Configuring the decompression engine filters
Check password protected archives
Screenshot 60 - Configuring password protected archives options
This filter allows you to quarantine or delete emails which contain password protected archives. To configure this filter:
1. Click on the Decompression node in the Console Root.
2. From the list of available filters (in the right window), click on Check password protected archives.
3. Select the Check password protected archives option to enable this filter.
4. Specify what to do with emails containing password protected archives by selecting one of the following options:
- Quarantine - Select this option to quarantine the emails that contain a password protected archive. The administrator can later review these quarantined emails and approve or delete them accordingly.
- Automatically Delete - Select this option to automatically delete emails containing password protected archives.
5. Click on the Actions tab to configure any actions to be performed whenever an email containing a password protected archive is detected and blocked. For more information on how to configure actions refer to the 'Configuring decompression filter actions' section in this chapter.
6. Click on the Apply button to confirm your settings.
Check corrupted archives
This filter allows you to quarantine or delete emails which contain corrupted archives. The configuration options of this filter are identical to those of the 'Check password protected archives' filter. For more information on how to configure these options, refer to the 'Check password protected archives' section above.
Check for recursive archives
Screenshot 61 - Configuring recursive archives options
This filter allows you to quarantine or delete emails which contain recursive archives. Recursive archives, also known as nested archives, are archives which contain one or more levels of sub-archives (i.e. archives within archives). A high number of archive levels can indicate a malicious archive: recursive archives can be used in a DoS (Denial of Service) attack, since most content scanning and anti-virus packages crash while attempting to scan nested archive levels.
To configure this filter:
1. Click on the Decompression node in the Console Root.
2. From the list of available filters (in the right window), click on Check for recursive archives.
3. Select the Check for recursive archives option to enable this filter and specify the maximum number of nested archives permitted.
NOTE: If you disable the Check for recursive archives rule, recursive archives will not be scanned and quarantined, thus bypassing the anti-virus checking.
4. Decide what to do with emails containing nested archives which exceed the specified limit by selecting one of the following options:
- Quarantine - Select this option to quarantine the emails that contain recursive archives. The administrator can later review these quarantined emails and approve or delete them accordingly.
- Automatically Delete - Select this option to automatically delete emails containing recursive archives which exceed the specified nesting limit.
5. Click on the Actions tab to configure any actions to be performed whenever an email containing a recursive archive is detected and blocked. For more information on how to configure actions refer to the 'Configuring decompression filter actions' section in this chapter.
6. Click on the Apply button to confirm your settings.
Check size of uncompressed files in archives
Screenshot 62 - Configuring checks for the size of uncompressed files in archives
This filter allows you to block or delete emails with archives that exceed the specified physical size when uncompressed. Hackers sometimes use this method in a DoS (Denial of Service) attack: by sending an archive that can be uncompressed to a very large file, they can often crash content security or anti-virus software.
To configure this filter:
1. Click on the Decompression node in the Console Root.
2. From the list of available filters (in the right window), click on Check size of uncompressed files in archives.
3. Select the Check size of uncompressed files in archives option to enable this feature and specify the maximum size (in MB) allowed for uncompressed files received within an archive.
NOTE: If you disable the Check size of uncompressed files in archives rule, archived attachments will not be scanned and quarantined, thus bypassing the anti-virus checking.
4. Decide what to do with emails containing archived files which exceed the specified size when uncompressed by selecting one of the following options:
- Quarantine - Select this option to quarantine the emails that contain these archives. The administrator can later review these quarantined emails and approve or delete them accordingly.
- Automatically Delete - Select this option to automatically delete emails containing archived files which, when uncompressed, exceed the specified size limit.
5. Click on the Actions tab to configure any actions to be performed whenever this filter detects and blocks emails containing an archive. For more information on how to configure actions refer to the 'Configuring decompression filter actions' section in this chapter.
6. Click on the Apply button to confirm your settings.
Check for amount of files in archives
Screenshot 63 - Configuring checks for the amount of files in archives
This filter allows you to quarantine or delete emails which contain an excessive number of compressed files within an attached archive. You can specify the number of files allowed in archive attachments from the configuration options included in this filter.
To configure this filter:
1. Click on the Decompression node in the Console Root.
2. From the list of filters (in the right window), click on Check for amount of files in archives.
3. Select the Check for amount of files in archives option to enable this filter and specify the maximum number of files allowed in an archive.
NOTE: If you disable the Check for amount of files in archives rule, archive attachments will not be scanned and quarantined, thus bypassing the anti-virus checking.
4. Decide what to do with emails containing archives which exceed the specified limit of contained files by selecting one of the following options:
- Quarantine - Select this option to quarantine the emails that contain these archives. The administrator can later review these quarantined emails and approve or delete them accordingly.
- Automatically Delete - Select this option to automatically delete emails containing archives which exceed the specified file limit.
5. Click on the Actions tab to configure any actions to be performed whenever this filter detects and blocks emails containing an archive. For more information on how to configure actions refer to the 'Configuring decompression filter actions' section in this chapter.
6. Click on the Apply button to confirm your settings.
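The following Python sketch is an added illustration, not the product's own code. It shows the kind of pre-scan decision the password protected, corrupted, recursive, uncompressed size and file count filters above describe, applied to a ZIP attachment without unpacking it to disk. The limit values, the function names and the ZIP-only scope are assumptions.

```python
import io
import zipfile

# Assumed limits standing in for the values entered in each filter's dialog.
MAX_DEPTH = 3                      # nested archive levels permitted
MAX_UNCOMPRESSED = 10 * 1024**2    # total uncompressed bytes permitted
MAX_FILES = 100                    # files permitted across all levels

def check_archive(data, depth=1, st=None):
    """Return the set of filter limits a ZIP attachment (bytes) violates."""
    st = st or {"files": 0, "bytes": 0, "hits": set()}
    hits = st["hits"]
    if depth > MAX_DEPTH:
        hits.add("recursive")
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        hits.add("corrupted")
        return hits
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:        # bit 0 set: entry is encrypted
                hits.add("password-protected")
                continue
            st["files"] += 0 if info.is_dir() else 1
            st["bytes"] += info.file_size   # size declared in the header
            if st["files"] > MAX_FILES:
                hits.add("too-many-files")
            if st["bytes"] > MAX_UNCOMPRESSED:
                hits.add("too-large")
            if hits & {"too-many-files", "too-large"}:
                return hits                 # stop before decompressing more
            if info.filename.lower().endswith(".zip"):
                try:
                    with zf.open(info) as fh:
                        inner = fh.read(info.file_size)  # at most the declared size
                except Exception:           # bad CRC, bad stream, unsupported method
                    hits.add("corrupted")
                    continue
                check_archive(inner, depth + 1, st)
    return hits

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; constructed sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```

The size and file budgets are shared across all nesting levels, so a nested archive counts once as a member and again through its contents, which errs on the side of blocking.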
Scan within archives
The Scan within archives option allows you to disable Attachment Checking and Content Checking of files in archives. In effect, when this option is disabled, archive attachments are ignored and therefore not scanned by the Attachment Checking and Content Checking modules.
Configure this option as follows:
1. Click on the Decompression node in the Console Root.
2. From the list of filters (in the right window), click on Scan within archives.
3. Select the Scan within archives option to scan emails having archive attachments using the decompression and attachment scanning rules.