Creating / Changing an Attachment Set Definition

Document created by user.oxriBaJeN4 Employee on Sep 12, 2015. Last modified by user.Yo2IBgvWqr on Aug 3, 2017.
Version 9

Attachment Management definitions allow Administrators to create Attachment Sets. These apply granular attachment handling for individual attachment types. Attachments can be denied by size, held for review, or stripped and linked to emails as appropriate. These restrictions are applied to the true MIME type of an attachment, meaning that renaming an attachment file extension will not bypass the attachment control system.

With the exception of the held option, strip and deny options can be overridden by using the Large File Send functionality.   

A default attachment set is created during the Mimecast implementation process, together with a list of Mimecast best practice Dangerous File Types set to be blocked.

 

When an attachment is detected that is defined as a blocked attachment, the email is accepted. However, the attachment is stripped from the email and held in a Stripped Attachments queue. If configured, the email will have a notification attached informing the recipient that an attachment was stripped from the email. If the end user feels that the attachment is legitimate, they can contact their Administrator to request that it is released.

 

Prerequisites

 

To create or change a definition you must:

  • Be logged on to the Mimecast Administration Console.
  • Have access to the relevant Gateway menu item for the definition being created or changed.

 

Creating / Changing an Attachment Set Definition

 

To create / change an Attachment Management Definition:

  1. Open the Gateway Policy Editor.
  2. Select the Definitions drop down. A list of the definition types is displayed.
  3. Select the Attachment Sets definition type from the list. The list of definitions is displayed.
  4. Click in a folder in the Navigator. You cannot create a definition in the root folder.
  5. Either select the:
    • Policy to be changed.
    • New Attachment Set Alteration button to create a definition.
  6. Complete the General Properties as follows:

    Field: Description
    Description: Enter a suitable Description. It is important to use something meaningful, as there may be multiple attachment sets in use.
    Default Block / Allow
    • Allow Specified Content (Block or Link All Others): Allows only the selected attachment types through; all other attachment types will be blocked, held, stripped or linked.
    • Block Specified Content (Allow or Link All Others): Blocks only the selected attachment types; all other attachment types are allowed.

    When the definition is saved, a green indicator represents a definition set to Allow Specified Content, whereas an amber indicator denotes the Block Specified Content option.

    Pornographic Image Setting

    Allows certain percentages to be applied to the likelihood that an image file contains pornography.  If a match is found (i.e. if the percentage chance that the attachment contains pornographic images matches), the email will be held in the Administrator Held queue.  The options are to not use scanning, or set the percentage from 1% to 90%. (By default this is set to not scan). Image file formats scanned include: BMP, JPG, TIF, PNG, GIF, WBMP, TGA, PCX.

    Mimecast currently scans Office 2007/10 documents (DOCX, XLSX, PPTX) and ZIP archives for pornographic images.  Legacy office documents (DOC, XLS, PPT), PDFs and Archive formats other than ZIP cannot be scanned.

    Encrypted Archives

    All archive files that are encrypted or password protected will be processed according to the selected options:

    • Allow - Bypasses these attachments without scanning the content.
    • Link - Strips the attachment, and instead sends a notification containing a URL link to the recipient of the message.
    • Hold - Places messages containing these attachments on hold pending user action.
    • Block - Strips the attachment and places it in the Administrative Hold queue.

    Unreadable Archives

    Provides a way for Administrators to control the handling of archives that are not encrypted, but failed to be extracted correctly. Attachments which are detected to be "unreadable" will be processed according to the selected option of Allow / Link / Hold / Block. File types considered unreadable archives include .ZIP, .ZIP64, .RAR, .7Z, .GZIP, .GZ, .JAR, .BZIP, .TAR, and .Z (UNIX Compress).

    Encrypted Documents: Office documents (e.g. .DOCX and .XLSX) can also be controlled by choosing one of the options to Allow / Link / Hold / Block.

    Scan for disallowed extensions within legacy Microsoft Office files: Checks legacy Microsoft Office attachments for embedded files (e.g. embedded .bat files in a Word document).
  7. Complete the Hold / Block Notification Options as follows:

    Field: Description
    Hold Type: Restricts the view of held messages in the Mimecast Personal Portal and Mimecast for Outlook On Hold message queue. The options are User (default), Moderator (Overseer access), and Administrator. For Data Leak Prevention (DLP) reasons a user will not be able to release outbound items that were placed On Hold due to content examination.
    Moderator Group: Specifies a group of users that are notified of the need for moderation when the policy is enforced. This field is not displayed if the Hold Type field is set to Administrator.
    Notify Group: Specifies a group of users that are notified when the policy is enforced.
    Notify (Internal) Sender: If selected, the sender is notified if an internal message they send with attachments triggers this policy to be enforced.
    Notify (External) Sender: If selected, the sender is notified if an external message they send with attachments triggers this policy to be enforced.
    Notify (Internal) Recipient: If selected, the recipient is notified if an internal message they receive with attachments triggers this policy to be enforced.
    Notify (External) Recipient: If selected, the recipient is notified if an external message they receive with attachments triggers this policy to be enforced.
    Notify Overseers: If selected, users configured by a Content Overseers policy are informed when the policy is enforced.
  8. Complete the Content Types as follows:

    Field: Description
    LFS Override: If selected, Large File Send has been enabled for your account and takes precedence over the Deny, Hold, and Link settings.
    Deny: If selected, all messages containing attachments whose total size exceeds the specified value are replaced with a substitute file. This file informs the recipient that their attachment has been removed and to contact their administrator for further assistance. If a value of "0" is specified, all messages with attachments regardless of the file size are denied.
    Hold: All messages containing attachments whose total size exceeds the specified value are held for moderation. If a value of "0" is specified, all messages with attachments regardless of the file size are held for moderation.
    Link: If selected, a file size can be specified. All messages containing one or more attachments exceeding the specified file size are replaced by links. If a value of "0" is specified, all messages with attachments regardless of the file size are replaced by links.
  9. Select Save and Exit.

 

You can use the View button located above the General Properties section to filter the file types in the Content Types section by:

  • View common extensions
  • View dangerous extensions
  • View base extensions
  • View mime extensions

 

When saved, each definition is denoted with a colored indicator as described below:

 

Icon: Description
icon1.png: Block Specified Content Types (Allow or Link All Others)
icon2.png: Allow Specified Content Types (Block or Link All Others)

 

Troubleshooting

 

Q: Why are files with their file extensions changed from .EXE to .PDF being whitelisted?
A:

If the mimetype is set to "all" for an extension, the policy's checks are:

  • mimetype + mimetype extension
  • "All" + mimetype extension
  • "All" + actual file extension

 

If you have .PDF files with the mime type "all" allowed, and a .EXE file attachment is received that has been renamed with a .PDF extension, the checks will be:

  • application/x-ms-dos-executable + exe = no match in the attachment set
  • All + exe = no match in the attachment set
  • All + pdf = a positive match

As a result, the attachment is whitelisted. We recommend careful consideration when creating policies set to allow the mimetype of "all".
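
The three lookups described in this answer, modelled as an added example (not Mimecast code). The MIME-to-extension map, the set representation of an attachment set and all function names are assumptions for illustration, and the set is taken to be in Allow Specified Content mode.

```python
import os

# Constructed map: detected (true) MIME type -> extension normally tied to it.
MIME_EXTENSION = {
    "application/x-ms-dos-executable": "exe",
    "application/pdf": "pdf",
}

def lookups(true_mime, filename):
    """The three (mimetype, extension) checks, in the order the answer lists them."""
    mime_ext = MIME_EXTENSION.get(true_mime)
    file_ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return [(true_mime, mime_ext), ("all", mime_ext), ("all", file_ext)]

def first_match(attachment_set, true_mime, filename):
    """Return the first entry of the attachment set that a check hits, or None."""
    for key in lookups(true_mime, filename):
        if key in attachment_set:
            return key
    return None

def decide(attachment_set, true_mime, filename):
    """Allow Specified Content mode: a match allows, anything else is blocked."""
    return "allow" if first_match(attachment_set, true_mime, filename) else "block"

def audit(attachment_set):
    """Extensions allowed for any MIME type; these entries deserve review."""
    return sorted(ext for mime, ext in attachment_set if mime == "all")

# Constructed attachment sets: the loose one from the answer, and a stricter
# one that ties the .pdf extension to the PDF MIME type.
LOOSE = {("all", "pdf")}
STRICT = {("application/pdf", "pdf")}

if __name__ == "__main__":
    renamed = ("application/x-ms-dos-executable", "invoice.pdf")  # EXE renamed to .PDF
    genuine = ("application/pdf", "report.pdf")
    for name, aset in (("loose", LOOSE), ("strict", STRICT)):
        print(name, "renamed exe ->", decide(aset, *renamed),
              "| genuine pdf ->", decide(aset, *genuine),
              "| flagged:", audit(aset))
```

Running `audit` over an exported list of allow entries gives the set of extensions that are accepted on the file name alone.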
