Suspected malware detection, also known as ZHARA (Zero Hour Adaptive Risk Assessor), is Mimecast's proprietary software for early detection and prevention of zero-day malware and spam outbreaks. It protects against previously unknown threats using deep anomaly detection and trending across the entire Mimecast customer base.
A Suspected Malware Policy is implemented by default when your Mimecast account is created. See the Default Connect Process Policies page for further information about the policies created.
Encrypted ZIP files cannot be checked, although they can be held using an Attachment Management Policy.
Suspected malware checks can be bypassed by implementing a Suspected Malware Bypass policy. Mimecast recommends implementing this policy only where legitimate attachments are being blocked and need to be allowed through. Bypassing the malware checks could allow a virus outbreak to go undetected while signatures are being updated.
To create or change a definition you must:
- Be logged on to the Mimecast Administration Console.
- Have access to the relevant Gateway menu item for the definition being created or changed.
Creating / Changing a Suspected Malware Definition
To create / change a suspected malware definition:
- Open the Gateway Policy Editor.
- Select the Definitions drop down. A list of the definition types is displayed.
- Select the Suspected Malware definition type from the list. The list of definitions is displayed.
- Either select the:
- Definition to be changed.
- New Definition button to create a definition.
- Complete the Malware Definitions Settings section as follows:
- Description: Add a description for the definition.
- Suspected malware file types: if selected, emails containing any of the following file types are considered suspected malware: .ZIP, .EXE, .COM, .PIF, .SCR, .CPL, .MSI.
- Dangerous file types: if selected, emails containing any of the following file types are considered dangerous: .EXE, .COM, .PIF, .SCR, .CPL, .MSI.
- Encrypted or password-protected archives: all encrypted or password-protected archive files are processed according to the selected option. Hold places messages containing these attachments on hold pending user action; Block strips the attachment and places it in the Administrative Hold queue.
- Unsupported archives: lets Administrators control the handling of encrypted archives that the archive extraction process does not support. Attachments detected as an unsupported archive type are processed according to the selected option: Allow, Link, Hold or Block.
- Supported archive types: ZIP, RAR, 7Z, GZIP, GZ, JAR, BZIP, TAR, Z (UNIX Compress).
- Scan for Disallowed Extensions Within Legacy Microsoft Office Files: enabled by default if Attachment Management is not part of the Mimecast subscription, in which case it is recommended to leave it enabled. The check protects against dangerous files embedded within legacy Microsoft Office files.
- Scan for Microsoft Office Macros: disabled by default. The check protects against Microsoft Office attachments that contain macros. For detection in legacy Office files, the "Scan for Disallowed Extensions Within Legacy Microsoft Office Files" option must also be enabled. Legacy PowerPoint files are excluded.
- Archive limits: checks for the following attributes:
- A zip file containing more than five levels of zip depth.
- The file contains more than 20000 entries or files.
- The maximum unpacked size of a single file is greater than 200 MB.
- The total unpacked size is greater than 2 GB.
For example, Excel files are packaged XML files. To determine the true uncompressed size of such a file, change the extension to .zip and unpack it.
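The archive limits above are simple enough to reproduce locally, which helps when working out why a particular attachment was held. The script below is an added example written for this page, not Mimecast's code. It walks a zip held in memory (nested zips included) and reports nesting depth, entry count, largest single unpacked size and total unpacked size against the thresholds listed above; it also flags the file types listed earlier, an OOXML macro container (vbaProject.bin, which is where Office stores VBA), and encrypted entries, which it leaves uninspected in line with the note that encrypted ZIP files cannot be checked. The page does not say how Mimecast counts depth; here the outer archive is depth 0, so a zip nested six deep trips the check. The function names and the constructed sample files are assumptions.

```python
"""Triage an attachment against archive limits like those in a Suspected Malware
definition. Added example, not Mimecast code. Thresholds are the ones the page lists;
depth counting, function names and sample data are assumptions."""
import io
import os
import zipfile

# Thresholds quoted on the page; exceeding any one of them is treated as a trigger.
MAX_ZIP_DEPTH = 5                              # nested zips inside the outer archive
MAX_ENTRIES = 20000
MAX_SINGLE_UNPACKED = 200 * 1024 * 1024        # 200 MB for one file
MAX_TOTAL_UNPACKED = 2 * 1024 * 1024 * 1024    # 2 GB across the whole archive

# File types the page lists as suspected malware when that option is selected.
SUSPECTED_TYPES = {".zip", ".exe", ".com", ".pif", ".scr", ".cpl", ".msi"}


def inspect_archive(data: bytes, depth: int = 0) -> dict:
    """Walk a zip (and any zips inside it) collecting the counters the checks need.
    Sizes are read from the central directory, so nothing is decompressed except
    nested zips small enough to open. depth 0 is the outer archive (assumption)."""
    stats = {"max_depth": depth, "entries": 0, "max_file": 0, "total": 0, "findings": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        stats["findings"].append("not a zip archive (unsupported or damaged)")
        return stats
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            stats["entries"] += 1
            stats["max_file"] = max(stats["max_file"], info.file_size)
            stats["total"] += info.file_size
            if ext in SUSPECTED_TYPES:
                stats["findings"].append(f"suspected file type {ext}: {name}")
            if os.path.basename(name).lower() == "vbaproject.bin":
                # OOXML documents keep VBA in this part, so its presence means macros.
                stats["findings"].append(f"Office macro container: {name}")
            if info.flag_bits & 0x1:
                # General-purpose flag bit 0: entry is encrypted, contents not inspectable.
                stats["findings"].append(f"encrypted entry, not inspectable: {name}")
                continue
            if ext == ".zip" and info.file_size <= MAX_SINGLE_UNPACKED:
                inner = inspect_archive(zf.read(info), depth + 1)
                stats["max_depth"] = max(stats["max_depth"], inner["max_depth"])
                stats["entries"] += inner["entries"]
                stats["max_file"] = max(stats["max_file"], inner["max_file"])
                stats["total"] += inner["total"]
                stats["findings"].extend(inner["findings"])
    return stats


def triggered_checks(stats: dict) -> list:
    """Return the names of the archive limits that the inspected archive exceeds."""
    hits = []
    if stats["max_depth"] > MAX_ZIP_DEPTH:
        hits.append("zip depth")
    if stats["entries"] > MAX_ENTRIES:
        hits.append("entry count")
    if stats["max_file"] > MAX_SINGLE_UNPACKED:
        hits.append("single file size")
    if stats["total"] > MAX_TOTAL_UNPACKED:
        hits.append("total unpacked size")
    return hits


def make_nested_zip(levels: int, inner_name: str, inner_data: bytes) -> bytes:
    """Constructed test data: wrap one file in `levels` zips, each inside the next."""
    payload, name = inner_data, inner_name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        payload, name = buf.getvalue(), f"level{i}.zip"
    return payload


def make_macro_workbook() -> bytes:
    """Constructed test data: the zip skeleton of a macro-enabled workbook (.xlsm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("zip nested 7 deep around payload.exe",
         make_nested_zip(7, "payload.exe", b"MZ" + b"\x90" * 100)),
        ("macro-enabled workbook", make_macro_workbook()),
    ]
    for label, blob in samples:
        stats = inspect_archive(blob)
        print(label, "->", triggered_checks(stats) or "within limits")
        for finding in stats["findings"]:
            print("   ", finding)
```

To triage a real attachment, pass `open(path, "rb").read()` to `inspect_archive`; an .xlsx or .xlsm can be passed as-is, since it is already a zip and needs no renaming.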
- Complete the Notification Options sections as follows:
- Policy Action: provides options such as Hold for Review, Bounce and Delete.
- Hold for Review: Holds the email and prevents it from being delivered.
- Bounce: The email is accepted and then bounced.
- Administrator visibility of held messages: specifies that Administrators can see the held messages via Mimecast Personal Portal, Mimecast Mobile and Mimecast for Outlook. The field is only displayed if the Policy Action field is set to Hold for Review.
- Notify group: notifies a group of users when the policy is triggered. Use the Lookup button to select a group.
- Notify (Internal) Sender: notifies an internal sender that the policy has been triggered.
- Notify (Internal) Recipient: notifies an internal recipient that the policy has been triggered.
- Notify (External) Sender: notifies an external sender that the policy has been triggered.
- Notify (External) Recipient: notifies an external recipient that the policy has been triggered.
- Select the Save and Exit menu item.