Banned Files

Spammers often use emails as a means to infect their victims. They do so by attaching files to their emails which, when opened, can install malicious software, steal personal information and/or hijack the user's computer. In order to protect our clients, our filters block certain types of files by default. The filters can also be personalized to block or accept the files you wish to receive.

This article applies to Administrator accounts - Quarantine Administrator accounts can view this information but cannot edit the parameters.

Administrators can manage user accounts under:
My Organization → Parameters → Inbound Filtering → Filtering Policy Groups → Filtering.


IN THIS ARTICLE
- Files Blocked by Default
- Zipped Files
- Banned Categories
- Attachments Tab

Files Blocked by Default

All files considered executable are banned by default. This includes executables for Windows, Mac, Linux, and others. The following extensions are banned by default:

.ani, .app, .bat, .cmd, .com, .cpl, .dll, .dmg, .exe, .hta, .jar, .js, .jse, .lnk, .pif, .scr, .vbs, .vbe, .wsf

We also block files based on MIME type. The following MIME types are banned:

application/dos-exe, application/exe, application/hta, application/msdos-windows, application/x-dosexec, application/x-exe, application/x-msdos-prog, application/x-msdos-program, application/x-msdownload, application/x-msmetafile, application/x-winexe, image/x-wmf, text/x-msdos-batch

Other indicators are also used to detect executable files. File detection is based on the specific extensions as well as on file metadata (in order to block files with renamed extensions).

What Happens to Emails with Banned Files?

Emails with banned files are quarantined and a Delivery Status Notification (DSN) is sent to the sender to inform them that their email was quarantined.

Administrators and individual users may browse these emails in the quarantine, where they are identified with the Banned File icon (see below). They may release these emails and administrators may also click Release and whitelist to add the sender to the Banned file sender Whitelist.

[Image: Banned file icon]

Are Zipped Files Blocked?

Zipped files are not inherently bad so our filters don't block them by default. These files are unzipped and the content is scanned to see if it matches any of the banned file rules. The zipped archives unzipped by our filters are:

.zip, .tar.gz, .bz2

Our filters are able to scan the contents of a zipped archive even if it is password protected. Password protection blocks execution of the contents, but not viewing. On the other hand, if the archive contains several levels of folders, or other archives, our filters will not be able to inspect the contents of those folders or archives. For this reason, we recommend activating the Banned Category Password protected zip archives.
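The sketch below is an added example, not the filtering product's own code. It shows how the two checks described above can work: detecting an executable by its leading bytes even when the extension was renamed, and reading member names from a .zip (password protected or not) while reporting nested archives as uninspected. The function names, the magic-byte subset and the nested-archive extension set are assumptions made for illustration.

```python
import io
import zipfile

# Default banned extensions, copied from the list in this article.
BANNED_EXT = set("ani app bat cmd com cpl dll dmg exe hta jar js jse lnk pif "
                 "scr vbs vbe wsf".split())
NESTED_EXT = {"zip", "gz", "bz2", "tar"}   # assumption: treated as nested archives
# Assumed subset of well-known leading bytes of native executables.
MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "Linux ELF",
         b"\xcf\xfa\xed\xfe": "Mach-O"}

def ext_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def sniff(head):
    """Executable type suggested by the leading bytes, or None."""
    return next((k for sig, k in MAGIC.items() if head.startswith(sig)), None)

def inspect_attachment(name, data):
    """Return sorted findings for one attachment (hypothetical helper)."""
    found = set()
    if ext_of(name) in BANNED_EXT:
        found.add(f"banned extension: {name}")
    if sniff(data[:8]):
        found.add(f"{sniff(data[:8])} content in {name}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():            # names come from the directory,
                member = info.filename            # which needs no password
                encrypted = bool(info.flag_bits & 0x1)
                if encrypted:
                    found.add("password-protected zip archive")
                if ext_of(member) in BANNED_EXT:
                    found.add(f"banned extension in archive: {member}")
                if ext_of(member) in NESTED_EXT:
                    found.add(f"nested archive, contents not inspected: {member}")
                elif not encrypted:
                    with zf.open(info) as fh:     # read 8 bytes, not the whole member
                        kind = sniff(fh.read(8))
                    if kind:
                        found.add(f"{kind} content in archive: {member}")
    return sorted(found)

if __name__ == "__main__":
    buf = io.BytesIO()                            # constructed sample archive
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"MZ\x90\x00 renamed executable")
        zf.writestr("inner.zip", b"")
    print(inspect_attachment("docs.zip", buf.getvalue()))
```

For an encrypted member only the name and flags are available, so the example checks the extension and skips content sniffing.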

Banned Categories Descriptions

Here follows a short description of the different Banned Categories and what they represent. 

(italic categories are active by default).

| BANNED CATEGORY | DESCRIPTION |
| --- | --- |
| Windows executables | All Windows executable file types |
| Mac OS executables | All MacOS executable file types |
| Linux executables | All Linux executable file types |
| Other executables | Files that are not meant to be executable, but that could be (e.g., .js) |
| Microsoft Office Dangerous Macros | Any Microsoft Office document containing macros that auto-execute and that write to system memory and/or execute arbitrary code |
| Pre-2007 Microsoft Office macros | All .doc, .xls, and .ppt containing macros |
| Microsoft Office 2007+ Macros | All .docm, .xlsm, and .pptm |
| Microsoft Office Mismatch Macro version | All cases where the file extension and MIME type declarations do not match up |
| Password protected zip archives | All password-protected .zip files |

A Note About Microsoft Office Macros

Microsoft Office files containing macros are a popular infection vector that spammers have long used. While these documents can come in many shapes and forms, some are more dangerous than others. The most dangerous files are auto-executable and also either write to system memory or execute something outside of their own context. The Content Category Microsoft Office Dangerous Macros looks to block these dangerous files.

Due to the danger represented by these files, Microsoft Office Dangerous Macros is activated by default. It is not recommended to uncheck this category. You may add specific trusted senders to the Banned File Sender Whitelist on a case-by-case basis.

You may also block other types of macros based on the type (pre-2007 or post-2007) by using the appropriate Banned Category.

Attachments Tab

This tab contains all filtering parameters relating to banned file verifications. You are able to either whitelist or blacklist entries relating to files attached to messages.

Adding a whitelist entry will override verifications done on that type of content (or on attached files from a specific sender if using the Banned file sender Whitelist). The message might still be blocked due to other verifications, however.

Adding a blacklist entry will put the message in the quarantine. Depending on the rest of the content filtering analysis, our filters may return a Delivery Status Notification (DSN). See the Related Articles for more information on DSNs.

| TABLE NAME | ACCEPTED VALUES | DISABLES MOST FILTERING CHECKS | DISABLES BANNED FILE CHECKS | DISABLES SPF/DKIM/DMARC CHECKS | DISABLES ANTIVIRUS CHECKS |
| --- | --- | --- | --- | --- | --- |
| File Extension Whitelist | File Extension | | ✔️ | | |
| File Extension Blacklist | File Extension | Messages are quarantined and a DSN may be returned to the sender (see Related Articles for DSN example) | | | |
| Banned file sender Whitelist | Address | | ✔️ | | |
| MIME Type Whitelist | MIME Type | | ✔️ | | |
| MIME Type Blacklist | MIME Type | Messages are quarantined and a DSN may be returned to the sender (see Related Articles for DSN example) | | | |

In the event of a discrepancy, the whitelists have precedence over the blacklists.

File Extension Format Examples

Entries to this whitelist should only be the characters identifying the extension. There is no need to add "wildcard" characters (*) or to preface the extension with a period (.).

| VALUE | CORRECT FORMAT |
| --- | --- |
| eml | ✔️ |
| mp3 | ✔️ |
| JPEG | ✔️ |
| .jpg | |
| *.exe | |