How Does Targeted Threat Protection - Attachment Protect Work?

Document created by user.oxriBaJeN4 Employee on Sep 7, 2015. Last modified by user.oxriBaJeN4 Employee on Oct 9, 2017.
Version 24

Targeted Threat Protection - Attachment Protect provides advanced security protection for file attachments in email. It uses a definition that can be configured to deliver messages using one of the following methods:

 

Delivery Method: Description

  • Safe File: Users are provided with a safe, transcribed version of the attachment.
  • Safe File with On-Demand Sandbox: Users are provided with a safe, transcribed version of the attachment, and an option to request the original attachment via the sandbox. When an original attachment is requested, a detailed security analysis is performed before it is provided to the user.
    The original attachment can only be released within your data retention time frame. For example, you receive the safe file and confirm it’s what you want, but don’t request the original file. If there is a 30-day retention period, and you request the original file on the 31st day, you won’t be able to release it.
  • Pre-Emptive Sandbox: Files are submitted to the sandbox during the email delivery process. All vulnerable file types are analysed in the sandbox. The message and its attachments are only delivered to the user if they are considered safe.
  • Dynamic Configuration: Allows users to specify the delivery option for individual senders, by adding them to their trusted list. The delivery option used depends on whether the sender is on the user's trusted list.
    • Senders who aren't on the user's trusted list use the "Safe File With On-Demand Sandbox" delivery option.
    • Senders who are on the user's trusted list use the "Pre-Emptive Sandbox" delivery option.
    See the "Dynamic Configuration" section below for further details.

 

Configuration

 

To use Targeted Threat Protection - Attachment Protect, you must configure definitions and attach them to policies for the different attachment scenarios. You can configure any combination of the modes, and apply them to all users or to selected users / groups. View the Configuring Attachment Protection Definitions and Policies page for full details.

 

When configuring Targeted Threat Protection - Attachment Protect, we recommend:

  • Referring to the Attachment Protect Best Practice page for a list of optimal definition and policy settings. You must log on to Mimecaster Central to access this page.
  • Setting up the configuration for a small group of users, until you're satisfied the settings work for you.

 

Considerations

 

  • Files that are unreadable, encrypted, or greater than 50 MB in size can’t be processed by the sandbox. Instead, they are allowed through and are not scanned or held. You can use an Attachment Management policy to hold encrypted, unreadable, or large files.
  • No safe file is created if either of the following limits would be exceeded. The safe file:
    • Can't be larger than five times the size of the original file.
    • Can never exceed 30 MB.
  • The maximum size of a file that can be transcribed by Targeted Threat Protection - Attachment Protect is 15 MB.

 

We recommend you create attachment policies to handle these files. Failure to do so means these files are placed on Administrator Hold. See the Managing Attachments Overview page for further details.

 

Dynamic Configuration

 

If an attachment protection definition's delivery method is set to "Dynamic Configuration", the following process is used.

  1. A check is made to see if the sender's email address is on the end user's managed senders list.
  2. If the sender is:
    • On the end user's blocked senders list, the message and attachment are not delivered.
    • Not on the end user's blocked senders list, regardless of whether it is on their permitted senders or auto allow list, the following notification is displayed.

      [Image: Dynamic Configuration Notification]
  3. The end user can click either:
    • Request Files: Safe versions of the files are released and sent to the end user.
    • Request and Trust: The original files are released and sent to the end user if they are considered safe, and the sender's email address is added to the end user's trusted list.

      [Image: Dynamic Configuration Process]
  4. Either:
    • If the sender is not on the end user's permitted senders list, or has an auto allow policy, an auto allow policy is automatically created.
    • If there is an auto allow policy for the sender, a flag is added to it to ensure it is not purged after 120 days.

If, following sandboxing, an attachment received from a trusted sender is found to be unsafe, the sender's email address is automatically removed from the end user's trusted list.
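
The trust lifecycle in the process above can be modelled as a small state machine. The Python below is an added example, not Mimecast code: the function names, outcome labels and addresses are hypothetical, the sandbox verdict is passed in as a boolean, and it assumes that a "Request and Trust" click on an unsafe file holds the message without adding the sender to the trusted list. The auto allow policy handling in step 4 is not modelled.

```python
# Added illustration: a simplified model of the Dynamic Configuration flow.
# Names and outcome labels are hypothetical; this is not Mimecast code.
from dataclasses import dataclass, field

@dataclass
class Recipient:
    blocked: set = field(default_factory=set)  # blocked senders list
    trusted: set = field(default_factory=set)  # trusted list

def route(rcpt, sender, sandbox_safe):
    """Delivery path for one inbound message with an attachment."""
    if sender in rcpt.blocked:
        return "not_delivered"
    if sender in rcpt.trusted:
        # Trusted senders: Pre-Emptive Sandbox, original only if safe.
        if sandbox_safe:
            return "original_delivered"
        rcpt.trusted.discard(sender)  # unsafe file revokes trust
        return "held"
    # Any other sender: safe file plus the request notification.
    return "notification"

def respond(rcpt, sender, choice, sandbox_safe):
    """Apply the recipient's click on the notification."""
    if choice == "request_files":
        return "safe_files_released"
    if choice == "request_and_trust":
        if not sandbox_safe:
            return "held"  # assumption: an unsafe file earns no trust
        rcpt.trusted.add(sender)
        return "original_released"
    raise ValueError(f"unknown choice: {choice}")

def demo():
    """Replay a constructed message sequence and return each outcome."""
    r = Recipient(blocked={"spam@bad.example"})
    s = "partner@corp.example"
    return [
        route(r, "spam@bad.example", True),        # blocked sender
        route(r, s, True),                         # first contact
        respond(r, s, "request_and_trust", True),  # user trusts sender
        route(r, s, True),                         # now trusted, clean file
        route(r, s, False),                        # trusted, unsafe file
        route(r, s, True),                         # trust was revoked
    ]

if __name__ == "__main__":
    print(demo())
```

The last two outcomes show the point worth checking in a pilot group: one unsafe verdict drops a sender back to the notification path until the user trusts them again.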

Supported File Types

 

Targeted Threat Protection - Attachment Protect provides protection across the following file types:

  • All Microsoft Office file formats
  • All Open Office file formats
  • PDF
  • Archived files in the following formats:
    • ZIP
    • BZIP
    • GZIP
    • 7ZIP
    • JS
    • RAR
    • TAR
    • LHA
    • LZH
    • XZ

 

Requesting a Blocked Attachment

 

When a message containing an attachment has been put on hold because an Attachment Protection policy found it unsafe, the recipient receives an email detailing what has happened. If they wish, the recipient can ask the administrator to release the original attachment to them.

 

Malicious Code in the Original Attachment

 

If an email attachment is found to contain malicious code, it is blocked and not sent to the recipient. Instead the recipient receives a notification informing them of the block, and displaying details of the:

  • Message
  • Attachment
  • Policy that blocked it.

[Image: TTP Attachment Protect - Access Denied Notification]

Handling Messages Held as Spam

 

When a message comes in with an attachment, it goes into the Targeted Threat Protection - Attachment Protect sandbox for immediate scanning. If it's to be held, it is sent to the spam hold for release. Depending on your Attachment Protection definition, you'll have access to download the original file from the sandbox once the message has been released along with the attachment.

 

Safe or Unsafe Files

 

The administrator has full control over what happens to blocked attachments. Whilst the recipient can request that an attachment be released, it is ultimately the administrator's responsibility to allow this. They can release the:

  • Message to the recipient.
  • Attachment to the recipient.
  • Attachment to the sandbox.