This document describes how the negative content filter conditions work for email messages that contain multiple attachments on the Cisco Email Security Appliance (ESA).
You use a content filter that allows certain types of email attachments, while other types of attachments should be marked for quarantine. When an email message arrives that has multiple attachments, one that should be allowed and another that should be marked for quarantine, the filter identifies the entire message as allowed.
Here is the content filter that is used:
if attachment filename != (list of attachments), then quarantine
This condition and action functions as intended if the email message has a single attachment, but it does not function properly for messages that contain multiple, different attachments.
These are the types of attachments that are allowed:
All other attachments should be sent to quarantine, as specified by the filter condition and action.
Here is the filter condition that is used:
if attachment filename != (rar|pdf|jpg)
Here is the filter action that is used:
The expectation typically is that if the email message contains a pdf attachment and a txt attachment, then it should be quarantined due to the txt attachment because it is not in the list of allowed attachments. However, this content filter does not function as intended because it matches the pdf attachment in the message and directly permits it, even though it has a txt attachment.
It is not possible to quarantine the email with the txt attachment for these reasons:
- The attachment conditions are for all of the attachments that are included in a message.
- The negative != comparison verifies whether any of the attachments match.
As described, if any of the attachments are allowed, such as when they match the !=, then the entire message is treated as allowed. There is no way around this; it is simply the way that these conditions work.
The only other solution is to invert the logic and block specific attachments, not just any attachment that is not white-listed.