Configuring Attachment Protection Definitions and Policies

Document created by user.oxriBaJeN4 Employee on Sep 12, 2015. Last modified by user.oxriBaJeN4 Employee on May 21, 2018. Version 14.

Attachment Protection policies protect your organization from targeted threats by capturing messages with potentially unsafe attachments. Each policy requires a configured Attachment Protection definition to set the conditions under which an attachment is considered safe or unsafe, and what actions should be taken if considered unsafe.

 

Best Practice Settings

 

We provide a list of Attachment Protection definition settings, based on commonly used configurations, that we consider best practice. They provide an optimal solution to protect you against potentially unsafe attachments. See the Attachment Protect Best Practice page for full details. You must log on to Mimecaster Central to access this page.

As one setting may not meet all your specific requirements, we recommend you review your requirements, changing these options where necessary.

Configuring an Attachment Protection Definition

 

To configure an Attachment Protection definition:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item.
  4. Select the Definitions drop down. A list of the definition types is displayed.
  5. Select Attachment Protection from the drop down menu. The list of definitions is displayed.
  6. Either click the:
    • New Definition button to create a definition.
    • Definition to be changed.
  7. In the Definition Narrative field, provide a description of the definition. This is kept in the archive for messages that have this definition applied.
  8. Complete the Inbound, Outbound and Journal Settings as required. If the setting applies, a 'Y' will show in the appropriate column below:

    Field / Option | Inbound | Outbound | Journal | Description
    Enable Inbound / Outbound / Journal Check | Y | Y | Y | Select this option to enable Attachment Protection for Inbound, Outbound, or Journal mail. If selected, some additional fields / options are displayed, as listed below. These can protect against malicious attachments found in mail.
    Attachment Protect Delivery Options | Y | N | N | Specify a delivery option for the definition. The options are:
      • Safe File: Transcribes vulnerable file types to a different file format to ensure they're safe. If selected, the "Administrator Notification" and "Admin Review Group" fields are not displayed.
      • Safe File with On-Demand Sandbox: Transcribes vulnerable file types to a different file format to ensure they are safe, but allows users to request the original versions via the on-demand sandbox.
      • Preemptive Sandbox: Checks all vulnerable file types in the preemptive sandbox, before delivering the mail and attachments to the user. This is the only option for ZDR and Metadata Only customers.
      • Dynamic Configuration: This takes the onus away from the administrator by giving control to users to decide if individual users are added to a trusted list. By default, Safe File with On-Demand Sandbox is used, but for users on the trusted list, Preemptive Sandbox is used.
    Ignore Signed Messages | Y | N | N | If selected, attachment protection is not applied to digitally signed messages. This ensures the message signature remains intact but means attachments are not security checked. This option is not displayed if the "Attachment Protect Delivery Options" field is set to a value of "Preemptive Sandbox".
    Sandbox Fallback Action | Y | N | N | Specify the action to take if an attachment cannot be processed by the sandbox. This option is only displayed if the "Attachment Protect Delivery Options" field is set to a value of "Preemptive Sandbox". The options are:
      • Hold for Administrator Review: The message and attachment are placed in the held queue.
      • Bounce: The message and attachment are accepted, but bounced with a notification to the sender.
    Release Forwarded Internal Attachment | Y | N | N | Controls whether any internally forwarded attachment can be released from the sandbox.
    Enable Notifications | Y | Y | Y | Enables a group of users to be notified when an attachment is unsafe. If selected, the "Administrator Group" field is displayed. See the Managing Groups page for full details on creating the group.
    Administrator Group / Notify Group | Y | Y | Y | Select a group of administrators via the Lookup button to receive notifications of any unsafe attachments.
    Internal Sender | Y | Y | Y | Sends a notification to the message's internal sender if an unsafe attachment is found.
    Internal Recipient | Y | N | Y | Sends a notification to the message's internal recipient if an unsafe attachment is found.
    External Sender | Y | N | N | Sends a notification to the message's external sender if an unsafe attachment is found.
    Default Transcribed Document Format | Y | N | N | Specify the default file format to be used for safe file document transcription:
      • PDF
      • TIFF: This is used if the document cannot be transcribed to the selected format.
      • Original Format
    Default Transcribed Spreadsheet Format | Y | N | N | Specify the default file format to be used for safe file spreadsheet transcription:
      • CSV: If selected, the 'Spreadsheet Worksheet Options' field is displayed.
      • PDF
      • TIFF: This is used if the spreadsheet cannot be transcribed to the selected format.
      • Original Format
      • HTML
      • HTML Multi-Tab: This provides a .zip file that must be extracted. This value is used if the spreadsheet cannot be transcribed to the selected format.
    Gateway Action | N | Y | N | Select the action (or fallback action) to take when a message containing an unsafe attachment is detected. The Gateway Fallback Action is only applied if we're unable to check a message's attachment.
      • None: The message is delivered to the recipients.
      • Hold: The message is sent to the hold queue, and not delivered to the recipients.
      • Bounce: The message is rejected, and not delivered to the recipients.
    Gateway Fallback Action | N | Y | N | See the Gateway Action description above; the same options apply.
    User Mailbox Action | N | Y | Y | Select the action (or fallback action) to take on the user's mailbox when a message containing an unsafe attachment is detected. The User Mailbox Fallback Action is only applied if we're unable to check a message's attachment.
      • None: No action is taken on the user's mailbox. The message is delivered to the recipients.
      • Remove Message: The message is removed from the user's mailbox.
      • Remove Attachment: The message is delivered to the user's mailbox, with the attachment removed.
      In non-Exchange environments, automatic remediation isn't supported. However, you can leverage detection with a journal connector, and through these alerts perform manual remediation.
    User Mailbox Fallback Action | N | Y | Y | See the User Mailbox Action description above; the same options apply.

    Outbound and Journal settings are only displayed if you have Targeted Threat Protection: Internal Email Protect enabled on your account.
  9. Click on the Save and Exit button.
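
The dependencies in the settings table (which settings apply to which direction, which fields are only offered with Preemptive Sandbox, and what a fallback of None means) can be checked against a written-down copy of a definition before it is saved. The following is an added example, not vendor code: setting names are the console labels from this page, while the nested-dict record layout and the `review_definition` function are assumptions made for illustration.

```python
# Added example. Setting names are the console labels from the table above;
# the nested-dict layout is a constructed, hand-written record (assumption).
APPLIES = {  # directions each setting is offered for (the Y columns)
    "Attachment Protect Delivery Options": {"Inbound"},
    "Ignore Signed Messages": {"Inbound"},
    "Sandbox Fallback Action": {"Inbound"},
    "Gateway Action": {"Outbound"},
    "Gateway Fallback Action": {"Outbound"},
    "User Mailbox Action": {"Outbound", "Journal"},
    "User Mailbox Fallback Action": {"Outbound", "Journal"},
}
PREEMPTIVE = "Preemptive Sandbox"

def review_definition(definition):
    """Return findings for one definition: {direction: {setting: value}}."""
    findings = []
    for direction, settings in definition.items():
        for name, value in settings.items():
            if direction not in APPLIES.get(name, {direction}):
                findings.append(f"{direction}: '{name}' does not apply to this direction")
            # A fallback of None delivers mail whose attachment could not be checked.
            if name.endswith("Fallback Action") and value == "None":
                findings.append(f"{direction}: '{name}' is None, unchecked attachments are delivered")
    inbound = definition.get("Inbound", {})
    delivery = inbound.get("Attachment Protect Delivery Options")
    if delivery == PREEMPTIVE and "Ignore Signed Messages" in inbound:
        findings.append("Inbound: 'Ignore Signed Messages' is not offered with Preemptive Sandbox")
    if delivery != PREEMPTIVE and "Sandbox Fallback Action" in inbound:
        findings.append("Inbound: 'Sandbox Fallback Action' is only offered with Preemptive Sandbox")
    if inbound.get("Ignore Signed Messages"):
        findings.append("Inbound: attachments on digitally signed messages are not security checked")
    return findings

SAMPLE = {  # constructed sample record
    "Inbound": {
        "Attachment Protect Delivery Options": "Safe File",
        "Ignore Signed Messages": True,
        "Sandbox Fallback Action": "Bounce",
    },
    "Outbound": {"Gateway Action": "Hold", "Gateway Fallback Action": "None"},
    "Journal": {"Gateway Action": "Hold", "User Mailbox Fallback Action": "Remove Message"},
}

if __name__ == "__main__":
    for finding in review_definition(SAMPLE):
        print(finding)
```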

 

Configuring an Attachment Protection Policy

 

To configure an Attachment Protection policy:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item.
  4. Click on Attachment Protection. A list of existing policies is displayed.
  5. Either click on the:
    • New Policy button to create a policy.
    • Policy to be amended.
  6. Complete the Options section as follows:
    Field / Option | Description
    Policy Narrative | Enter a description for the policy. This is kept with the message in the archive.
    Select Option | Specify an Attachment Protection definition from the drop down list.
  7. Complete the Emails From section as follows:
    Field / Option | Description
    Addresses Based On | Specify the email address characteristics the policy is based on.
    Applies From | Specify the sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific.
    Specifically | Enables you to specify an SMTP address, if "Individual Email Addresses" is specified in the "Applies From" field.
  8. Complete the Emails To section as follows:
    Field / Option | Description
    Applies To | Specify the recipient characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific.
    Specifically | Enables a specific SMTP address, if "Individual Email Addresses" is specified in the "Applies To" field.
  9. Complete the Validity section as required:
    Field / Option | Description
    Enable / Disable | Use this option to enable (default) or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or backdate it. Should the policy's configured date range be reached, it's automatically disabled.
    Set Policy as Perpetual | Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires.
    Date Range | Specify a start and end date for the policy. This automatically deselects the "Eternal" option.
    Policy Override | Select this option to override the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override.
    Bi-Directional | If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient.
    Source IP Ranges (n.n.n.n/x) | Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  10. Click on the Save and Exit button.
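
To see how the Validity fields combine, the following added example models them as a single applicability check and validates Source IP Ranges as CIDR before use. It is a simplified illustration, not vendor code: the dict keys, exact-address matching, inclusive date bounds, and treating an empty range list as "no restriction" are all assumptions.

```python
# Added example: a simplified model of the Validity fields, not product code.
# Dict keys and the exact-address matching are assumptions for illustration.
from datetime import date
from ipaddress import ip_address, ip_network

def parse_ranges(ranges):
    """Parse 'n.n.n.n/x' entries; strict=True rejects ranges with host bits set."""
    return [ip_network(r.strip(), strict=True) for r in ranges]

def _pair_matches(policy, sender, recipient):
    # None stands for "no specific address" (assumption); otherwise exact match.
    ok_from = policy["from"] in (None, sender.lower())
    ok_to = policy["to"] in (None, recipient.lower())
    return ok_from and ok_to

def policy_applies(policy, sender, recipient, source_ip, on):
    """True if the modelled policy applies to this message on date `on`."""
    if not policy["enabled"]:
        return False
    if not policy["perpetual"]:
        start, end = policy["date_range"]
        if not start <= on <= end:  # inclusive bounds are an assumption
            return False
    nets = parse_ranges(policy["source_ip_ranges"])
    # Assumption: an empty list means the policy is not restricted by source IP.
    if nets and not any(ip_address(source_ip) in n for n in nets):
        return False
    if _pair_matches(policy, sender, recipient):
        return True
    # Bi-Directional: also applies with sender and recipient swapped.
    return policy["bi_directional"] and _pair_matches(policy, recipient, sender)

POLICY = {  # constructed sample using documentation addresses and ranges
    "enabled": True,
    "perpetual": False,
    "date_range": (date(2018, 1, 1), date(2018, 12, 31)),
    "from": "partner@example.net",
    "to": None,
    "bi_directional": True,
    "source_ip_ranges": ["192.0.2.0/24"],
}

if __name__ == "__main__":
    print(policy_applies(POLICY, "partner@example.net", "user@example.com",
                         "192.0.2.15", date(2018, 5, 21)))
```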

 
