HOWTO: Add a custom Archive Unpacker to unpack a new file type


This article applies to:

  • Trustwave MailMarshal (SEG) 6.X and above
  • Trustwave ECM/MailMarshal Exchange 7.X

Question:

  • How can I unpack and scan content in unknown archive types?

Procedure:

SEG/MailMarshal allows you to add custom file type recognition, and to specify new archive unpackers. By combining these features, it is possible to unpack and scan the content of a custom archive type with full functionality.

Notes: 

  • This procedure requires advanced skills. Most organizations do not require this configuration and you should only use it if you have a specific need to customize operation.
  • Only Archive unpackers can be specified. You cannot specify custom handling for compound documents such as Word or PDF documents.

The procedure consists of three steps:

  1. Add a Custom Filetype
  2. Add a Custom Archive Type
  3. Configure the Custom Unpacker

This article uses as an example the Switch file unpacker from Egress (http://www.egress.com/). Switch files are not recognized by MailMarshal default configuration, and MailMarshal does not include functionality to unpack them.  

Note: All the registry entries referred to below are added under the MailMarshal Engine key, which for MailMarshal SMTP 8.X is typically: HKEY_LOCAL_MACHINE\SOFTWARE\Trustwave\Secure Email Gateway\Default\Engine

For MailMarshal (SEG) 10.X the entries are made in the Management Console Advanced settings with the prefix Engine. (Engine dot).

For other versions, use the following Trustwave Knowledgebase article to locate the Registry key if necessary:

  • Q10832: What are the Trustwave SEG install paths and registry key locations?
  • Q14003: What are the MailMarshal Exchange install paths and registry key locations?

Step 1: Add Custom Filetype

Add the custom filetype as described in this Trustwave Knowledgebase article: Q10199: How do I add custom file type definitions to MailMarshal?

For this example, make the following entry:

T:SWCH
D:Egress Switch Archive
X:0=53 44 01 00 01 02

Note: This is an example only; the Egress Switch file type is already included in the default types recognized by MailMarshal.

Step 2: Add Custom Archive Type

Create a new registry string value called ArchiveTypes (MailMarshal (SEG) 10: advanced setting Engine.ArchiveTypes). For this example, enter the value SWCH.

Step 3: Configure the Custom Unpacker

Add the new unpacker executable to the MailMarshal install folder on all the MailMarshal email processing nodes. In this example, the executable is swtool.exe.

Add a new string value with the name of the custom archive type (for this example, SWCH or in MailMarshal (SEG) 10: Engine.SWCH). Set the value data according to this format:

0;Exe Par1 Par2 Par3;return-code

  • 0: Indicates the first (in this case only) unpacker to be configured for this type. Others could be added if required.
  • Exe: The name of the unpacker executable, with the file extension omitted.
  • Par1: The first parameter needed by the executable.
  • Par2 [etc...]: Any additional parameters needed by the executable.
  • return-code: The return code generated by the executable on success.

For the Switch unpacker use a string similar to the following: 
0;swtool x "%s" "Switch" /switchid email@example.org /password Passw0rd;0

Note: "%s" in the above example is a variable which represents the full path of the archive file to be unpacked. Additional examples of custom unpacker values (as reported from the field) include:

  • RAR: 0;unrar e "%s";0
  • ZIP (using WinZip): 0;wzunzip -e "%s";0

To effect the changes, commit the Configuration, and restart the Engine.  
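Added example (not part of this article or of MailMarshal): a small Python model of the two settings configured above, the X:<offset>=<hex bytes> file-type test from Step 1 and the <index>;<exe params>;<return-code> unpacker value from Step 3. It expands "%s" the way the log in the Testing section shows (the quoted path keeps its spaces), assumes the engine runs the executable from the install folder where Step 3 places it, and compares the exit code with the configured success code. The install folder path and the sample bytes are constructed placeholders.

```python
import ntpath
import re

# Constructed sample values for this example (not taken from a live system):
UNPACKER_VALUE = '0;swtool x "%s" "Switch" /switchid email@example.org /password Passw0rd;0'
SWITCH_SIGNATURE = "0=53 44 01 00 01 02"   # the X: field from the Step 1 definition
INSTALL_DIR = r"C:\MailMarshalInstall"      # placeholder install folder (assumption)


def matches_signature(data, x_field):
    """Apply an 'X:<offset>=<hex bytes>' file-type test to the leading bytes of a file."""
    offset, hexbytes = x_field.split("=", 1)
    magic = bytes.fromhex(hexbytes.replace(" ", ""))
    start = int(offset)
    return data[start:start + len(magic)] == magic


def parse_unpacker_value(value):
    """Split '<index>;<exe params>;<success return code>' into its three fields."""
    fields = value.split(";")
    if len(fields) != 3:
        raise ValueError("expected <index>;<exe params>;<return-code>")
    index, command, rc = fields
    if "%s" not in command:
        raise ValueError("command is missing the %s archive-path placeholder")
    exe = command.split()[0] if command.strip() else ""
    if not exe or "." in exe:
        raise ValueError("exe name must be present and given without its extension")
    return int(index), command, int(rc)


def split_args(command_line):
    """Windows-style split: a double-quoted token may contain spaces; quotes are stripped."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', command_line)]


def build_argv(value, archive_path, install_dir=INSTALL_DIR):
    """Expand %s with the archive path; the exe is resolved from the install folder, not PATH."""
    _, command, _ = parse_unpacker_value(value)
    argv = split_args(command.replace("%s", archive_path))
    argv[0] = ntpath.join(install_dir, argv[0] + ".exe")   # extension is omitted in the setting
    return argv


def unpack_succeeded(value, actual_return_code):
    """The unpack counts as successful only when the exit code equals the configured one."""
    _, _, expected = parse_unpacker_value(value)
    return actual_return_code == expected
```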

Testing:

To verify operation, view the message log. In the example, the file is unpacked and a subsequent rule to block executables is invoked and triggers correctly.

5112 02:29:24.848 Running external unpacker: swtool x  "d:\Program Files\NetIQ\MailMarshal\Unpacking\T2\U2\TT-100831-154621.switch" "Switch" /switchid test.sample@m86security.com /password Passw0rd
5112 02:29:27.171 Type=MAIL,  size=694760,  Name=B4c7fb4c40000.000000000001.0001.mml
5112 02:29:27.171   Type=MHDR,  size=614,  Name=MsgHeader.txt
5112 02:29:27.171   Type=MBODY,  size=480,  Name=Plain.txt
5112 02:29:27.171   Type=SWCH,  size=506544,  Name=TT-100831-154621.switch
5112 02:29:27.171     Type=EXEW32,  size=1577984,  Name=swtool.exe
5112 02:29:27.171 1 user(s) match ruleset - Monitoring Only
5112 02:29:27.181   1 user(s) match rule - Exe
5112 02:29:27.181     Name=U1\B4c7fb4c40000.000000000001.0001.mml (MAIL,694760) False
5112 02:29:27.181       Name=U2\MsgHeader.txt (MHDR,614) False
5112 02:29:27.181       Name=U2\Plain.txt (MBODY,480) False
5112 02:29:27.181       Name=U2\TT-100831-154621.switch (SWCH,506544) False
5112 02:29:27.181         Name=U3\Switch\swtool.exe (EXEW32,1577984) TRUE
5112 02:29:27.181         Requesting Action <Monitoring Only:Exe:MoveMessage> be run
5112 02:29:27.181 Action MoveMessage for Component U3\Switch\swtool.exe

