Restricting users from uploading and viewing files with specific extensions

You can restrict AR System users from uploading and viewing files with specific extensions in Mid Tier. This restriction can help prevent users from uploading malicious attachments and viewing them. 

An administrator sets a list of attachment file types that are allowed or disallowed in the environment. Users will be prevented from uploading the attachments with the file extensions that are disallowed as per your company policy.


Best practice

  • The attachment file name should not include a comma (,).
    BMC Helix Innovation Suite stores attachment file name as file-name-withExtension, MIME Type of file if supplied. If an end user uploads a file which has a comma in its name, the attachment is attached and saved in the record definition. However, BMC Helix Innovation Suite assumes that the MIME type of the document displayed after the first occurrence of the comma, and truncates the strings after the comma.
    Therefore, when the attachment is downloaded, it might be missing the extension type and is downloaded as a file without an extension.
  • We recomment using the AR System Management Console to set security restrictions on file uploads. For more information, see Setting-global-level-and-local-level-configurations-for-a-server-group.

To restrict attachments

Important

The AR System Administration: Server Information form shows the local level value of the configuration. If a local value does not exist, the form displays the global level configuration. If you modify the value on this form, the local level configuration value is modified.

For example, if a configuration shows a global level value, and you modify the value by using this form, the local level value gets created for the configuration.

  1. In a browser, open the AR System Administration Console, and click System > General > Server Information.
    The AR System Administration: Server Information form is displayed.
  2. Click the Attachment Security tab as shown in the following figure:
    221_Attachment_validation.png

  3. Enter the attachment option that you need, and click Apply.
    The following table describes the available options:

    Field name

    Description

    Attachment criteria

    • Allow all attachments—No restrictions on uploading attachments
    • Allow attachments with the following extensions—Upload attachments with extensions listed in Comma-separated list of limit extensions.
    • Disallow attachments with the following extensions—Do not upload attachments with extensions listed in the Comma-separated list of limit extensions. Upload attachments with other extensions.

    Important: Disallowing attachments with specific extensions impacts all the features that have attachments. For example, Import Export features or email attachments. To avoid this, you can add a related exception form to the Attachment exception list.

    For example, when running a UDM job, if the attachment extension is disallowed, add the DMT:ErrorException form in the Attachment exception list.

    Comma-separated list of limit extensions

    Attachment extensions that are allowed or not allowed, based on the Attachment criteria selected.

    Attachment exception list

    The list of Form names (field ID) for which attachment limitations do not apply—for example, Data Visualization Module (3450298).

    If the user uploads an attachment in the form fields specified in the attachment exception list, these fields are not validated, and the attachments are uploaded without verification in the fields.

    Attachment validation plugin name

    The out-of-the-box ARSYS.ARF.SECURITY.ATTACHMENTVALIDATION plug-in performs real-time attachment scanning by using the ClamAV antivirus.

    Important:

    As an on-premises customer, if you plan to use your own plugin, add the custom plugin name in the Attachment validation plugin name parameter, and register it.

    The plugin returns the following status:

    • 527 — VirusFound
    • 528 — Warning
    • 529 — Error

    View the failure logs by using the Attachment Scan Failure Report form. The following screenshot shows the Attachment Scan Failure Report form:

    221_Attachment Scan Failure Report.png

    Attachment virus scan exception list

    Configure a comma-separated exception list that consists of forms and form field IDs or record definitions and field IDs to skip antivirus scanning for a given list.

    You can configure the exception list when you set a value for the Attachment validation plugin name field.

    For example:
    "com.sample.DemoApp:MyDoc(10001)",
    "HPD:Helpdesk(10001)"

    Display criteria

    • Allow display of all attachments—Users can view all the attached files by clicking the Display button in the Attachments pool.
    • Allow display of attachments with the following extensions—Users can view attached files that have extensions specified in Comma separated list of display extensions.
    • Disallow display of attachments with the following extensions—Users cannot view attached files that have extensions specified in Comma separated list of display extensions. All other attachments are allowed.
    • Disallow display of all attachments—Users cannot view any attachment. 

    The display criteria are applied to all the existing extensions in the Mid Tier application.

    Comma separated list of display extensions

    Lists the attachment extensions that you want to allow or not, based on Display criteria.

Attachments flowchart

The following flowchart helps you understand the attachment security based on the options that you select from the Attachment criteria list:

221_restricting users_attachment security flow.png

Scenarios for restricting attachments

The following table lists examples of parameter values for requests that include attachments:

To restrict users from viewing the content of specific types of files

  1. In a browser, open the AR System Administration Console, and click System > General > Server Information.
    The AR System Administration: Server Information form is displayed.
  2. Click the Attachment Security tab.
    Attachment-Security-Plugin.png
  3. Select the display options that you need, and click Apply.
    For any particular attachment that you want to view, the Display button is visible only if the value in Display criteria is set to Allow display of attachments with the following extensions. For all other attachments, the Display button is dimmed.


To allow list domains in the ClamAV pod

Sometimes, email messages or attachments containing non-malicious URLs could be blocked by the ClamAV antivirus scan, which considers them as phishing URLs.

(For SaaS environments)

SaaS subscribers must contact BMC Support if any such false positives are reported by ClamAV. 

(For on-premises deployments)

Administrators must configure URLs for on-premises deployments to be allowed listed in the ClamAV antivirus pod to avoid false positive detections. For more information, see Using ConfigMaps to access the configuration files in BMC Helix Service Management Deployment documentation. 

(On-premises only) Defining a custom plug-in

You can choose to define a custom plug-in for real-time attachment scanning.

You can develop the plug-in for performing functions like verifying the attachment containing malicious content, verifying whether the attachment is a virus, verifying whether the user has changed the extension for uploading the attachment

For more information about defining a custom plugin, see Deploying custom plug-ins in BMC Helix Service Management Deployment documentation.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*