Phone Lines icon GFI Support Home

Articles in this section

Decompression Engine

Author: Dennis Chege Updated

Overview

The Decompression engine is one of the Content Filtering scanning modules that extracts and analyzes archives (compressed files such as .zip or .rar files) attached to an email. The engine checks if the scanned archive infringes any of the rules configured in the Decompression Engine node in the MailEssentials’ Content Filtering configuration.

Introduction

Content Filtering engines allow MailEssentials to scan the content of emails and attachments, and block emails containing content matching any configured content filtering rules.

MailEssentials provides 4 independent Content filtering engines which are:

  • Keyword Filtering blocks emails based on keywords in the body, subject and/or attachments;
  • Attachment Filtering blocks emails based on the type or size of its attachment(s);
  • Decompression Engine blocks emails with specific types of compressed files within the email, such
    as password-protected archives, recursive archives, and so on;
  • Advanced Content Filtering blocks emails based on text in the header, subject, or body of the email, using text search or regular expressions.

The Decompression engine extracts and analyzes archives (compressed files) attached to an email.

This article delves into more details on how the Decompression Engine works using different filters that can be configured to effectively identify and block emails having unwanted compressed files.

Description

MailEssentials supports a number of rules on how compressed attachments (.rar, .zip files) are processed. The checks performed by the Decompression engine include:

  • Password-protected archives
  • Corrupted archives
  • Recursive archives - These are nested archives containing multiple levels of sub-archives i.e. archives within archives
  • Size of decompressed files in archives
  • Amount of files in archives
  • Scan within archives - This includes an option to exclude file extensions from being checked for mismatch from the original extension

 

The above decompression engine filters can be enabled or disabled from the MailEssentials Configuration UI by following these steps:

  1. Navigate to GFI MailEssentials > Content Filtering > Decompression Engine node.
  2. From the Decompression engine page, select the checkbox of the filters to enable or disable.
  3. Click Enable Selected or Disable Selected accordingly.

Clicking on each filter opens up the configuration screen where an administrator has the option to specify what to do when an email contains an archive that triggers the filter. The options available are:

  • Quarantine - Quarantines blocked emails
  • Automatically Delete - Deletes blocked emails
  • Send a sanitized copy of the original email to recipient(s) - send a copy of the blocked email to the recipients with the triggering archives removed
  • Log rule occurrence to this file - Specify the path and file name to a custom location on the disk to store the log file. By default, log files are stored in: ...GFI\MailEssentials\EmailSecurity\Logs\decompression.log

Check password-protected archives

This filter checks for any password-protected archives included as email attachments. To create an exception for certain password-protected files see: Creating a Whitelist Policy for Password Protected Files

Check corrupted archives

This filter checks and blocks any corrupted archives. If an archive cannot be uncompressed because of file corruption, the email is triggered as malicious.

Check for recursive archives

This filter allows you to quarantine or delete emails that contain recursive archives. Recursive archives, also known as nested archives, are archives that contain multiple levels of sub-archives (that is, archives within archives). A high number of archive levels can indicate a malicious archive. Recursive archives can be used in a DoS (Denial of Service) attack since recursive archives consume machine resources when they are being analyzed.

Check size of uncompressed files in archives

This filter allows you to block or delete emails with archives that exceed the specified physical size when uncompressed. Hackers sometimes use this method in a DoS (Denial of Service) attack by sending an archive that can be uncompressed to a very large file that consumes hard disk space and takes a long time to analyze by content security or antivirus software.

Check for amount of files in archives

This filter allows you to quarantine or delete emails that contain an excessive amount of compressed files within an attached archive. You can specify the number of files allowed in archive attachments from the configuration options included in this filter.

Scan within archives

This makes it possible to configure GFI MailEssentials to apply Keyword and Attachment Filtering of files within archives. Refer to this article for more information on Content Filtering: Understanding Keyword Filtering.

Back to top

Related articles