Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pshute
New Contributor

Emails with wmz files being sent to system quarantine

We've had Fortimail for a few months, and have only recently discovered that emails with wmz attachments are being moved to system quarantine. Probably about 20, from perhaps 4 different senders, over 3 months. Important emails that need to get through.

 

It appears that these attachments are small images used in some senders' signatures.

 

Fortinet tech support has advised deleting the executable_windows file filter from the CF_Inbound content profile. That seems a bit extreme - I think it would also allow through exe files and many others. They say there's no way to strip them from the emails instead.

 

Can anyone please advise:

- are you also seeing these attachments resulting in quarantined emails?

- is allowing them through the appropriate course of action? Should I instead be advising the senders not to include them? (I assume they have no idea they're doing this, and won't know how to fix it.)

- is there a safer way to let them through?

4 REPLIES 4
Dirty_Wizard_FTNT

Completely removing the executable_windows file filter is extreme.

You can clone that file filter to create a new one, then edit the cloned filter and remove *.wmz extension.

 

Then apply the new filter filter instead of executable_windows to the Content Profile(s).

Or you can specify to apply this only to certain senders with additional Recipient Policy.

 

There is an action to 'strip' attachments and it is 'Replace with message'. I have not tried this out for an embedded image, however.

pshute

jwilkins wrote:

You can clone that file filter to create a new one, then edit the cloned filter and remove *.wmz extension.

 

Then apply the new filter filter instead of executable_windows to the Content Profile(s).

That's what I ended up doing.

Or you can specify to apply this only to certain senders with additional Recipient Policy.

From what I've seen so far, there are a few senders using these attachments. Perhaps 10 in 3 or 4 months. Mostly from one domain, but random enough that I think I'd better not restrict it this way - there will always be new senders having their mail quarantined before I add their addresses to the exclusion.

 

I read that these attachments are generated by using Word as the email editor in Outlook, which is probably a common thing.

There is an action to 'strip' attachments and it is 'Replace with message'. I have not tried this out for an embedded image, however.

I took that to mean it would replace the entire email contents with a message. The AV profile has "Replace infected / suspicious body or attachment(s)", which sounds like what I want, but I'm not sure the "Replace with message" in the content profile is the same thing. That would be a good solution if it is.

 

I would test it, but I find the whole thing very confusing, and I'm not sure how to go about testing it without affecting all incoming mail.

Dirty_Wizard_FTNT

The replace action in the Content Profile should only replace the attachment with the message if triggered by the Attachment Filter. You can avoid affecting all mail when testing by defining your test sender / recipient in an additional policy.
Johan_de_Koning

Thanks for the topic i did the following to make a workaround.

 

- Went to: Profile > Content > File Filter.

- Made a new file filter named *.wmz

- @Predefined note the correct file type as in image/x-wmz although selecting that one doesnt identify it as such.

- So select at the bottom table file extension *.wmz and add it.

- Go to your content policy and Add a new rule and select the *.wmz and select an appropriate action profile which lets the mail through.

- Then move it up so its above the executable one where it always got blocked.

- Test it and it should work.

 

Also you know what i dont understand?

That fortinet support is so reckless with their advice, why would you advise someone to take out Executables from a content policy it kind of defeats the purpose of protecting your customers.

I had a similar advice from them when Silverlight applications were seen as executable and i could not exclude them and they were like, yeah just dont check for executables. Pretty dissapointing.

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors