Creating / Changing a Suspected Malware Definition

Document created by user.oxriBaJeN4 (Employee) on Sep 12, 2015. Last modified by user.oxriBaJeN4 (Employee) on Oct 31, 2016. Version 5.

Suspected malware detection, or ZHARA (Zero Hour Adaptive Risk Assessor), is Mimecast's proprietary software which provides early detection and prevention against zero day malware and spam outbreaks. This provides protection against previously unknown threats using deep level anomaly detection and trending against the entire Mimecast customer base.

A Suspected Malware Policy is implemented by default when your Mimecast account is created. See the Default Connect Process Policies page for further information about the policies created.

Encrypted ZIP files cannot be checked, although they can be held using an Attachment Management Policy.

Suspected malware checks can be bypassed by implementing a Suspected Malware Bypass policy. Mimecast recommends implementing this policy only when regular attachments that need to be allowed through are being blocked. Bypassing the malware checks could result in a virus outbreak going undetected while signatures are being updated.

Prerequisites

To create or change a definition you must:

  • Be logged on to the Mimecast Administration Console.
  • Have access to the relevant Gateway menu item for the definition being created or changed.

Creating / Changing a Suspected Malware Definition

To create / change a suspected malware definition:

  1. Open the Gateway Policy Editor.
  2. Select the Definitions drop-down. A list of the definition types is displayed.
  3. Select the Suspected Malware definition type from the list. The list of definitions is displayed.
  4. Either select the:
    • Policy to be changed.
    • New Definition button to create a definition.
  5. Complete the Malware Definitions Settings section as follows:

    Field / Description

    Description
      Add a description for the definition.

    Suspected Malware
      If selected, emails containing the following file types are considered as suspected malware: .ZIP, .EXE, .COM, .PIF, .SCR, .CPL, .MSI.

    Dangerous Files
      If selected, emails containing the following file types are considered as dangerous: .EXE, .COM, .PIF, .SCR, .CPL, .MSI.

    Encrypted Archives
      All encrypted or password protected archive files are processed according to the selected option. Hold places messages containing these attachments on hold pending user action. Block strips the attachment and places it in the Administrative Hold queue.

    Unreadable Archives
      Provides a way for Administrators to control the handling of encrypted archives that are not supported by the archive extraction process. Attachments detected as an unsupported archive type are processed according to the selected option: Allow, Link, Hold or Block. Recognized archive types: ZIP, RAR, 7Z, GZIP, GZ, JAR, BZIP, TAR, Z (UNIX Compress).

    Scan for Disallowed Extensions Within Legacy Microsoft Office Files
      This option is enabled by default if Attachment Management is not part of the Mimecast subscription, in which case it is recommended to leave it enabled. The check offers protection against dangerous files detected within legacy Microsoft Office files.

    Scan for Microsoft Office Macros
      This option is disabled by default. The check offers protection against Microsoft Office attachments that contain macros. For detection in legacy Office files, the "Scan for Disallowed Extensions Within Legacy Microsoft Office Files" option should be enabled as well. Legacy PowerPoint files are excluded.

    Archive Limit
      Checks for the following attributes:
      • A zip file containing more than five levels of zip depth.
      • The file contains more than 20000 entries or files.
      • The maximum unpacked file size is greater than 200MB.
      • The total maximum unpacked size is greater than 2GB.
      For example, Excel files can be packaged XML files. To determine the true uncompressed size of such a file, change the extension to .zip and unpack the file.

  6. Complete the Notification Options sections as follows:

    Field / Description

    Policy Action
      This menu provides options such as Hold for Review, Bounce and Delete.
      • Hold for Review: Holds the email and prevents it from being delivered.
      • Bounce: The email is accepted and then bounced.

    Hold Type
      This field allows you to specify that Administrators are able to see the held messages via Mimecast Personal Portal, Mimecast Mobile and Mimecast for Outlook. The field is only displayed if the "Policy Action" field has a "Hold for Review" value.

    Notify Group
      Use this option to notify a group of users when the policy is triggered. Use the Lookup button to select a group.

    Notify (Internal) Sender
      Use this option to notify an internal sender that the policy has been triggered.

    Notify (Internal) Recipient
      Use this option to notify an internal recipient that the policy has been triggered.

    Notify (External) Sender
      Use this option to notify an external sender that the policy has been triggered.

    Notify (External) Recipient
      Use this option to notify an external recipient that the policy has been triggered.
  7. Select the Save and Exit menu item.
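The Archive Limit thresholds listed in step 5 can be checked on an attachment before it is submitted or released. The following is an added example, not Mimecast code, that inspects a zip and every zip nested inside it in memory against those four limits; it assumes the gateway compares against the uncompressed sizes declared in each entry's header, and it counts encrypted entries separately because, as noted above, their contents cannot be inspected.

```python
import io
import zipfile
# Archive Limit thresholds from this page; using declared (header) sizes is an assumption.
MAX_DEPTH = 5
MAX_ENTRIES = 20000
MAX_FILE_BYTES = 200 * 1024 * 1024
MAX_TOTAL_BYTES = 2 * 1024 * 1024 * 1024

def archive_stats(data, depth=1):
    """Walk a zip in memory plus every zip nested in it; nothing touches disk.
    Nested zips are decompressed only while declared size and depth are within
    limits, so over-deep or oversized archives are flagged without full unpacking."""
    stats = {"depth": depth, "entries": 0, "max_file": 0, "total": 0, "encrypted": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            stats["entries"] += 1
            stats["max_file"] = max(stats["max_file"], info.file_size)
            stats["total"] += info.file_size
            if info.flag_bits & 0x1:  # encrypted entry: contents cannot be inspected
                stats["encrypted"] += 1
            elif (info.filename.lower().endswith(".zip")
                  and info.file_size <= MAX_FILE_BYTES and depth <= MAX_DEPTH):
                inner = archive_stats(zf.read(info), depth + 1)
                stats["depth"] = max(stats["depth"], inner["depth"])
                stats["max_file"] = max(stats["max_file"], inner["max_file"])
                for key in ("entries", "total", "encrypted"):
                    stats[key] += inner[key]
    return stats

def archive_limit_violations(data):
    """Return the Archive Limit rules the attachment breaks (empty list = passes)."""
    s = archive_stats(data)
    checks = [
        (s["depth"] > MAX_DEPTH, f"zip depth {s['depth']} exceeds {MAX_DEPTH} levels"),
        (s["entries"] > MAX_ENTRIES, f"{s['entries']} entries exceeds {MAX_ENTRIES}"),
        (s["max_file"] > MAX_FILE_BYTES, f"largest entry {s['max_file']} bytes exceeds 200MB"),
        (s["total"] > MAX_TOTAL_BYTES, f"total unpacked {s['total']} bytes exceeds 2GB"),
    ]
    return [msg for hit, msg in checks if hit]

def make_nested_zip(levels, payload=b"constructed sample payload"):
    """Constructed test input: payload wrapped in `levels` zip layers."""
    data, name = payload, "payload.txt"
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "inner.zip"
    return data
```

Running `archive_limit_violations(make_nested_zip(6))` reports the depth rule, while a three-level archive passes cleanly.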