Restricted file types
About restricted file types
Files of some types are particularly risky because they are prone to carrying malicious content. For example, files of types such as .exe and .docx may be included in this category. To enhance security, you can configure FortiMail Workspace Security to block files of such types from entering your organization, regardless of whether these files are clean or malicious. These file types are therefore called "restricted file types". A file that is of a "restricted file type" is called a restricted file. A scan that finds a restricted file is assigned the restricted verdict. The following scans are assigned the restricted verdict:
- Email: Scans of emails that include attachments that are in the list of restricted file types or URLs that include references to files that are in the list of restricted file types.
Note: The "restricted files" functionality currently applies to the email integrations only, and not to any other integrated channels.
Note: FortiMail Workspace Security can detect restricted files even if they are:
In addition, the FortiMail Workspace Security "recursive unpacker" helps to detect restricted files, irrespective of the "level" at which the restricted files are located.
You can configure FortiMail Workspace Security to quarantine emails that are assigned the restricted scan verdict. For details, see Quarantine. When the scan of an email is assigned the restricted verdict - and the email is quarantined - the entire email is quarantined, not just the restricted attachment. After an email has been quarantined because it contains a restricted attachment, you can release the email in the same way that you release any quarantined email. For details, see Releasing a quarantined email.
If restricted files are not configured to be quarantined, then emails that include restricted files will be sent to the Inbox of the recipients.
Important: The Restricted file types functionality is available only if you have configured FortiMail Workspace Security to quarantine emails that are assigned the restricted scan verdict. For details, see Which verdicts cause quarantine.
You can manage a set of restricted file types for your organization - as described below.
Managing your set of restricted file types
|
Important:
|
To view or manage the set of restricted file types for your organization:
- In FortiMail Workspace Security, in the left navigation menu, select Settings > Account.
- Scroll down to the Restricted file types section.
  Important: The Restricted file types section will be displayed only if you have configured FortiMail Workspace Security to quarantine emails that are assigned the restricted scan verdict. For details, see Which verdicts cause quarantine.
- For each category, use the available controls to move file types [extensions] between the restricted and unrestricted lists.
  Note: If a required extension doesn't exist in a particular category, you can click Add File Extension to add the required file extension.
Bulk import of restricted file types
It is possible to perform a bulk import of restricted file types. This import procedure can be performed by FortiMail Workspace Security Support only. For assistance or more information, contact FortiMail Workspace Security Support [support@perception-point.io].
When requesting FortiMail Workspace Security Support to bulk-upload multiple restricted file types, you'll need to supply a file that contains the restricted file types - with each restricted file type on a separate line, without a period [.] before the file type.
You can include the text template below in your email:
Subject: Bulk import of restricted file types

Hi Perception Point Support Team,

Organization name: <Your organization name> as it appears in FortiMail Workspace Security

Please can you perform a bulk import of the restricted file types in the attached file. [Internal Reference: 1162]

Please let us know when this has been done.

Thank you
After FortiMail Workspace Security Support has performed the bulk import:
- Check that the requested file types appear in the list of restricted file types for your organization.
- You can edit any of the entries that were bulk-uploaded.
Propagating "restricted file type" settings from a parent organization to child organizations
All file types that are restricted [blocked] in a parent organization are restricted [blocked] in all the child organizations.
For each child organization, in addition to the file types that are restricted through the parent organization, you can restrict additional file types. Make sure to select the required child organization in the FortiMail Workspace Security banner before adding the additional file types to restrict.
Bypassing the "restricted file type" functionality
It is possible to limit the application of the "restricted file type" functionality in various ways. This is done by using allowlists. For example, you could apply the "restricted file type" functionality to all recipients in your organization, but exclude emails that are sent from a specified domain or email address. The specific allowlist requirements to implement the available options are described in the table below. For general information about allowlists, see Allowlists.
Note: When you add an allowlist entry to limit the application of the "restricted file type" functionality, if an email fails the SPF check, and the "Disable SPF checks" check box is not selected, then the "restricted file type" functionality will be applied.
|
Scenarios for bypassing the "restricted file type" functionality |
Specific allowlist requirements |
|---|---|
|
|
|
|
|
|
|
This can be done by FortiMail Workspace Security Support only. For details, contact FortiMail Workspace Security Support [support@perception-point.io]. |
File type vs file extension
The "restricted file type" functionality in FortiMail Workspace Security is based on the "file type" and not on the "file extension". Although the file type and the file extension are typically the same for each file, this is not always the case. While extensions usually reflect the actual file type, they can be changed by a user. Renaming a file's extension (for example, changing image.jpg to image.txt) does not change the underlying file type or format. The data within the file remains structured as a JPEG, and a text editor attempting to open it as a plain text file would likely display garbled characters. Conversely, a program designed to open JPEG files might still be able to open the file if it inspects the file's actual content, regardless of the misleading .txt extension.
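The difference between file type and file extension, combined with the recursive unpacking described earlier, can be illustrated with the following added example. It is not FortiMail Workspace Security's implementation: the signature table, the `MAX_DEPTH` cap, and all function names are assumptions made for illustration, and the sample archive is constructed inline.

```python
import io
import zipfile

# Constructed signature table (magic bytes -> file type); not the product's own list.
SIGNATURES = [(b"MZ", "exe"), (b"\xff\xd8\xff", "jpg"), (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip")]
MAX_DEPTH = 5  # assumed nesting cap so hostile archives cannot recurse without bound


def sniff_type(data):
    """Return the type implied by the content; the file name is never consulted."""
    for magic, ftype in SIGNATURES:
        if data.startswith(magic):
            return ftype
    return "unknown"


def find_restricted(name, data, restricted, depth=0):
    """Return (path, type) for every restricted file, at any archive nesting level."""
    ftype = sniff_type(data)
    hits = [(name, ftype)] if ftype in restricted else []
    if ftype != "zip":
        return hits
    if depth >= MAX_DEPTH:
        return hits + [(name, "nesting-limit")]  # fail closed: flag for manual review
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    member = f"{name}/{info.filename}"
                    hits += find_restricted(member, zf.read(info), restricted, depth + 1)
    except zipfile.BadZipFile:
        hits.append((name, "unreadable-archive"))
    return hits


def make_zip(members):
    """Build an in-memory zip from {filename: bytes} (helper for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for filename, content in members.items():
            zf.writestr(filename, content)
    return buf.getvalue()


# Constructed sample: an executable renamed to .txt, two archive levels deep.
INNER = make_zip({"holiday.txt": b"MZ\x90\x00" + b"\x00" * 60})
SAMPLE = make_zip({"photo.jpg": b"\xff\xd8\xff\xe0JFIF", "docs/inner.zip": INNER})

if __name__ == "__main__":
    for path, ftype in find_restricted("attachment.zip", SAMPLE, {"exe"}):
        print(f"restricted: {path} is really '{ftype}'")
```

An extension-only filter would pass `holiday.txt`; the content-based check reports it as `exe` even though it sits inside a nested archive.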
