XCS - AEP/CSS can we, or how do we configure to block file attachments in emails

Hi all, we are using the XCS product on endpoints and whilst a bit overprotective on containment, overall the product is doing the job. This leads to the question below.

Q . Can XCS be used to block attachments in email clients ?

This is in the context of after they have been through the email providers’ systems, so it may be 365/gsuite/old imap/pop as we have all of that with our mixture of clients.
Most are outlook clients but few are thunderbird, windows mail and so forth.
Mixture of standalone workstations, AzureAD, ADsync, and domain joined.

Ideally blocking access to those pesky phishing-type emails with html attachments, zip files etc.
However I’d like to extend the file types as needed.

The first comment is bound to be “use a mail/spam filter” or the old dome shield type setup, yes but specifically asking at the endpoint level. IF XCS cannot do this, then what is the preferred method to use, back to local policy, regedit etc.


The security of XCS comes from “NOT allowing an unknown executable file (application), to have the ability to modify your computer”…
You can watch how it provides endpoint security with this video.

So in theory, no matter what these “attachments” are, if they have a payload of an executable, those executables will NOT be able to modify your system. (and once that ability is taken away, things like ransomware can’t do damage to your system).

Next question is: At what level do you want to block these attachements. Because XCS might not have access to what the email client sees, but has access to every file trying to execute.
Email client itself might be processing the stuff internally without giving visibility to XCS.

In order to protect email related stuff, you will need a protection tool that understands the email protocol and deciphers it and extracts what is email content vs attachment etc…

Also worth Watching this full blown SOC capability for MSPs built into Itarian.

This can be done using Xcitium, and speaking with the Xcitium team the way to do this is via HIPS or Containment.

A copy of their answer is listed below

HIPS or Containment can be used. But it won’t work if content is executed from explorer - not directly from email client.
We can use also Containment rule with criteria “Created by” but it will work only for executables and scripts.

HIPS Configuration

Containment Configuration

I’m sorry that the above images are using the Xcitium interface and not the ITarian Endpoint Manager interface, but you will see other than the top bar the rest of the screen should match.

1 Like

Thank you for the follow-up to the question.
I’ll test on a few users and see if they can click through.

That’s a good start as need to ensure we are proactive, as 365 defender/exchange online protection is snapping at the heals of some of my users, seems all products have a place.