Configuring Attachment Protection Definitions and Policies

Document created by user.oxriBaJeN4 Employee on Sep 12, 2015. Last modified by user.Yo2IBgvWqr on Oct 9, 2017.
Version 10

Attachment Protection policies protect your organization from targeted threats by capturing messages with potentially unsafe attachments. Each policy requires a configured Attachment Protection definition to set the conditions under which an attachment is considered safe or unsafe, and what actions should be taken if considered unsafe.

 

Attachment Protection policies strip attachments that could potentially contain malicious code (e.g. PDF, Microsoft Office files) from inbound messages, and replace them with a clean, transcribed version. Employees have instant access to clean attachments to maintain productivity. If read / write access is required, a link in the message is used to request the original file via the sandbox. This safe file approach eliminates the inactivity inherent in traditional sandbox solutions, as delays are confined to the rare occasions where an editable document is required.

 

Best Practice Settings

 

We've provided a list of Attachment Protection definition and policy settings which we consider best practice. These settings are based on commonly used configurations that can provide an optimal solution to protect you against potentially unsafe attachments. It is important to understand that one setting may not meet all your specific requirements. We recommend that you review your environment, tweaking these options where necessary.

 

See the Attachment Protect Best Practice page for full details. You must log on to Mimecaster Central to access this page.

 

Configuring an Attachment Protection Definition

 

To configure an Attachment Protection definition:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item.
  4. Select the Definitions drop down. A list of the definition types is displayed.
  5. Select Attachment Protection from the drop down menu. The list of definitions is displayed.
  6. Either click the:
    • New Definition button to create a definition.
    • Definition to be changed.
  7. In the Definition Narrative field, provide a description of the definition. This is kept in the archive for messages that have this definition applied.
  8. Complete the Inbound Settings as required:
    Field / Option: Description
    Enable Inbound Check: If selected, the fields / options listed below are displayed. These can protect against malicious attachments for inbound mail.
    Attachment Protect Delivery Options: Specify a delivery option for the definition. The options are:
      • Safe File: Transcribes vulnerable file types to a different file format to ensure they're safe. If selected, the "Administrator Notification" and "Admin Review Group" fields are not displayed.
      • Safe File with On-Demand Sandbox: Transcribes vulnerable file types to a different file format to ensure they are safe, but allows users to request the original versions via the on-demand sandbox.
      • Preemptive Sandbox: Checks all vulnerable file types in the preemptive sandbox, before delivering the mail and attachments to the user. This is the only option for ZDR and Metadata Only customers.
      • Dynamic Configuration: This takes the onus away from the administrator by giving control to users to decide if individual users are added to a trusted list. By default, Safe File with On-Demand Sandbox is used, but for users on the trusted list, Preemptive Sandbox is used.
    Ignore Signed Messages: If selected, attachment protection is not applied to digitally signed messages. This ensures the message signature remains intact, but means attachments are not security checked. This option is not displayed if the "Attachment Protect Delivery Options" field is set to a value of "Preemptive Sandbox".
    Sandbox Fallback Action: Specify the action to take if an attachment cannot be processed by the sandbox. This option is only displayed if the "Attachment Protect Delivery Options" field is set to a value of "Preemptive Sandbox". The options are:
      • Hold for Administrator Review: The message and attachment are placed in the held queue.
      • Bounce: The message and attachment are accepted, but bounced with a notification to the sender.
    Release Forwarded Internal Attachment: Controls whether any internally forwarded attachment can be released from the sandbox.
    Administrator Notification: Enables a group of users to be notified when an attachment is unsafe. If selected, the "Admin Review Group" field is displayed. See the Managing Groups page for full details on creating the group.
    Admin Review Group: Select a group of administrators via the Lookup button to receive notifications of any unsafe attachments.
    Default Transcribed Document Format: Specify the default file format to be used for safe file document transcription. The options are:
      • PDF
      • TIFF: This is used if the document cannot be transcribed to the selected format.
      • Original Format
    Default Transcribed Spreadsheet Format: Specify the default file format to be used for safe file spreadsheet transcription. The options are:
      • CSV: If selected, the "Spreadsheet Worksheet Options" field is displayed.
      • PDF
      • TIFF: This is used if the spreadsheet cannot be transcribed to the selected format.
      • Original Format
      • HTML
      • HTML Multi-Tab: This provides a .zip file that must be extracted. This value is used if the spreadsheet cannot be transcribed to the selected format.
    Spreadsheet Worksheet Options: Specify the option to use for spreadsheets containing multiple worksheets. The options are:
      • Transcribe First Worksheet Only
      • Transcribe All Worksheets
  9. Complete the Outbound Settings as required:
    Outbound Settings are only displayed if you have Targeted Threat Protection: Internal Email Protect enabled on your account.
    Field / Option: Description
    Enable Outbound Check: If selected, the fields / options listed below are displayed. These can protect against malicious attachments in outbound mail.
    Gateway Action / Gateway Fallback Action: Select the action (or fallback action) to take when a message containing an unsafe attachment is detected. The Gateway Fallback Action is only applied if we're unable to check a message's attachment.
      • None: The message is delivered to the recipients.
      • Hold: The message is sent to the hold queue, and not delivered to the recipients.
      • Bounce: The message is rejected, and not delivered to the recipients.
    User Mailbox Action / User Mailbox Fallback Action: Select the action (or fallback action) to take on the user's mailbox when a message containing an unsafe attachment is detected. The User Mailbox Fallback Action is only applied if we're unable to check a message's attachment.
      • None: No action is taken on the user's mailbox. The message is delivered to the recipients.
      • Remove Attachment: The message is delivered to the user's mailbox, with the attachment removed.
      • Remove Message: The message is removed from the user's mailbox.
      In non-Exchange environments, automatic remediation isn't supported. However, you can leverage detection with a journal connector, and through these alerts perform manual remediation.
    Enable Notifications: Enables a group of users to be notified, as well as the internal sender / recipient, when an unsafe URL is found. If selected, the "Notify Group", "Internal Sender", and "Internal Recipient" fields are displayed.
    Notify Group: Select a group of administrators via the Lookup button to receive notifications of any unsafe attachments.
    Internal Sender: If selected, a notification is sent to the message's internal sender when an unsafe attachment is detected.
    Internal Recipient: If selected, a notification is sent to the message's internal recipient when an unsafe attachment is detected.
  10. Complete the Journal Settings as required:
    Journal Settings are only available if you have Targeted Threat Protection: Internal Email Protect enabled on your account.
    Field / Option: Description
    Enable Journal Check: If selected, the fields / options listed below are displayed. These can be used to protect against malicious attachments in journaled traffic.
    User Mailbox Action / User Mailbox Fallback Action: Select the action (or fallback action) to take on the user's mailbox when an unsafe attachment is detected. The User Mailbox Fallback Action is only applied if we're unable to check a message's attachment.
      • None: No action is taken on the user's mailbox. The message is delivered to the recipients.
      • Remove Attachment: The message is delivered to the user's mailbox, with the attachment removed.
      • Remove Message: The message is removed from the user's mailbox.
    Enable Notifications: Enables users to be notified, as well as the internal sender / recipient, when an unsafe attachment is found. If selected, the "Notify Group", "Internal Sender", and "Internal Recipient" fields are displayed.
    Notify Group: Select a group of administrators via the Lookup button to receive notifications of any unsafe attachments.
    Internal Sender: If selected, a notification is sent to the message's internal sender when there is an unsafe attachment.
    Internal Recipient: If selected, a notification is sent to the message's internal recipient when there is an unsafe attachment.
  11. Click on the Save and Exit button.

 

Configuring an Attachment Protection Policy

 

To configure an Attachment Protection policy:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item.
  4. Click on Attachment Protection. A list of existing policies is displayed.
  5. Either click on the:
    • New Policy button to create a policy.
    • Policy to be amended.
  6. Complete the Options section as follows:
    Field / Option: Description
    Policy Narrative: Enter a description for the policy. This is kept with the message in the archive.
    Select Option: Specify an Attachment Protection definition from the drop down list.
  7. Complete the Emails From section as follows:
    Field / Option: Description
    Addresses Based On: Specify the email address characteristics the policy is based on.
    Applies From: Specify the sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific.
    Specifically: Enables you to specify an SMTP address, if "Individual Email Addresses" is specified in the "Applies From" field.
  8. Complete the Emails To section as follows:
    Field / Option: Description
    Applies To: Specify the recipient characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific.
    Specifically: Enables a specific SMTP address, if "Individual Email Addresses" is specified in the "Applies To" field.
  9. Complete the Validity section as required:
    Field / Option: Description
    Enable / Disable: Use this option to enable (default) or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or backdate it. Should the policy's configured date range be reached, it is automatically disabled.
    Set Policy as Perpetual: Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires.
    Date Range: Specify a start and end date for the policy. This automatically deselects the "Eternal" option.
    Policy Override: Select this option to override the default order in which policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override.
    Bi-Directional: If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient.
    Source IP Ranges (n.n.n.n/x): Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  10. Click on the Save and Exit button.
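
When several policies overlap, it helps to check on paper which one a given message will hit before saving. The following is an added example, not code from the product or from this page: a simplified Python model of the Validity rules described above (enable / disable, date range, Policy Override, Bi-Directional, Source IP Ranges). The Policy class, the numeric specificity ranks and the sample policies are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

@dataclass
class Policy:                      # hypothetical model; fields mirror the page's options
    name: str
    applies_from: str              # "*", a domain, or one SMTP address
    applies_to: str
    enabled: bool = True
    start: date = None             # start/end None = "Set Policy as Perpetual"
    end: date = None
    override: bool = False
    bidirectional: bool = False
    source_ranges: tuple = ()      # CIDR strings; empty = no IP restriction

def scope(pattern, address):
    """Assumed specificity rank: 2 address, 1 domain, 0 everyone, -1 no match."""
    pattern, address = pattern.lower(), address.lower()
    if pattern == "*":
        return 0
    if "@" in pattern:
        return 2 if pattern == address else -1
    return 1 if address.rsplit("@", 1)[-1] == pattern else -1

def rank(p, sender, recipient):
    # Bi-Directional: also try the pair with sender and recipient swapped
    pairs = [(sender, recipient)] + ([(recipient, sender)] if p.bidirectional else [])
    scores = [(scope(p.applies_from, s), scope(p.applies_to, r)) for s, r in pairs]
    return max([a + b for a, b in scores if a >= 0 and b >= 0], default=-1)

def select_policy(policies, sender, recipient, source_ip, on):
    ip, best = ipaddress.ip_address(source_ip), None
    for p in policies:
        in_dates = (not p.start or on >= p.start) and (not p.end or on <= p.end)
        in_range = not p.source_ranges or any(
            ip in ipaddress.ip_network(c, strict=False) for c in p.source_ranges)
        r = rank(p, sender, recipient)
        if p.enabled and in_dates and in_range and r >= 0:
            key = (p.override, r)  # override first, then most specific
            if best is None or key > best[0]:
                best = (key, p.name)
    return best[1] if best else None

# Constructed sample policies (not from the page)
POLICIES = [
    Policy("default-safe-file", "*", "*"),
    Policy("partner-preemptive", "partner.example", "*", source_ranges=("203.0.113.0/24",)),
    Policy("finance-override", "*", "finance.example", override=True, bidirectional=True),
    Policy("expired-pilot", "partner.example", "*", end=date(2017, 1, 31)),
]
```

Calling `select_policy(POLICIES, sender, recipient, source_ip, date)` returns the name of the winning policy, or `None` when no enabled policy matches.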

 
