
k-sec-tools/ExchangeFilter


Microsoft Exchange 2019 Transport Filtering Agent

Overview

  • Detects potential malware with libyara.NET (we use our own build with several fixes).
  • Extracts archives with SevenZipSharp.
  • Disarms potentially malicious PDFs using an approach based on the xdpdf algorithm.
  • Parses subject, body and headers with regular expressions and Aho-Corasick matching.
  • Checks the MessageId and the source subnet of messages.
  • Can send users email notifications about potentially malicious messages.
  • Marks potentially malicious messages with a special header, which lets you archive and reject malicious messages on your Exchange server.
  • Uses metrics to decide whether a message is malicious.
  • Brute-forces password-protected archive attachments with a dictionary generated from the message text (attackers like this way of hiding malicious files from antivirus scanners).
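The header described above is only useful once a mail flow rule acts on it. The following is an added example, not part of the ExchangeFilter project: a transport rule, run from the Exchange Management Shell, that archives a copy of every flagged message and rejects it. The header name `X-ExchangeFilter-Verdict`, the value `malicious` and the archive mailbox are assumed placeholders; use the values configured in config.xml.

```powershell
# Added example (not part of the ExchangeFilter project): a mail flow rule that
# acts on the header the agent sets. The header name and value below are
# placeholders; substitute the ones configured in config.xml.
$headerName  = 'X-ExchangeFilter-Verdict'    # assumed name, see config.xml
$headerValue = 'malicious'                   # assumed value
$archiveBox  = 'malware-archive@example.com' # constructed mailbox that keeps a copy for analysis

# Keep a copy for incident response, then reject the message to the sender
# with a permanent 5.7.1 enhanced status code.
New-TransportRule -Name 'ExchangeFilter: archive and reject flagged mail' `
    -HeaderContainsMessageHeader $headerName `
    -HeaderContainsWords $headerValue `
    -BlindCopyTo $archiveBox `
    -RejectMessageReasonText 'Message rejected: potentially malicious content detected' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Alternative that holds the message in the transport quarantine instead of
# rejecting it (fewer false-positive bounces while the agent is being tuned):
# New-TransportRule -Name 'ExchangeFilter: quarantine flagged mail' `
#     -HeaderContainsMessageHeader $headerName -HeaderContainsWords $headerValue `
#     -Quarantine $true

# Confirm the rule exists and is enabled.
Get-TransportRule | Where-Object Name -like 'ExchangeFilter*' |
    Format-List Name, State, Priority, HeaderContainsMessageHeader, HeaderContainsWords
```

Rejecting at the transport stage means the sender gets a bounce; the commented quarantine variant is the safer choice until the agent's false-positive rate on your mail is known.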

Third-party libraries used:

Requirements

libyara.NET requires .NET Framework 4.6 or higher. You can check whether your server supports it:
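One way to perform that check, as an added example that is not from the project: the .NET Framework 4.5 and later installers record a Release value under the NDP\v4\Full registry key, and 393295 is the documented Release value for 4.6 (later versions are larger).

```powershell
# Added example (not part of the ExchangeFilter repository): checks whether
# .NET Framework 4.6 or later is installed by reading the Release value that
# the .NET Framework 4.5+ installers write to the registry. 393295 is the
# documented Release value for 4.6 on Windows 10; later versions are larger.
$minRelease = 393295
$key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'

$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($null -eq $props -or $null -eq $props.Release) {
    Write-Host ".NET Framework 4.5 or later is not installed (no Release value under $key)."
    exit 1
}

if ([int]$props.Release -ge $minRelease) {
    Write-Host ".NET Framework 4.6 or later detected (Release $($props.Release), version $($props.Version))."
    exit 0
} else {
    Write-Host "Installed .NET Framework is older than 4.6 (Release $($props.Release)); upgrade before installing the agent."
    exit 1
}
```

Run it in an elevated PowerShell on the Exchange server; a non-zero exit code means the agent's assembly will not load.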

Installation

  • Stop-Service msexchangetransport
  • ls "c:\Path\To\FilterBinaries" -Recurse | Unblock-File
  • Install-TransportAgent -Name "ExchangeFilter" -TransportAgentFactory "ExchangeFilterAgentFactory" -AssemblyPath "c:\Path\To\FilterBinaries\ExchangeFilter.dll"
  • Set-TransportAgent "ExchangeFilter" -Priority 10
  • Enable-TransportAgent -Identity ExchangeFilter
  • Start-Service msexchangetransport
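The steps above as one script for the Exchange Management Shell, with a verification step at the end. This is an added example, not the project's own installer; the binary path is the README's placeholder and must be replaced.

```powershell
# Added example (not the project's own script): the installation steps from the
# README run as one script, followed by a check that the agent is registered.
$binPath   = 'C:\Path\To\FilterBinaries'   # placeholder path from the README
$agentName = 'ExchangeFilter'

Stop-Service msexchangetransport

# Assemblies copied from another machine carry a Zone.Identifier stream
# (mark-of-the-web) and may be refused at load time; clear it on every file.
Get-ChildItem -Path $binPath -Recurse | Unblock-File

Install-TransportAgent -Name $agentName `
    -TransportAgentFactory 'ExchangeFilterAgentFactory' `
    -AssemblyPath (Join-Path $binPath 'ExchangeFilter.dll')
Set-TransportAgent -Identity $agentName -Priority 10
Enable-TransportAgent -Identity $agentName

Start-Service msexchangetransport

# Verify the agent is registered, enabled and at the expected priority before
# trusting it to inspect mail.
$agent = Get-TransportAgent -Identity $agentName
if (-not $agent.Enabled -or $agent.Priority -ne 10) {
    throw "$agentName is registered but not enabled at priority 10: $($agent | Out-String)"
}
$agent | Format-List Identity, Enabled, Priority
```

Priority 10 places the agent relative to the other transport agents on the server; check `Get-TransportAgent` for the full ordering so the filter runs before any agent that delivers or rewrites mail.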

Configuration

  • Config.cs - class containing the settings without which the agent cannot work.
  • default_config.xml - once configured, acts as a fallback: if you make a mistake editing config.xml, the agent falls back to the default configuration.
  • config.xml - main configuration file.

Logging

Information about message processing is stored as JSON on the filesystem via log4net.Ext.Json. It is convenient to process these logs with an ELK stack.
