
HOWTO: How do I add custom file type definitions to MailMarshal?



This article applies to:

  • Trustwave MailMarshal (SEG)
  • Trustwave ECM/MailMarshal Exchange 7.X
    • This feature is NOT present in MailMarshal Exchange 5.X
  • Trustwave SPE
    • Note: The location used to enter and store custom types varies by product.
      • In SEG and ECM, types are entered by editing a file.
      • In SPE, types are entered in the Administration Console.

      Question:

      • How do I add custom file type definitions to MailMarshal?
      • How do I configure MailMarshal to correctly recognize my file types?
      • How do I prevent my "Block Unknown Attachments" rule from triggering on legitimate attachments?
      • Why is MailMarshal blocking legitimate file types?
      • How do I stop MailMarshal from blocking legitimate file types?
      • See also Q12988, How do I remove or disable custom filetypes?

      Causes:

      Trustwave SEG and ECM recognize many, but not all, executable, image, document, movie, sound, archive, encrypted, and other file types. If the product does not recognize an attachment as a legitimate file type during mail processing, it tags the unrecognized file as Binary Unknown (BIN). By default, the product blocks the file with the Block Unknown Attachments rule. The workaround is to add a custom file type definition locally. Once the product recognizes the file as a custom file type, and not as BIN, the attachment will no longer trigger the Block Unknown Attachments rule.

      This article explains how administrators can create custom file type definitions, enabling the products to recognize and pass files you do not want them to block.

      Important notes:

      • Custom types override the built-in types. The product assigns only one file type to each file. If a file is recognized as a custom type, it may not be unpacked or scanned for malware as expected. This behavior can result in security breaches. Test any custom file types carefully.
      • You can have only ONE custom entry with each name, such as T:MY-CUSTOM.
      • You can have a custom entry that duplicates a default type name (such as T:XLS).
      • If you have more than one identical T: name entry, you will not be able to load the configuration. This behavior is enforced beginning with the File Type release of October 2020.
      • To recognize several signatures as MY-CUSTOM, include multiple A or X lines in the same signature. See details below.
      • To prevent conflict with built-in types, avoid re-using default typenames such as PDF. Using the default typenames for custom filetypes will not affect unpacking of files. 


      Procedure:

      Note: This solution is intended for advanced users. Most sites will not need to use it.

      To create and apply a custom file type definition, follow these steps:

      1. Gather multiple samples of the file in question.

        If the blocked file type comes from multiple sources, get several samples of the file type from each source. In this example we will use AutoCAD Shape files to demonstrate the steps involved. For example, use different versions of AutoCAD to create Shape files, and create them on different operating systems, etc. In essence, try to cover the various flavors you will encounter in the real world.

        Try to obtain about 10 samples of the file type in question. You may need more samples if there are multiple versions of the file type. Fewer samples are sufficient if there is only one version of the file type.

        If the file type in question is a binary file, you will need to work with the hexadecimal values. In unusual cases you may wish to use text values instead of hex. Text files are covered later in this article. For now we will continue with a binary example.
      2. View each sample file in a Binhex reader. The following are freely available:
      3. Start up multiple sessions of your Binhex reader with a different file opened in each. We are looking for a pattern common to all these files. Typically the opening few bytes will be common to all your examples. We are looking for a happy medium. Use too many bytes, and you risk failing to recognize a different flavor with a slightly different signature. Use too few, and you risk false triggering on unrelated files. A good rule of thumb is to use the first 4 - 8 bytes. Note that each hexadecimal pair of digits you see in the Binhex reader equates to one byte (i.e. 4 - 8 bytes = 8 - 16 digits).
      4. Create, or edit the existing, file type configuration.
        • For SPE, see Policy Elements > Custom File Types in the Administration Console.
        • For SEG and ECM, on the Array Manager server, edit the filetype.cfg file in the installation folder (not in a subfolder).
          • For Trustwave MailMarshal/SEG version 8.X and 10.X on 64 bit systems, the default location is C:\Program Files\Trustwave\Secure Email Gateway
            • When you add or make changes in this file, you must restart the Array Manager service. You may also need to force a refresh of the 10.X web console (Ctrl-F5).
          • For MailMarshal Exchange 7.X (64 bit systems), the default location is C:\Program Files (x86)\Marshal\M86 MailMarshal Exchange
        • For a list of default locations for earlier versions, see Trustwave Knowledgebase article Q10832.
          Notes:
          • The file is named filetype.cfg, not insert-filetype-here.cfg. Use the filetype.cfg file for all current and future file-type customizations.
          • The entry markers (T, D, X, A) MUST BE UPPERCASE.
      5. If you are identifying a text or ASCII file, skip to Step 6. If you are identifying a binary file, each custom file type listed requires the first three of the following four entries. The comment line is optional.

        • T: typename
        • D: description
        • X: offset=hexadecimal signature
        • # Optional comment line

        Notes: The offset is an integer (decimal).
        Multiple X lines can be entered. The type triggers if ANY of the signatures is found (OR condition).
        In SPE, you enter the data in separate fields without the leading identifiers T,D,X,#.

        Example:

        Binhex reader shows the following digits at the start of a file: 4175 746f 4341 442d

        Because we are referring to the beginning of the file, use an offset of 0: X:0=4175 746f 4341 442d

        Complete all the relevant entries for this file type as follows:  

        T:SHX
        D:AutoCAD Shapes file
        X:0=4175 746f 4341 442d
        # Recognizes AutoCAD shape files.

      6. If you are identifying a text or ASCII file, each custom file type listed requires the first three of the following four entries. The comment line is optional.

        • T: typename
        • D: description
        • A: offset,length=ascii signature
        • # Optional comment line

        Note: Multiple A lines can be entered. The type triggers if ANY of the signatures is found (OR condition).

        Here is an example of a text file type definition. The AWK file will always have, in the first 14 characters, the string #!/usr/bin/AWK. This implies an offset of 0, and a length of 14:

        T:AWK
        D:AWK File
        A:0,14=#!/usr/bin/AWK

      7. In the examples above, SHX and AWK are user-defined, shorthand names for the file type. Ensure the shorthand names you choose are not used in the default list of known file types. Once the customization is complete, SHX and AWK are visible in rule creation, in rules and logs, and wherever these file types are referenced. AutoCAD Shapes file and AWK File are the full names that will appear when choosing file types within a rule.
      8. Save the filetype.cfg file, or (for SPE) click OK on the entry window.
      9. For SEG and ECM, set the security permissions on filetype.cfg so that only the mail administrator and the service accounts have access to it. (By default, MailMarshal uses the Local System account.)
      10. To apply the new custom file type:
        • MailMarshal SMTP 5.5: Restart the MailMarshal Controller service.
        • SEG/MailMarshal SMTP 6.X and above, ECM/MailMarshal Exchange 7.X:
          • Restart the Array Manager service.
          • Select Commit Configuration Changes to push the update to all nodes.
          • Restart the Engine service on all nodes.
          • For MailMarshal (SEG) 10.X, to ensure you see new types in the Management Console website, restart the site in IIS.
        • SPE: Wait for configuration to update.

      When you create a new rule, the new file types will appear in a User Defined group in the Select File Type dialog of the Rule Wizard.
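      The sample-gathering and definition steps above, as an added Python example that is not Trustwave's code: it reads definitions in the filetype.cfg format described here (T/D/X/A lines, # comments, multiple X or A lines combined as an OR, and a negative X offset counted back from the end of the file as in the CAMOUFLAGE sample further down), reports which custom types match a file's bytes, and suggests an X:0 line from the bytes your samples have in common. The SAMPLE_CFG text and the sample bytes are constructed; the product itself assigns only one type per file, and because the order it uses among several matching custom types is not stated here, the script simply returns every match.

```python
# Added example, not Trustwave code: a checker for filetype.cfg custom type definitions.
import os
SAMPLE_CFG = """T:SHX
D:AutoCAD Shapes file
X:0=4175 746f 4341 442d
# Recognizes AutoCAD shape files.
T:AWK
A:0,14=#!/usr/bin/AWK
T:CAMOUFLAGE
X:-20=74 a4 54 10 22 97
"""
def parse_filetype_cfg(text):
    """Parse T/D/X/A entries ('#' lines are comments; markers must be uppercase)."""
    entries, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        tag, body = line[:2], line[2:].strip()
        if tag == "T:":
            cur = {"type": body, "desc": "", "sigs": []}
            entries.append(cur)
        elif tag == "D:":
            cur["desc"] = body
        elif tag == "X:":  # X:offset=hex digits; spaces ignored, case-insensitive
            off, _, hexdigits = body.partition("=")
            cur["sigs"].append((int(off), bytes.fromhex(hexdigits.replace(" ", ""))))
        elif tag == "A:":  # A:offset,length=ascii signature
            spec, _, sig = body.partition("=")
            off, length = (int(v) for v in spec.split(","))
            cur["sigs"].append((off, sig.encode("ascii")[:length]))
        else:
            raise ValueError("unknown or lowercase marker: " + line)
    return entries

def matches(entry, data):
    """True if ANY of the entry's signatures is found (OR condition)."""
    for off, sig in entry["sigs"]:
        start = off if off >= 0 else len(data) + off  # X:-20 means 20 bytes before EOF
        if start >= 0 and data[start:start + len(sig)] == sig:
            return True
    return False

def matching_types(entries, data):  # empty list means the product would tag the file BIN
    return [e["type"] for e in entries if matches(e, data)]

def suggest_x_line(samples, max_len=8):
    """Candidate X line from the bytes all samples share at offset 0 (rule of thumb: 4-8)."""
    h = os.path.commonprefix(samples)[:max_len].hex()
    return "X:0=" + " ".join(h[i:i + 4] for i in range(0, len(h), 4))
```

Run suggest_x_line over your real samples, then confirm with matching_types that the resulting definition matches every sample and none of the unrelated files you pass it, which is the false-trigger check the step on signature length warns about.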


      Additional Example Entries for filetype.cfg

      Following are some real-life samples we have encountered. Do not use these without using a Binhex reader to confirm the signatures of your files.

      T:MY-MIDI
      D:MIDI Sound File - User Defined
      X:0=4d54 6864 0000 0006

      T:CAMOUFLAGE
      D:Camouflaged File
      # 20 bytes from end of file always seem to have 74 a4 54 10 22 97
      X:-20=74 a4 54 10 22 97

      T:SCC
      D:Visual Source Safe
      # Example vssver.scc
      X:0=3412 0100 9060 adf1

      T:DCX
      D:DCX Fax Image File
      X:0=B1 68 de 3a

      T:SKC
      D:SKC Molecular Structure
      X:0=01 03 00 04 02

      T:CDX
      D:CDX Molecular Structure
      X:0=56 6a 43 44 30 31 30 30

      T:BLK
      D:Blackberry DAT file
      X:0=03 91 0a 00
      X:0=03 a0 0a 00
      X:0=03 9e 0a 00
      X:0=03 9d 0a 00
      X:0=03 4e 01 00
      X:2=00 00 00 00 00 00 00 01

      Note: Multiple X (hex signature) lines are present in this definition. The type triggers if ANY of the signatures is found (OR condition).

      T:UNI
      D:Unicode Binary NDR information
      A:0,18=Reporting-MTA: dns

      T:PCT
      D:Mac Word embedded PCT Files
      X:10=0011 02ff 0c00 fffe

      T:MPR
      D:MRG Print File
      X:0=1b 45 1b 26 6c 4c 1b 2a 72 30 46 1b

      T:XLSWorks
      D:Excel Spreadsheets by MS Works
      X:0=09 04 06 00 00 00 10 00

      T:MRF
      D:MRF Data File
      X:0=50 4b 03 04 14 00 00 00

      This article was previously published as:
      NETIQKB29638
      Marshal KB478
