000036944 - How to prevent an executable file from being attached to a Change Request in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Dec 10, 2018. Last modified by RSA Customer Support Employee on Dec 10, 2018.
Version 2

Article Content

Article Number: 000036944
Applies To:
RSA Product Set: Identity Governance & Lifecycle
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 7.0.1, 7.0.2, 7.1.x
 
Issue: The Access Request Manager (ARM) provides a mechanism to upload and download attachments related to a specific access request. It allows executable files to be uploaded and attached to the request. However, this process does not check uploaded files for viruses. Therefore, context was able to upload and subsequently download a benign virus test file (EICAR) through the system, using this upload feature.
 
Resolution: The following steps restrict the file types that can be attached to a request (.doc, .png, and so on).

  1. Go to Requests > Configuration.
  2. Click Edit.
  3. Enter the valid file extensions into the text box labeled Valid extensions for request: attachments (comma separated).
  4. Click OK to save.
  5. To test this configuration change, create a Change Request, then select the Change Request.
  6. Click Choose File to select an .exe file.
  7. Click Upload Attachment and the following message should display:

Invalid extension for upload.

  8. Click Choose File to select a file that has an extension that matches the one(s) defined in step 3.
  9. Click Upload Attachment. The file with the valid file extension is accepted.
