How Does Targeted Threat Protection - Attachment Protect Work?

on Sep 7, 2015•Last modified by user.oxriBaJeN4

on Oct 9, 2017

Like • Show 1 Like1
Comment • 10
View in full screen mode

Configuration
Considerations
Dynamic Configuration
Supported File Types
Requesting a Blocked Attachment
Malicious Code in the Original Attachment
Handling Messages Held as Spam
Safe or Unsafe Files

Targeted Threat Protection - Attachment Protect provides advanced security protection for file attachments in email. It uses a definition that can be configured to deliver messages using one of the following methods:

Delivery Method	Description
Safe File	Users are provided with a safe, transcribed version of the attachment.
Safe File with On-Demand Sandbox	Users are provided with a safe, transcribed version of the attachment, and an option to request the original attachment via the sandbox. When an original attachment is requested, a detailed security analysis is performed before it is provided to the user. The original attachment can only be released within your data retention time frame. For example, you receive the safe file and confirm it’s what you want, but don’t request the original file. If there is a 30 day retention period, and you request the original file on the 31st day, you won’t be able to release it.
Pre-Emptive Sandbox	Files are submitted to the sandbox during the email delivery process. All vulnerable file types are analysed in the sandbox. The message and it's attachments are only delivered to the user if they are considered safe.
Dynamic Configuration	Allows users to specify the delivery option for individual senders, by adding them to their trusted user list. The delivery option used, depends on whether the sender is on the user's trusted sender list. Users who aren't on their trusted list, use the "Safe File With On-Demand Sandbox" delivery option. Users who are on their trusted list, use the "Pre-Emptive Sandbox" delivery option. See the "Dynamic Configuration" section below for further details.

Configuration

To use Targeted Threat Protection - Attachment Protect, you must configure definitions, and attach them to policies for the different attachment scenarios. You can configure any combination of the modes, and apply to all users or selected users / groups. View the Configuring Attachment Protection Definitions and Policies page for full details.

When configuring Targeted Threat Protection - Attachment Protect, we recommend:

Referring to the Attachment Protect Best Practice page for a list of optimal definition and policy settings. You must log on to Mimecaster Central to access this page.
Setting up the configuration for a small group of users, until you're satisfied the settings work for you.

Considerations

Files that are unreadable, encrypted, or greater than 50MB in size, can’t be processed by the sandbox. Instead they are allowed through, and are not scanned or held. You can use an Attachment Management policy to hold encrypted, unreadable, or large files.
If either of the following conditions are met, no safe file is created. The file:
- Can't be larger than five times the original size.
- Can never exceed 30 MB.
The maximum size of a file that can be transcribed by Targeted Threat Protection - Attachment Protect is 15 MB.

We recommend you create attachment policies to handle these files. Failure to do so means these files are placed on Administrator Hold. See the Managing Attachments Overview page for further details.

Dynamic Configuration

If an attachment protection definition's delivery method is set to "Dynamic Configuration", the following process is used.

A check is made to see if the sender's email address is on the end user's managed senders list.
If the sender is:
- On the end user's blocked senders list, the message and attachment is not delivered.
- Not on the end user's blocked senders list, regardless of whether it is on their permitted senders or auto allow list, the following notification is displayed.
The end user can click either:
- Request Files: Safe versions of the files are released and sent to the end user.
- Request and Trust: The original files are released and sent to the end user if they are considered safe, and the sender's email address is added to the end user's trusted list.
Either:
- If the sender is not on the end user's permitted senders list, or has an auto allow policy, an auto allow policy is automatically created.
- If there is an auto allow policy for the sender, a flag is added to it to ensure it is not purged after 120 days.

If following sandboxing an unsafe attachment is received from a trusted sender, the sender's email address is automatically removed from the end user's trusted list.

Supported File Types

Targeted Threat Protection - Attachment Protect provides protection across the following file types:

All Microsoft Office file formats
All Open Office file formats
PDF
Archived files in the following formats:
- ZIP
- BZIP
- GZIP
- 7ZIP
- JS
- RAR
- TAR
- LHA
- LZH
- XZ

Requesting a Blocked Attachment

When a message containing an attachment has been put on hold as a result of an Attachment Protection policy finding it unsafe, the recipient receives an email detailing what has happened. If they wish, the recipient can request the administrator to release the original attachment to the user.

Malicious Code in the Original Attachment

If an email attachment is found to contain malicious code, it is blocked and not sent to the recipient. Instead the recipient receives a notification informing them of the block, and displaying details of the:

Message
Attachment
Policy that blocked it.

Handling Messages Held as Spam

When a message comes in with the attachment, it immediately goes into the Targeted Threat Protection - Attachment Protect sandbox for immediate scanning. If it's to be held, it is sent to the spam hold for release. Depending on your Attachment Protection definition, you'll have access to download the original file from the sandbox once the message has been released along with the attachment.

Safe or Unsafe Files

The administrator has full control over what happens to blocked attachments. Whilst the recipient can request for an attachment to be released, it is the administrator's ultimate responsibility to allow this. They can release the:

Message to the recipient.
Attachment to the recipient.
Attachment to the sandbox.

6 people found this helpful

Attachments

Outcomes

10 Comments

user.VA4GBsgndpG May 20, 2016 10:50 AM
I question the statement it supports all Microsoft office file formats. .XLSB is unsupported according the logs.

04-16.xlsb application/vnd.openxmlformat... 2016-05-17 15:36 Unsupported file type
Like • Show 0 Likes0
Actions
user.VA4GBsgndpG Jun 9, 2017 6:19 AM
So I have found another anomoly, zip files that contain .eml files generate unsupported file type where as attachments that contain .msg files are not.
Like • Show 0 Likes0
Actions
user.KZrHBaK4Vn Jun 9, 2017 10:43 AM
Hi Guys,

Thanks for the comments, have you got any support tickets so we can investigate these further for you?

Hiwot
Like • Show 0 Likes0
Actions
- user.VA4GBsgndpG @ user.KZrHBaK4Vn on Jun 12, 2017 6:59 AM
  Hi,
  
  support have said there will be a fix released this week for .eml files. As to the first point xlsb this is quite old and must have been addressed as I havent seen any more stopped for this reason.
  
  Regards
  Nick
  Like • Show 0 Likes0
  Actions
user.QAXtB1zk2Z Jun 15, 2017 3:43 AM
Hi,

I am reading up about this policy after upgrading to this capability. I have to ask, why not use the pre-emptive sandbox for every suspicious attachment? Is there an overhead/delay processing attachments? This option would seem the most transparent to users.

I have read other discussions where people are choosing the 'safe file with sandboxng' but I can't work out why this option is preferable to pre-emptive. Am I missing something?

Regards
Michael.
Like • Show 1 Like1
Actions
- user.VA4GBsgndpG @ user.QAXtB1zk2Z on Jun 19, 2017 9:55 AM
  Hi Michael,
  
  that would be the best option but there are a couple of things to remember, file size limit, supported file types and the majority of spread sheets we receive are for M.I. purposes and a 'safe file' is no use to them. Yes there is a delay on sandboxing, content, size and how busy the system is, single files are usually done in 5 minutes or less I have seen one take over 48 hours but it did have nested zip files so was understandable. All in all it is a very good product in my opinion.
  
  regards
  Nick
  1 person found this helpful
  Like • Show 1 Like1
  Actions
user.3RYpBNIpm8m Aug 4, 2017 10:47 AM
Great explanation of the differences but how do you set this up? At least provide a link to instructions on how to set which option you want. I am still searching the KB, ugh.
Like • Show 0 Likes0
Actions
- user.oxriBaJeN4 @ user.3RYpBNIpm8m on Aug 4, 2017 11:08 AM
  Hi Rhett. Just below the table are two links going to the Configuring an Attachment Protection Definition and Configuring Attachment Protection Definitions and Policies pages. These will help you set this up.
  1 person found this helpful
  Like • Show 1 Like1
  Actions
  - user.3RYpBNIpm8m @ user.oxriBaJeN4 on Aug 4, 2017 12:00 PM
    Oh, thank you. I saw that but read it over too fast and thought it was extra custom config info, not the way to actually set it up. Looking at it now. Thanks again.
    Like • Show 0 Likes0
    Actions
    - user.oxriBaJeN4 @ user.3RYpBNIpm8m on Aug 4, 2017 12:19 PM
      We did wonder whether those references were prominent enough Rhett. We've now added a "Configuration" section and added some pointers to help when you configure the definitions and policies. Hope this helps you and anyone else who has the same issue.
      Like • Show 0 Likes0
      Actions