IronPort Attachment Filtering using Content Filter Dictionaries

Hello,
one of our customers experiences some problems with filtering attachments based on their file extensions.
What we did: We created a dictionary with extension formats like ".exe" or ".cab".
Based on this dictionary we created a policy so that all mails are scanned. If an attachment matching this dictionary is in the mail, this attachment will be stripped and replaced by a TXT file.
In my tests this worked fine, only matching files are replaced, the others pass. BUT after activating the rule, we had the problem that a lot of attachments not having an extension that should be filtered were stripped. So ".xls" or ".pdf" were stripped too.
Can you help me configure it correctly? Do we have to change something in the dictionary? Why is this happening, any explanation?
Thanks a lot for your help in advance and best regards
Michael

Hello,
We are doing something similar, but we are not using a dictionary. We specify the file extension in a content filter action of strip attachment by file info, file name ends with, and we use this regular expression:
(?i)\.bat
(?i) makes it case insensitive, the "\" makes the action search for the special character period (which in regex is a wildcard), and then the file extension. 
When you save it, it will look a little off, the GUI adds some regex characters to it. The entry will look something like this on the content filter page:
drop-attachments-by-name("(?i)\\.bat$")
This expression will drop all instances of file extensions that have .bat, which includes all possible combinations. Examples include .BAT, .bat, .bAT, so on and so forth.
Hope this helps =) 
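
The regex points made in the reply above (literal period, case-insensitivity, end-of-name anchor), shown as an added example that is not part of the original thread. It uses Python's `re` module to illustrate general regex semantics, not the appliance's own dictionary or filter engine; the file names are constructed samples.

```python
import re

# Constructed attachment names for illustration (not from the original thread).
SAMPLES = [
    "setup.exe", "RUN.BAT", "update.cab",
    "annexes.pdf", "vocabulary.xls", "notes.batch",
]

# Extensions written the way one might type them into a term list.
EXTENSIONS = [".exe", ".cab", ".bat"]


def loose_patterns(extensions):
    # Each entry used as a regex as typed: '.' is a wildcard,
    # there is no end anchor, and matching is case-sensitive.
    return list(extensions)


def strict_patterns(extensions):
    # Escaped period, case-insensitive flag, anchored to the end of the name,
    # i.e. the same shape as the (?i)\.bat$ entry quoted in the reply.
    return ["(?i)" + re.escape(ext) + "$" for ext in extensions]


def stripped(patterns, names):
    # Map each matching file name to (first matching pattern, matched text),
    # so an over-broad entry can be traced back to what it actually hit.
    hits = {}
    for name in names:
        for pattern in patterns:
            m = re.search(pattern, name)
            if m:
                hits[name] = (pattern, m.group(0))
                break
    return hits


if __name__ == "__main__":
    for label, pats in (("loose", loose_patterns(EXTENSIONS)),
                        ("strict", strict_patterns(EXTENSIONS))):
        print(label)
        for name, (pattern, text) in stripped(pats, SAMPLES).items():
            print(f"  {name!r} matched {pattern!r} on {text!r}")
```

The loose set hits "annexes.pdf" and "vocabulary.xls" in the middle of the name and misses "RUN.BAT"; the strict set matches only the three names that really end in a listed extension.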

Similar Messages

  • Content Filter - attachment stripping logic not working like I think it should

    Hello,
    I am working on a content filter for stripping file attachments - my logic is this:
    Condition: If File Type does NOT EQUAL file type Documents: attachment-filetype != "Document"
    Action: Strip File Attachment by File Info: drop-attachments-by-size(0 bytes) 
    My thought is that files that are not word docs, "test.ZIP" for example, would match the condition of not being a document. The match specifies that the action should then be performed on it - strip the attachment if it is over 0 bytes, which would be a match to any file. 
    Right now, it strips anything, documents included... it's like the condition does not exist. I considered using Message Filters at first, but I need to provide a replacement message with each attachment I strip. Thanks in advance for your help!

    Hey Daniel
    Your understanding is correct to a point.
    The condition you set is correct, it will look for emails where attachments are NOT document files according to their mime structure.
    Once this condition is met (IE: test.zip)
    it will fall to the action
    Your action however is set to drop all attachments greater than 0 bytes.
    So for a setup like this I would suggest.
    First content filter:
    Attachment filetype is equal to "document"
    Action for this content filter :  skip remaining content filters
    Second content filter:
    (Either no condition or Attachment filetype is NOT "document")
    Action -> Strip if size greater than 0
    The reason why all attachment filetypes are being stripped, even documents, is that the condition simply states what needs to be seen to trigger this action.
    But this action is not set to exempt document files but to strip them all.

  • Content Filter Problem

    Hello experts,
    I used to do user authorization using Content Filter for each Fact Table and it worked. But Recently after upgrading to 10.1.3.4 Some dashboards adhere to that filter others don't (so one dashboard users see filtered content on other dashboards they see everything) Can you please suggest where lies the problem so I can fix this so that the filter is shown on every dashboard?
    Thank You
    Regards
    After further investigation it appeared that the content filter isn't working on the fact table but it works on the dimensions. Please note that the content filter is more than 200 lines on the fact table; when I reduce it to 10 lines it works, but when it goes over 10 lines it stops working. Any suggestions to make this work?
    Thank You
    Edited by: ZaidN on Apr 26, 2009 2:26 AM
    Edited by: ZaidN on Apr 27, 2009 7:29 AM

    ZaidN - you need to reduce the filter size....there's a query limit (not sure how many characters, but 200 lines is probably pushing it) on queries sent to BI server...my advice would be letting RPD Security Model deal with security...

  • Attachment Content Filter not working

    I am trying to use the Attachment Content Filter to prevent the distribution of a sensitive document outside of our organization. I have a filter that matches on the filename that works fine. However, when I try to filter based on attachment contents it seems to not be working. I have selected a text string somewhat unique to the document that I would like to match on. The attached document is a PDF file. Is the attachment content scanner looking for a regexp match in the MIME encoded attachment maybe?
    Any help would be appreciated!

    Greetings,
    For this issue it would be advisable to open a support ticket. There are a couple of different issues that can cause this.  We would need to review the mail logs for the message in question to understand the issue.
    Christopher C Smith
    CSE
    Cisco IronPort Customer Support 

  • Content Query not producing results when using [Me] filter

    Hi
    I'm using a Content Query web part and I'm trying to show the most recent document modified by each site user by applying it across the site collection and using the Filter, Modified By [_Hidden] equals [Me]. However, this doesn't seem to work for any user - the web part is always blank. I have tried different combinations such as changing equals to contains, and using the Modified By field etc - nothing gives me the correct results. If I instead take the [Me] out and instead use the "people chooser" and set to a specific person then I seem to get the results I would expect - however I cannot hard code a given user.
    Does anyone know how to use [Me] correctly?
    Thanks

    Hi  sjb500,
    According to your description, please take steps as below to meet your demand:
    With the page layout open in Design view, double-click the Content Query Web Part.
    In the Content Query Web Part dialog box, click the plus sign (+) next to Query to expand it.
    In the Source section, click Show items from all sites in this site collection.
    In List Type section, in the Show items from this list type, click Document Library.
    In the Content Type section, in the Show items of this content type group list, click Document Content Types.
    In the Content Type section, in the Show items of this content type list, click Document.
    In the Additional Filters section, under Show Items When, click Modified By [_Hidden] in the first box, click Is Equal To in the second box, and then click [Me].
    In the Content Query Web Part dialog box, click the plus sign (+) next to Presentation to expand it.
    In the Grouping and Sorting section, in the Sort items by list, click Modified and select Show items in descending order.
    Click OK.
    Reference: http://office.microsoft.com/en-us/sharepoint-designer-help/display-data-from-multiple-lists-with-the-content-query-web-part-HA010174134.aspx
    [Me] is a variable that stands for the user who is currently viewing the page that contains the Content Query Web Part in the browser.
    Here are some scenarios using [Me] in Content Query Web Part:
    http://social.technet.microsoft.com/Forums/en-US/346ffbe6-d7ba-467e-b7f5-6d6e289677a1/user-tasks-web-part
    Please inform me freely if you have any questions.
    Thanks

  • Content Filter block attachment .scr/.cab etc... not working inside archive

    Hi,
    We have trouble that Content Filter for blocking attachments executable, scr, and cab is not working if .exe, .scr, or .cab are inside 7zip, zip or rar archive.
    How deep inside attachment ESA goes, if any?
    Antivirus config is set to 5 and some viruses passed like CryptoWall as .scr and .cab.
    So, we are blocking that extension but this time they were inside archive.  

    Hello Juraj,
    I apologise for the inconvenience.
    Currently if there are viral definitions within the attachment, the AV engine would be the first line of defence, if you for some reason notice some viral attachments bypassing your ESA, please open a TAC case so we can escalate the sample to Sophos for you to capture.
    As per content filtering.
    The scan depth on how deep it will go into a system is defined in 'scanconfig' in the CLI.
    This will show your current recursion depth.
    As per .cab and .7z attachments not being properly captured if .scr or .exe are inside it
    Currently there are some Enh request to allow the unpacking/decompression of these archive files to capture things inside it, at the moment the request is still undergoing review.
    As a temporary measure you can proactively send .7z and .cab files to the quarantine for your administrative review -- 
    The ESA will however be able to seek the executable should it be shrouded inside the .rar/.gzip and .zip archives however.
    I hope this helps.
    Regards,
    Matthew

  • Can a Content Query Web Part (CQWP) be used to filter content based upon a substring of a variable

    Folks, I'm a newbie to this forum and to SharePoint in general - so please be gentle :-)
    I'm using SharePoint 2010 and have content in lists which I want to display based upon certain user attributes. For example I have a SharePoint LINKS list which contains entries for various applications (I'm using the LINKS list as an example, however I'd like to apply it to many libraries/lists).
    Name:UK Intranet - URL:http:UKintranet.com - Description: UK
    Name:USA Intranet - http:USintranet.com - Description: USA
    Name:UK Contacts list - http:UKPhones.com - Description: UK
    Name:USA Contacts list - http:USAPhones.com - Description: USA
    My users are split across AD domains, one called UK and others in a domain called USA.
    What I would like to do in a content query is display items where the user's domain (ie UK or USA) is contained in the Description field.
    So a CQWP which includes something like "filter when Description = &userdomain"
    I should also add that I am only using basic page editing in a browser and have no access to Sharepoint Designer
    Can this be done?
    BTW - I know this is a little like Audience Targetting, however I don't have rights to setup audiences and as the information about the audience is already available in the users domain I simply wanted to reuse that.

    Hi Peter,
    According to your description, my understanding is that you want to filter items based on the current user’s domain.
    Whether you could access Central Administrator, and create a new user property in User Profile Service Application->Manage User Properties. If yes, create a new user property (assuming it is called ‘Domain’) to store the users’ domain information. If not, please choose an existing user property that you don’t use to store the domain information, like Department.
    Then do the following:
    Open the page that you want to display the list.
    Edit the page and insert the list into the page.
    Insert a Current User Filter web part (Insert->Web Part->Filters->Current User Filter) into the page.
    Then edit the Current User Filter web part, and select value to provide: SharePoint profile value for current user: Department (or Domain).
    Connect the Current User Filter web part to the list: Connections->Set filter values to->the list.
    Connection Type: Get Filter Values from, click Configure.
    Consumer Field Name:Description, click Finish.
    I hope this helps.
    Thanks,
    Wendy
    Wendy Li
    TechNet Community Support

  • IOS Content Filtering Using TrendMicro: Can I customize the block-page redirect-url?

    I have IOS content filtering using the Trend Micro subscription service working on a 2911 running 15.1.(3)T3 with the security license option and a 30 day demo Trend subscription.
    Once I figured out that the content filtering for Trend appears to be completely broken in 15.2 (even using docs for 15.2) I went back to 15.1 and it works great.
    Everything seems great so far except I would like to have a more 'fancy' or custom blocked page where a user can have a couple links to either go to the trend micro reporting page http://global.sitesafety.trendmicro.com/result.php or some other page, and maybe some branding so they know the page is coming from our network and is not some fake security thing or phishing attempt or whatever.
    I know I can use the 'parameter-map type urlfpolicy trend ' section to do a tiny bit of customization of the text that appears on the default blocked page display and there is an option for it to go to a simple redirect instead ('block-page redirect-url') but I wonder if anyone has any ideas on how to do more with either the built in page or the redirect-url to keep the information of what page the user was trying to access and why it was blocked (category etc.) while adding more features.
    Thanks!
    Oh, one last thing, this doesn't support any kind of 'user override' or anything like that does it? So that a network can have a filter applied but an admin could override the filtering to allow temporary access to something?

    Hmm... no thoughts over the weekend. Anyone?

  • Outgoing mail Policy only able to use one of either Content Filter - Outbreak Filter - DLP

    No matter what config I use I am able to apply sender domains, anti spam and anti virus however I can only apply a single process of content filter which then will not move to the next process of DLP.  Can this be achieved so I can have within the same outgoing mail policy the process of content filter and dlp policies applied.

    Hello Bighead81,
    could you explain what you mean by "single process of content filter" please?  I'd suppose adding more than one content filter to a policy, which should be no problem. Also activation of Content Filter, Outbreak Filters and DLP (for outbound mailflow) for any policies.
    Regards,
    Andreas

  • Ns0 prefix not attached in the xml structure generated using Content Master

    Hello Everyone,
    I am parsing a tabdelimited file using the Content Master Studio.
    I am providing the message type xsd as the schema file.
    After writing all the parsing logic the xml file which is getting generated is in the below mentioned format
    <?xml version="1.0" encoding="UTF-8"?>
    <ReadExcel xmlns="urn:readexcel.com">
    <ROW>
    <NAME>Rahul</NAME>
    <AGE>24</AGE>
    <Location>Mumbai</Location>
    </ROW>
    <ROW>
    <NAME>Vinit</NAME>
    <AGE>25</AGE>
    <Location>Mumbai</Location>
    </ROW>
    </ReadExcel>
    but since the ns0 prefix is not getting attached the mapping program is failing in XI.
    <ns0:ReadExcel xmlns:ns0="urn:readexcel.com">
    I guess the people who have used Content master studio might have also faced the similar problem.
    Please suggest me some solution
    Thanks and Regards
    Rahul Nawale

    Hi Rahul,
    the namespace prefix ns0 is only a placeholder for the namespace urn:readexcel.com. This namespace can also be represented by another prefix or even by the empty prefix.
    E.g. the document you have pasted is totally equivalent to the document
    <?xml version="1.0" encoding="UTF-8"?>
    <ns0:ReadExcel xmlns:ns0="urn:readexcel.com">
    <ns0:ROW>
    <ns0:NAME>Rahul</ns0:NAME>
    <ns0:AGE>24</ns0:AGE>
    <ns0:Location>Mumbai</ns0:Location>
    </ns0:ROW>
    <ns0:ROW>
    <ns0:NAME>Vinit</ns0:NAME>
    <ns0:AGE>25</ns0:AGE>
    <ns0:Location>Mumbai</ns0:Location>
    </ns0:ROW>
    </ns0:ReadExcel>
    However, it is not possible to model this document via a Message type in the Integration Repository. The XML instance from a Message type will look like this:
    <?xml version="1.0" encoding="UTF-8"?>
    <ns0:ReadExcel xmlns:ns0="urn:readexcel.com">
    <ROW>
    <NAME>Rahul</NAME>
    <AGE>24</AGE>
    <Location>Mumbai</Location>
    </ROW>
    <ROW>
    <NAME>Vinit</NAME>
    <AGE>25</AGE>
    <Location>Mumbai</Location>
    </ROW>
    </ns0:ReadExcel>
    Indeed, in the root tag all documents are equivalent (it has name ReadExcel and namespace urn:readexcel.com). But for the subelements (ROW, NAME,...) there is a fundamental difference. In your example (and my first example) these elements have namespace urn:readexcel.com, too. In my second example those elements have empty namespace. Indeed, all XML documents modelled as Message types have an empty namespace for all non-root elements.
    Message types are simply not suitable to model a document as you have posted. However, there is simple help. Just download the schema for the Message type to your local file system. Add attribute elementFormDefault="qualified" to the root tag of that schema. Upload that schema as External Definition. This External Definition will have one External Message. Define your mapping using that schema.
    For more background on that topic I recommend reading the specifications on XML namespaces and XML schema.
    Greetings
    Stephan
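
The namespace comparison in the reply above, as an added example that is not part of the original thread. It uses Python's standard `xml.etree.ElementTree`, which reports each element's expanded name regardless of prefix; the three documents are shortened copies of those in the thread (one ROW, one NAME).

```python
import xml.etree.ElementTree as ET

NS = "urn:readexcel.com"

# Shortened copies of the three documents discussed in the thread.
DEFAULT_NS = ('<ReadExcel xmlns="urn:readexcel.com"><ROW>'
              '<NAME>Rahul</NAME></ROW></ReadExcel>')
PREFIXED_ALL = ('<ns0:ReadExcel xmlns:ns0="urn:readexcel.com"><ns0:ROW>'
                '<ns0:NAME>Rahul</ns0:NAME></ns0:ROW></ns0:ReadExcel>')
PREFIXED_ROOT_ONLY = ('<ns0:ReadExcel xmlns:ns0="urn:readexcel.com"><ROW>'
                      '<NAME>Rahul</NAME></ROW></ns0:ReadExcel>')


def expanded_names(xml_text):
    # Return (namespace, local name) for every element in document order.
    # ElementTree encodes a namespaced tag as "{namespace}local".
    names = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.startswith("{"):
            ns, local = el.tag[1:].split("}", 1)
        else:
            ns, local = "", el.tag
        names.append((ns, local))
    return names


def unqualified_children(xml_text):
    # Local names of non-root elements that are in no namespace at all.
    return [local for ns, local in expanded_names(xml_text)[1:] if ns == ""]


if __name__ == "__main__":
    for label, doc in (("default namespace", DEFAULT_NS),
                       ("ns0 on every element", PREFIXED_ALL),
                       ("ns0 on root only", PREFIXED_ROOT_ONLY)):
        print(label, expanded_names(doc))
```

The first two documents yield identical expanded names; only the third leaves ROW and NAME in the empty namespace, which is the difference `elementFormDefault="qualified"` controls in the schema.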

  • Unable to create content properly in UCM 11G using validateStandard filter

    Hi All,
    We have used the validateStandard filter to assign a content ID with 16 digits in UCM 10G and it worked well. We deployed this component in UCM 11G but it is not working properly. When we click on the Check In button, content is getting created and displaying Check_In Confirmation with the 16 digit Content ID; upon clicking on Content Info it is displaying the complete info page. When we try to search the content it is not displaying in search results, and also when we tried to export it using Archiver it is not creating a batch file. When we see logs in View Server output it is displaying
    Unable to lock content with dDocName: 6322932684534064
    File to be removed: D:/oracle/ucm/cs/oracle/ucm/cs/vault/~temp/6322932684534064_meta.htm
    Below is the code and its corresponding log after check In is performed
    trace("=====Set 16 digit random number as ContentId=====");
    String contId = databinder.getLocal("dDocName");
    trace("=====value of contId====="+ contId);
    if("".equals(contId))
    //trace("=====Inside ContentId generetion=====");
    int maxdigits = 16;
    StringBuilder result = new StringBuilder();
    Random r = new Random();
    for (int i = 0; i<maxdigits; i++)
        result.append(r.nextInt(10));
    databinder.putLocal("dDocName", result.toString());
    trace("=====Generated ContentId is====="+ result.toString());
    View Server O/P:
    =====Set 16 digit random number as ContentId=====
    =====value of contId=====001885
    =====Generated ContentId is=====6322932684534064
    >(internal)/6 07.08 15:09:28.273 IdcServer-968 Unable to lock content with dDocName: 6322932684534064
    >(internal)/6 07.08 15:09:29.476 IdcServer-968 File to be removed: D:/oracle/ucm/cs/oracle/ucm/cs/vault/~temp/6322932684534064_meta.htm
    Thanks,
    Ashok

    It's a bug. References BUG:16231709 - OBIA7964:ERROR WHILE CREATING DATA WAREHOUSE TABLES USING DAC 11G
    So far the workaround is to use one Container Name at a time when creating the Warehouse.
    If helps mark and update back

  • How to Use and Filter Table contents after execution of Bapi

    Can anybody guide me how to use and filter the table contents which I got after successful execution of a Bapi?
    I used Component Controller in my project.
    Ex: My table contains redundant data for a single column but I want to display the column contents without redundancy
    Name
    Raghu
    Raghu
    Raghu
    Debasish
    Debasish
    I want to filter the table contents and I want to display the table without redundancy.
    And even when I am using a Dropdown, I selected a column from a table as the values for that Dropdown, but that table is having redundant data and the same data is getting displayed in that Dropdown. I want the Dropdown to display data without redundancy.
    Thanks

    I also got that problem recently and after debugging for a while I figured out that it was resulting from an error in my table's model: When the model received new items to display I
    1.) Fired a delete event for the old items
    2.) Fired an insert event for the new items
    Problem was that when firing the delete event I hadn't already assigned the new items to the model. Therefore it still had the old row count.
    Maybe you have also a faulty table model?...

  • How can I achieve IOS content filtering using a Cisco router

    Good day Everybody.
    I would like to set up content filtering using IOS on my Cisco router. I already know how to do URL filtering but I want to restrict access to sites based on categories.
    Is this possible without having to introduce an external device?

    Natively in IOS this is not possible. However you can configure CWS (Cisco Web Security). The router will forward web requests to a cloud based web security service.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps11720/data_sheet_c78-729637.html

  • Content filtering doesn´t "filter" https

    I have RV082 running latest firmware. If I try to enable web filtering under "Content Filter" by web address or keyword it only works for HTTP sites. Let's say I try to block www.facebook.com, I get "This URLs or Page has been blocked"
    If I type https://www.facebook.com I get to facebook no problem. It looks like only HTTP is checked and blocked.
    Also if I try "Scheduling" and apply the rule from 8:00 to 13:00 it allows me to access it. Am I missing something?

    Hi Mario, HTTPS can't really be blocked unless the router is able to perform reverse DNS lookup. If you want to block https flavors of a website you would need a service that can perform the reverse DNS lookups such as OpenDNS.
    -Tom
    Please mark answered for helpful posts

  • Message filters vs Content Filters

    Differences:
    1. Message filters occur earlier in the email pipeline than content filters. Message filters occur before the email goes into the workqueue. The content filters occur inside the workqueue.
    2. Message filters are currently only administered from the command line. Content filters can be administered from both the CLI and the GUI interface; however, the GUI interface is the recommended method.
    3. Content filters have an inbound and an outbound set of content filters, depending upon the direction of the message. That is, whether it's a relayed email (outgoing content filters) or inbound mail (inbound content filters). Message filters, on the other hand, are automatically applied to both inbound and outgoing traffic, unless you lock them down to a specific listener. If you only have one listener, you may need to differentiate your flow of traffic by sendergroups or something else.
    4. Message filters and content filters can pretty much have the same conditions and actions. However, message filters allow for if-else conditions, so they are more robust.
    5. You can use message and content filters in unison. For example, use a message filter to insert a custom header that your content filter can key off of. However, this does not work the other way around. You cannot insert a custom header in the content filter and have the message filter key off of that info. Due to the way the email pipeline is set up, message filters come first, then content filters.
    6. Ease of use: content filters are a bit more intuitive and user-friendly. Message filters are more advanced, so they have a bigger learning curve.
    7. Content filters used with customized incoming or outgoing mail policies allow you to splinter messages. Splintering messages allow you to split messages up by recipients. Message filters don't allow splintering and are applied to the entire message.
    AsyncOS User Guide: Content Filters Overview
    https://support.ironport.com/docs/c_series/4.6/HTML_4.6_Compilation/AsyncOS_4.6_User_Guide/AsyncOS_4.6_User_Guide-12-3.html
    AsyncOS User Guide: Message Filters
    https://support.ironport.com/docs/c_series/4.6/HTML_4.6_Compilation/AsyncOS_4.6_Adv_User_Guide/AsyncOS_4.6_Adv_User_Guide-09-2.html
    AsyncOS User Guide: Email Pipeline
    https://support.ironport.com/docs/c_series/4.6/HTML_4.6_Compilation/AsyncOS_4.6_User_Guide/AsyncOS_4.6_User_Guide-09-2.html

    Actually, I just did a test on this and your point is half correct.
    It's not the content filter that does the splintering, it's either the incoming or outgoing mail policy that does the splintering.
    For example, if you only have one Default outgoing policy and an outgoing content filter that drops the mail if the destination is @yahoo.com.
    If you sent in a test email with two recipients: [email protected] and [email protected]
    Then the entire message would get dropped since there was only one Default outgoing policy.
    However, you can allow for splintering if you had additional custom policies.
    For example,
    1. gmail-recipients
    2. yahoo-recipients
    3. Default policy
    In that case, your test email would split into two separate emails and then you could have the content filters apply to each separately.
    You are correct that message filters apply to the entire message and do not allow for message splintering.
    However, for content filtering, message splintering is only applicable if you have an additional custom policy, either inbound or outgoing.
    So, in addition to the requirement of multiple recipients, you also need multiple policies; otherwise, having multiple recipients and only one Default policy will affect the entire message also.
    Thanks for the attention to detail.
    You've missed one of the biggest differences...
    Message filters act on a _message_. Content filters act on a message/recipient pair.
    If a message is only going to a single person then there's not any difference, but if a message is addressed to multiple people then the message filter will take the same action for all recipients, whilst the content filter will split ("splinter") the one message into multiple messages, with one (or possibly more) recipients each, and then act on each individually.
