Configuring an Attachment Protection Definition

Document created by user.oxriBaJeN4 Employee on Sep 12, 2015. Last modified by user.oxriBaJeN4 Employee on May 30, 2017.
Version 19


An attachment protection definition sets the conditions under which an email attachment is considered safe, and whether action should be taken if it is considered unsafe. This guide describes how administrators can configure attachment protection definitions. Once configured, they can be applied to an Attachment Protection Policy to protect users against spear phishing and targeted attacks.

 

Best Practice Settings

 

 

When configuring your definitions, you should consider our recommended best practice settings. Where a field / option has a best practice setting, it is displayed in the "Configuring a Definition" subsections below. These are based on commonly used configurations, and can provide an optimal solution to protect you against targeted attacks via attachments. However, it is important to understand that one setting may not meet all your specific requirements. We recommend you review your environment, amending these options where necessary.

 

Configuring a Definition

 

To configure an attachment protection definition:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item.
  4. Hover over the Definitions button.
  5. Select Attachment Protection from the drop down menu. Any existing definitions are listed.
  6. Either click the:
    • New Definition button to create a definition.
    • Definition to be changed.
  7. In the Definition Narrative field, provide a description of the definition. This is kept in the archive for messages that have this definition applied.
  8. Complete the following sections as required:
    1. Inbound Settings: See the Inbound Settings section below for full details.
    2. Outbound Settings: See the Outbound Settings section below for full details.
    3. Journal Settings: See the Journal Settings section below for full details.
    The "Outbound Settings" and "Journal Settings" sections are only displayed if your account has Internal Email Protect enabled.
  9. Click on the Save and Exit button.

 

Inbound Settings

 

Field / Option: Enable Inbound Check
Description: If selected, the fields / options listed below are displayed. These can be used to protect against malicious attachments in inbound traffic. When setting up inbound checks, use a policy with the correct routing to activate this definition.
Best Practice Setting: Enabled

Field / Option: Attachment Protect Delivery Options
Description: Specify a delivery option for the definition. The options are:
  • Safe File: Transcribes vulnerable file types to a different file format to ensure they are safe.
    If selected, the "Administrator Notification" and "Admin Review Group" fields are not displayed.
  • Safe File with On-Demand Sandbox: Transcribes vulnerable file types to a different file format to ensure they are safe, and allows the user to request the original versions via the On-Demand Sandbox.
  • Preemptive Sandbox: Checks all vulnerable file types in the preemptive sandbox, before delivering the mail and attachments to the user. This is the only option available for ZDR and Metadata Only customers.
  • Dynamic Configuration: This takes the onus away from the administrator by giving control to the end user to decide whether individual users are added to a trusted list. By default, Safe File with On-Demand Sandbox is used, but for users on the trusted list, Preemptive Sandbox is used.
Best Practice Setting: Dynamic Configuration

Field / Option: Ignore Signed Messages
Description: If selected, attachment protection is not applied to digitally signed messages. This ensures the message signature remains intact, but means attachments are not security checked.
This option is not displayed if the "Attachment Protect Delivery Options" field is set to a value of "Preemptive Sandbox".
Best Practice Setting: Disabled

Field / Option: Sandbox Fallback Action
Description: Specify the action to take if an attachment cannot be processed by the preemptive sandbox. The options are:
  • Hold for Administrator Review: The email and attachment are placed in the held queue.
  • Bounce: The email and attachment are accepted, but bounced with a notification to the sender.
This option is only displayed if the "Attachment Protect Delivery Options" field is set to a value of "Preemptive Sandbox".
Best Practice Setting: Hold for Administrator Review

Field / Option: Release Forwarded Internal Attachment
Description: Controls whether any internally forwarded attachment can be released from the sandbox.
Best Practice Setting: Enabled

Field / Option: Administrator Notification
Description: Enables a group of users to be notified when an attachment is unsafe. If selected, the "Admin Review Group" field is displayed. See the Managing Groups page for full details on creating the group.
Best Practice Setting: Enabled

Field / Option: Admin Review Group
Description: Select a group of administrators, via the Lookup button, to receive notifications of any unsafe attachments.
Best Practice Setting: Select the appropriate group of users.

Field / Option: Default Transcribed Document Format
Description: Specify the default file format to be used for safe file document transcription. The options are:
  • PDF
  • TIFF: This is used if the document cannot be transcribed to the selected format.
  • Original Format
Best Practice Setting: PDF

Field / Option: Default Transcribed Spreadsheet Format
Description: Specify the default file format to be used for safe file spreadsheet transcription. The options are:
  • CSV: If selected, the "Spreadsheet Worksheet Options" field is displayed.
  • PDF
  • TIFF: This is used if the spreadsheet cannot be transcribed to the selected format.
  • Original Format
  • HTML
  • HTML Multi-Tab: This provides a .zip file that must be extracted. This value is used if the spreadsheet cannot be transcribed to the selected format.
Best Practice Setting: HTML

Field / Option: Spreadsheet Worksheet Options
Description: Specify the option to use for spreadsheets containing multiple worksheets. The options are:
  • Transcribe First Worksheet Only
  • Transcribe All Worksheets
Best Practice Setting: Transcribe All Worksheets
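
The following is an added example, not part of the original guide and not Mimecast tooling: a Python check that compares a hand-transcribed copy of a definition's inbound settings with the best practice values above, applying the table's display rules so that hidden fields are not reported. The dict layout, the function names and the sample values are assumptions made for illustration.

```python
# Added example. Field names and values are copied from the Inbound Settings
# table; the dict layout is an assumption, not a Mimecast export format.
BEST_PRACTICE = {
    "Enable Inbound Check": "Enabled",
    "Attachment Protect Delivery Options": "Dynamic Configuration",
    "Ignore Signed Messages": "Disabled",
    "Sandbox Fallback Action": "Hold for Administrator Review",
    "Release Forwarded Internal Attachment": "Enabled",
    "Administrator Notification": "Enabled",
    "Default Transcribed Document Format": "PDF",
    "Default Transcribed Spreadsheet Format": "HTML",
    "Spreadsheet Worksheet Options": "Transcribe All Worksheets",
}

def displayed_fields(s):
    """Fields the console shows for these settings, per the table's display rules."""
    if s.get("Enable Inbound Check") != "Enabled":
        return {"Enable Inbound Check"}
    shown = set(BEST_PRACTICE) | {"Admin Review Group"}
    delivery = s.get("Attachment Protect Delivery Options")
    # Ignore Signed Messages is hidden for Preemptive Sandbox; Sandbox Fallback
    # Action is shown only for it.
    shown.discard("Ignore Signed Messages" if delivery == "Preemptive Sandbox"
                  else "Sandbox Fallback Action")
    if delivery == "Safe File":
        shown -= {"Administrator Notification", "Admin Review Group"}
    if s.get("Administrator Notification") != "Enabled":
        shown.discard("Admin Review Group")
    if s.get("Default Transcribed Spreadsheet Format") != "CSV":
        shown.discard("Spreadsheet Worksheet Options")
    return shown

def audit(s):
    """Return findings for displayed fields that differ from best practice."""
    shown, findings = displayed_fields(s), []
    for field in sorted(shown & set(BEST_PRACTICE)):
        if s.get(field) != BEST_PRACTICE[field]:
            findings.append(f"{field}: {s.get(field)!r}, best practice {BEST_PRACTICE[field]!r}")
    if "Admin Review Group" in shown and not s.get("Admin Review Group"):
        findings.append("Admin Review Group: no group selected")
    return findings

# Constructed sample: best practice values with five settings changed.
SAMPLE = {**BEST_PRACTICE,
          "Attachment Protect Delivery Options": "Safe File with On-Demand Sandbox",
          "Ignore Signed Messages": "Enabled",
          "Admin Review Group": "",
          "Default Transcribed Spreadsheet Format": "CSV",
          "Spreadsheet Worksheet Options": "Transcribe First Worksheet Only"}
```

Calling `audit(SAMPLE)` returns five findings; the "Sandbox Fallback Action" value is skipped because that field is only displayed for "Preemptive Sandbox".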

 

Outbound Settings

This section is only available if you have Targeted Threat Protection: Internal Email Protect enabled on your account.
Field / Option: Enable Outbound Check
Description: If selected, the fields / options listed below are displayed. These can be used to protect against malicious attachments in outbound traffic. When setting up outbound checks, use a policy with the correct routing to activate this definition.
Best Practice Setting: Enabled

Field / Option: Gateway Action
Field / Option: Gateway Fallback Action
Description: Select the action (or fallback action) to take when a message containing an unsafe attachment is detected. A "Gateway Fallback Action" is only applied if we are unable to check a message's attachment.
  • None: The message is delivered to the recipients.
  • Hold: The message is sent to the hold queue, and not delivered to the recipients.
  • Bounce: The message is rejected, and not delivered to the recipients.
Best Practice Setting: Hold

Field / Option: User Mailbox Action
Field / Option: User Mailbox Fallback Action
Description: Select the action (or fallback action) to take on the user's mailbox when a message containing an unsafe attachment is detected. A "User Mailbox Fallback Action" is only applied if we are unable to check a message's attachment.
  • None: No action is taken on the user's mailbox. The message is delivered to the recipients.
  • Remove Attachment: The message is delivered to the user's mailbox, with the attachment removed.
  • Remove Message: The message is removed from the user's mailbox.
In non-Exchange environments automatic remediation is not supported. However, if a support journal connector is used, you can leverage detection, and through these alerts perform manual remediation.
Best Practice Setting: None. This is an initial setting, but should be reviewed periodically.

Field / Option: Enable Notifications
Description: Enables a group of users to be notified, as well as the internal sender / recipient, when an unsafe URL is found. If selected, the "Notify Group", "Internal Sender", and "Internal Recipient" fields are displayed.
Best Practice Setting: Enabled

Field / Option: Notify Group
Description: Select a group of administrators, via the Lookup button, to receive notifications of any unsafe attachments.
Best Practice Setting: Select the appropriate group of users.

Field / Option: Internal Sender
Description: If selected, a notification is sent to the message's internal sender, if an unsafe attachment is detected.
Best Practice Setting: Enabled

Field / Option: Internal Recipient
Description: If selected, a notification is sent to the message's internal recipient, if an unsafe attachment is detected.
Best Practice Setting: Enabled

 

Journal Settings

This section is only available if you have Targeted Threat Protection: Internal Email Protect enabled on your account.
Field / Option: Enable Journal Check
Description: If selected, the fields / options listed below are displayed. These can be used to protect against malicious attachments in journaled traffic.
Best Practice Setting: Enabled

Field / Option: User Mailbox Action
Field / Option: User Mailbox Fallback Action
Description: Select the action (or fallback action) to take on the user's mailbox when a message containing an unsafe attachment is detected. A "User Mailbox Fallback Action" is only applied if we are unable to check a message's attachment.
  • None: No action is taken on the user's mailbox. The message is delivered to the recipients.
  • Remove Attachment: The message is delivered to the user's mailbox, with the attachment removed.
  • Remove Message: The message is removed from the user's mailbox.
Best Practice Setting: None. This is an initial setting, but should be reviewed periodically.

Field / Option: Enable Notifications
Description: Enables a group of users to be notified, as well as the internal sender / recipient, when an unsafe attachment is found. If selected, the "Notify Group", "Internal Sender", and "Internal Recipient" fields are displayed.
Best Practice Setting: Enabled

Field / Option: Notify Group
Description: Select a group of administrators, via the Lookup button, to receive notifications of any unsafe attachments.
Best Practice Setting: Select the appropriate group of users.

Field / Option: Internal Sender
Description: If selected, a notification is sent to the message's internal sender, if there is an unsafe attachment.
Best Practice Setting: Enabled

Field / Option: Internal Recipient
Description: If selected, a notification is sent to the message's internal recipient, if there is an unsafe attachment.
Best Practice Setting: Enabled

 
