Mercury Suggestions
Mail filtering based on content of ZIP files (EXE in ZIP)

Thanks for providing this Nenad.  I've had a few instances of dubious messages coming through recently which this should help with.  I haven't had experience with Policy Tasks but through some investigation, it looks like you need to escape the double quotes you added around the ~F argument.

So  

Task: "ZIP-EXE",17,0,"C:\\MERCURY\\ZIP-EXE\\zip-exe.bat ~X ~R "~F" ~Z","","",0,"Admin"

becomes

Task: "ZIP-EXE",17,0,"C:\\MERCURY\\ZIP-EXE\\zip-exe.bat ~X ~R \"~F\" ~Z","","",0,"Admin" 

 

If this isn't done, some of the fields in the 'Edit policy task' dialog are incorrect, namely:

Commandline:  C:\\MERCURY\\ZIP-EXE\\zip-exe.bat ~X ~R

Sentinel file: ~F" ~Z"

Parameter: 0

 

Thanks again


Hi all,

I think it would be useful to be able to filter emails which have an EXE file in ZIP attachments. Currently I don't see an automatic option to do that within the Mercury server, so I made a batch file which does the job using Policies:

Content of file TASKS.MER: (add the last "Task:" line to your TASKS.MER)

#
# Mercury/32 policy task list file
#

Task: "ZIP-EXE",17,0,"C:\\MERCURY\\ZIP-EXE\\zip-exe.bat ~X ~R "~F" ~Z","","",0,"Admin"


Content of file ZIP-EXE.BAT: (Add this file to folder C:\MERCURY\ZIP-EXE)

@echo off

rem %1 = File to scan
rem %2 = File to report
rem %3 = Attachment filename (with quotes)
rem %4 = Attachment extension

echo Scan file: "%1" Report: "%2" Att filename: %3 Att ext: "%4"
echo Scan file: "%1" Report: "%2" Att filename: %3 Att ext: "%4" > %2

rem Is attachment a compressed file type?
rem (both sides quoted so an empty %4 is not a syntax error; /I = case-insensitive compare)
if /I "%4" == ".zip" goto test
if /I "%4" == ".arj" goto test
if /I "%4" == ".rar" goto test
rem If not compressed, then safe exit
echo This is not a compressed file: %4
echo This is not a compressed file: %4 >> %2
exit /B 0

:test

echo File %3 is compressed
echo File %3 is compressed >> %2

rem Does it contain an EXECUTABLE?
rem /l = each space-separated word is a literal search string, /i = case insensitive,
rem /m = print only the file name. If any string is found, ERRORLEVEL = 0.
findstr /m /l /i ".exe .scr .com .bat .vbs" %1 > nul
rem echo ELEVEL: %ERRORLEVEL%
rem echo ELEVEL: %ERRORLEVEL% >> %2
if %ERRORLEVEL% == 0 echo Found an EXECUTABLE in file %3.
if %ERRORLEVEL% == 0 echo Found an EXECUTABLE in file %3. >> %2
if %ERRORLEVEL% == 0 exit /B 1
rem If not found, then safe exit
echo Didn't find an EXECUTABLE in the file.
echo Didn't find an EXECUTABLE in the file. >> %2
exit /B 0



I hope somebody will find this to be helpful.

 

Bye,

Nenad


Thanks for sharing!  I had actually just started copying all zip files to a holding account that I would manually look at before sending them off to the end user.  We just recently got hit with the cryptolocker virus and decided it was just too dangerous to allow even zip files through.  I have always been blocking executable files.

 Jim 


One question.  Is this line a typo?  If so you should edit your post to change.

Content of file ZIP-EXE.BAT: (Add this file to folder C:\MERCYRY\ZIP-EXE)

is it actually supposed to be:

C:\MERCURY\ZIP-EXE


Hello, I don't know what you do with the message if it happens to fire the policy exception; in any case I strongly suggest that you give feedback (to the sender, to the receiver or both) that the message has been dropped (or maybe just that the attachment was removed) for these security reasons.  This will save you investigating issues like "I cannot receive mail from XY" (if the message is fully dropped) or "I am not able to receive attachments from XY" (in case you just drop the file attachment)...

If the sender and/or the receiver are informed that this message has been processed in this way, they will not think that the email system works in an unreliable manner (some messages work, others do not, for 'unknown' (to them) reasons...)

Best regards

Giorgio


jbanks, sorry for late reply.


Yes of course it is a typographic mistake, thanks for the suggestion. I looked several times trying to catch what you were pointing to and finally I got it: it should be MERCURY instead of MERCYRY.

In the meantime I have made a small modification to TASKS.MER, adding double-quote signs around the ~F parameter, which will help handle long filenames properly. So the line should look like the following:

 

Task: "ZIP-EXE",17,0,"C:\\MERCURY\\ZIP-EXE\\zip-exe.bat ~X ~R "~F" ~Z","","",0,"Admin"


I am going to try to correct my original post now.

 

Nenad


Hi Giorgio,

 

I agree that we should not automatically dump all ZIP files that contain executables, because some small percentage of all occurrences might come from regular users trying to send regular programs via email. Therefore I forward all ZIP-EXE messages to the administrator. You can find the parameter "Admin" at the end of my TASKS.MER line. This corresponds to Step 4 in the "Edit policy task" window:

 

Action: Forward the message to a local user

Parameter: Admin

 

Bye,

Nenad


Thanks for sharing this with us!

[quote user="Supur"]findstr /m /l /i ".exe .scr .com .bat .vbs" %1 > nul            &rem Case Insensitive![/quote]

Perhaps in the list a ".pif .lnk" should be added ...

bye    Olaf
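The batch file in Nenad's post and Olaf's suggestion to add .pif and .lnk both rest on the same check: look for executable file names inside the archive. The added example below is not from this thread, Mercury, or Nenad's script; it is a Python version of the same policy check that reads the ZIP central directory with the standard library instead of grepping the raw archive bytes the way findstr does, so it judges the real entry names (nested folders, double extensions such as Invoice.PDF.EXE, any letter case) and cannot be tripped by ".com" appearing in a stored text file. The extension list (zip-exe.bat's plus .pif/.lnk), the in-memory sample archives and the exit-code convention (1 = executable found, 0 = clean, matching the batch file) are assumptions for this example; ARJ and RAR are out of scope, since zipfile handles ZIP only.

```python
"""Flag executables inside a ZIP attachment by reading its central directory.

Added example for the Mercury ZIP-EXE policy thread; not part of Mercury or
of zip-exe.bat. Extension list, sample archives and the 0/1 exit-code
convention are assumptions made for this example.
"""
from __future__ import annotations

import io
import posixpath
import sys
import zipfile

# Extensions blocked by zip-exe.bat, plus the .pif/.lnk additions suggested in the thread.
EXECUTABLE_EXTENSIONS = frozenset(
    {".exe", ".scr", ".com", ".bat", ".vbs", ".pif", ".lnk"}
)


def executable_members(zip_bytes: bytes) -> list:
    """Return entry names whose final extension is on the block list.

    Names come from the ZIP central directory, so folders inside the archive
    and double extensions ('invoice.pdf.exe') are judged by the last
    extension only, case-insensitively.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = posixpath.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                found.append(info.filename)
    return found


def naive_grep_hits(zip_bytes: bytes) -> list:
    """Mimic 'findstr /l /i ".exe .scr ..."' on the raw archive bytes.

    Each token is searched as a case-insensitive literal anywhere in the file,
    including inside stored file contents, which is where false positives come from.
    """
    lowered = zip_bytes.lower()
    return sorted(e for e in EXECUTABLE_EXTENSIONS if e.encode() in lowered)


def scan_exit_code(zip_bytes: bytes) -> int:
    """Policy-task style result: 1 if an executable entry was found, else 0."""
    return 1 if executable_members(zip_bytes) else 0


def build_zip(entries: dict, compression: int = zipfile.ZIP_DEFLATED) -> bytes:
    """Build an in-memory ZIP from {name: content}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample 1: a disguised executable in a sub-folder, mixed case.
MALICIOUS_ZIP = build_zip({
    "docs/Invoice.PDF.EXE": b"MZ" + b"\x00" * 64,  # fake PE header, constructed
    "readme.txt": b"please open the invoice",
})

# Constructed sample 2: harmless files, stored uncompressed so the text
# 'example.com' is visible to a byte-level grep (as in a store-only archive).
BENIGN_ZIP = build_zip({
    "notes.txt": b"Contact us at sales@example.com for details.",
    "report.pdf": b"%PDF-1.4 constructed sample",
}, compression=zipfile.ZIP_STORED)


if __name__ == "__main__":
    # Usage: python zip_exe_check.py attachment.zip  -> exit code 1 if executables found
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = MALICIOUS_ZIP
    hits = executable_members(data)
    print("executable entries:", hits or "none")
    print("byte-grep tokens:", naive_grep_hits(data) or "none")
    sys.exit(scan_exit_code(data))
```

Run against the two constructed archives, the central-directory scan reports docs/Invoice.PDF.EXE and nothing for the benign archive, while the byte-level grep also fires on the benign one because ".com" occurs in notes.txt. Deflated content usually hides such text from a grep, but entry names are always stored in clear, which is why both approaches catch the disguised EXE and why the directory-based check is the more precise of the two.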
