[SOLVED] Remove compressed attachments example (.zip) that contain .exe, .msi, .aspx in the .zip file

[poetry]

Hello,
Can some help out how to configure proxmox to remove compressed attachments that contain .exe, .msi or other executable, dangerous files?

Right now I have a huge list of attachments that get removed but I would also like to apply this rule to all compressed attachments that contain files I have on remove list:

.*\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)

I would like to have a separate rule so I can see what rule is working. What is the easiest way to add all this file types?

Thanks for the help as always!

EDIT:

What is the difference between


and


And


Will this work the same?

EDIT: can someone also explain this rule
Match Filename:
Filename: .*\.\{.+\}

This is probably unnecessary for what I am doing right?




----------

EDIT3
Is this the correct solution or will I break something?
Match Archive Filename:

.*\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)

 

[poetry]

From the manual


This looks my final solution. One rule to replace them all

Match Archive Filename:
Filename:

.*\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)

Is this correct or I will see any abnormal behavior if I use just this rule?




EDIT interesting note that once this rule is activated we see in the logs additional lines that will indicate attachments that have been unpacked and checked.

Nov 2 17:54:12 pmg-smtp-filter[88291]: 1215406362A0B378390: found archive '.xlsx' (application/zip)
Nov 2 17:54:12 pmg-smtp-filter[88291]: 1215406362A0B378390: unpack archive '.xlsx' done (72 ms)

Is there a way to show additional log for attachments that are not archived to see on all messages what attachments have been detected.

EDIT2 already seeing some abnormal behavior in the logs:

Nov 2 18:16:53 pmg-smtp-filter[90229]: 1215586362A60546765: new mail message-id=<202211021716.2A2HGqv71895009@>#012
Nov 2 18:16:53 pmg-smtp-filter[90229]: 1215586362A60546765: found archive 'msg-90229-20.txt' (message/rfc822)
Nov 2 18:16:53 pmg-smtp-filter[90229]: 1215586362A60546765: unpack failed - unexpected number of files '0' at /usr/share/perl5/PMG/Unpack.pm line 481.
Nov 2 18:16:53 pmg-smtp-filter[90229]: 1215586362A60546765: unpack archive 'msg-90229-20.txt' done (3 ms)

EDIT3 I am guessing password protected file:

Nov 2 19:01:16 pmg-smtp-filter[959]: 1215736362B06C1CD02: new mail message-id=<36401782.4761.1667412075269>#012
Nov 2 19:01:16 pmg-smtp-filter[959]: 1215736362B06C1CD02: found archive '1.zip' (application/zip)
Nov 2 19:01:16 pmg-smtp-filter[959]: 1215736362B06C1CD02: unpack failed - child '1034' failed: 512
Nov 2 19:01:16 pmg-smtp-filter[959]: 1215736362B06C1CD02: unpack archive '1.zip' done (245 ms)

EDIT4: how high does it make sense to set Virus Detector - Max files? Right now have it set all 1000

Nov 2 17:36:34 pmg-smtp-filter[86365]: 12154163629C928CB9A: new mail message-id=<03f001d8eed8$e124c6a0$a36e53e0>#012
Nov 2 17:36:42 pmg-smtp-filter[86365]: 12154163629C928CB9A: found archive '.pptx' (application/zip)
Nov 2 17:36:43 pmg-smtp-filter[86365]: 12154163629C928CB9A: unpack failed - too many files in archive (> 1000) at /usr/share/perl5/PMG/Unpack.pm line 486, <GEN10229> line 3919.
Nov 2 17:36:43 pmg-smtp-filter[86365]: 12154163629C928CB9A: unpack archive '.pptx' done (622 ms)

 

[poetry]

I have configured What Object to detect compressed and non compressed attachments Match Archive Filename.
I want to detect all this attachments and in the archives and if it matches the attachment type then it should block.

Filename

.*\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|wim|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)

I am noticing in the logs that it is detecting files for example .docx as application/zip. This seems strange. Is this normal behavior or?
Is it possible because it's scanning all the files then they are shown in the logs

Nov 23 13:34:36 server postfix/smtpd[216408]: connect from sender-server[1.2.3.4]
Nov 23 13:34:36 server postfix/smtpd[216408]: Anonymous TLS connection established from sender-server[1.2.3.4]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 23 13:34:36 server postfix/smtpd[216408]: NOQUEUE: client=sender-server[1.2.3.4]
Nov 23 13:34:37 server pmg-smtp-filter[217179]: 121374637E135D19847: new mail message-id=<11d68aae-f0f1-2334-0faf-b89a1f2e7183@sender>#012
Nov 23 13:34:37 server pmg-smtp-filter[217179]: 121374637E135D19847: found archive 'anon.docx' (application/zip)
Nov 23 13:34:37 server pmg-smtp-filter[217179]: 121374637E135D19847: unpack archive 'anon.docx' done (62 ms)
Nov 23 13:34:38 server pmg-smtp-filter[217179]: 121374637E135D19847: SA score=0/5 time=0.966 bayes=undefined autolearn=disabled hits=HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.25)
Nov 23 13:34:38 server postfix/smtpd[215484]: connect from localhost.localdomain[127.0.0.1]
Nov 23 13:34:38 server postfix/smtpd[215484]: 7203A12130C: client=localhost.localdomain[127.0.0.1], orig_client=sender-server[1.2.3.4]
Nov 23 13:34:38 server postfix/cleanup[216702]: 7203A12130C: message-id=<11d68aae-f0f1-2334-0faf-b89a1f2e7183@sender>
Nov 23 13:34:38 server postfix/qmgr[945]: 7203A12130C: from=<sender>, size=225842, nrcpt=1 (queue active)
Nov 23 13:34:38 server postfix/smtpd[215484]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Nov 23 13:34:38 server pmg-smtp-filter[217179]: 121374637E135D19847: accept mail to <receiver> (7203A12130C) (rule: default-accept)
Nov 23 13:34:38 server postfix/smtp[216228]: Untrusted TLS connection established to 5.6.7.8[5.6.7.8]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 23 13:34:38 server pmg-smtp-filter[217179]: 121374637E135D19847: processing time: 1.415 seconds (0.966, 0.182, 0.08)
Nov 23 13:34:38 server postfix/smtpd[216408]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (121374637E135D19847); from=<sender> to=<receiver> proto=ESMTP helo=<mail.sender>
Nov 23 13:34:38 server postfix/smtpd[216408]: disconnect from sender-server[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 23 13:34:38 server postfix/smtp[216228]: 7203A12130C: to=<receiver>, relay=5.6.7.8[5.6.7.8]:25, delay=0.27, delays=0.06/0/0.02/0.19, dsn=2.6.0, status=sent (250 2.6.0 <11d68aae-f0f1-2334-0faf-b89a1f2e7183@sender> [InternalId=124300648513640, Hostname=receiver] 227156 bytes in 0.120, 1833,830 KB/sec Queued mail for delivery)
Nov 23 13:34:38 server postfix/qmgr[945]: 7203A12130C: removed

 

[Stoiko Ivanov]

I am noticing in the logs that it is detecting files for example .docx as application/zip. This seems strange. Is this normal behavior or?
Is it possible because it's scanning all the files then they are shown in the logs

docx files are zipped xml files - so this is not unusual

 

[poetry]

I am getting undesirable behavior with my solution.
It's matching on files like rosenbauer.com!example.com!58005.xml.gz (this is matching my rule) looks like it's matching on .com
In that archive it's just a file rosenbauer.com!example.com!58005.xml (this is not matching)

I see in the logs
Nov 23 22:13:40 server pmg-smtp-filter[282412]: 12117B637E8D040EDDC: found archive 'rosenbauer-1.com.gz' (application/gzip)
Nov 23 22:13:40 server pmg-smtp-filter[282412]: 12117B637E8D040EDDC: unpack archive 'rosenbauer-1.com.gz' done (5 ms)

How to fix this? I want to block .com files but I don't want to block file rosenbauer.com!example.com!58005.xml.gz I am guessing only two sub file attachment types down like .com.gz should still detect .com but not any deeper I guess? How to do this?

Right now I am using:
Match Archive Filename with Filename

.*\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|wim|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)

 

[Stoiko Ivanov]

How to fix this? I want to block .com

the filename (and archivefilename filters) match regex - so if you want to only match a file-ending/extension - add a '$' at the end of your regex
(I'd suggest after the parantheses: '(xx|yy|zz|....)$'

I hope this helps!

 

[poetry]

the filename (and archivefilename filters) match regex - so if you want to only match a file-ending/extension - add a '$' at the end of your regex
(I'd suggest after the parantheses: '(xx|yy|zz|....)$'

I hope this helps!

This works for just file-ending/extension.
What if I want to block also also example .com.xml (detect .com) then how to do it? I see some extensions that have more then just file-ending so that would be also helpful to detect I guess.

 

[Stoiko Ivanov]

What if I want to block also also example .com.xml

the regex for that would be '.*\.com\.xml$' ?

 

[poetry]

the regex for that would be '.*\.com\.xml$' ?

Thanks for the help I will give up on this for now. I should of been more clear before I want to add all the extensions I am blocking so they will be blocked as file extension and subfile extension like .ade.apk, .rar.plg but I am hitting Parameter verification failed. (400) regex: value may only be 1024 characters long I probably should of split the rules then it might work.

This does not seem to be the right sytax for this and it's too long:
.*\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|wim|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|wim|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)$

 

[Stoiko Ivanov]

Not sure what you're trying to achieve here - but if you want to block filenames matching '\.<extensions>$' and then also files matching
'\.<extensions>\.<extensions>$' the second part is not necessary (the first one would already block the second one..)

and yes - 1024 is a rather large limit for a regex- maybe try a different approach - if it's really necessary in your environment - consider allowing only certain attachments (accept action on a higher prio), and then removing all other attachments (remove attachments (with quarantine) with a lower prio)

I hope this helps!