Content filtering rule configured to block attachments blocks items not in the matchlist
Last Updated August 08, 2014
I've configured a content filtering rule to block based on attachment name with a list of extensions (*.bat, *.exe, for example) but it blocks files without those extensions.
The files blocked erroneously by the rule will contain the match term someplace in the file name. For example, your matchlist contains *.com and the file name caught was sampledomain.com.pdf
The content filtering rule blocking the files is set to Match type: "Contains":
An event will be written to the application event log indicating that your rule blocked the file:
Event Type: Warning Event Source: Symantec Mail Security for Microsoft Exchange Event Category: Content Enforcement Rules Event ID: 291 Description: The message "None" located in Administrator/Drafts has violated the following policy settings: Scan: Auto-Protect Rule: Example rule The following actions were taken on it: The attachment "example.com.pdf" was Quarantined for the following reason(s): A Filtering Rule was violated.
When configuring a new content rule, the content type will default to "Contains" instead of "Equals" for the terms you are trying to match. A content rule set to "Contains" with terms such as *.com in the match list, will match against .com anywhere in the attachment name, not just as the extension.
Change the content section to "Equals" instead of "Contains" when trying to match attachments based on extension. To make this change:
Open the SMSMSE console
Navigate to Policies -> Content filtering rules
Locate the rule referred to in the event log entry
Right click the rule in question and select Edit rule...
On the main "Rule" tab, change the "Match Type:" dropdown from Contains to Equals and then click OK
Click Deploy changes.
The rule should now function as expected.
Imported Document ID: TECH122517
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe