Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
966
Views
1
Helpful
4
Replies

Best Practices attachment Filter

Go to solution
cyberurmel
Level 1
Level 1

‎02-23-2023 01:57 AM

Hi all, 

as i couldnt find it via the attachment filter  / File Info. 

We got the information that a new way to infiltrate someone is to send .one (One Note) attachments. As they are not blocked by Macro i wonder if i can create a new Quarantine for that files. But in the Filter attachments it doesnt exist a file type namend .one 

Just to be sure -- if i would create a filter with  attachment file info contains  *.one? 

 

Thanks a lot

Regards

Cyb

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ken Stieers
VIP
VIP

‎02-23-2023 06:36 AM

Yes, that is your current solution.
I already put in an Enhancement request to add .one to MS Office files, Macro Detection, Document type, etc.
Its publicly available here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe31334

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Ken Stieers
VIP
VIP

‎02-23-2023 06:36 AM

Yes, that is your current solution.
I already put in an Enhancement request to add .one to MS Office files, Macro Detection, Document type, etc.
Its publicly available here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe31334

0 Helpful

Go to solution
cyberurmel
Level 1
Level 1
In response to Ken Stieers

‎02-26-2023 11:25 PM

Hi Ken, 

thanks first for reply. One Problem what i found as i did it like above.  In the gui i have now unter rules :

part of it below...but this also hits an attachment name where one its in the name.. where can i edit that with regex?

thanks a lot 

if (attachment-filename == ".one") 
0 Helpful

Go to solution
cyberurmel
Level 1
Level 1

‎02-27-2023 04:26 AM

Ok..had a misstake 

now with this it seems to work:

@cyberurmel wrote:

Hi all, 

as i couldnt find it via the attachment filter  / File Info. 

We got the information that a new way to infiltrate someone is to send .one (One Note) attachments. As they are not blocked by Macro i wonder if i can create a new Quarantine for that files. But in the Filter attachments it doesnt exist a file type namend .one 

Just to be sure -- if i would create a filter with  attachment file info contains  *.one? 

 

Thanks a lot

Regards

Cyb

 

 

attachment-filename == "(?i).one$")
0 Helpful

Go to solution
Dustin Anderson
VIP
VIP

‎03-06-2023 01:07 PM

some more helpful, we use similar to do this. ours is attachment ends with:

\.(7z|acea|ade|adp|bas|bat|cab|chm|cmd|com|cpl|crt|daa|exe|hlp|hta|img|inf|ins|iqy|iso|isp|jar|js|jse|lnk|lzh|mdb|mde|msc|msi|msp|mst|one|pcd|pif|ppsx|r[0-9][0-9]|rar|reg|rev|scr|sct|shb|shs|tbz|url|uue|vb|vbe|vbs|wsc|wsf|wsh|z)

The big thing you will want to look at is the ESA does regex, so the . is a wildcard without escaping it. \. tells it to match a period.

 

Customers Also Viewed These Support Documents