Configuring Suspected Malware Definitions and Policies

Document created by user.oxriBaJeN4 (Employee) on Sep 12, 2015. Last modified by user.Yo2IBgvWqr on Oct 10, 2017.

Suspected Malware policies are based on Zero Hour Adaptive Risk Assessor (ZHARA), our proprietary software that provides early detection and prevention against zero day malware and spam outbreaks. It protects against previously unknown threats using deep-level anomaly detection and trending across our entire customer base.

 

Considerations

Consider the following before configuring a definition or policy:

  • A default Suspected Malware policy is created when your Mimecast account is created. See the Default Connect policies page for further information.
  • You can bypass malware checks with a Suspected Malware Bypass policy. This should only be implemented if legitimate attachments that should be allowed through are being blocked. Bypassing suspected malware checks can result in a virus outbreak going undetected whilst signatures are being updated.
  • Encrypted ZIP files cannot be checked, although they can be held using an Attachment Management policy.

 

Configuring a Suspected Malware Definition

To configure a Suspected Malware definition:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item. The Gateway Policy Editor is displayed.
  4. Click on the Definitions button. A list of the definition types is displayed.
  5. Click on the Suspected Malware definition type from the list. The list of definitions is displayed.
  6. Either click on the:
    • Definition to be changed.
    • New Definition button to create a definition.
  7. Complete the Malware Definitions Settings section as follows:
    If you have Attachment Management enabled on your Mimecast account, the "Dangerous Files", "Encrypted Archives", "Unreadable Archives", and "Scan for Disallowed Extensions" options should be left unchecked. These four options are already covered by an existing Attachment Protection Policy.
    • Description: Add a description for the definition.
    • Suspected Malware: If selected, messages containing the following file types are considered suspected malware: .ZIP, .EXE, .COM, .PIF, .SCR, .CPL, .MSI.
    • Dangerous Files: If selected, messages containing any of the file types listed on the What is a Dangerous File Type? page are considered dangerous.
    • Encrypted Archives: All encrypted or password protected archive files are processed according to the selected option. Hold places messages containing these attachments on hold pending user action. Block strips the attachment and places it in the held queue.
    • Unreadable Archives: Controls the handling of encrypted archives that are not supported by the archive extraction process. Attachments found to be an unsupported archive type are processed according to the selected option of Allow / Link / Hold / Block. Supported archive types: .ZIP, .RAR, .7Z, .GZ, .JAR, .BZIP, .Z (UNIX Compress).
    • Scan for Disallowed Extensions Within Legacy Microsoft Office Files: This option is enabled by default if Attachment Management is not part of your Mimecast subscription. In that scenario we recommend it is left enabled. The check offers protection against dangerous files embedded in legacy Microsoft Office files.
    • Scan for Microsoft Office Macros: This option is disabled by default. The check offers protection against Microsoft Office attachments that hold macros. For detection in legacy Microsoft Office files, the "Scan for Disallowed Extensions Within Legacy Microsoft Office Files" option must be enabled as well. Legacy Microsoft PowerPoint files are excluded.
    • Archive Limit: Checks for the following attributes:
      • A zip file containing more than five levels of zip depth.
      • The file contains more than 20000 entries or files.
      • Maximum unpacked file size is greater than 200MB.
      • Total maximum unpacked size is greater than 2GB.
      For example, Excel files can be packaged XML files. To determine the true uncompressed size of the file, change the extension to .ZIP and unpack the file.
  8. Complete the Notification Options section as follows:
    • Policy Action: This menu provides options such as hold for review, bounce and delete.
      • Hold for Review: Holds a message and prevents it from being delivered.
      • Bounce: A message is accepted and then bounced.
    • Hold Type: Specifies that Administrators are able to see the held messages via Mimecast's end user applications. The field is only displayed if the "Policy Action" field has a "Hold for Review" value.
    • Notify Group: Use this option to notify a group of users when the policy is triggered. Use the Lookup button to select a group.
    • Notify (Internal) Sender: Use this option to notify an internal sender that the policy has been triggered.
    • Notify (Internal) Recipient: Use this option to notify an internal recipient that the policy has been triggered.
    • Notify (External) Sender: Use this option to notify an external sender that the policy has been triggered.
    • Notify (External) Recipient: Use this option to notify an external recipient that the policy has been triggered.
  9. Click on the Save and Exit button.
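
The Archive Limit attributes in step 7 are the kind of pre-unpack checks a gateway runs to catch decompression bombs before an attachment is ever extracted. The Python script below is an added example, not Mimecast's code or the product's implementation: it walks a ZIP in memory and measures nesting depth, entry count and declared unpacked sizes against the page's four thresholds. Assumptions: the attachment itself counts as level 1 of the zip depth, and inspect_zip, violations and nested_zip (which builds a constructed sample archive) are names chosen here.

```python
import io
import zipfile

# Thresholds taken from the Archive Limit attributes on this page.
MAX_ZIP_DEPTH = 5                # nested zip levels; the outer file is level 1 (assumption)
MAX_ENTRIES = 20000              # entries/files across all levels
MAX_FILE_SIZE = 200 * 1024 ** 2  # 200MB for any single unpacked file
MAX_TOTAL_SIZE = 2 * 1024 ** 3   # 2GB total unpacked size

def inspect_zip(data, depth=1):
    """Measure depth, entry count and declared unpacked sizes of a ZIP held in memory."""
    # Sizes are the declared uncompressed sizes from the central directory: nothing is
    # written to disk, and nested archives are opened only while the depth limit holds.
    stats = {"depth": depth, "entries": 0, "max_file": 0, "total": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stats["entries"] += 1
            stats["max_file"] = max(stats["max_file"], info.file_size)
            stats["total"] += info.file_size
            if not info.filename.lower().endswith(".zip"):
                continue
            if depth >= MAX_ZIP_DEPTH:  # one more level would exceed the limit
                stats["depth"] = max(stats["depth"], depth + 1)
                continue
            inner = inspect_zip(zf.read(info), depth + 1)  # BadZipFile here = unreadable archive
            stats["depth"] = max(stats["depth"], inner["depth"])
            stats["max_file"] = max(stats["max_file"], inner["max_file"])
            stats["entries"] += inner["entries"]
            stats["total"] += inner["total"]
    return stats

def violations(stats):
    """Return the Archive Limit attributes the archive exceeds (empty list = within limits)."""
    limits = [("zip depth", "depth", MAX_ZIP_DEPTH), ("entry count", "entries", MAX_ENTRIES),
              ("single file size", "max_file", MAX_FILE_SIZE),
              ("total unpacked size", "total", MAX_TOTAL_SIZE)]
    return [name for name, key, limit in limits if stats[key] > limit]

def nested_zip(levels, payload=b"x" * 1024):
    """Constructed sample input: a ZIP nested `levels` deep ending in one 1KB text file."""
    data, name = payload, "payload.txt"
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "inner.zip"
    return data
```

A five-level archive passes while a six-level one is reported for zip depth; a real gateway would additionally refuse to open any member whose declared size already breaks the per-file or total limit.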

 

Configuring a Suspected Malware Policy

To configure a Suspected Malware policy:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item. The Gateway Policy Editor is displayed.
  4. Click on Suspected Malware. A list of policies is displayed.
  5. Either click on the:
    • Policy to be changed.
    • New Policy button to create a policy.
  6. Complete the Options section as required:
    • Policy Narrative: Provide a description for the policy to allow you to easily identify it in the future.
    • Select Suspected Malware Definition: Use the Lookup button to select the required Suspected Malware definition for the policy.
  7. Complete the Emails From and Emails To sections as required:
    • Addresses Based On: Specify the email address characteristics the policy is based on. This option is only available in the "Emails From" section. The options are:
      • The Return Address (Mail Envelope From): This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e. the address used during SMTP transmission).
      • The Message From Address (Message Header From): Applies the policy based on the masked address used in the message's header.
      • Both: Applies the policy based on either the Mail Envelope From or the Message Header From, whichever matches. When both match, the Message Header From value is used.
    • Applies From / To: Specify the Sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are:
      • Everyone: Includes all email users (i.e. internal and external). This option is only available in the "Emails From" section.
      • Internal Address: Includes only internal organization addresses.
      • External Address: Includes only external organization addresses. This option is only available in the "Emails From" section.
      • Email Domain: Enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
      • Address Groups: Enables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path.
      • Address Attributes: Enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts.
      • Individual Email Address: Enables you to specify an SMTP address. The email address is entered in the Specifically field.
  8. Complete the Validity section as required:
    • Enable / Disable: Use this to enable (default) or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or back date it. Should the policy's configured date range be reached, the policy is automatically disabled.
    • Set Policy as Perpetual: Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires.
    • Date Range: Specify a start and end date for the policy. This automatically deselects the "Eternal" option.
    • Policy Override: Select this to override the default order in which policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override.
    • Bi-Directional: If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient.
    • Source IP Ranges (n.n.n.n/x): Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  9. Click on the Save and Exit button.

 
