This topic describes how to configure content filtering. You can create content filters to search for specific words within an e-mail message, and for attachments with a specific name and type. There are two types of content filters:
- File filters—Identify unwanted file
attachments within e-mail messages. You can filter file attachments
based on file type, filename, and prefix.
- Message body filters—Identify unwanted
e-mail messages by analyzing the contents of the message body. By
creating keyword lists, you can filter messages based on a variety
of words, phrases, and sentences.
The following sections describe how to configure content filtering:
Prerequisites
Before you configure content filters, make sure you complete the following:
- Install the Exchange Edge Transport server
role and Forefront Protection 2010 for Exchange Server (FPES) on
each Forefront TMG server in the array, as described in Installing prerequisites
for e-mail protection.
- Create the initial SMTP routes using the
E-Mail Policy Wizard, as described in Configuring SMTP
routes.
- Enable content filtering, either by using the
E-Mail Policy Wizard, or by clicking Enable Content
Filtering from the Tasks pane of the Virus and
Content Filtering tab.
Creating a file filter
You can configure the file filter by file type, file name, and extension.
Filtering by file type
If you want to filter certain file types, you can create a filter and set the File Types selection to the exact file type you want to filter.
For example, create a filter and set the File Types to MP3. This ensures that all MP3 files are filtered no matter what their file name or extension.
Filtering by file name
If you want to filter all files with a certain name, you can create a filter by adding the file name to the File Names tab. Filter matching is not case-sensitive.
For example, if a virus uses an attached file named payload.doc, you can create the filter payload.doc. This ensures that any file named payload.doc will be filtered no matter what the file type.
Detecting file attachments by name is also useful when there is an outbreak of a new virus and you know the name of the file in which the virus resides before your virus scanners are updated to detect it.
Filtering by extension
If you want to filter any file that has a certain extension, you can create a filter for the extension by adding it to the File Names tab. Filter matching is not case-sensitive.
For example, create a filter for any executable file with the extension .exe by adding *.exe* as the file name on the File Names tab. This will ensure that all files with an .exe extension will be filtered.
Important: When creating generic file filters to stop all of a certain type of file (for example .exe files), it is recommended to write the filter in this format: *.exe*. The second asterisk (*) will prevent files with extra characters appended after the file extension from bypassing the filter.
Note: It is recommended to avoid the use of a generic filter * (where nothing is defined for filtering) with the File Types set to Select All. This filter configuration could result in the reporting of repeated detections.
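The following added example (not part of the original topic or of the product) audits candidate file name filters against the attachment names in a message, to show why the `*.exe*` form is recommended and what else it catches. It assumes shell-style wildcard semantics via Python's `fnmatch`, which may differ from the product's matcher; the function names and the sample message are constructed for illustration.

```python
from email.message import EmailMessage
from fnmatch import fnmatchcase

# Constructed attachment names for the sample message.
SAMPLE_NAMES = ("setup.exe", "SETUP.EXE", "setup.exe_", "setup.exe.txt",
                "q3.executive-summary.pdf", "notes.txt")

def build_sample():
    """Build a constructed multipart message carrying one attachment per name."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    for name in SAMPLE_NAMES:
        msg.add_attachment(b"x", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

def attachment_names(msg):
    """Return the declared file name of every attachment part."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

def caught(pattern, msg):
    """Names matched by one file name filter. Matching is case-insensitive,
    as the topic states; the wildcard semantics are an assumption."""
    return [n for n in attachment_names(msg)
            if fnmatchcase(n.lower(), pattern.lower())]

if __name__ == "__main__":
    sample = build_sample()
    for pattern in ("*.exe", "*.exe*"):
        print(pattern, "->", caught(pattern, sample))
```

Under these assumptions `*.exe` misses names with characters appended after the extension, while `*.exe*` also matches any name that merely contains `.exe`, such as `q3.executive-summary.pdf`, so review detections when using the broader form with an action like Delete or Purge.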
To create and configure a file filter
- In the Forefront TMG Management console, in the tree, click the E-Mail Policy node.
- In the details pane, click the Virus and Content Filtering tab, and then click File Filtering.
- On the General tab of the File Filtering properties, verify that Status is set to Enabled.
- On the File Filters tab, click Add.
- On the General tab of the File Filter properties, verify that the Enable this filter check box is selected. It is enabled by default.
- Under Filter name, type a name for this filter.
- Select the Action to take if there is a filter match:
- Skip—Records the number of messages
that meet the filter criteria, but enables messages to route
normally.
- Identify—Tags the subject line or
message header of the detected message with a customizable word or
phrase so that it can be identified later for processing into
folders by user inboxes.
- Delete—Deletes the file attachment.
The detected file attachment is removed from the message.
- Purge—Deletes the message from your
mail system.
- Select whether you want this filter to be applied to inbound messages, outbound messages, or both.
- On the File Types tab, click the file types that can be associated with the selected file name. You can select one or more file types from the list. If the file type you want to associate with the selected file name is not available in the list, click Select All.
- On the File Names tab, click Add and type the name or extension of the file to be detected.
Creating a message body filter
Use the following procedure to create a message body filter.
To create and configure a message body filter
- In the Forefront TMG Management console, in the tree, click the E-Mail Policy node.
- In the details pane, click the Virus and Content Filtering tab, and then click Message Body Filtering.
- On the General tab of the Message Body Filtering properties, verify that Status is set to Enabled.
- On the Message Body Filters tab, click Add.
- On the General tab of the Message Body Filter properties, verify that the Enable this filter check box is selected. It is enabled by default.
- Under Filter name, type a name for this filter.
- Select the Action to take if there is a filter match:
- Skip—Records the number of messages
that meet the filter criteria, but enables messages to route
normally.
- Identify—Tags the subject line or
message header of the detected message with a customizable word or
phrase so that it can be identified later for processing into
folders by user inboxes.
- Delete—Deletes the file attachment.
The detected file attachment is removed from the message.
- Purge—Deletes the message from your
mail system.
- Select whether you want this filter to be applied to inbound messages, outbound messages, or both.
- On the Keywords tab, click Add and type the keywords you want to filter. For information about syntax and expressions that you can use with message body filters, see About keyword list syntax rules below.
About keyword list syntax rules
The following are the syntax rules for a keyword list:
- Each item (line of text) is considered a
search query.
- Queries use the OR operator. It is considered
to be a positive detection if any entry is a match.
- Queries can contain operators that separate
text tokens. Such queries are called expressions. The following
logical operators are supported. There must be a space between an
operator and a keyword, represented in the examples by the •
character:
- _AND_ (Logical AND). For example:
apple•_AND_•orange juice
- _NOT_ (Negation). For example:
apple•_AND__NOT_•juice
- _ANDNOT_ (Same as _AND__NOT_). For example:
apple•_ANDNOT_•juice
- _WITHIN[#]OF_ (Proximity). If the two terms
are within a specified number of words of each other, there is a
match. For example: free•_WITHIN[10]OF_•offer. (If free is within
10 words of offer, this query is true.)
- _HAS[#]OF_ (Frequency). Specifies the minimum
number of times the text must appear for the query to be considered
true. For example: _HAS[4]OF_•get rich quick. If the phrase "get
rich quick" is found in the text four or more times, this query is
true. This operator is implicitly assumed and has a default value
of 1 when it is not specified.
- Multiple _AND_, _NOT_, _HAS[#]OF_, and
_WITHIN[#]OF_ operators are allowed in a single query. The
precedence of the operators is (from highest to lowest):
1) _WITHIN[#]OF_
2) _HAS[#]OF_
3) _NOT_
4) _AND_
This precedence cannot be overridden with parentheses.
- The logical operators must be entered in
uppercase letters.
- Phrases can also be used as keywords, for
example, apple juice or get rich quick.
- Multiple blank spaces (blank characters, line
feed characters, carriage return characters, horizontal tabs, and
vertical tabs) are treated as one blank space for matching
purposes. For example, A••••B is treated as A•B and matches the
phrase A•B.
- In HTML encoded message texts, punctuation
(any character that is not alphanumeric) is treated as a word
separator similar to blank spaces. Therefore, words surrounded by
HTML tags can be properly identified by the filter. However, note
that the filter <html> matches <html>, but not
html.
Note: You must leave a space between the operators and the keywords. The logical operators must be entered in uppercase letters as shown to function properly.
Examples (the • character represents a space):
- apple•_AND_•orange•_AND_•lemon•_WITHIN[50]OF_•juice
- confidential•_WITHIN[10]OF_•project•_AND_•banana•_WITHIN[25]OF_•shake
- _HAS[2]OF_•get rich•_WITHIN[20]OF_•quick
Filtering e-mail messages that automatically load HTML images
To filter e-mail messages that automatically load HTML images from a Web server, add the following items to a keyword filter list:
- img _WITHIN[6]OF_ src="http"
- img _WITHIN[6]OF_ src='http'
These filters will identify instances of the text "img" that occur within six words of the following text: src="http"
If e-mail messages that contain HTML images are not filtered after you add these filters to the keyword list, you can examine the source code of the e-mail messages to see how these e-mail messages identify images. Then, you can create additional customized filters.
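To test a keyword list offline before deploying it, the following added example (not part of the original topic and not the product's implementation) models the syntax rules and the HTML image filters described above, applying the documented precedence of _WITHIN[#]OF_, _HAS[#]OF_, _NOT_, and _AND_. Its assumptions: matching is case-insensitive, every non-alphanumeric run is a word separator (so punctuation inside a keyword is not matched literally), and proximity is measured between the first words of the two phrases; all function names are hypothetical.

```python
import re

WITHIN = re.compile(r" _WITHIN\[(\d+)\]OF_ ")
HAS = re.compile(r"_HAS\[(\d+)\]OF_ ")

def words(text):
    # Assumption: case-insensitive; every non-alphanumeric run separates words.
    return re.findall(r"[a-z0-9]+", text.lower())

def positions(phrase, doc):
    p = words(phrase)
    return [i for i in range(len(doc) - len(p) + 1) if p and doc[i:i + len(p)] == p]

def term_matches(term, doc):
    # Unwrap lowest precedence first: _NOT_, then _HAS[#]OF_, then _WITHIN[#]OF_.
    negated = term.startswith("_NOT_ ")
    if negated:
        term = term[len("_NOT_ "):]
    need = 1  # _HAS[1]OF_ is implied when no frequency is given
    m = HAS.match(term)
    if m:
        need, term = int(m.group(1)), term[m.end():]
    parts = WITHIN.split(term)
    if len(parts) == 1:
        hits = len(positions(term, doc))
    elif len(parts) == 3:
        left, n, right = parts
        near = positions(right, doc)
        # Assumption: distance is the gap between the phrases' first words.
        hits = sum(any(abs(i - j) <= int(n) for j in near)
                   for i in positions(left, doc))
    else:
        raise ValueError("chained _WITHIN[#]OF_ is not modelled here")
    return (hits >= need) != negated

def query_matches(query, text):
    query = " ".join(query.split())  # runs of blanks count as one space
    for alias in ("_ANDNOT_", "_AND__NOT_"):
        query = query.replace(alias, "_AND_ _NOT_")
    doc = words(text)
    return all(term_matches(t, doc) for t in query.split(" _AND_ "))

def list_matches(keyword_list, text):
    return any(query_matches(q, text) for q in keyword_list if q.strip())

if __name__ == "__main__":
    mail = '<p>Limited offer</p><img alt="logo" src="http://example.test/a.png">'  # constructed
    rules = ["free _WITHIN[10]OF_ offer", 'img _WITHIN[6]OF_ src="http"']
    print(list_matches(rules, mail))
```

In `list_matches`, each line of the keyword list is a separate query and the lines are ORed, so one matching line is a detection.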
Copyright © 2009 by Microsoft Corporation. All rights reserved.