Decompression Engine
The Decompression Engine extracts and analyzes archives (compressed files) attached to an email.
The decompression engine performs the following checks:
- Password protected archives
- Corrupted archives
- Recursive archives
- Size of decompressed files in archives
- Amount of files in archives
- Scan within archives
Configuring the decompression engine filters
To configure decompression engine filters:
Check password protected archives
- Navigate to Content Filtering > Decompression Engine node.
- From the list of available filters, click Check password protected archives.
- To enable this filter, select Check password protected archives.
- Specify what to do when an email contains an archive that triggers this filter:
Option | Description |
---|---|
Quarantine | Quarantines blocked emails |
Automatically Delete | Deletes blocked emails |
- Select Send a sanitized copy of the original email to recipient(s) to choose whether to send a copy of the blocked email to the recipients.
- Click the Actions tab to configure further actions.
- To send email notifications whenever an email gets blocked, check any of the following options:
Option | Description |
---|---|
Notify administrator | To notify the administrator whenever this engine blocks an email. For more information refer to Administrator email address. |
Notify local user | To notify the email local recipients about the blocked email. |
- To log the activity of this engine to a log file, check Log rule occurrence to this file and specify the path and file name to a custom location on the disk to store the log file. By default, log files are stored in:
<GFI MailEssentials installation path>\GFI\MailEssentials\EmailSecurity\Logs\<EngineName>.log
- Click Apply.
NOTE
To create an exception for password protected files see: https://www.gfi.com/support/products/gfi-mailessentials/How-to-whitelist-users-for-a-Block-password-protected-files-policy
Check corrupted archives
- Navigate to Content Filtering > Decompression Engine node.
- From the list of available filters, click Check corrupted archives.
- To enable this filter select Check corrupted archives.
- Specify what to do when an email contains an archive that triggers this filter:
Option | Description |
---|---|
Quarantine | Quarantines blocked emails |
Automatically Delete | Deletes blocked emails |
- Select Send a sanitized copy of the original email to recipient(s) to choose whether to send a copy of the blocked email to the recipients.
- Click the Actions tab to configure further actions.
- To send email notifications whenever an email gets blocked, check any of the following options:
Option | Description |
---|---|
Notify administrator | To notify the administrator whenever this engine blocks an email. For more information refer to Administrator email address. |
Notify local user | To notify the email local recipients about the blocked email. |
- To log the activity of this engine to a log file, check Log rule occurrence to this file and specify the path and file name to a custom location on the disk to store the log file. By default, log files are stored in:
<GFI MailEssentials installation path>\GFI\MailEssentials\EmailSecurity\Logs\<EngineName>.log
- Click Apply.
Check for recursive archives
This filter allows you to quarantine or delete emails that contain recursive archives. Recursive archives, also known as nested archives, are archives that contain multiple levels of sub-archives (that is, archives within archives). A high number of archive levels can indicate a malicious archive. Recursive archives can be used in a DoS (Denial of Service) attack, since analyzing each nested level consumes machine resources. To configure this filter:
- Navigate to Content Filtering > Decompression Engine node.
- From the list of available filters, click Check for recursive archives.
- To enable this filter select Check for recursive archives.
- Specify the maximum number of recurring archives in the Maximum number of recurring archives text box. If an archive contains more recurring archives than the specified number, the email is flagged as malicious.
- Specify what to do when an email contains an archive that triggers this filter:
Option | Description |
---|---|
Quarantine | Quarantines blocked emails |
Automatically Delete | Deletes blocked emails |
- Select Send a sanitized copy of the original email to recipient(s) to choose whether to forward a copy of the blocked email to the recipients but with the malicious content removed.
- Click the Actions tab to configure further actions.
- To send email notifications whenever an email gets blocked, check any of the following options:
Option | Description |
---|---|
Notify administrator | To notify the administrator whenever this engine blocks an email. For more information refer to Administrator email address. |
Notify local user | To notify the email local recipients about the blocked email. |
- To log the activity of this engine to a log file, check Log rule occurrence to this file and specify the path and file name to a custom location on the disk to store the log file. By default, log files are stored in:
<GFI MailEssentials installation path>\GFI\MailEssentials\EmailSecurity\Logs\<EngineName>.log
- Click Apply.
Check size of uncompressed files in archives
This filter allows you to block or delete emails with archives that exceed the specified physical size when uncompressed. Hackers sometimes use this method in a DoS (Denial of Service) attack by sending an archive that uncompresses to a very large file, which consumes hard disk space and takes content security or antivirus software a long time to analyze.
To configure this filter:
- Navigate to Content Filtering > Decompression Engine node.
- From the list of available filters, click Check size of uncompressed files in archives.
- To enable this filter select Check size of uncompressed files in archives.
- Specify the maximum size of uncompressed archives in the Maximum size of uncompressed files in archive in MB text box. If an uncompressed archive's size is bigger than the specified value, the email is flagged as malicious.
- Specify what to do when an email contains an archive that triggers this filter:
Option | Description |
---|---|
Quarantine | Quarantines blocked emails |
Automatically Delete | Deletes blocked emails |
- Select Send a sanitized copy of the original email to recipient(s) to choose whether to send a copy of the blocked email to the recipients but with the malicious content removed.
- To send email notifications whenever an email gets blocked, check any of the following options:
Option | Description |
---|---|
Notify administrator | To notify the administrator whenever this engine blocks an email. For more information refer to Administrator email address. |
Notify local user | To notify the email local recipients about the blocked email. |
- To log the activity of this engine to a log file, check Log rule occurrence to this file and specify the path and file name to a custom location on the disk to store the log file. By default, log files are stored in:
<GFI MailEssentials installation path>\GFI\MailEssentials\EmailSecurity\Logs\<EngineName>.log
- Click Apply.
Check for amount of files in archives
This filter allows you to quarantine or delete emails that contain an excessive number of compressed files within an attached archive. You can specify the number of files allowed in archive attachments from the configuration options included in this filter. To configure this filter:
- Navigate to Content Filtering > Decompression Engine node.
- From the list of available filters, click Check for amount of files in archives.
- To enable this filter select Check for amount of files in archives.
- Specify the maximum number of files in archives in the If the number of files within archive exceeds text box. If the archive contains more files than the specified value, the email is flagged as malicious.
- Specify what to do when an email contains an archive that triggers this filter:
Option | Description |
---|---|
Quarantine | Quarantines blocked emails |
Automatically Delete | Deletes blocked emails |
- Select Send a sanitized copy of the original email to recipient(s) to choose whether to send a copy of the blocked email to the recipients.
- Click the Actions tab to configure further actions.
- To send email notifications whenever an email gets blocked, check any of the following options:
Option | Description |
---|---|
Notify administrator | To notify the administrator whenever this engine blocks an email. For more information refer to Administrator email address. |
Notify local user | To notify the email local recipients about the blocked email. |
- To log the activity of this engine to a log file, check Log rule occurrence to this file and specify the path and file name to a custom location on the disk to store the log file. By default, log files are stored in:
<GFI MailEssentials installation path>\GFI\MailEssentials\EmailSecurity\Logs\<EngineName>.log
- Click Apply.
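The five filters configured above (password protected, corrupted, recursive, uncompressed size, and number of files) all come down to inspecting the structure of an archive before anything is extracted. The following Python inspector is an added example written for this page, not GFI MailEssentials code: it applies those same five checks to a ZIP attachment held in memory. The policy values in POLICY, the finding names, and the fixture builders (make_zip, make_encrypted_stub, nest) are assumptions chosen to mirror the filter settings described in the sections above; the product's own thresholds and log format are whatever the administrator configures.

```python
"""Archive attachment inspector: an added example, not GFI MailEssentials code.
Applies the Decompression Engine's five structural checks to a ZIP held in
memory, streaming decompression against one byte budget shared by every
nesting level so that total uncompressed output stays bounded."""
import io
import struct
import zipfile
import zlib

# Hypothetical policy values; in the product the administrator sets each one.
POLICY = {
    "max_nesting": 2,           # Maximum number of recurring archives
    "max_uncompressed_mb": 10,  # Maximum size of uncompressed files in archive in MB
    "max_files": 50,            # If the number of files within archive exceeds
}
ZIP_MAGIC = b"PK\x03\x04"       # ZIP local file header signature
CHUNK = 64 * 1024


def inspect_archive(data, policy=POLICY, depth=0, budget=None):
    """Return the set of filter names the archive triggers (empty = clean).
    depth = archive levels below the attachment; budget = [bytes still allowed]."""
    findings = set()
    if budget is None:
        budget = [policy["max_uncompressed_mb"] * 1024 * 1024]
    if depth > policy["max_nesting"]:
        findings.add("recursive")
        return findings  # stop descending
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.add("corrupted")
        return findings
    with zf:
        members = [zi for zi in zf.infolist() if not zi.is_dir()]
        if len(members) > policy["max_files"]:
            findings.add("file_count")
        # Header sizes are cheap to check but attacker-controlled; the streamed
        # budget below stays the real limit.
        if sum(zi.file_size for zi in members) > budget[0]:
            findings.add("size")
        for zi in members:
            if zi.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                findings.add("password_protected")
                continue  # cannot look inside without the password
            try:
                with zf.open(zi) as fh:
                    # Buffer a member only if it is itself an archive.
                    nested = bytearray() if fh.peek(4).startswith(ZIP_MAGIC) else None
                    while chunk := fh.read(CHUNK):
                        budget[0] -= len(chunk)
                        if budget[0] < 0:
                            findings.add("size")
                            return findings
                        if nested is not None:
                            nested += chunk
            except (zipfile.BadZipFile, zlib.error, EOFError):
                findings.add("corrupted")  # bad CRC, bad stream or truncated data
                continue
            if nested is not None:
                findings |= inspect_archive(bytes(nested), policy, depth + 1, budget)
                if budget[0] < 0:
                    return findings
    return findings


def make_zip(members, deflate=False):
    """Constructed fixture builder: ZIP bytes from a {name: bytes} mapping."""
    method = zipfile.ZIP_DEFLATED if deflate else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_encrypted_stub(name=b"secret.txt"):
    """Constructed fixture: a one-entry ZIP whose headers set the encrypted flag
    (bit 0).  The body is filler: without the password a filter only sees headers."""
    body = b"\x00" * 17  # 12-byte encryption header + 5 payload bytes
    flags, stored = 0x0001, zipfile.ZIP_STORED
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, stored,
                        0, 0, 0, len(body), 5, len(name), 0) + name + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, stored,
                          0, 0, 0, len(body), 5, len(name), 0, 0, 0, 0, 0, 0) + name
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + end


def nest(data, levels):
    """Constructed fixture: wrap ZIP bytes in `levels` further archives."""
    for i in range(levels):
        data = make_zip({f"level{i}.zip": data})
    return data


if __name__ == "__main__":
    clean = make_zip({"report.txt": b"quarterly figures"})
    for label, blob in [("clean", clean), ("encrypted", make_encrypted_stub()),
                        ("corrupted", clean.replace(b"figures", b"figurez")),
                        ("recursive", nest(clean, 3))]:
        print(f"{label:10} -> {sorted(inspect_archive(blob)) or ['deliver']}")
```

Two design points carry over to any filter of this kind. Password protection is read from general-purpose flag bit 0 in the ZIP headers, which is all a filter can see without the password, so the inspector never tries to open such entries. The uncompressed-size limit is enforced by charging every decompressed byte to one budget that is shared across nesting levels, so a small attachment that expands enormously, or only at its third level, is stopped when the budget is exhausted rather than trusting the sizes its headers declare.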
Scan within archives
You can configure GFI MailEssentials to apply Keyword and Attachment Filtering of files within archives.
- Navigate to Content Filtering > Decompression Engine node.
- From the list of available filters, click Scan within archives.
- To enable scanning within archives select Apply Attachment and Content Filtering rules within archives. For more information refer to Content Filtering.
- Click Apply.
Enable/disable decompression filters
To enable or disable decompression filters:
- Navigate to Content Filtering > Decompression Engine node.
- From the Decompression engine page, select the checkbox of the filters to enable or disable.
- Click Enable Selected or Disable Selected accordingly.