Configuring Content Examination Definitions and Policies

Document created by user.oxriBaJeN4 (Employee) on Sep 11, 2015. Last modified by user.oxriBaJeN4 (Employee) on Oct 9, 2017.

A Content Examination definition analyzes the content of messages, looking for matches you provide. It sets the conditions under which a message is considered safe, or what action should be taken if it isn't. Once configured, each definition is applied to either a Content Examination or Content Examination Bypass policy, to control what message flows it should be used for (e.g. inbound or outbound).

Usage Considerations

Consider the following before creating a policy:

  • Content Examination definitions shouldn't be used to manage inbound mail for spam checking, as this is conducted by the Mimecast heuristic scanners.
  • Scanning message content is an essential service to ensure Data Leak Prevention (DLP). You can configure specific dictionaries of words and phrases to cater for the following example scenarios:
    • Preventing a database from being emailed externally (e.g. a list of customers or confidential product information).
    • Protecting a company from losing financial information (banking or credit card details).
    • Preventing specific files from being sent or received using a unique file identifier.
    • Converting Microsoft Word documents to protected formats.
    • Protecting corporate identity by limiting use of profanity in messages.
    • Applying branding for product or service promotions.
    • Notifying / copying users when a message triggers a definition.
    • Activating email encryption during transmission.
  • The use of formatted file scanning can help reduce the incidence of false positives, but at the risk of missing some content. Content examination of the header and subject of a message is separate from the body examination. However, the score is cumulative up to the optional limit. If all sections are selected, all sections are scanned, even if the limit is reached before the body / attachments are examined. This is to give the sender a more accurate indication of why their message is not acceptable under the policy.

Configuring a Content Examination Definition

To configure a content examination definition:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item.
  4. Hover over the Definitions button.
  5. Select Content Definitions from the drop down menu.
  6. Select a Folder in the hierarchy. You cannot create a definition in the Root folder.
  7. Either click on the:
    • New Content Definition button to create a definition.
    • Definition to be changed.
  8. In the Definition Narrative field, provide a description of the definition. This is kept in the archive for messages that have this definition applied.
  9. Complete the Policy Definitions section as required:
    Description: Provide a description of the definition. This is kept in the archive for messages that have this definition applied.
    Definition Type: Specify how the content text is matched. The options are:
    • Independent Content Definition: The content is matched directly as listed in the "Word / Phrase Match List" field.
    • Reference Dictionary: The content is matched against a predefined set of text entries. This option allows you to create a dictionary that can be referenced by multiple content definitions.
    Activation Score: Specify a value between 1 and 99 that must be reached before the content definition is triggered. This works by combining the values assigned to text in the "Word / Phrase Match List" field. When the total value of matched text meets this value, the definition is triggered. For example, if the Activation Score is set to 6, and there are three words in the "Word / Phrase Match List" field each weighted at 2, and each word appears in the message, the activation score is reached and the definition is triggered. This field is not displayed if the "Definition Type" field is set to "Reference Dictionary".
    Fuzzy Hash Setting: If selected, you can match files that might not be identical, but do hold a configurable level of similarity. Select the appropriate similarity value from the drop down list (80% probability is recommended). A high probability percentage lowers the chances of false positives. Use the Insert | Fuzzy Hash menu item to add fuzzy hashes to the "Word / Phrase Match List". See the Content Examination Definition: Configuring Fuzzy Hashing page for full details.
  10. Complete the Scanning Options section as required:
    Word / Phrase Match List: Use the Insert menu item to add a search term. Alternatively, the parameters can be added using the structure shown below. See the Word Phrase Match List Parameter Details section below for further detail. The search parameters, each followed by an example, are:
    • Weight [ :maxscore ] [ search text ], e.g. 4:1 “Company Confidential”
    • Weight [ :maxscore ] [ require ] [ search text ], e.g. 1 required “Project X”
    • Weight [ :maxscore ] [ exclude ] [ search text ], e.g. 1 exclude “Tax exemption”
    • Weight [ :maxscore ] [ regex ] [ regular expression ], e.g. 10
    • Weight [ :maxscore ] [ # ] [ MD5# ], e.g. 1 hash 9EBD30E761ED4FF770A90DDBD5CB4190 Confidential.PDF
    Both the HTML and TXT parts of a message are treated as separate elements when applying a content examination definition. This means that if a trigger word is present once in a message, but is present in both parts, it scores twice. Similarly, if it is present twice in both parts, it scores four times.
    Case Sensitive Match: If selected, the text entered in the "Word / Phrase Match List" field must match the case used in the message (e.g. uppercase, lowercase, or proper case). If not selected, any case is matched. This option only applies to standard text search terms.
    Match Multiple Words: If selected, a search is performed for repetitions of the text entered in the "Word / Phrase Match List" field. This is used in conjunction with the repetition scoring for the word. For example, an entry of "1:10 notifications" searches for up to 10 matches of the word "notifications" throughout the message.
    Scan Subject Line: If selected, the message's subject is scanned.
    Scan Message Headers: If selected, the message's headers are scanned.
    Scan Message Body: If selected, the message's body is scanned.
    Scan Attachments: If selected, the message's attachments are scanned. Additionally, the "Scan Binary Attachment" and "Microsoft Excel Spreadsheet Scanning" fields are displayed.
    Scan Binary Attachment: If selected, documents are scanned for matches based upon the binary data of the file rather than the extracted text content. This option should be enabled for non-text files only (e.g. image / library files). Enabling this option can increase the number of false positives generated by Content Examination policies.
    Microsoft Excel Spreadsheet Scanning: Specify how Microsoft Excel file attachments are scanned. The options are:
    • Raw Files: Scans the file's contents as recorded in the .XLS / .XLSX source file.
    • Formatted Files: Scans the file's contents as they would be seen by a Microsoft Excel user. This evaluates the formatting of each cell independently, and searches for possible matches across multiple cells.
  11. Complete the Policy Override Options of the "Inbound and Outbound Settings" section as required:
    Enable Inbound and Outbound Checks: If selected, the fields / options listed below are displayed. These can be used to protect against unsafe content in both inbound and outbound traffic.
    Policy Action: Specify the action to be applied by the definition. The options are:
    • None: No action is taken.
    • Hold for Review: The message is sent to the hold queue, and not delivered to the recipients.
    • Delete: The message is purged from the delivery queue, but retained for auditing purposes. It is referenced as a hard bounce in the message's delivery information. See the Bounced Messages page for further details.
    • Bounce: The message is rejected, and not delivered to the recipients. A notification is sent with the reason "Message bounced due to Content Examination Policy". See the Bounced Messages page for further details.
    Hold Type: If "Hold for Review" is specified in the "Policy Action" field, this option specifies who can see the message via a Mimecast end user application. The options are:
    • User: Users can see the message in their Personal On Hold view.
    • Moderator: Moderators can see the message in the Moderated On Hold view. The group of moderators is specified in the "Moderator Group" field.
    • Administrator: Messages can be viewed by administrators only.
    Moderator Group: Specify a group of moderators who can access messages in the Moderated On Hold views via a Mimecast end user application.
    Content Preservation (Days): Specify how long the message remains in Mimecast before being purged. This also applies to messages held in the hold queue once the message expires from the queue.
    Metadata Preservation (Days)
    Leaving both options at 0 (days) doesn't affect the default content retention period set on your account.
    Document Policy: If Document Services is enabled on your account, you can strip metadata from documents before they leave your organization, and convert documents to PDF, ODF, or other Word versions. This option also allows you to apply document services definitions to messages based on their content.
    Disable Document Services: Disables Document Services if it is enabled on your account.
    Assign to Smart Tag: Assigns a Smart Tag to the message. This field is only available if the "Disable Smart Tags" option is not selected.
    Disable Smart Tags: If selected, the ability to add a smart tag to a message is disabled.
    Delivery Route: Specify the delivery route used to deliver messages to the next mail server. For example, if the message contains the address orders@domain.com, deliver it to the Call Center email server.
    Secure Delivery: Use the Lookup button to apply a Secure Delivery Definition to add additional security to the message's delivery.
    Encryption Mode: If the definition specified in the "Secure Delivery" field uses TLS, specify the encryption mode to use. The options are:
    • Strict: This is a trust enforced mode, and requires a public certificate. This is the recommended option.
    • Relaxed Mode: This requires a self signed certificate.
    Attachment Strip and Link: If selected, the attachment(s) are removed before the message is delivered. The message contains a notification of the removal in the message's body, and a link is included to download the attachment(s).
    Secure Messaging Override: Use the Lookup button to apply a Secure Messaging Definition to send the message via Mimecast's Secure Messaging functionality.
    Group Carbon Copy: Use the Lookup button to send a copy of the message to a group of users.
    Stationery Override: Use the Lookup button to apply a Stationery Layout that overrides an existing stationery policy. For example, if the phrase "new product" is in the message, apply a Stationery Layout that promotes the product.
    Disable Stationery: If selected, stationery is not applied to any message.
  12. Complete the Notification Options of the "Inbound and Outbound Settings" section as required:
    Notify Group: Use the Lookup button to select a group of users to be notified that action must be taken on the message.
    Notify (Internal) Sender: Notifies the internal sender, if an outbound message triggers the definition.
    Notify (Internal) Recipient: Notifies the internal recipient, if an inbound message triggers the definition.
    Notify Overseers: Notifies the Content Overseers that a message has triggered the definition.
    Notify (External) Sender: Notifies the external sender, if an inbound message triggers the definition.
    Notify (External) Recipient: Notifies the external recipient, if an outbound message triggers the definition.
  13. Complete the Journal Settings section as required. This section is only available if Targeted Threat Protection: Internal Email Protect is enabled on your account.
    When configuring your journal settings, consider our recommended best practice settings. These are based on commonly used configurations, and can provide an optimal solution to protect you against targeted attacks via attachments.
    Enable Journal Check: If selected, the fields / options listed below are displayed. These can be used to protect against unsafe content in journaled traffic.
    User Mailbox Action: Select the action (or fallback action) to take on the user's mailbox, if a message containing unsafe content is detected. A "User Mailbox Fallback Action" is only applied if we're unable to check a URL. The options are:
    • None: No action is taken on the user's mailbox, and the message is delivered to the recipients.
    • Remove Message: The message containing unsafe content is removed from the user's mailbox.
    In non-Exchange environments, automatic remediation is not supported. However, if a supported journal connector is used, you can leverage detection, and through these alerts perform manual remediation.
    User Mailbox Fallback Action
    Enable Notifications: Enables a group of users to be notified, as well as the internal sender / recipient, when a message containing unsafe content is found. If selected, the "Notify Group", "Internal Sender", and "Internal Recipient" fields are displayed.
    Notify Group: Click on the Lookup button to select a group of administrators to receive notifications of any messages containing unsafe content.
    Internal Sender: If selected, a notification is sent to the message's internal sender, if there are any messages containing unsafe content.
    Internal Recipient: If selected, a notification is sent to the message's internal recipient, if there are any messages containing unsafe content.
  14. Click on the Save and Exit button.

Word Phrase Match List Parameter Details

Once the words or phrases have been entered into the "Word / Phrase Match List" field, additional criteria can be added to make the content matching more specific.

Weight: The line must begin with the required score for that particular word or phrase.
Maximum Score: Allows you to set the number of occurrences in the message that should trigger the definition. If an entry of 1:10 is added before the search term, Mimecast will match up to 10 instances of the search term. If 1: is entered before the search term, there is no upper limit to the score. This scoring is only used if the "Match Multiple Words" option is enabled. The combined score of the individual Weights is tallied and compared to the Activation Score. The definition is only triggered once the activation score is reached.
Conditions: Allows you to use the operators “required” and “exclude”. Add the word required if the match term is specifically required for the policy to trigger. If a required item is not found, the weight is set to zero and no further scoring takes place. If the word exclude is added after the weight, and the match term does exist, the weight is set to zero and no further scoring takes place. Required and exclude terms should be placed in the first line of the search term list.
Search Text / Phrases: Enter single words or phrases, enclosing multiple words in quotation marks (e.g. “a phrase”).
Regular Expressions: Precede the regular expression with “regex”. Regular expressions can be used to detect structured strings like Social Security Numbers or Credit Card Numbers in emails.
MD5#: Enter the “#” symbol at the beginning of the line (or following the score if relevant) followed by the MD5 code of the attachment. The MD5# is a unique reference given to specific file contents. If the attachment is known to Mimecast (i.e. Mimecast has previously processed the attachment), this checksum is located in the Transmission Data when viewing the email delivery details.
Preconfigured Reference Dictionaries: Use the Insert | Reference Dictionary menu item to select a Reference Dictionary. The entry will begin with the word “reference”, followed by the internal Mimecast reference code and dictionary name. Reference Dictionaries can be created manually, or a predefined Mimecast Managed Reference Dictionary (MMRD) can be selected.
Comments: Comments can be inserted by using a hash symbol (#) at the beginning of the line. These are ignored when examining the message for matches.
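The scoring rules in this table and in the Scanning Options step above (weight, maxscore, required, exclude, regex, comment lines, separate scoring of the HTML and TXT parts, and the Activation Score) can be tried offline before a definition is deployed. The following Python is an added example written for this page, not Mimecast's code: it re-implements those rules as documented, and assumes that a weight with no ':' counts at most one hit per message part and leaves MD5 and reference dictionary lines unhandled.

```python
import re
from dataclasses import dataclass
# Added example (not Mimecast code): an offline re-implementation of the documented
# Word / Phrase Match List scoring rules, for testing a definition before it goes live.
# Assumptions not stated on the page: a weight with no ':' counts at most one hit per
# message part; MD5 (#) and "reference" dictionary lines are not handled.

@dataclass
class Term:
    weight: int
    max_hits: "int | None"  # int cap, or None for no upper limit (the "1:" form)
    kind: str               # "text", "required", "exclude" or "regex"
    pattern: str

LINE_RE = re.compile(r'^(\d+)(?::(\d*))?\s+(?:(required|exclude|regex)\s+)?(.+)$')

def parse_match_list(lines):
    """Parse 'Weight[:maxscore] [required|exclude|regex] text' lines; '#' lines are comments."""
    terms = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable match-list line: {raw!r}")
        weight, cap, kind, text = m.groups()
        max_hits = 1 if cap is None else (None if cap == "" else int(cap))
        terms.append(Term(int(weight), max_hits, kind or "text", text.strip('"\u201c\u201d')))
    return terms

def count_hits(term, text, case_sensitive):
    """Occurrences of one term in one message part; Case Sensitive Match applies to text terms only."""
    if term.kind == "regex":
        return len(re.findall(term.pattern, text))
    return len(re.findall(re.escape(term.pattern), text, 0 if case_sensitive else re.IGNORECASE))

def score_message(terms, parts, activation, match_multiple=False, case_sensitive=False):
    """Return (total score, triggered). Each part (subject, TXT body, HTML body) is scored separately."""
    total = 0
    for term in terms:
        hits_per_part = [count_hits(term, text, case_sensitive) for text in parts.values()]
        present = any(hits_per_part)
        # A missing "required" term or a present "exclude" term zeroes the whole score.
        if (term.kind == "required" and not present) or (term.kind == "exclude" and present):
            return 0, False
        for hits in filter(None, hits_per_part):
            if not match_multiple:
                hits = 1                         # without Match Multiple Words, one hit per part
            elif term.max_hits is not None:
                hits = min(hits, term.max_hits)  # the ":maxscore" cap on repetitions
            total += term.weight * hits
    return total, total >= activation

# Constructed sample definition, reusing the parameter examples shown on the page.
SAMPLE_DEFINITION = [
    "# outbound DLP definition used in the worked example",
    '4:1 "Company Confidential"', '1 required "Project X"', '1 exclude "Tax exemption"',
    r"10 regex \b\d{3}-\d{2}-\d{4}\b", "1:10 notifications",
]
# Constructed message: the same body in TXT and HTML form, so body matches score twice.
SAMPLE_MESSAGE = {
    "subject": "Project X notifications",
    "text": "Company Confidential. SSN 123-45-6789. notifications notifications",
    "html": "<p>Company Confidential. SSN 123-45-6789. notifications notifications</p>",
}
```

score_message returns the cumulative score and whether the Activation Score was reached; the constructed sample scores 32 without Match Multiple Words and 34 with it, while dropping "Project X" from the subject or adding "Tax exemption" to the body zeroes the score.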

Configuring a Content Examination Policy

To configure a Content Examination policy:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item.
  4. Click on Content Examination. A list of policies is displayed.
  5. Either:
    • Click the New Policy button to create a policy
    • Click on the policy to be changed.
  6. Complete the Options section as required:
    Policy Narrative: Provide a description of the policy to enable you to identify it. This is appended to messages in the archive that have the policy applied.
    Select Option: Click on the Lookup button to display a list of Content Examination definitions. Click on the Select link to the left of the definition to be applied when this policy is triggered.
    Preview: This field is only displayed once a definition is selected in the "Select Option" field. Click on the preview definition icon to display a read only version of the definition. Click on the Go Back button to return to the policy.
  7. Complete the Emails From and Emails To sections as required:
    Addresses Based On: Specify the email address characteristics the policy is based on. This option is only available in the "Emails From" section. The options are:
    • The Return Address (Mail Envelope From): This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e. the address used during SMTP transmission).
    • The Message From Address (Message Header From): Applies the policy based on the masked address used in the message's header.
    • Both: Applies the policy based on either the Mail Envelope From or the Message Header From, whichever matches. When both match the specified value, the Message Header From is used.
    Applies From / To: Specify the sender characteristics the policy is based on. For multiple policies, you should apply them from the most to the least specific. The options are:
    • Everyone: Includes all email users (i.e. internal and external). This option is only available in the "Emails From" section.
    • Internal Address: Includes only internal organization addresses.
    • External Address: Includes only external organization addresses. This option is only available in the "Emails From" section.
    • Email Domain: Enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
    • Address Groups: Enables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path.
    • Address Attributes: Enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts.
    • Individual Email Address: Enables you to specify an SMTP address. The email address is entered in the Specifically field.
  8. Complete the Validity section as required:
    Enable / Disable: Use this to enable (default) or disable a policy. If a date range has been specified, the policy is automatically disabled when the end of the configured date range is reached.
    Set Policy as Perpetual: If the policy's date range has no end date, this field displays "Always On", meaning that the policy never expires.
    Date Range: Use this field to specify a start and / or end date for the policy. If the Eternal option is selected, no date is required.
    Policy Override: This overrides the default order in which policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type are configured with an override.
    Bi-Directional: If selected, the policy is also applied when the policy's recipient is the sender, and the sender is the recipient.
    Source IP Ranges (n.n.n.n/x): Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  9. Click on the Save and Exit button.
