How do I create a rule to detect a zip file from which MailMarshal unpacks nothing?


This article applies to:

  • Trustwave MailMarshal (SEG)
  • Trustwave ECM/MailMarshal Exchange

Question:

  • How do I create a rule to detect a zip file from which MailMarshal unpacks nothing?
  • How do I create a rule to detect a zip file that does not contain anything (is empty)?

Procedure:

To detect an empty zip file as a top level attachment, create a rule similar to the following:

Standard Rule: EmptyZip
When a message arrives
Where the message is addressed to or from any user
Where message attachment is of type 'ZIP'
    And where number of attachments is less than '2'
Move the message to 'Suspect'

Ensure that the condition "where number of attachments is less than '2'" is set to use Top level and all extracted attachments.

Notes:

This rule counts all attachments and their children, so it does not detect the "empty" file if the message has other top level attachments.
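The counting logic behind the rule and the limitation in the note above can be checked with a small model. This is an added example, not Trustwave code: it uses Python's `zipfile` and `email` modules as a stand-in for MailMarshal's unpacker and type detection, and the function names and sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def make_zip(members):
    """Build a zip in memory; members maps name -> bytes (empty dict = empty zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def make_message(attachments):
    """Constructed test message; attachments is a list of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

def count_attachments(raw):
    """Return (has_zip, total): total = top level attachments + files unpacked from zips."""
    msg = message_from_bytes(raw, policy=policy.default)
    has_zip, total = False, 0
    for part in msg.iter_attachments():
        total += 1                                   # the top level attachment itself
        data = part.get_payload(decode=True)
        if zipfile.is_zipfile(io.BytesIO(data)):     # stand-in for the 'ZIP' type check
            has_zip = True
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                total += sum(1 for i in zf.infolist() if not i.is_dir())
    return has_zip, total

def empty_zip_rule(raw):
    """Model of the EmptyZip conditions: a ZIP is attached and the count is less than 2."""
    has_zip, total = count_attachments(raw)
    return has_zip and total < 2

if __name__ == "__main__":
    cases = {
        "empty zip only": [("a.zip", make_zip({}))],
        "zip with one file": [("a.zip", make_zip({"doc.txt": b"x"}))],
        "empty zip + second attachment": [("a.zip", make_zip({})), ("note.txt", b"hi")],
    }
    for label, atts in cases.items():
        print(label, "->", empty_zip_rule(make_message(atts)))
```

The third case is the one described in the note: the second top level attachment brings the count to 2, so the empty zip is not flagged.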

This article was previously published as:
NETIQKB45420

Last Modified 5/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10314.aspx