Issue:
- .XLS and .XLA attachments are blocked by F-Secure filter
- The following attachment has been stripped:
Source: user1@example.com
Destination: support@domain.com
File name: 41125001012.xls
File size: 192000 bytes
Scan result: Attachment '41125001012.xls' matches 'AttachmentFiltering::Included' stripping condition; Real type: application/vnd.ms-excel; description: Microsoft Compound Document;Microsoft Excel Document; VBA;doc_long: Microsoft Excel 2003-workstattion;doc_class: Biff8;doc_spec: Excel.Sheet.8;appname: Microsoft Excel; extensions: XLS XLA VBA
Action: Dropped
Quarantine ID: 20095
Resolution:
Reason why these attachments are blocked is because you might have set a match list to strip attachments for one of the following policy routes Incoming email, Outgoing email or Internal email.
Your match list might contain some of these extensions:
*.BAT *.CMD *.COM *.EXE *.HTA *.JS *.JSE *.PIF *.SCR *.SHS *.VBE *.VBS *.zip .VBA *. *.xls*.doc*
This means that the file has been blocked since it is either a XLS or XLA file, or it includes VBA, VBE OR vbs macros.
By default these are blocked by our filter.
If you want to allow the macros, you need to remove them from Disallowed list "match list" and possibly whitelist them so that scanning engine does not detect as potentially malicious.
Which might happen later when they are whit-listed, since now they are only disallowed!
You can also create a Trusted Senders list and Exclude these senders from Disallowed Inbound Files
This way only trusted senders can send emails which include XLS and XLA attachments with VBA macros.
You can query email quarantine for dropped attachments or messages using the F-Secure Email and Server Security web console.
- From your target server login to the Web console example https://127.0.0.1:25023/
- Scroll down to Email Quarantine, Query and select Object type Attachments from the drop down menu and press Query
This way you will get results for the dropped attachments, where you will also see the reason why this attachment has been filtered.
or
You can look for logs:
For Email and Server Security 12.xx you can look for Logfile.log which will show you similar entries.
'example.xls' matches 'Disallowed Inbound Files' stripping condition; Real type: application/vnd.ms-excel; description: Microsoft Compound Document;Microsoft Excel Document; VBA;doc_long: Microsoft Excel 2003 Worksheet;doc_class: Biff8;doc_spec: Excel.Sheet.8;appname: Microsoft Excel; extensions: XLS XLA VBA
For Email and Server Security 14.01 you can look for transportAgent.log or email-scan.log
which are located under C:\Windows\ServiceProfiles\NetworkService\AppData\Local\F-Secure\Log\ess and will show you similar entries:
Scan result: Attachment '41125001012.xls' matches 'AttachmentFiltering::Included' stripping condition; Real type: application/vnd.ms-excel; description: Microsoft Compound Document;Microsoft Excel Document; VBA;doc_long: Microsoft Excel 2003-workstattion;doc_class: Biff8;doc_spec: Excel.Sheet.8;appname: Microsoft Excel; extensions: XLS XLA VBA
Action: Dropped
Quarantine ID: 20095
Article no: 000002345