Answer
If you want to know why an email was blocked or allowed by the Attachment Filtering content filter, the log file for that filter has the details. Use the following procedure to find the log and the entry for your message, then use the examples below to interpret why the message was blocked or allowed:
- Find the message ID of the email in question, either from the headers of the message itself or in the MailEssentials Dashboard > Logs > Details tab.
- Open the Attachment Checking.gfi_log file in Notepad from ..\GFI\MailEssentials\EmailSecurity\DebugLogs
- This log is for the Keyword Filtering Module and corresponds to the Configuration > EmailSecurity > Attachment Filtering > (Click on the Rule Name) in the interface and the tb_attachauth tables in the avapicfg.mdb located at ...GFI\MailEssentials\EmailSecurity\Data.
- Do a search for the Message ID from the dashboard or the email headers.
- Note: The bolded lines are the important ones in the log files for determining what has happened and why.
Email was allowed by the module:
>> ProcessMail()
Message-ID [<20140408013018.8D9F436E4BB@gfitest.local>]
Attachment count [2].
Debug level [20]
>> InitializeMailSpecificInformation()
Mail Direction [0].
>> LoadRules
Getting rule resolver class...
Rule resolver class obtained...
Enumerating the rules...
>> ProcessRuleFromDB()
Processing rule : [CONTENT POLICY: Block all potentially malicious attachments]
>> GetRuleAppliesToEmailInThisDirection [0]
Rule applies to direction : VALUEID_AC_CHECKINBOUND
Rule applies to direction : VALUEID_AC_CHECKOUTBOUND
<< GetRuleAppliesToEmailInThisDirection() == TRUE
Rule applies to this direction.
Get attachment list...
Get list cursor interface...
Get list count
Enumerate the list [42]...
<< ProcessRuleFromDB() = TRUE
Sorting the rules.
Done.
<< LoadRules() = TRUE
Number of rules loaded : [1]
<< InitializeMailSpecificInformation() = TRUE
---------------------------------------------------------------------------------------------------------------------
Processing attachment [1] of [2]
Processing the parent PFI.
>> ProcessPFI() -------------
>> GetFileInformationFromPFI()
Scan In Archive Directive from PFI = TRUE
Parent File Name =
Full File Name = detail - advanced orthopaedic centers - 03_31_2014.pdf
Content Type = application/pdf
Content Class =
File Name No Ext = detail - advanced orthopaedic centers - 03_31_2014
File Extension = pdf
File Type = 15 : []
Derived File Name=
File Size = 84194
Number of Extensions associated with this file = 1
<< GetFileInformationFromPFI() = TRUE
>> ProcessFile(detail - advanced orthopaedic centers - 03_31_2014.pdf)
>> ProcessBasicFileProperties()
>> [1300] [54] [detail - advanced orthopaedic centers - 03_31_2014.pdf]
<< ProcessBasicFileProperties = TRUE
>> ProcessFileType()
File type detected by file type checker.
Claimed extension not empty.
Performing check.
<< ProcessFileType() = TRUE
>> ProcessFileName(detail - advanced orthopaedic centers - 03_31_2014, pdf)
listWildCard size [0]
Nothing in wildcard list to compare with.
Block this list. Nothing infringed.
<< ProcessFileName() = TRUE
>> ProcessFileNameBasedOnFileType()
List Obtained : (1 items)
>> ProcessFileName(detail - advanced orthopaedic centers - 03_31_2014, pdf)
listWildCard size [0]
Nothing in wildcard list to compare with.
Block this list. Nothing infringed.
<< ProcessFileName() = TRUE
<< ProcessFileNameBasedOnFileType() = TRUE
<< ProcessFile() = TRUE
<< ProcessPFI() = TRUE
---------------------------------------------------------------------------------------------------------------------
Processing attachment [2] of [2]
Processing the parent PFI.
>> ProcessPFI() -------------
>> GetFileInformationFromPFI()
Scan In Archive Directive from PFI = TRUE
Parent File Name =
Full File Name = discovery benefits invoice - advanced orthopaedic centers - 03_31_2014.pdf
Content Type = application/pdf
Content Class =
File Name No Ext = discovery benefits invoice - advanced orthopaedic centers - 03_31_2014
File Extension = pdf
File Type = 15 : []
Derived File Name=
File Size = 187377
Number of Extensions associated with this file = 1
<< GetFileInformationFromPFI() = TRUE
>> ProcessFile(discovery benefits invoice - advanced orthopaedic centers - 03_31_2014.pdf)
>> ProcessBasicFileProperties()
>> [1300] [74] [discovery benefits invoice - advanced orthopaedic centers - 03_31_2014.pdf]
<< ProcessBasicFileProperties = TRUE
>> ProcessFileType()
File type detected by file type checker.
Claimed extension not empty.
Performing check.
<< ProcessFileType() = TRUE
>> ProcessFileName(discovery benefits invoice - advanced orthopaedic centers - 03_31_2014, pdf)
listWildCard size [0]
Nothing in wildcard list to compare with.
Block this list. Nothing infringed.
<< ProcessFileName() = TRUE
>> ProcessFileNameBasedOnFileType()
List Obtained : (1 items)
>> ProcessFileName(discovery benefits invoice - advanced orthopaedic centers - 03_31_2014, pdf)
listWildCard size [0]
Nothing in wildcard list to compare with.
Block this list. Nothing infringed.
<< ProcessFileName() = TRUE
<< ProcessFileNameBasedOnFileType() = TRUE
<< ProcessFile() = TRUE
<< ProcessPFI() = TRUE
<< ProcessMail() = EMAA_ERR_SUCCESS
Note: If an attachment is allowed through, make sure the rule checks the email's direction (<< GetRuleAppliesToEmailInThisDirection() == TRUE). Confirm that all configured rules (Processing rule) were checked. If you see only the statement below, the email did not have an attachment.
>> ProcessMail()
Message-ID [<498643237106049864888116823978@gfitest.us>]
Attachment count [0].
<< ProcessMail() = EMAA_ERR_SUCCESS
Email was blocked by the module:
>> ProcessMail()
Message-ID [<002f01cf529126ecdad0bf7458ce@gfitest.local>]
Attachment count [1].
Debug level [20]
>> InitializeMailSpecificInformation()
Mail Direction [0].
>> LoadRules
Getting rule resolver class...
Rule resolver class obtained...
Enumerating the rules...
>> ProcessRuleFromDB()
Processing rule : [CONTENT POLICY: Block all potentially malicious attachments]
>> GetRuleAppliesToEmailInThisDirection [0]
Rule applies to direction : VALUEID_AC_CHECKINBOUND
Rule applies to direction : VALUEID_AC_CHECKOUTBOUND
<< GetRuleAppliesToEmailInThisDirection() == TRUE
Rule applies to this direction.
Get attachment list...
Get list cursor interface...
Get list count
Enumerate the list [42]...
<< ProcessRuleFromDB() = TRUE
Sorting the rules.
Done.
<< LoadRules() = TRUE
Number of rules loaded : [1]
<< InitializeMailSpecificInformation() = TRUE
---------------------------------------------------------------------------------------------------------------------
Processing attachment [1] of [1]
Processing the parent PFI.
>> ProcessPFI() -------------
>> GetFileInformationFromPFI()
Scan In Archive Directive from PFI = TRUE
Parent File Name =
Full File Name = notice_of_appearance_po5406.zip
Content Type = application/x-zip-compressed
Content Class =
File Name No Ext = notice_of_appearance_po5406
File Extension = zip
File Type = 9 : [{122E66FD-C158-4ae7-B03E-C6468504817C}]
Derived File Name=
File Size = 79681
Number of Extensions associated with this file = 1
<< GetFileInformationFromPFI() = TRUE
>> ProcessFile(notice_of_appearance_po5406.zip)
>> ProcessBasicFileProperties()
>> [1300] [31] [notice_of_appearance_po5406.zip]
<< ProcessBasicFileProperties = TRUE
>> ProcessFileType()
File type detected by file type checker.
Claimed extension not empty.
Performing check.
<< ProcessFileType() = TRUE
>> ProcessFileName(notice_of_appearance_po5406, zip)
listWildCard size [0]
Nothing in wildcard list to compare with.
Block this list. Nothing infringed.
<< ProcessFileName() = TRUE
>> ProcessFileNameBasedOnFileType()
List Obtained : (1 items)
>> ProcessFileName(notice_of_appearance_po5406, zip)
listWildCard size [0]
Nothing in wildcard list to compare with.
Block this list. Nothing infringed.
<< ProcessFileName() = TRUE
<< ProcessFileNameBasedOnFileType() = TRUE
<< ProcessFile() = TRUE
Packed File : Needs Recursion
>> ProcessPFI() -------------
>> GetFileInformationFromPFI()
Scan In Archive Directive from PFI = TRUE
Parent File Name = notice_of_appearance_po5406.zip
Full File Name = court_notice_copy_07-04-14_ap.exe
Content Type =
Content Class =
File Name No Ext = court_notice_copy_07-04-14_ap
File Extension = exe
File Type = 3 : []
Derived File Name=
File Size = 148480
Number of Extensions associated with this file = 3
<< GetFileInformationFromPFI() = TRUE
>> ProcessFile(court_notice_copy_07-04-14_ap.exe)
>> ProcessBasicFileProperties()
>> [1300] [33] [court_notice_copy_07-04-14_ap.exe]
<< ProcessBasicFileProperties = TRUE
>> ProcessFileType()
File type detected by file type checker.
Claimed extension not empty.
Performing check.
<< ProcessFileType() = TRUE
>> ProcessFileName(court_notice_copy_07-04-14_ap, exe)
listWildCard size [0]
Nothing in wildcard list to compare with.
Rule infringed.
Extension in original list, hence definite block.
Short Error Report [Triggered rule CONTENT POLICY: Block all potentially malicious attachments"]"
Long Error Report [File notice_of_appearance_po5406.zip\court_notice_copy_07-04-14_ap.exe" triggered rule "CONTENT POLICY: Block all potentially malicious attachments" (Claimed extension "exe" listed in "block" extension list)]"
<< ProcessFileName() = FALSE
<< ProcessFile() = FALSE
<< ProcessPFI() = FALSE
<< ProcessPFI() = FALSE
Processing infringements collection for current attachment...
Infringements in the collection [1]
Copying infringements to local list...
Clearing the infringements collection...
Iterate through the local infringements list...
Infringement rule id matched... retrieved rule display name.
Short Description [Triggered rule CONTENT POLICY: Block all potentially malicious attachments"]"
<< ProcessMail() = EMAA_ERR_DBACTION
Note: This message had a single .zip attachment, which was allowed; however, the zip file contained a .exe file, which was blocked. Scan In Archive Directive from PFI = TRUE shows that scanning within archive files is enabled (a Decompression Engine setting), which allowed this message to be blocked. The Long Error Report gives the exact reason the email was blocked, while the Short Description is what would be shown in the Quarantine.
Module is disabled:
>> Process Message
Executing processing ...
<< Process Message
Note: There is no "disabled" message; simply no checks are done.
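The lookup by Message-ID and the markers discussed in the notes above can be scripted. This is an added example, not GFI's code: it assumes the log lines appear exactly as in the excerpts on this page (no timestamp prefix, entries not interleaved), and `summarize`, `PATTERNS` and `SAMPLE_LOG` are hypothetical names, with the sample constructed from those excerpts.

```python
import re

# Constructed sample, abridged from the log excerpts shown on this page.
SAMPLE_LOG = r"""
>> ProcessMail()
Message-ID [<498643237106049864888116823978@gfitest.us>]
Attachment count [0].
<< ProcessMail() = EMAA_ERR_SUCCESS
>> ProcessMail()
Message-ID [<002f01cf529126ecdad0bf7458ce@gfitest.local>]
Attachment count [1].
Processing rule : [CONTENT POLICY: Block all potentially malicious attachments]
<< GetRuleAppliesToEmailInThisDirection() == TRUE
Scan In Archive Directive from PFI = TRUE
Full File Name = notice_of_appearance_po5406.zip
Parent File Name = notice_of_appearance_po5406.zip
Full File Name = court_notice_copy_07-04-14_ap.exe
Long Error Report [File notice_of_appearance_po5406.zip\court_notice_copy_07-04-14_ap.exe" triggered rule "CONTENT POLICY: Block all potentially malicious attachments" (Claimed extension "exe" listed in "block" extension list)]"
<< ProcessMail() = EMAA_ERR_DBACTION
"""

# Field name -> pattern for the log lines the notes above call out; each field collects a list.
PATTERNS = {
    "id": r"Message-ID \[<?(.*?)>?\]$",
    "count": r"Attachment count \[(\d+)\]",
    "rules": r"Processing rule : \[(.*)\]$",
    "direction": r"<< GetRuleAppliesToEmailInThisDirection\(\) == (\w+)",
    "archive_scan": r"Scan In Archive Directive from PFI = (\w+)",
    "files": r"Full File Name = (.+)$",
    "reasons": r"Long Error Report \[(.*)\]",
    "result": r"<< ProcessMail\(\) = (\w+)",
}

def summarize(log_text, message_id):
    """Summarise the ProcessMail() block for message_id; None if it is not in the log."""
    block = None
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith(">> ProcessMail()"):
            block = {key: [] for key in PATTERNS}    # a new message starts here
        elif block is not None:
            for key, pattern in PATTERNS.items():
                if m := re.match(pattern, line):
                    block[key].append(m.group(1))
                    break
            if block["result"]:                      # "<< ProcessMail() = ..." closes the block
                if block["id"] == [message_id.strip("<>")]:
                    return block
                block = None
    return None
```

A `None` return means the log holds no `ProcessMail()` block for that Message-ID, which is also what a disabled module looks like. An empty `rules` or a `FALSE` in `direction` on an allowed message points at the rule configuration rather than the attachment.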
Priyanka Bhotika