Overview
Attachment Filtering is one of the Content Filtering plug-ins. It lets administrators block emails based on the type of attachments an email carries. The plug-in scans inbound as well as outbound emails and blocks any email whose attachments match the configured content filtering rules.
In this article, you will learn how to determine why the Attachment Filtering plug-in blocked or allowed a message, as part of the troubleshooting process.
Introduction
Attachment Filtering blocks emails based on the type or size of their attachments. Customers sometimes open support requests because the plug-in blocked, or allowed, specific attachments contrary to what they expected.
The steps below outline the troubleshooting process for determining the reason behind the action taken by this plug-in.
Description
- Find the Message-ID of the email in question, either from the headers of the message itself or from the MailEssentials Dashboard > Logs > Details tab. Refer to the article Reading Email Headers for more information on extracting the Message-ID.
- Navigate to ..GFI\MailEssentials\EmailSecurity\DebugLogs\ and locate the debug log file for the Attachment Filtering module. The log file name is Attachment Checking.gfi_log.txt
- This is the debug log for the Attachment Filtering module. It corresponds to GFI MailEssentials > Content Filtering > Attachment Filtering > (click on the Rule Name) in the configuration UI, as well as to the tb_attachauth tables in avapicfg.mdb located at ...GFI\MailEssentials\EmailSecurity\Data.
- Open the debug log file in a text editor and search for the Message-ID obtained in step 1.
- Refer to the scenarios below to determine the reason behind the action taken by the Attachment Filtering module. Pay close attention to the Rule infringed, Short Error Report and Long Error Report lines, which state what happened and why.
If no filtering rules are enabled, this filter performs no checks and the debug log shows only:
>> Process Message
Executing processing ...
<< Process Message
Scenario 1: Email was allowed by the module
>> ProcessMail()
Message-ID [<20140408013018.8D9F436E4BB@gfitest.local>]
Attachment count [2].
Debug level [20]
>> InitializeMailSpecificInformation()
Mail Direction [0].
>> LoadRules
Getting rule resolver class...
Rule resolver class obtained...
Enumerating the rules...
>> ProcessRuleFromDB()
Processing rule : [CONTENT POLICY: Block all potentially malicious attachments]
>> GetRuleAppliesToEmailInThisDirection [0]
Rule applies to direction : VALUEID_AC_CHECKINBOUND
Rule applies to direction : VALUEID_AC_CHECKOUTBOUND
<< GetRuleAppliesToEmailInThisDirection() == TRUE
Rule applies to this direction.
Get attachment list...
Get list cursor interface...
Get list count
Enumerate the list [42]...
<< ProcessRuleFromDB() = TRUE
Sorting the rules.
Done.
<< LoadRules() = TRUE
Number of rules loaded : [1]
<< InitializeMailSpecificInformation() = TRUE
---------------------------------------------------------------------------------------------------------------------
Processing attachment [1] of [2]
Processing the parent PFI.
>> ProcessPFI() -------------
>> GetFileInformationFromPFI()
Scan In Archive Directive from PFI = TRUE
Parent File Name =
Full File Name = detail - advanced orthopaedic centers - 03_31_2014.pdf
Content Type = application/pdf
Content Class =
File Name No Ext = detail - advanced orthopaedic centers - 03_31_2014
File Extension = pdf
File Type = 15 : []
Derived File Name=
File Size = 84194
Number of Extensions associated with this file = 1
<< GetFileInformationFromPFI() = TRUE
>> ProcessFile(detail - advanced orthopaedic centers - 03_31_2014.pdf)
>> ProcessBasicFileProperties()
>> [1300] [54] [detail - advanced orthopaedic centers - 03_31_2014.pdf]
<< ProcessBasicFileProperties = TRUE
>> ProcessFileType()
File type detected by file type checker.
Claimed extension not empty.
Performing check.
<< ProcessFileType() = TRUE
>> ProcessFileName(detail - advanced orthopaedic centers - 03_31_2014, pdf)
listWildCard size [0]
Nothing in wildcard list to compare with.
Block this list. Nothing infringed.
<< ProcessFileName() = TRUE
>> ProcessFileNameBasedOnFileType()
List Obtained : (1 items)
>> ProcessFileName(detail - advanced orthopaedic centers - 03_31_2014, pdf)
listWildCard size [0]
Nothing in wildcard list to compare with.
Block this list. Nothing infringed.
<< ProcessFileName() = TRUE
<< ProcessFileNameBasedOnFileType() = TRUE
<< ProcessFile() = TRUE
<< ProcessPFI() = TRUE
---------------------------------------------------------------------------------------------------------------------
Processing attachment [2] of [2]
Processing the parent PFI.
>> ProcessPFI() -------------
>> GetFileInformationFromPFI()
Scan In Archive Directive from PFI = TRUE
Parent File Name =
Full File Name = discovery benefits invoice - advanced orthopaedic centers - 03_31_2014.pdf
Content Type = application/pdf
Content Class =
File Name No Ext = discovery benefits invoice - advanced orthopaedic centers - 03_31_2014
File Extension = pdf
File Type = 15 : []
Derived File Name=
File Size = 187377
Number of Extensions associated with this file = 1
<< GetFileInformationFromPFI() = TRUE
>> ProcessFile(discovery benefits invoice - advanced orthopaedic centers - 03_31_2014.pdf)
>> ProcessBasicFileProperties()
>> [1300] [74] [discovery benefits invoice - advanced orthopaedic centers - 03_31_2014.pdf]
<< ProcessBasicFileProperties = TRUE
>> ProcessFileType()
File type detected by file type checker.
Claimed extension not empty.
Performing check.
<< ProcessFileType() = TRUE
>> ProcessFileName(discovery benefits invoice - advanced orthopaedic centers - 03_31_2014, pdf)
listWildCard size [0]
Nothing in wildcard list to compare with.
Block this list. Nothing infringed.
<< ProcessFileName() = TRUE
>> ProcessFileNameBasedOnFileType()
List Obtained : (1 items)
>> ProcessFileName(discovery benefits invoice - advanced orthopaedic centers - 03_31_2014, pdf)
listWildCard size [0]
Nothing in wildcard list to compare with.
Block this list. Nothing infringed.
<< ProcessFileName() = TRUE
<< ProcessFileNameBasedOnFileType() = TRUE
<< ProcessFile() = TRUE
<< ProcessPFI() = TRUE
<< ProcessMail() = EMAA_ERR_SUCCESS
>> ProcessMail()
Message-ID [<498643237106049864888116823978@gfitest.us>]
Attachment count [0].
<< ProcessMail() = EMAA_ERR_SUCCESS
Scenario 2: Email was blocked by the module
>> ProcessMail()
Message-ID [<002f01cf529126ecdad0bf7458ce@gfitest.local>]
Attachment count [1].
Debug level [20]
>> InitializeMailSpecificInformation()
Mail Direction [0].
>> LoadRules
Getting rule resolver class...
Rule resolver class obtained...
Enumerating the rules...
>> ProcessRuleFromDB()
Processing rule : [CONTENT POLICY: Block all potentially malicious attachments]
>> GetRuleAppliesToEmailInThisDirection [0]
Rule applies to direction : VALUEID_AC_CHECKINBOUND
Rule applies to direction : VALUEID_AC_CHECKOUTBOUND
<< GetRuleAppliesToEmailInThisDirection() == TRUE
Rule applies to this direction.
Get attachment list...
Get list cursor interface...
Get list count
Enumerate the list [42]...
<< ProcessRuleFromDB() = TRUE
Sorting the rules.
Done.
<< LoadRules() = TRUE
Number of rules loaded : [1]
<< InitializeMailSpecificInformation() = TRUE
---------------------------------------------------------------------------------------------------------------------
Processing attachment [1] of [1]
Processing the parent PFI.
>> ProcessPFI() -------------
>> GetFileInformationFromPFI()
Scan In Archive Directive from PFI = TRUE
Parent File Name =
Full File Name = notice_of_appearance_po5406.zip
Content Type = application/x-zip-compressed
Content Class =
File Name No Ext = notice_of_appearance_po5406
File Extension = zip
File Type = 9 : [{122E66FD-C158-4ae7-B03E-C6468504817C}]
Derived File Name=
File Size = 79681
Number of Extensions associated with this file = 1
<< GetFileInformationFromPFI() = TRUE
>> ProcessFile(notice_of_appearance_po5406.zip)
>> ProcessBasicFileProperties()
>> [1300] [31] [notice_of_appearance_po5406.zip]
<< ProcessBasicFileProperties = TRUE
>> ProcessFileType()
File type detected by file type checker.
Claimed extension not empty.
Performing check.
<< ProcessFileType() = TRUE
>> ProcessFileName(notice_of_appearance_po5406, zip)
listWildCard size [0]
Nothing in wildcard list to compare with.
Block this list. Nothing infringed.
<< ProcessFileName() = TRUE
>> ProcessFileNameBasedOnFileType()
List Obtained : (1 items)
>> ProcessFileName(notice_of_appearance_po5406, zip)
listWildCard size [0]
Nothing in wildcard list to compare with.
Block this list. Nothing infringed.
<< ProcessFileName() = TRUE
<< ProcessFileNameBasedOnFileType() = TRUE
<< ProcessFile() = TRUE
Packed File : Needs Recursion
>> ProcessPFI() -------------
>> GetFileInformationFromPFI()
Scan In Archive Directive from PFI = TRUE
Parent File Name = notice_of_appearance_po5406.zip
Full File Name = court_notice_copy_07-04-14_ap.exe
Content Type =
Content Class =
File Name No Ext = court_notice_copy_07-04-14_ap
File Extension = exe
File Type = 3 : []
Derived File Name=
File Size = 148480
Number of Extensions associated with this file = 3
<< GetFileInformationFromPFI() = TRUE
>> ProcessFile(court_notice_copy_07-04-14_ap.exe)
>> ProcessBasicFileProperties()
>> [1300] [33] [court_notice_copy_07-04-14_ap.exe]
<< ProcessBasicFileProperties = TRUE
>> ProcessFileType()
File type detected by file type checker.
Claimed extension not empty.
Performing check.
<< ProcessFileType() = TRUE
>> ProcessFileName(court_notice_copy_07-04-14_ap, exe)
listWildCard size [0]
Nothing in wildcard list to compare with.
Rule infringed.
Extension in original list, hence definite block.
Short Error Report [Triggered rule CONTENT POLICY: Block all potentially malicious attachments"]"
Long Error Report [File notice_of_appearance_po5406.zip\court_notice_copy_07-04-14_ap.exe" triggered rule "CONTENT POLICY: Block all potentially malicious attachments" (Claimed extension "exe" listed in "block" extension list)]"
<< ProcessFileName() = FALSE
<< ProcessFile() = FALSE
<< ProcessPFI() = FALSE
<< ProcessPFI() = FALSE
Processing infringements collection for current attachment...
Infringements in the collection [1]
Copying infringements to local list...
Clearing the infringements collection...
Iterate through the local infringements list...
Infringement rule id matched... retrieved rule display name.
Short Description [Triggered rule CONTENT POLICY: Block all potentially malicious attachments"]"
<< ProcessMail() = EMAA_ERR_DBACTION
Note: This message had a single .zip attachment, which was itself allowed, but the archive contained a .exe file, which was blocked. Scan In Archive Directive from PFI = TRUE shows that scanning within archive files is enabled (a Decompression Engine setting), which is what allowed this message to be blocked. The Long Error Report gives the exact reason the email was blocked, while the Short Description is what is shown in the Quarantine.
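As an added illustration of steps 3 and 4 above (not part of the original article or of GFI's own tooling), the following Python script splits an Attachment Checking.gfi_log.txt excerpt into ProcessMail() blocks and reports, for one Message-ID, the verdict, the files examined (prefixed with their parent archive, as in Scenario 2) and any Long Error Report lines. The log text, Message-IDs and file names are constructed to mirror the two scenarios; the field names it matches are the ones that appear in those log excerpts.

```python
import re
# Constructed excerpt shaped like Attachment Checking.gfi_log.txt (not a real log).
SAMPLE_LOG = """>> ProcessMail()
Message-ID [<a1@example.test>]
Full File Name = report.pdf
File Extension = pdf
<< ProcessMail() = EMAA_ERR_SUCCESS
>> ProcessMail()
Message-ID [<b2@example.test>]
Full File Name = notice.zip
File Extension = zip
Packed File : Needs Recursion
Parent File Name = notice.zip
Full File Name = copy.exe
File Extension = exe
Long Error Report [File notice.zip\\copy.exe" triggered rule "CONTENT POLICY: Block all potentially malicious attachments" (Claimed extension "exe" listed in "block" extension list)]"
<< ProcessMail() = EMAA_ERR_DBACTION
"""

def parse_attachment_log(text):
    """Split the debug log into one record per ProcessMail() block."""
    records, cur, parent, name = [], None, "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">> ProcessMail()"):
            cur, parent, name = {"message_id": "", "result": "", "files": [], "reasons": []}, "", ""
        elif cur is None:
            continue
        elif m := re.match(r"Message-ID \[(.*)\]", line):
            cur["message_id"] = m.group(1)
        elif m := re.match(r"Parent File Name =\s*(.*)", line):
            parent = m.group(1)  # non-empty only for a file found inside an archive
        elif m := re.match(r"Full File Name =\s*(.*)", line):
            name = m.group(1)
        elif m := re.match(r"File Extension =\s*(.*)", line):
            cur["files"].append((f"{parent}\\{name}" if parent else name, m.group(1)))
        elif m := re.match(r"Long Error Report \[(.*)\]", line):
            cur["reasons"].append(m.group(1))
        elif m := re.match(r"<< ProcessMail\(\) = (\S+)", line):
            cur["result"] = m.group(1)  # EMAA_ERR_SUCCESS = allowed; anything else = blocked
            records.append(cur)
            cur = None
    return records

def explain(records, message_id):
    """Steps 3-4 of the article: find one Message-ID and report whether, and why, it was blocked."""
    for r in records:
        if r["message_id"] == message_id:
            return {"blocked": r["result"] != "EMAA_ERR_SUCCESS", **r}
    return None
```

Point parse_attachment_log at the real log file's contents and pass the Message-ID from step 1 to explain; a None result means that Message-ID never reached this module.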