Add a custom Archive Unpacker to unpack a new file type


This article applies to:

  • Trustwave MailMarshal (SEG) 6.X and above
  • Trustwave ECM/MailMarshal Exchange 7.X

Question:

  • How can I unpack and scan content in unknown archive types?

Procedure:

SEG/MailMarshal allows you to add custom file type recognition, and to specify new archive unpackers. By combining these features, it is possible to unpack and scan the content of a custom archive type with full functionality.

Notes: 

  • This procedure requires advanced skills. Most organizations do not require this configuration and you should only use it if you have a specific need to customize operation.
  • Only Archive unpackers can be specified. You cannot specify custom handling for compound documents such as Word or PDF documents.

The procedure consists of three steps:

  1. Add a Custom Filetype
  2. Add a Custom Archive Type
  3. Configure the Custom Unpacker

This article uses as an example the Switch file unpacker from Egress (http://www.egress.com/). Switch files are not recognized by the MailMarshal default configuration, and MailMarshal does not include functionality to unpack them.

Note: All the registry entries referred to below are added under the MailMarshal Engine key, which for MailMarshal SMTP 8.X is typically: HKEY_LOCAL_MACHINE\SOFTWARE\Trustwave\Secure Email Gateway\Default\Engine

For MailMarshal (SEG) 10.X the entries are made in the Management Console Advanced settings with the prefix Engine. (Engine dot).

For other versions, use the following Trustwave Knowledgebase article to locate the Registry key if necessary:

  • Q10832: What are the Trustwave SEG install paths and registry key locations?
  • Q14003: What are the MailMarshal Exchange install paths and registry key locations?

Step 1: Add Custom Filetype

Add the custom filetype as described in this Trustwave Knowledgebase article: Q10199: How do I add custom file type definitions to MailMarshal?

For this example, make the following entry:

T:SWCH
D:Egress Switch Archive
X:0=53 44 01 00 01 02

Note: This is an example only - Egress Switch file type is already included in the default types recognized by MailMarshal.
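Before deploying a custom file type definition it is worth confirming that real sample files actually carry the header bytes the definition names. The PowerShell below is an added example, not code from the Trustwave article or from MailMarshal: it parses a T:/D:/X: definition (using the article's own SWCH entry), reads the bytes at the given offset from a file, and reports whether they match. It assumes the X: line has the form X:offset=hex bytes (decimal offset, bytes at that offset) and, going beyond the single entry above, accepts several X: lines and requires all of them to match; the two sample files it writes to the temp folder are constructed and are not real Switch archives.

```powershell
# Added example (not from the Trustwave article): checks whether a file's header
# matches a custom file type definition of the form used in Step 1.
# Assumption: "X:<offset>=<hex bytes>" means the listed bytes must appear at that
# decimal offset; several X: lines (if present) must all match.

$DefinitionText = @'
T:SWCH
D:Egress Switch Archive
X:0=53 44 01 00 01 02
'@

function ConvertFrom-FileTypeDefinition {
    param([Parameter(Mandatory)] [string] $Text)
    $type = $null; $description = $null; $signatures = @()
    foreach ($line in $Text -split "`r?`n") {
        switch -Regex ($line.Trim()) {
            '^T:(.+)$' { $type = $Matches[1].Trim() }
            '^D:(.+)$' { $description = $Matches[1].Trim() }
            '^X:(\d+)=(.+)$' {
                $bytes = [byte[]]($Matches[2].Trim() -split '\s+' | ForEach-Object { [Convert]::ToByte($_, 16) })
                $signatures += @{ Offset = [int]$Matches[1]; Bytes = $bytes }
            }
        }
    }
    if (-not $type -or $signatures.Count -eq 0) { throw 'Definition needs a T: line and at least one X: line' }
    [pscustomobject]@{ Type = $type; Description = $description; Signatures = $signatures }
}

function Test-FileTypeSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] $Definition   # output of ConvertFrom-FileTypeDefinition
    )
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        foreach ($sig in $Definition.Signatures) {
            # A file shorter than offset + signature length cannot match
            if ($stream.Length -lt ($sig.Offset + $sig.Bytes.Length)) { return $false }
            $stream.Position = $sig.Offset
            $buffer = New-Object byte[] $sig.Bytes.Length
            $read = $stream.Read($buffer, 0, $buffer.Length)
            if ($read -ne $buffer.Length) { return $false }
            for ($i = 0; $i -lt $buffer.Length; $i++) {
                if ($buffer[$i] -ne $sig.Bytes[$i]) { return $false }
            }
        }
        return $true
    } finally { $stream.Dispose() }
}

# Constructed sample files (not real Switch archives): one with the header bytes, one with a ZIP-style header
$def  = ConvertFrom-FileTypeDefinition -Text $DefinitionText
$good = Join-Path $env:TEMP 'sample-match.bin'
$bad  = Join-Path $env:TEMP 'sample-nomatch.bin'
[System.IO.File]::WriteAllBytes($good, [byte[]](0x53,0x44,0x01,0x00,0x01,0x02,0xAA,0xBB))
[System.IO.File]::WriteAllBytes($bad,  [byte[]](0x50,0x4B,0x03,0x04,0x00,0x00,0x00,0x00))
"{0} ({1}): {2}" -f $good, $def.Type, (Test-FileTypeSignature -Path $good -Definition $def)
"{0} ({1}): {2}" -f $bad,  $def.Type, (Test-FileTypeSignature -Path $bad  -Definition $def)
```

Point the second half of the script at a few genuine samples of the new file type instead of the constructed files; a definition whose bytes only match some of them will leave the rest unrecognized, and therefore never handed to the unpacker configured in Step 3.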

Step 2: Add Custom Archive Type

Create a new registry string value called ArchiveTypes (MailMarshal (SEG) 10: advanced setting Engine.ArchiveTypes). For this example, enter the value as SWCH.

Step 3: Configure the Custom Unpacker

Add the new unpacker executable to the MailMarshal install folder on all the MailMarshal email processing nodes. In this example, the executable is swtool.exe.

Add a new string value with the name of the custom archive type (for this example, SWCH or in MailMarshal (SEG) 10: Engine.SWCH). Set the value data according to this format:

0;Exe Par1 Par2 Par3;return-code

  • 0: Indicates the first (in this case the only) unpacker to be configured for this type. Others could be added if required.
  • Exe: The name of the unpacker executable, with the file extension omitted.
  • Par1: The first parameter needed by the executable.
  • Par2 [etc...]: Any additional parameters needed by the executable.
  • return-code: The return code generated by the executable on success.

For the Switch unpacker use a string similar to the following: 
0;swtool x "%s" "Switch" /switchid email@example.org /password Passw0rd;0

Note: "%s" in the above example is a variable which represents the full path of the archive file to be unpacked. Additional examples of custom unpacker values (as reported from the field) include:

  • RAR: 0;unrar e "%s";0
  • ZIP (using WinZip): 0;wzunzip -e "%s";0

To effect the changes, commit the Configuration, and restart the Engine.  
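The following PowerShell is an added example, not part of the Trustwave article and not MailMarshal's own tooling: it carries out Steps 2 and 3 for MailMarshal SMTP 8.X by writing the two registry values under the Engine key named in the note above, after first checking that the unpacker definition string has the three-field index;command;return-code shape, contains the quoted "%s" placeholder, and names an executable that is actually present in the install folder. The Engine key path is the article's; the install folder path, the function name, and the use of PowerShell registry cmdlets are assumptions (see Q10832 for the install path of your version).

```powershell
# Added example (not from the Trustwave article): registers the custom archive
# type and its unpacker for MailMarshal SMTP 8.X by writing the two registry
# values from Steps 2 and 3, after validating the unpacker definition string.
# Assumptions: the Engine key (from the article's note), the install folder
# below (adjust to your node), and that swtool.exe was already copied there.

$EngineKey   = 'HKLM:\SOFTWARE\Trustwave\Secure Email Gateway\Default\Engine'
$InstallDir  = 'C:\Program Files\Trustwave\Secure Email Gateway'   # assumed; see Q10832
$ArchiveType = 'SWCH'
$UnpackerDef = '0;swtool x "%s" "Switch" /switchid email@example.org /password Passw0rd;0'

function Test-UnpackerDefinition {
    param(
        [Parameter(Mandatory)] [string] $Definition,
        [Parameter(Mandatory)] [string] $InstallDir
    )
    # Article format: index;Exe Par1 Par2 ...;return-code
    $parts = $Definition.Split(';')
    if ($parts.Count -ne 3) { throw "Expected three ';'-separated fields, found $($parts.Count)" }
    $index, $command, $returnCode = $parts
    if ($index -notmatch '^\d+$')      { throw "Unpacker index '$index' is not a number" }
    if ($returnCode -notmatch '^\d+$') { throw "Return code '$returnCode' is not a number" }
    if ($command -notmatch '"%s"')     { throw 'Command has no quoted "%s" placeholder for the archive path' }
    # Exe is the first token, written without its extension; it must exist in the install folder on every node
    $exe     = ($command -split '\s+')[0]
    $exePath = Join-Path $InstallDir "${exe}.exe"
    if (-not (Test-Path -LiteralPath $exePath)) { throw "Unpacker executable not found: $exePath" }
    [pscustomobject]@{ Index = [int]$index; Executable = $exePath; Command = $command; ReturnCode = [int]$returnCode }
}

Test-UnpackerDefinition -Definition $UnpackerDef -InstallDir $InstallDir | Format-List

# Step 2: ArchiveTypes names the custom type the engine should treat as an archive.
# The article does not say how several types are listed, so stop rather than overwrite an existing value.
$existing = (Get-ItemProperty -Path $EngineKey -Name ArchiveTypes -ErrorAction SilentlyContinue).ArchiveTypes
if ($null -ne $existing -and $existing -ne $ArchiveType) {
    throw "ArchiveTypes is already '$existing'; merge '$ArchiveType' into it by hand before continuing"
}
New-ItemProperty -Path $EngineKey -Name 'ArchiveTypes' -PropertyType String -Value $ArchiveType -Force | Out-Null

# Step 3: a string value named after the type carries the unpacker definition.
New-ItemProperty -Path $EngineKey -Name $ArchiveType -PropertyType String -Value $UnpackerDef -Force | Out-Null

# Read both values back; then commit the configuration and restart the Engine as the article says.
Get-ItemProperty -Path $EngineKey | Select-Object -Property ArchiveTypes, $ArchiveType
```

Run it from an elevated PowerShell session on each email processing node. On MailMarshal (SEG) 10.X the same two settings are entered as Engine.ArchiveTypes and Engine.SWCH in the Management Console Advanced settings rather than in the registry, so only the validation function applies there. Note that the /password parameter is stored in clear text in the registry value, so the Switch account used by the unpacker should be a dedicated one with no other privileges.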

Testing:

To verify operation, view the message log. In the example, the file is unpacked and a subsequent rule to block executables is invoked and triggers correctly.

5112 02:29:24.848 Running external unpacker: swtool x  "d:\Program Files\NetIQ\MailMarshal\Unpacking\T2\U2\TT-100831-154621.switch" "Switch" /switchid test.sample@m86security.com /password Passw0rd
5112 02:29:27.171 Type=MAIL,  size=694760,  Name=B4c7fb4c40000.000000000001.0001.mml
5112 02:29:27.171   Type=MHDR,  size=614,  Name=MsgHeader.txt
5112 02:29:27.171   Type=MBODY,  size=480,  Name=Plain.txt
5112 02:29:27.171   Type=SWCH,  size=506544,  Name=TT-100831-154621.switch
5112 02:29:27.171     Type=EXEW32,  size=1577984,  Name=swtool.exe
5112 02:29:27.171 1 user(s) match ruleset - Monitoring Only
5112 02:29:27.181   1 user(s) match rule - Exe
5112 02:29:27.181     Name=U1\B4c7fb4c40000.000000000001.0001.mml (MAIL,694760) False
5112 02:29:27.181       Name=U2\MsgHeader.txt (MHDR,614) False
5112 02:29:27.181       Name=U2\Plain.txt (MBODY,480) False
5112 02:29:27.181       Name=U2\TT-100831-154621.switch (SWCH,506544) False
5112 02:29:27.181         Name=U3\Switch\swtool.exe (EXEW32,1577984) TRUE
5112 02:29:27.181         Requesting Action <Monitoring Only:Exe:MoveMessage> be run
5112 02:29:27.181 Action MoveMessage for Component U3\Switch\swtool.exe


Last Modified 10/6/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle13961.aspx