This article applies to:
- Trustwave MailMarshal (SEG)
- Trustwave ECM/MailMarshal Exchange
Question:
How do I block Double Extension Executables with MailMarshal?
Background
A common method to disguise malicious email attachments is to name them with a double extension, for example, e-mail.txt.lnk and picture.gif.vbe. Microsoft Windows in its default configuration mode will hide *.lnk, *.vbe and several other extensions. These attachments will appear as e-mail.txt and picture.gif. The real nature of these files is therefore hidden until the file is executed.
It is important to note that MailMarshal recognizes file types by structure and not just by extension, so MailMarshal will correctly identify executables regardless of the file name.
Implementation of a rule that identifies and quarantines files with double extensions can introduce an additional level of security into your system.
Procedure:
Current supported versions of SEG provide this rule by default in the Attachment Management (Inbound) policy group. To apply this policy, enable the rule Block Double Extension Filenames.
Customers who have upgraded from an earlier version that did not include the rule can find the definition of this rule in the Default Rules document.
- To manually create a rule that matches the same file name patterns as the default rule, add the following wildcard patterns in the "attachments named" condition:
*.??.??
*.??.???
*.???.??
*.???.???
*.???.????
- For assistance in creating or enabling rules, see Help.
- This article was previously published as:
- NETIQKB29550
- Marshal KB446