Configuring file name filtering in Symantec Protection Engine
This topic explains the options that are configured using the Core server with user interface mode. to work with the Core server only mode.
If your client uses the ICAP protocol or the Native protocol, you can filter files by file name to protect your network during an outbreak. For example, if you know the file name of a new email-borne threat, you can use this information to block infected email messages.
You can configure Symantec Protection Engine to handle the file in one of the following ways:
Block access to the file or the message
Blocks access to any top-level file that matches the file name.
If a container file or email message contains a file or attachment that matches the file name, access to the entire container or message is blocked.
Delete the file or the attachment
Deletes any file that matches the file name and logs the violation.
Symantec Protection Engine deletes any attachments within an email message that match the file name. Attachments that do not match the file name are not deleted and are delivered with the message. If you activate the mail message update feature, the message indicates that an attachment has been deleted due to a policy violation.
Symantec Protection Engine deletes any embedded files that match the specified file name within a container file that contains multiple files. The embedded files that do not match the specified file name are not deleted. Deleted files are replaced with a replacement file, DELETEN.TXT, which indicates the reason that the file was deleted.
Use wildcard characters if you are unsure of an exact file name or to block all file attachments with a specific extension. For example, you can use the wildcard *virus* to block all attachments with the word virus in the file name.
If your client uses the Native protocol or the antivirus-only application programming interface (API), file name violations are reported to the client in the server's response as mail-policy violations. If you use the extended API or have a standard ICAP implementation, this type of violation is reported as a file violation.
From version 7.0, the Native protocol has been deprecated. Symantec recommends the use of either the ICAP or the RPC protocol.
To configure file name filtering in Symantec Protection Engine
In the console on the primary navigation bar, click Policies.
In the sidebar under Views, click Filtering.
In the content area on the Files tab, under Blocking by File Name, check Block files with the following names.
Under When a matching file is found, select one of the following to specify how Symantec Protection Engine handles the messages that contain an attachment with that file name:
Block access to the file or message
This option is enabled by default.
Delete the file or attachment
In the file name box, do any of the following:
Add a file name to the list.
Type the file name that you want to add. Type one entry per line. Search strings are not case-sensitive.
You can use the following wildcard characters as needed:
A question mark (?) to represent a single character.
An asterisk (*) to represent zero or more characters.
A backslash (\) as an escape character. For example, precede a ? or a * with \ to match a literal ? or * symbol in a file name. To match a literal \ symbol, use \\.
Remove a file name from the list.
Highlight the file name that you want to remove, and press Delete.
On the toolbar, select one of the following options:
Saves your changes.
Use this option to continue making changes in the console until you are ready to apply them.
Applies your changes.
Your changes are not implemented until you apply them.
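
The wildcard rules for the file name box (?, *, backslash as escape, case-insensitive matching) can be checked against sample file names before you apply a list. The following Python sketch is an added example, not Symantec code; the function names and the sample entries are constructed. It assumes that an entry must match the whole file name and that a lone trailing backslash is a literal backslash, neither of which this topic states.

```python
import re

def pattern_to_regex(entry):
    """Translate one file name box entry into a compiled, case-insensitive regex."""
    parts, i = [], 0
    while i < len(entry):
        ch = entry[i]
        if ch == "\\":
            # Escape character: the next character is taken literally.
            # Assumption: a lone trailing backslash means a literal backslash.
            i += 1
            parts.append(re.escape(entry[i] if i < len(entry) else "\\"))
        elif ch == "?":
            parts.append(".")       # exactly one character
        elif ch == "*":
            parts.append(".*")      # zero or more characters
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def matching_entries(file_name, entries):
    """Return the entries that match file_name (assumption: whole-name match)."""
    return [e for e in entries if pattern_to_regex(e).fullmatch(file_name)]

def audit(file_names, entries):
    """Map each sample file name to the entries that would flag it."""
    return {name: matching_entries(name, entries) for name in file_names}

# Constructed entries, one per line as they would be typed in the file name box.
ENTRIES = ["*virus*", "invoice_??.exe", r"what\?.doc", r"a\*b.txt", "*.scr"]
# Constructed file names to check the entries against.
SAMPLES = ["MyVIRUS.Exe", "invoice_01.EXE", "invoice_1.exe", "what?.doc",
           "whatx.doc", "a*b.txt", "aXXb.txt", "photo.jpg.scr", "report.pdf"]

if __name__ == "__main__":
    for name, hits in audit(SAMPLES, ENTRIES).items():
        print(f"{name:16} -> {hits if hits else 'no match'}")
```

An entry that matches more sample names than intended (for example a broad *virus* entry) shows up here before it blocks or deletes legitimate attachments.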