected Powerpoint Show with IRM (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
PPTIRMcrypt Password protected Powerpoint with IRM (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
WordIRMcrypt Password protected Word with IRM (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
PDF PDF document
PDFXFAForm PDF document - Dynamic XFA form (SEG 7.3.5 and above)
PDFcrypt PDF document - Encrypted
PDFInvalid PDF document - Invalid header record (SEG 7.2.2 and above; see Q16666)
PDFprotect PDF document - Protected
PDFInvalidFormat PDF Un-recognized file format
PS PostScript document
PPTX PowerPoint 2007+ document 
Includes later versions; see note below.
PPTXIRM PowerPoint 2007+ document with IRM (SEG 7.3.5 and above)
PPTIRM PowerPoint document with IRM (SEG 7.3.5 and above)
PPSX PowerPoint 2007+ show 
PPT PowerPoint document
PPS PowerPoint show
PPSIRM PowerPoint show with IRM (SEG 7.3.5 and above)
PRJ Project document
PUB Publisher document
QXD Quark Express document
RTF Rich Text document
Word2 Word 2 Document
DOCIRM Word 2007+ doc with IRM in Word 2003 mode 
DOCX Word 2007+ Document 
Includes later versions; see note below.
DOCXIRM Word 2007+ document with IRM (SEG 7.3.5 and above)
DOC6 Word 6 Document
DOC Word document
WPD WordPerfect document
WPS Works for Windows document
WRI Write document
XPS XPS Document (SEG 7.2.3 and above)

Drawing

Type Name Description
AI Adobe Illustrator drawing
DWG AutoCAD Drawing
DWF AutoCAD Format
CTB AutoCAD Plotting Support .CTB (SEG 7.3.5 and above with FileType 7.13.3 and above)
CMX Corel Binary Meta file
CDR Corel Draw Drawing
DXF Drawing Interchange File DXF
FP3 FloorPlan Plus 3D
FH Freehand drawing
VSDX Microsoft Visio 2013 Drawing .VSDX (SEG 8.0.1 and above; SEG 7.3.5 through 7.5.7 with FileType 7.14.0.317 and later - see note)
VXD Microsoft Visio Drawing
NWD Navisworks Document .NWD (from FileType 8.2.7)
Solidworks Solidworks CAD files (.SPDPRT, .SLDASM, .SLDDRW, .SLDDRT) (from FileType 8.1.5 or 8.2.5)
STL StereoLithography Drawing (SEG 7.3.5 and above with FileType 7.13.1 and above)

Encrypted

Type Name Description
7Zcrypt 7Zip encrypted archive (FileType 7.14.3 and above, 8.0.1 and above)
ARJcrypt ARJ encrypted archive
ARJsfxcrypt ARJ encrypted self extracting archive
AXCRYPT AXCrypt Encrypted Data (SEG 7.2.2 and above)
Switch Egress Switch Encrypted Mail (SEG 7.3.5 and above with FileType 7.13.1 and above)
XLScrypt Encrypted Excel document (SEG 7.3.5 and above)
PPTcrypt Encrypted PowerPoint Document (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
PPScrypt Encrypted PowerPoint Show (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
DOCcrypt Encrypted Word Document
XLSXIRM Excel 2007+ document with IRM (SEG 7.3.5 and above)
XLSIRM Excel document with IRM (SEG 7.3.5 and above)
PFILE File protected with IRM 
GPG Gnu Privacy Guard file .GPG (from FileType 8.1.5 or 8.2.5)
OREIRM OLE compound document with IRM
XLSIRMcrypt Password protected Excel with IRM (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
PPSIRMcrypt Password protected Powerpoint show with IRM (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
PPTIRMcrypt Password protected Powerpoint with IRM (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
WordIRMcrypt Password protected Word with IRM (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
PDFcrypt PDF document - encrypted
PENC Perl Encoded file .ENC (from FileType 8.1.5 or 8.2.5)
PGP PGP Encrypted Data
PPTXIRM Powerpoint 2007+ document with IRM (SEG 7.3.5 and above)
PPTIRM Powerpoint  document with IRM (SEG 7.3.5 and above)
RARcrypt RAR encrypted archive
RARsfxcrypt RAR encrypted self extracting archive
RPMSG Restricted-permission message  
SEAEncrypt SEA encrypted self extracting archive
SITEncrypt SIT encrypted archive
P7M SMime Encrypted Data
DOCIRM Word 2007+ document with IRM in Word 2003 mode
DOCXIRM Word 2007+ document with IRM (SEG 7.3.5 and above)
ZIPcrypt ZIP encrypted archive
ZIPsfxcrypt ZIP encrypted self extracting archive
ZIX ZixCorp encrypted mail (SEG 7.3.5 and above)

Executable

Type Name Description
7Zsfx 7Zip self extracting archive 
ACEsfx ACE self extracting archive
ARJsfxcrypt ARJ encrypted self extracting archive
ARJsfx ARJ self extracting archive
CLASS Java class file
APPL Macintosh M68k executable
PEF Macintosh PPC executable
CABM Microsoft CAB/Expand Archive
COM MSDOS Com executable
EXE MS-DOS Executable
MSI MSI Windows Installer Package
MSIX MSIX Windows Installer Package (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
NLM NetWare Loadable Module
EXEO16 OS/2 16bit executable
DLLO32 OS/2 32bit DLL
EXEO32 OS/2 32bit Executable
PYC Python bytecode file (FileType 7.14.3 and above, 8.0.1 and above)
RARsfxcrypt RAR encrypted self extracting archive
RARsfx RAR self extracting archive
SEAEncrypt SEA encrypted self extracting archive
SEA SEA self extracting archive
CIF UNIX CIF Executable
COFF UNIX COFF Executable
ELF UNIX ELF Executable
DLLW16 Win16 DLL
EXEW16 Win16 executable
DLLO16 Win16 VXD or OS/2 DLL
DLLW32 Win32 DLL
EXE32W Win32 executable
ZIPsfxcrypt ZIP encrypted self extracting archive
ZIPsfx ZIP self extracting archive

Font

Type Name Description
EOT Embedded OpenType Font (SEG 7.3.0 and above)
OTF OpenType Font
TTF True Type Font
AFM Type 1 Adobe Font Metric
PFB Type 1 Printer Font Binary
PFM Type 1 Printer Font Metric
WOFF Web Open Font Format (SEG 7.3.0 and above)
FON Windows Bitmap font
ODTTF XPS Embedded font (ODTTF) (SEG 7.2.3 and above)

Image

Type Name Description
PSD Adobe Photoshop Image
BMP Bitmap image
CPT Corel Photo-Draw Image
EPS Encapsulated PostScript
EMF Enhanced MetaFile Image
GIF Gif image
HEIC HEIF image (FileType 8.2.4 and above)
ICO Icon
JPG Jpeg image
JBIG2 JBIG2 image (SEG 7.2.3 and above)
JPEG2000 Jpeg2000 image (recognized in 6.5 and above)
CIL Microsoft ClipArt Gallery
MDI Microsoft Document Image
MIX Microsoft PhotoDraw Image
PSP Paint Shop Pro image
PNG Portable Network Graphics (PNG)
TIF Tiff image
WEBP WebP Image File (FileType 7.14.3 and above, 8.0.1 and above)
HDPHOTO Windows HD Photo (SEG 7.2.2 and above)
WMF Windows MetaFile Image
PCX Zsoft PCX Image

Mail Components

Type Name Description
MBODY Mail Body
MHDR Mail Headers
MAIL Mail message
TNEF TNEF Exchange Mail Message
HTMLBody TNEF Exchange Mail Message extracted HTML Mail Body
RTFBody TNEF Exchange Mail Message extracted RTF Mail Body

Other

Type Name Description
BPlist Apple Binary Plist
AppleDouble AppleDouble header
AppleSingle AppleSingle formatted file
BIN Binary Unknown (indicates a file of unrecognized type)
TORRENT Bittorent .torrent metainfo file (recognized in 6.5 and above)
ICS Calendar Meeting Invitation (iCalendar) (recognized in SEG 7.2 and above)
ICSDescription Calendar Meeting Invitation Description (recognized in SEG 7.2 and above)
ICSSummary Calendar Meeting Invitation Summary (recognized in SEG 7.2 and above)
TPS Clarion TopSpeed File .TPS (SEG 7.3.5 and above with FileType 7.13.3 and above)
CHM Compiled HTML Help file
DBF dBase/xbase Data File .DBF (SEG 7.3.5 and above with FileType 7.13.3 and above)
DBT dBase Memo Field File (FileType 7.14.3 and above, 8.0.1 and above)
MDXdbase dBase Multiple Index File (FileType 7.14.3 and above, 8.0.1 and above)
SYS DOS device driver (SEG 7.2.3 and above)
VCF Electronic Business Card .VCF (SEG 7.3.5 and above with FileType 7.14.0 and above)
ICM Independent Color Matching .ICM (SEG 7.3.5 and above with FileType 7.13.3 and above)
InfoSlip Infoslips document (SEG 7.2.2 and above)
JOS Java Object Serialized Data (SEG 7.2.2 and above)
DSStore Mac OSX Finder Info (SEG 7.2.3 and above)
MAPIBlock MAPI Encoded data
OST MAPI Off-line Store
PAB MAPI Personal Address Book
PST MAPI Personal Store
MAT MATLAB Data File (FileType 7.14.3 and above, 8.0.1 and above)
PDB Microsoft Debugging Symbols (SEG 7.2.2 and above)
LIB Microsoft Program Library (SEG 7.2.3 and above)
MSBLDCACHE MS Build Cache File (SEG 7.2.2 and above)
RCM MTXWIN95 Registry Command File
OracleRDF Oracle Report Definition File (SEG 7.2.2 and above)
Appointment Outlook Appointment
Contact Outlook Contact
MSG Outlook message
Note Outlook Note
Task Outlook Task
P12 PKCS#12 Certificate Archive (FileType 2023-03-01 and above)
PCAP Packet Capture (SEG 7.2.2 and above)
PCAPNG Packet Capture NG (SEG 7.2.3 and above)
PEMCert PEM encoded certificate .PEM (Moved to "other" in January 2019. Recognized in SEG 8.0.1 and above; SEG 7.3.5 through 7.5.7 with FileType 7.14.0.317 and later - see note)
PFX PFX Certificate Archive (FileType 2023-03-01 and above)
PGPPublicKey PGP Public Key (FileType 2024-02-01 and above)
PGPSigned PGP Signed Data 
PBIXMashup Power BI Data Mashup Archive (FileType 2024-02-01 and above)
PBIXMetadata Power BI Data Metadata (FileType 2024-02-01 and above)
PBIXModel Power BI Data Model (FileType 2024-02-01 and above)
PBIXBindings Power BI Security Bindings (FileType 2024-02-01 and above)
PBIXSettings Power BI Settings (FileType 2024-02-01 and above)
QBB QuickBooks Backup .QBB (SEG 7.3.5 and above with FileType 7.14.0 and above)
QBW QuickBooks Company file .QBW (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
RTF Object RTF Object
SHP Shape file (.SHP) (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
SHX Shape Index file (.SHX) (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
P7S SMime Signed Data
SQLiteDB SQLite Database (SEG 7.2.2 and above)
EMC Striata Encrypted Mail Communication (SEG 7.2.3 and above)
TEXT Text
VHD Virtual Hard Disk Image .VHD (from FileType 8.2.9)
VSSSCC Visual Source Safe Source Code Control (SEG 7.2.3 and above)
HLP Windows Help file
MST Windows Installer Setup Transform .MST (from FileType 8.2.9)
URL Windows Internet shortcut
EVT Windows NT event log
REG Windows Registry Data
WSF Windows Script File .WSF (SEG 7.3.5 and above with FileType 7.14.0 and above)
LNK Windows shortcut
EVTX Windows Vista event log .EVTX (SEG 7.3.5 and above with FileType 7.13.3 and above)
XML XML Document (from FileType 8.0.5, 8.1.2, 8.2.2)

Sound

Type Name Description
AAC AAC audio 
FLSA Adobe Flash Audio (SEG 7.2.2 and above)
AU AU sound file
ENC Encore Music Notation .ENC (SEG 7.3.5 and above with FileType 7.13.3 and above)
ASX Microsoft Active Streaming link
MID MIDI sound file
MP3 MP3 sound file
OGA OGG stream for audio 
RAM Real Audio Link
RA Real Audio sound file
RMP Real Jukebox Metadata Package
Real RealPlayer audio/video
WAV WAV sound file
ASF Windows Active Streaming Format

Video

Type Name Description
3GPP 3GPP Video (SEG 7.2.2 and above)
FLSV Adobe Flash Video (SEG 7.2.2 and above)
FLC Animator Pro FLC file
FLI Animator Pro FLI file
AVI AVI video
DVM DVM video
ASX Microsoft Active Streaming link
MOV Mov video
MPG Mpeg video
OGV OGG stream for video 
Real RealPlayer audio/video
SWF Shockwave Flash
FLV Shockwave Flash video
WEBM WebM Video File  (FileType 7.14.3 and above, 8.0.1 and above)
ASF Windows Active Streaming Format

Web Browsing

Type Name Description
CSS Cascading style sheet
CRL Certificate Revocation List (CRL)
GIF GIF Image 
Goog Google Safe Browsing Update
HTML HTML Document
ICO Icon
CLASS Java class file
JS JavaScript file
JPG JPEG image
OCSPResponse OCSP Response File
PNG PNG image
SWF Shockwave Flash
VBS VBScript file (from FileType 7.14.6, 8.0.4, 8.1.1, 8.2.1)
FORMBIN Web Page binary form data
FORMTEXT Web page text form data
WEBM WebM Video File (FileType 7.14.3 and above, 8.0.1 and above)
WEBP WebP Image File (FileType 7.14.3 and above, 8.0.1 and above)

Non-Selectable Types

The following types cannot be selected in rules. They are used internally by MailMarshal and will be shown in logs as appropriate.

Type Name Description
BIFF12 Binary File Format for Office 12
CHMBINOBJ CHM Binary Object
ODTCache Open Document Text Layout-cache
OLEStream OLE Raw Stream
PDFStream PDF Raw Stream 
ZIPBig Zip with massively redundant data

Notes:

  • Word, Excel, and PowerPoint "2007" or "2007+" file type is the default format used by all later versions (including Office 2010, 2013, and 2016). All documents saved in this format are recognized, regardless of the Office software version.
  • File Type 7.14.0.317 (July 20, 2017) was released after 7.14.1. 7.14.1 does not include the new items released in 7.14.0.317.
  • Trustwave Knowledgebase articles for information about earlier versions have been withdrawn.

This article was previously published as:
NETIQKB40962

To contact Trustwave about this article or to request support:


Rate this Article:
     
Tags:

Related Articles



Add Your Comments


Comment submission is disabled for anonymous users.
Please send feedback to Trustwave Technical Support or the Webmaster
.