Hello,

some of the mail servers I admin are behind a Fortinet device that does content inspection and removes viruses by replacing them with this content:

------=_NextPart_000_0012_F7463AA1.9316ADCB
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Length: 221
Connection: Close

Dangerous attachment removed.  The file "ORDER_00812387.xlsx" was infected with the 
"MSExcel/CVE_2017_11882!exploit" virus. It has been removed and quarantined as: 
"[disabled]"."http://www.fortinet.com/ve?vid=10022639";.
------=_NextPart_000_0012_F7463AA1.9316ADCB--

I created a rule that should catch this content and award it:

# a SpamAssassin rule must sit on one line; [^"] instead of \S so that attachment
# names containing spaces still match, \s+ where the notice may be line-wrapped
body     FORTI_ATT_REMOVED  /^Dangerous attachment removed\.\s+The file "[^"]{0,255}" was infected with the\s+"[^"]{0,63}" virus\. It has been removed and quarantined as:\s+"[^"]{0,31}"\."http:\/\/www\.fortinet\.com\//
describe FORTI_ATT_REMOVED  Dangerous attachment removed by Fortinet
score    FORTI_ATT_REMOVED  5

So far, all files I found are small (<100K), but can (and should) I somehow restrict the search for this content to only the beginning of attachments?
Is there anything I should do better?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Windows found: (R)emove, (E)rase, (D)elete

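An added example, not from the original post, showing how the rule above behaves when matching is anchored at the start of each MIME text part rather than anywhere in the mail. It uses a constructed message (placeholder boundary) and an approximation of SpamAssassin's body rendering, which is an assumption about its internals.

```python
import email
import re
from email import policy

# Constructed test message (not from the original post); the second part mirrors
# the Fortinet replacement part quoted above, the boundary is a placeholder.
SAMPLE = b"""Content-Type: multipart/mixed; boundary="BOUNDARY_PLACEHOLDER"

--BOUNDARY_PLACEHOLDER
Content-Type: text/plain; charset="utf-8"

Please find the order attached.
--BOUNDARY_PLACEHOLDER
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Length: 221
Connection: Close

Dangerous attachment removed.  The file "ORDER_00812387.xlsx" was infected with the
"MSExcel/CVE_2017_11882!exploit" virus. It has been removed and quarantined as:
"[disabled]"."http://www.fortinet.com/ve?vid=10022639";.
--BOUNDARY_PLACEHOLDER--
"""

# Python port of the FORTI_ATT_REMOVED regex: [^"] instead of \S so attachment
# names containing spaces still match, \s+ wherever the notice may be wrapped.
FORTI_RE = re.compile(
    r'^Dangerous attachment removed\.\s+The file "(?P<file>[^"]{0,255})" was infected '
    r'with the\s+"(?P<virus>[^"]{0,63})" virus\. It has been removed and quarantined '
    r'as:\s+"(?P<quarantine>[^"]{0,31})"\."http://www\.fortinet\.com/'
)


def render_paragraphs(text):
    """Approximation (an assumption) of SpamAssassin body rendering: blank lines
    separate paragraphs and the lines inside a paragraph are joined by spaces."""
    paras = re.split(r'\n\s*\n', text.strip())
    return [re.sub(r'\s+', ' ', p) for p in paras if p.strip()]


def fortinet_hits(raw):
    """One dict per text/plain part whose *first* paragraph is the Fortinet notice;
    matching only at the start of each part is what limits the check to attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in (p for p in msg.walk() if p.get_content_type() == 'text/plain'):
        paras = render_paragraphs(part.get_content())
        m = FORTI_RE.match(paras[0]) if paras else None
        if m:
            hits.append(m.groupdict())
    return hits
```

A copy of the notice quoted further down in a reply (not at the start of a part) is deliberately not counted, which is the distinction the question about "only the beginning of attachments" is after.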