Attachment Management definitions allow Administrators to create Attachment Sets, which apply granular handling to individual attachment types. Attachments can be denied by size, held for review, or stripped from the message and replaced with a link, as appropriate. These restrictions are applied to the true MIME type of an attachment, so renaming a file's extension does not by itself bypass the attachment control system (the one exception, content type entries whose MIME type is set to "all", is covered in the question at the end of this page).
A default attachment set is created during the Mimecast implementation process, together with a list of Mimecast best practice Dangerous File Types set to be blocked.
When an attachment matching a blocked type is detected, the email itself is accepted, but the attachment is stripped from it and held in the Stripped Attachments queue. If configured, a notification is attached to the email informing the recipient that an attachment was stripped. If the recipient believes the attachment is legitimate, they can contact their Administrator to request that it is released.
To create or change a definition you must:
- Be logged on to the Mimecast Administration Console.
- Have access to the relevant Gateway menu item for the definition being created or changed.
Creating / Changing an Attachment Set Definition
To create / change an Attachment Management Definition:
- Open the Gateway Policy Editor.
- Select the Definitions drop down. A list of the definition types is displayed.
- Select the Attachment Sets definition type from the list. The list of definitions is displayed.
- Select a folder in the Navigator. You cannot create a definition in the root folder.
- Either select the:
- Definition to be changed.
- New Attachment Set Alteration button to create a definition.
- Complete the General Properties as follows:
| Field | Description |
|---|---|
| Description | Enter a suitable description. Use something meaningful, as there may be multiple attachment sets in use. |
| Default Block / Allow | Select one of the two modes described below. |

- Allow Specified Content (Block or Link All Others): only the selected attachment types are allowed through; all other attachment types are blocked, held, stripped or linked.
- Block Specified Content (Allow or Link All Others): only the selected attachment types are blocked; all other attachment types are allowed.

When the definition is saved, a green indicator denotes a definition set to Allow Specified Content, and an amber indicator denotes the Block Specified Content option.
Pornographic Image Setting
Sets a likelihood threshold for image attachments. The scanner assigns each image a percentage likelihood that it contains pornography; if that value reaches the configured percentage, the email is held in the Administrator Held queue. The options are to not scan (the default) or to set a threshold from 1% to 90%. Image file formats scanned include BMP, JPG, TIF, PNG, GIF, WBMP, TGA and PCX.
Mimecast currently scans Office 2007/2010 documents (DOCX, XLSX, PPTX) and ZIP archives for pornographic images. Legacy Office documents (DOC, XLS, PPT), PDFs and archive formats other than ZIP cannot be scanned.
Encrypted Archives
All archive files that are encrypted or password protected are processed according to the selected option:
- Allow: Bypasses these attachments without scanning the content.
- Link: Strips the attachment and instead sends the recipient a notification containing a URL link to it.
- Hold: Places messages containing these attachments on hold pending user action.
- Block: Strips the attachment and places it in the Administrative Hold queue.
Unreadable Archives
Controls the handling of archives that are not encrypted but could not be extracted correctly. Attachments detected as "unreadable" are processed according to the selected option: Allow, Link, Hold or Block. File types that can be classed as unreadable archives include .ZIP, .ZIP64, .RAR, .7Z, .GZIP, .GZ, .JAR, .BZIP, .TAR and .Z (UNIX compress).
Encrypted Documents
Encrypted or password-protected Office documents (e.g. .DOCX and .XLSX) can also be controlled by choosing one of the options: Allow, Link, Hold or Block.
Scan for disallowed extensions within legacy Microsoft Office files
If selected, legacy Microsoft Office attachments are checked for embedded files (e.g. a .bat file embedded in a Word document).
- Complete the Hold / Block Notification Options as follows:
| Field | Description |
|---|---|
| Hold Type | Determines who can view held messages in the Mimecast Personal Portal and the Mimecast for Outlook On Hold message queue. The options are User (default), Moderator (Overseer access) and Administrator. For Data Leak Prevention (DLP) reasons a user cannot release outbound items that were placed On Hold due to content examination. |
| Moderator Group | Specifies a group of users that are notified of the need for moderation when the policy is enforced. This field is not displayed if Hold Type is set to Administrator. |
| Notify Group | Specifies a group of users that are notified when the policy is enforced. |
| Notify (Internal) Sender | If selected, the sender is notified when an internal message they send with attachments triggers this policy. |
| Notify (External) Sender | If selected, the sender is notified when an external message they send with attachments triggers this policy. |
| Notify (Internal) Recipient | If selected, the recipient is notified when an internal message they receive with attachments triggers this policy. |
| Notify (External) Recipient | If selected, the recipient is notified when an external message they receive with attachments triggers this policy. |
| Notify Overseers | If selected, the users configured by a Content Overseers policy are informed when the policy is enforced. |
- Complete the Content Types as follows:
| Field | Description |
|---|---|
| LFS Override | Available when Large File Send has been enabled for your account. If selected, Large File Send takes precedence over the Deny, Hold and Link size settings. |
| Deny | If selected, all messages containing attachments whose total size exceeds the specified value have those attachments replaced with a substitute file. This file informs the recipient that their attachment has been removed and to contact their administrator for further assistance. If a value of "0" is specified, all messages with attachments are denied regardless of file size. |
| Hold | All messages containing attachments whose total size exceeds the specified value are held for moderation. If a value of "0" is specified, all messages with attachments are held for moderation regardless of file size. |
| Link | If selected, a file size can be specified. All messages containing one or more attachments exceeding the specified file size have those attachments replaced by links. If a value of "0" is specified, all messages with attachments are replaced by links regardless of file size. |
- Select Save and Exit.
You can use the View button located above the General Properties section to filter the file types in the Content Types section by:
- View common extensions
- View dangerous extensions
- View base extensions
- View mime extensions
When saved, each definition is denoted with a colored indicator:

| Indicator | Meaning |
|---|---|
| Amber | Block Specified Content Types (Allow or Link All Others) |
| Green | Allow Specified Content Types (Block or Link All Others) |
Q: Why are files with their file extension changed from .EXE to .PDF being whitelisted?
If the mimetype is set to "all" for an extension, the policy's checks are:
If you have .PDF files with the mime type "all" allowed, and a .EXE file attachment is received that has been renamed with a .PDF extension, the checks will be:
As a result, the attachment is whitelisted: the .PDF extension matches an allowed entry, and a MIME type of "all" accepts whatever the true content type is, so the renamed executable is not caught. We recommend careful consideration before creating policies that allow the MIME type "all" for an extension.
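The rule evaluation described in the General Properties and Content Types steps above, together with the "all" MIME type pitfall from the question above, modelled as an added example in Python. This is illustrative code written for this page, not Mimecast's implementation: the magic-byte table, the `Rule` and `AttachmentSet` structures, the assumed matching semantics (an entry with MIME type "all" matches on the filename extension alone, while an entry with a concrete MIME type matches on the sniffed content regardless of extension), the per-attachment rather than per-message size thresholds, and the sample attachments are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed magic-byte table (assumption for this example); a real gateway
# uses a far larger signature library.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]


def sniff_mime(data: bytes) -> str:
    """Return the true MIME type from leading bytes, ignoring the filename."""
    for signature, mime in MAGIC:
        if data.startswith(signature):
            return mime
    return "application/octet-stream"


def zip_is_encrypted(data: bytes) -> bool:
    """ZIP local file header: sig(4) version(2) flags(2); flag bit 0 = encrypted."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 8:
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


@dataclass
class Rule:
    ext: str              # extension the entry is listed under (lower-case, no dot)
    mime: str             # exact MIME type, or "all" to accept any true type for that ext
    action: str = "block"  # used in Block Specified mode: block / hold / link / strip


@dataclass
class AttachmentSet:
    mode: str                          # "allow_specified" or "block_specified"
    rules: list
    encrypted_archives: str = "hold"   # Allow / Link / Hold / Block option
    deny_over: Optional[int] = None    # size thresholds in bytes; 0 catches every attachment
    hold_over: Optional[int] = None
    link_over: Optional[int] = None


def _matches(rule: Rule, ext: str, true_mime: str) -> bool:
    # Assumed semantics: "all" matches on extension alone (the FAQ pitfall);
    # a concrete MIME type matches on sniffed content, so renaming cannot dodge it.
    if rule.mime == "all":
        return rule.ext == ext
    return rule.mime == true_mime


def evaluate(aset: AttachmentSet, filename: str, data: bytes) -> str:
    """Return the action for one attachment: allow, block, hold, link, strip or deny."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    true_mime = sniff_mime(data)

    # Encrypted archives cannot be inspected, so the Encrypted Archives option applies.
    if true_mime == "application/zip" and zip_is_encrypted(data):
        return aset.encrypted_archives.lower()

    matched = next((r for r in aset.rules if _matches(r, ext, true_mime)), None)
    if aset.mode == "allow_specified":
        if matched is None:
            return "block"
    elif matched is not None:  # block_specified
        return matched.action

    # Size thresholds apply to attachments the content rules let through;
    # the most severe configured threshold wins.
    size = len(data)
    if aset.deny_over is not None and size > aset.deny_over:
        return "deny"
    if aset.hold_over is not None and size > aset.hold_over:
        return "hold"
    if aset.link_over is not None and size > aset.link_over:
        return "link"
    return "allow"


# Constructed sample attachments: a PDF, a PE executable renamed .pdf, and a
# password-protected ZIP (flag bit 0 set in the local file header).
PDF = b"%PDF-1.7\n%...\n"
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60
ENCRYPTED_ZIP = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22

LOOSE = AttachmentSet("allow_specified", [Rule("pdf", "all")])
STRICT = AttachmentSet("allow_specified", [Rule("pdf", "application/pdf")])
DANGEROUS = AttachmentSet("block_specified",
                          [Rule("exe", "application/x-msdownload", "strip")],
                          encrypted_archives="Block", link_over=10 * 1024 * 1024)

if __name__ == "__main__":
    for name, aset in [("loose", LOOSE), ("strict", STRICT), ("dangerous", DANGEROUS)]:
        for fname, blob in [("report.pdf", PDF), ("invoice.pdf", RENAMED_EXE),
                            ("docs.zip", ENCRYPTED_ZIP)]:
            print(f"{name:9} {fname:12} -> {evaluate(aset, fname, blob)}")
```

Running the block shows the pitfall directly: `LOOSE` allows `invoice.pdf` even though its bytes start with `MZ`, because the "all" entry only looks at the extension, whereas `STRICT` blocks it because the sniffed type is not `application/pdf`. `DANGEROUS` strips the renamed executable regardless of name and applies the Block option to the password-protected ZIP.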