Policy Configuration : Configuring Access Rules

Controlling Email Attachments
App Control can be very effective for certain types of email control, especially when a blanket policy is desired. For example, you can prevent sending attachments of a given type, such as .exe, on a per-user basis, or for an entire domain. However, because the file name extension is being matched in this case, changing the extension before sending the attachment bypasses filtering. Note that you can also prevent attachments in this way on your email server if you have one. If not, then App Control provides the functionality.
Another way to control attachments is by creating a match object that scans for file content matching strings such as “confidential,” “internal use only,” and “proprietary.” A policy using such a match object implements basic controls over the transfer of proprietary data.
You can also create a policy that prevents email to or from a specific domain or a specific user. You can use App Control to limit email file size, but not to limit the number of attachments. App Control can also block files based on MIME type.
App Control can scan email attachments that are text-based or are compressed to one level, but not encrypted.
In this example, we create a policy that blocks executable attachments except when they are sent by a member of the Support team. To do this we define an email address object containing the email addresses of the Support team, then define a match object to match file name extensions of executable files, then define an action object to strip the attachment and give the user a message, and finally define an App Rules policy that uses all these objects.
See the following sections for the necessary procedures:
Creating a Support Team Email Address Object
First, create an email address object for the Support team:
1. On the Firewall > Email Address Objects page, click Add New Email Address Object.
2. In the Email Address Object page, type a descriptive name for the object into the Email Address Object Name field, such as “Support team.”
3. Select Exact Match from the Match Type pull-down list. For an exact match, you must provide both the username and the domain parts of the email addresses to include in the object.
4. In the Content field, type in the first email address or alias used by the Support team, then click Add. The address is copied into the List box.
5. If more than one email address is used by the Support team, repeat Step 4 until all desired email addresses are included in the List box.
6. Click OK. The Modify Task Description and Schedule window displays.
7. To view all the options for Schedule, click the arrow to its right.
8. For this example, select Immediate to create the object immediately.
9. Click Accept to save the email address object with the selected schedule.
The new object is listed on the Firewall > Email Address Objects page.
Creating a Match Object for Executable File Extensions
Next, create a match object that matches file names with extensions such as .exe, indicating that they are executable:
1. On the Firewall > Match Objects page, click Add New Match Object.
2. In the Match Object Settings window, in the Object Name text box, type a descriptive name for the object, such as “Executable Files.”
3. Using the Match Object Type pull-down list, select File Extension.
4. The Match Type field is set to Exact Match; there are no other choices in this case.
5. For the Input Representation, click Alphanumeric.
6. Leave Enable Negative Matching cleared.
7. In the Content text box, type the executable file name extensions to match, and then click Add after each one. For this case, we add exe, vbs, bat, awk, and cgi. The extensions appear in the List text box.
8. Click OK. The Modify Task Description and Schedule window displays.
9. For the Schedule, select Immediate to create the object immediately.
10. Click Accept to save the match object with the selected schedule.
The new object is listed on the Firewall > Match Objects page.
Creating an Action Object for Blocking the Email
Now we need to create an action object that blocks the email when executable attachments are found. We could use the predefined Block SMTP E-Mail Without Reply action, but we will create a custom action object that provides an explanation of why the attachment was blocked. However, it would be more secure to use the predefined action in most situations.
To create the action object:
1. On the Firewall > Action Objects page, click Add New Action Object.
2. In the Action Object Settings window, in the Action Name text box, type a descriptive name for the object, such as “Block email with executable.”
3. In the Action pull-down list, select Disable E-Mail Attachment - Add Text.
4. In the Content text box, type the explanation that you want users to see, such as “Executable attachments are not allowed.”
5. Click OK. The Modify Task Description and Schedule window displays.
6. For the Schedule, select Immediate to create the object immediately.
7. Click Accept to save the action object with the selected schedule.
The new object is listed on the Firewall > Action Objects page.
Creating an SMTP Client App Rules Policy
The next step is to create an App Rules policy that uses our email address object and match object, and combines them with an action object to block executable attachments except in email from members of the Support team.
To create the App Rules policy:
1. On the Firewall > App Rules page, click Add New Policy.
2. In the App Control Policies Settings window, type a descriptive name such as “Block Executable Attachments” into the Policy Name field.
3. Select SMTP Client from the Policy Type pull-down list.
4. Leave Any as the source and destination in the Address pull-down lists.
5. The Service pull-down lists do not provide a choice of service. The Source is Any, and the Destination is SMTP (send E-Mail).
6. For Exclusion Address, select None from the pull-down list.
7. In the Match Object pull-down list, select the Executable Files match object that was just created.
8. In the Action pull-down list, select the Block email with executable action that was just created.
9. For Users/Groups, select All from the pull-down list under Included and select None in the Excluded pull-down list.
10. For MAIL FROM, select Any from the pull-down list under Included and select the Support team email address object in the Excluded pull-down list. Email from the Support team addresses is not affected by the policy.
11. For RCPT TO, select Any from the pull-down list under Included and select None in the Excluded pull-down list.
12. For Schedule, select Always on from the pull-down list.
13. Leave Enable Flow Reporting cleared.
14.
15. To record more details in the log, select Log individual object content.
16. For Log Redundancy Filter, select Use Global Settings to use the global value set on the Firewall > App Rules page.
17. For Connection Side, only Client Side is available in the pull-down list.
18. For Direction, select the Basic radio button and select Both in the pull-down list.
19. Click OK. The Modify Task Description and Schedule window displays.
20. For the Schedule, select Immediate to create the policy immediately.
21. Click Accept to save the policy with the selected schedule.
The new policy is listed on the Firewall > App Rules page.
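The four objects built above combine into one policy. As an added example that is not SonicWall's code, the following expresses that policy as a mail-filter function over a message built with Python's standard email package, so the Support team exclusion, the five extensions and the replacement text can be exercised offline; the addresses and messages are constructed, and the From header stands in for SMTP MAIL FROM.

```python
# Added example (not SonicWall's code): the "Block Executable Attachments" policy
# from this page as an offline mail filter. Addresses and messages are constructed.
from email.message import EmailMessage
from email.utils import parseaddr

# Email address object "Support team" (Exact Match: user and domain parts).
SUPPORT_TEAM = {"support@example.com", "helpdesk@example.com"}  # constructed
# Match object "Executable Files" (File Extension, Exact Match), values from the page.
EXECUTABLE_EXTENSIONS = {"exe", "vbs", "bat", "awk", "cgi"}
# Action object "Block email with executable" (Disable E-Mail Attachment - Add Text).
BLOCK_TEXT = "Executable attachments are not allowed."


def extension_of(filename):
    """Final file name extension, lowercased (case-insensitive comparison is an
    assumption here), or '' when the name has none."""
    name = (filename or "").replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def apply_policy(msg: EmailMessage) -> int:
    """Apply the App Rules policy to one message in place and return the number
    of attachments stripped. MAIL FROM Excluded = Support team, so their mail is
    left alone; otherwise each attachment whose extension is in the match object
    is replaced by a text/plain part carrying BLOCK_TEXT. Only the file name is
    inspected, as the File Extension match object does, so a renamed executable
    passes: this is the bypass the page warns about."""
    sender = parseaddr(msg.get("From", ""))[1].lower()  # stand-in for SMTP MAIL FROM
    if sender in SUPPORT_TEAM:
        return 0
    stripped = 0
    for part in list(msg.iter_attachments()):
        if extension_of(part.get_filename()) in EXECUTABLE_EXTENSIONS:
            # set_content() clears the Content-* headers, so the part is no longer
            # an attachment and the recipient sees the explanation instead.
            part.set_content(BLOCK_TEXT)
            stripped += 1
    return stripped


def build_message(sender, attachments):
    """Construct a multipart/mixed test message; attachments is [(filename, bytes)]."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", "test"
    msg.set_content("See attached.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg
```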