Skip to content

Latest commit

 

History

History
44 lines (38 loc) · 2.37 KB

README.md

File metadata and controls

44 lines (38 loc) · 2.37 KB

Microsoft Exchange 2019 Transport Filtering Agent

Overview

  • Detects potential malware with libyara.NET (we use our own build with different fixes).
  • Extracts archives with SevenZipSharp.
  • Disarms potentially malicious PDFs with based on xdpdf algorithm.
  • Parses subject/body/headers with regex, aho-corasik.
  • Checks MessageId and source subnet of messages.
  • Can send user email notifications about potentially malicious messages.
  • Marks potentially malicious message with special header, which helps you archive and reject malicious messages on your Exchange server.
  • Uses metrics to decide whether a message is malicious.
  • Bruteforces archive attachments with the dictionary generated on message text (bad guys like that way to hide malicious files from antiviruses).

Using third party libraries:

Requirements

Linyaranet requires .Net version 4.6 and higher. You can check if your server support it:

Installation

  • Stop-Service msexchangetransport
  • ls "c:\Path\To\FilterBinaries" -Recurse | Unblock-File
  • Install-TransportAgent -Name "ExchangeFilter" -TransportAgentFactory "ExchangeFilterAgentFactory " -AssemblyPath "c:\Path\To\FilterBinaries\ExchangeFilter.dll"
  • Set-TransportAgent "ExchangeFilter" -Priority 10
  • Enable-TransportAgent -identity ExchangeFilter
  • Start-Service msexchangetransport

Configuration

  • Config.cs - Class contains necessary configurations, without which agents work is impossible.
  • default_config.xml - once configured, will be backup fuse, and if you change config.xml with mistake, agent will use default configuration
  • config.xml - main configuration file.

Logging

Information about messages processing is stored as JSON on filesystem via log4net.Ext.Json. Its useful to process these logs via ELK stack.