Suspected Malware Bypass Policies

Document created by user.oxriBaJeN4 Employee on Sep 12, 2015Last modified by user.oxriBaJeN4 Employee on Mar 27, 2017
Version 8Show Document
  • View in full screen mode

The Suspected Malware Bypass Policy allows an administrator to configure certain mail flows to bypass Mimecast's default suspected malware detection. Suspected Malware detection, or ZHARA (Zero Hour Adaptive Risk Assessor), is Mimecast's proprietary software which provides early detection and prevention against zero day malware and spam outbreaks. This provides protection against previously unknown threats using deep level anomaly detection and trending against the entire Mimecast customer base.


Emails containing the file types below in a ZIP file will be placed in the Hold Queue and marked as Suspected Malware. The intended recipient will receive a notification, and will need to ask an administratos with access to the Hold Queue to release the email.

  • EXE
  • COM
  • PIF
  • SCR
  • CPL
  • MSI

Encrypted ZIP files cannot be checked, although can be held using an Attachment Management Policy.

These checks can be bypassed by implementing a Message Passthrough policy. Mimecast recommends that this policy should only be implemented in the event that regular attachments are getting blocked which need to be allowed through. Bypassing these checks could result in a new virus outbreak being undetected whilst signatures are being updated.


Items placed in the Hold Queue due to “Suspicious Message Structure” indicate that the message has not been correctly structured based on RFC822 and RFC1123 (Request for Comment) documents, published by the Internet Engineering Task Force (IETF).


To prevent any malicious or dangerous emails from entering your email environment, Mimecast provides extensive checking of the structure and components of emails.


Although it is not uncommon that many mail servers and clients do not conform to these RFC standards, Mimecast is flexible on the format we accept, and therefore only holds the problematic instances.


What You Need


  • An Administrator Console logon with access to the Administration | Gateway | Policies menu item.


Creating a Policy


To create a policy, follow the instructions in the Creating / Changing a Policy article, but using the following options:


Policy NarrativeProvide a description for the Policy to allow you to easily identify it in the future.
Select Option

Select whether to hold or ignore suspected malware.


Definition Required?