The Decompression engine is one of the Content Filtering scanning modules. It extracts and analyzes archives (compressed files such as .zip or .rar files) attached to an email and checks whether the scanned archive violates any of the rules configured under the Decompression Engine node of the MailEssentials Content Filtering configuration.
Content Filtering engines allow MailEssentials to scan the content of emails and attachments, and block emails containing content matching any configured content filtering rules.
MailEssentials provides four independent Content Filtering engines:
- Keyword Filtering blocks emails based on keywords in the body, subject and/or attachments;
- Attachment Filtering blocks emails based on the type or size of its attachment(s);
- Decompression Engine blocks emails with specific types of compressed files within the email, such as password-protected archives, recursive archives, and so on;
- Advanced Content Filtering blocks emails based on text in the header, subject, or body of the email, using text search or regular expressions.
This article describes in more detail how the Decompression Engine works and the filters that can be configured to identify and block emails carrying unwanted compressed files.
MailEssentials supports a number of rules governing how compressed attachments (for example .zip and .rar files) are processed. The checks performed by the Decompression engine include:
- Password-protected archives
- Corrupted archives
- Recursive archives - These are nested archives containing multiple levels of sub-archives i.e. archives within archives
- Size of decompressed files in archives
- Amount of files in archives
- Scan within archives - Files inside archives are checked for a mismatch between their content and their file extension; the filter includes an option to exclude specific file extensions from this mismatch check
The above decompression engine filters can be enabled or disabled from the MailEssentials Configuration UI by following these steps:
- Navigate to GFI MailEssentials > Content Filtering > Decompression Engine node.
- From the Decompression engine page, select the checkbox of the filters to enable or disable.
- Click Enable Selected or Disable Selected accordingly.
Clicking on a filter opens its configuration screen, where an administrator specifies the action to take when an email contains an archive that triggers the filter. The options available are:
- Quarantine - Quarantines blocked emails
- Automatically Delete - Deletes blocked emails
- Send a sanitized copy of the original email to recipient(s) - Sends a copy of the blocked email to the recipients with the triggering archives removed
- Log rule occurrence to this file - Specify the path and file name to a custom location on the disk to store the log file. By default, log files are stored in: ...GFI\MailEssentials\EmailSecurity\Logs\decompression.log
Check password-protected archives
Check corrupted archives
This filter checks for and blocks corrupted archives. If an archive cannot be uncompressed because of file corruption, its content cannot be scanned, so the rule is triggered and the email is handled according to the configured action rather than being passed through unscanned.
Check for recursive archives
Check size of uncompressed files in archives
This filter allows you to block or delete emails with archives that exceed the specified size on disk when uncompressed. Attackers sometimes use this technique (a decompression bomb) as a DoS (Denial of Service) attack, sending a small archive that uncompresses to a very large file that consumes hard disk space and takes a long time for content security or antivirus software to analyze.
Check amount of files in archives
This filter allows you to quarantine or delete emails that contain an excessive number of compressed files within an attached archive. You can specify the number of files allowed in archive attachments from the configuration options included in this filter.
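The following Python script is an added illustration of the checks described above, written for this article; it is not MailEssentials code and does not reflect how the product implements its engine. It applies the same classes of check to an in-memory .zip attachment: password protection (general-purpose flag bit 0), corruption (unreadable central directory or a CRC mismatch), nesting depth, declared and actual uncompressed size, file count, and content/extension mismatch with an exclusion list. The thresholds, the exclusion list, the magic-number table and the helper names `make_zip`, `mark_encrypted`, `check_archive` are all assumptions made for the example; only the zip format is handled, not .rar. Two points a practitioner should take from it: the declared sizes in the central directory are attacker-controlled, so the real size is counted while inflating and inflation stops at the cap; and an archive that cannot be parsed is reported as a finding rather than being passed through unscanned.

```python
import io
import os
import struct
import zipfile

# Policy thresholds for this example (assumed values, not MailEssentials defaults).
MAX_UNCOMPRESSED_BYTES = 1_000_000   # reject if members claim or yield more than this
MAX_FILE_COUNT = 20
MAX_NESTING_DEPTH = 1                # one archive inside another is allowed, deeper is not
# Extensions exempt from the content/extension mismatch check (assumed exclusion list).
MISMATCH_EXCLUDED = {".txt", ".log"}
# Minimal magic-number table for the mismatch check (constructed for the example).
MAGIC = {b"MZ": ".exe", b"%PDF": ".pdf", b"PK\x03\x04": ".zip"}


def _read_capped(zf, info, cap):
    """Inflate one member in chunks, stopping once `cap` bytes are exceeded.

    The file_size field in the central directory is attacker-controlled, so the
    real size is counted while reading rather than trusted. Returns (data, overflowed).
    zipfile raises BadZipFile at end-of-member if the CRC does not match.
    """
    buf = bytearray()
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(65536)
            if not chunk:
                return bytes(buf), False
            buf += chunk
            if len(buf) > cap:
                return bytes(buf), True


def check_archive(data: bytes, depth: int = 0) -> list:
    """Return the sorted names of the rules a zip attachment triggers ([] = clean)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["corrupted"]          # unparsable archive: fail closed, never pass it through
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_FILE_COUNT:
            findings.append("too-many-files")
        # Declared sizes come from the headers, so this costs nothing before inflating.
        if sum(i.file_size for i in infos) > MAX_UNCOMPRESSED_BYTES:
            findings.append("uncompressed-size")
        for info in infos:
            if info.flag_bits & 0x1:   # general-purpose bit 0 = encrypted entry
                findings.append("password-protected")
                continue               # content cannot be inspected without the password
            if "uncompressed-size" in findings:
                continue               # do not inflate what the headers already flagged
            try:
                content, overflowed = _read_capped(zf, info, MAX_UNCOMPRESSED_BYTES)
            except zipfile.BadZipFile:
                findings.append("corrupted")   # CRC mismatch on a member
                continue
            if overflowed:
                findings.append("uncompressed-size")
                break
            ext = os.path.splitext(info.filename)[1].lower()
            real = next((t for m, t in MAGIC.items() if content.startswith(m)), None)
            if real == ".zip":         # nested archive: recurse or flag excessive depth
                if depth + 1 > MAX_NESTING_DEPTH:
                    findings.append("recursive")
                else:
                    findings.extend(check_archive(content, depth + 1))
            if real is not None and ext != real and ext not in MISMATCH_EXCLUDED:
                findings.append("extension-mismatch")
    return sorted(set(findings))


def make_zip(members: dict) -> bytes:
    """Build an in-memory stored (uncompressed) zip from {name: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Set general-purpose flag bit 0 on a single-member zip (constructed fixture).

    Python's zipfile cannot write encrypted archives, so the headers are patched by
    hand: the flag word is at offset 6 of the local header and offset 8 of the
    central directory entry. The data itself stays in clear; only the flag is set.
    """
    out = bytearray(data)
    struct.pack_into("<H", out, out.index(b"PK\x03\x04") + 6, 0x0001)
    struct.pack_into("<H", out, out.index(b"PK\x01\x02") + 8, 0x0001)
    return bytes(out)


if __name__ == "__main__":
    inner = make_zip({"inner.zip": make_zip({"x.txt": b"x"})})
    print(check_archive(make_zip({"outer.zip": inner})))                 # ['recursive']
    print(check_archive(mark_encrypted(make_zip({"s.txt": b"hi"}))))     # ['password-protected']
    print(check_archive(make_zip({"invoice.pdf": b"MZ\x90\x00" + b"\0" * 16})))  # ['extension-mismatch']
```

A real engine would also need to handle .rar and the other formats the page mentions, and would store the decompressed data on disk under a quota rather than in memory; the structure of the checks is the same.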