I decided to write up a filter guide as there seems to be some confusion with the new interface in FPE. The screens are from FPE but the guidance is good for filtering in all of our products.
With Forefront Protection for Exchange we have drastically changed the interface for our filtering. I will be going over the filtering interface as well as discussing best practice for filtering.
The first thing you will notice is the removal of the “File” option for one off filters.
Everything is in a list now so you are creating a list for each set of filters you want to make.
I will walk through a filter list creation for file types.
Under policy management select filter lists.
Click on create
And choose the type of filter type (again in Antigen/FSS it was Filtering shuttle with content, keyword, file allowed senders and filter lists broken into new pages)
As you can see in FPE you now have a wizard to walk you through list creation.
We are picking inspect the header for this post. This will create a * filter with options for file types.
In the the next part you set your filter list name and the type of files.
Here is where you need to be careful to select file types you know you need to block. In this screen you would want to stay away from zip file format as office 2007-2010 files have a zip file header.
If you need to block zips you need to set up a skip filter first. I will be going over that in another blog post.
The next set of file types.
I would be very carful about some of the image filters
A JPG filter could wipe out all email with a signature that has images in them.
WMF is also used in 2007/2010 office documents.
The most important one here would be the Microsoft Transport Neutral Encapsulation Format File type. This is the contents of every piece of mail at the hub level in a 2007/2010 organization. If you filter on this you might need to update your resume as you will start deleting every mail that comes through that server.
I would keep EICAR virus Test File out of the list as it is harmless and you might have need for it later.
Again make sure what you are deleting is not needed in your environment.
This is where you set your action when caught. If you were setting a skip detect you would set it here for each scan. My test box has both roles so you see every scan.
And here you can see the finished filter list.
I would suggest that if you are not sure of what a file type does you create two filters. Have one set to delete for files you know you do not want. And another with files you think you might not want. Set the filter up for skip detect and then monitor what it catches. Once you are comfortable you can move more file types into the delete list.
Hope this information was of some use.
This is very descriptive. Wonderfully explained