When Blocking COM Files in Fingerprinting, Getting False Positives on Other File Types

  • 7023591
  • 14-Dec-2018
  • 07-Jan-2019

Environment

GWAVA (Secure Messaging Gateway) 7

Situation

What needs to be done to prevent SMG from blocking various files, such as a .dwfx, as a COM fingerprint?

Resolution

COM files have no official file format; the only recognizable indicators in them are character sequences that also occur in other files. This is why other file types produce false positives as a COM fingerprint. The best solution is to create an inline exception that detects a COM file only if the attachment does not also match another file type, attachment name, etc. Here are the steps to do this:

1) On the Inbound Mail filter policy, drag a Fingerprint node down to the workbench, from the Filter section above. Click on the icon on the left to edit it and add COM to the list. A note can be added in the white, such as "COM files", to help remember what this special rule is for.

NOTE: Make sure COM is not in the list on the other Fingerprint filter node.


2) Drag the green dot on the right of the Fingerprint node and let go. You should see a list of Filters. Select Attachment Name.


3) Click on the icon on the left of the Attachment Name node, to edit it. Type in the list of attachment types that are being falsely blocked for COM fingerprints. For example: .dwfx


4) Click on the arrows on the right of the Attachment Name node and select the option for 'Invert node logic'. A note can be added to the white, such as 'NOT dwfx files', as a reminder of what this is for.


5) Drag the orange dot on the right of the Attachment Name node, to the right and let go. Select 'block' from the list. Save changes.


The file types that were entered in the Attachment Name list should now not be blocked as a COM fingerprint.