In order to analyze the content of emails, a Content Examination Definition is required. This is applied to a specific route of traffic using a Content Examination or Content Examination Bypass policy.
A content examination definition sets the conditions under which a message is considered safe, or whether action should be taken if considered unsafe. This guide describes how administrators can configure Content Examination definitions. Once configured, they can be applied to a Content Examination Policy to protect users.
Configuring a Content Examination Definition
To configure a content examination definition:
- Log in to the Administration Console.
- Click on the Administration menu item. A menu drop down is displayed.
- Click on the Gateway | Policies menu item.
- Hover over the Definitions button.
- Select Content Definitions from the drop down menu.
- Select a Folder in the hierarchy. Any existing definitions are listed.
- Either click the New Definition button to create a definition, or click the definition to be changed.
- In the Definition Narrative field, provide a description of the definition. This is kept in the archive for messages that have this definition applied.
- Complete the following sections as required:
- Policy Definition: See the Policy Definition section below for full details.
- Scanning Options: See the Scanning Options section below for full details.
- Inbound and Outbound Settings: See the Inbound and Outbound Settings section below for full details.
- Journal Settings: See the Journal Settings section below for full details.
The "Inbound and Outbound Settings" and "Journal Settings" sections are only displayed if your account has Internal Email Protect enabled.
- Click on the Save and Exit button.
Policy Definition
|Field / Option||Description|
|Description||Provide a description of the definition. This is kept in the archive for messages that have this definition applied.|
|Definition Type||Specify how the content text is matched. The options are:|
|Activation Score||Specify a value between 1 and 99 that must be reached before the content definition is triggered. This works by combining the values assigned to the text entries in the "Word / Phrase Match List" field. When the total value of matched text meets this value, the definition is triggered. For example, if the Activation Score is set to 6, the "Word / Phrase Match List" field contains three words each weighted at 2, and each word appears in the message, the activation score is reached and the definition is triggered.|
This field is not displayed if the "Definition Type" field is set to a "Reference Dictionary" value.
|Fuzzy Hash Setting||If selected, you can match files that might not be identical, but do hold a configurable level of similarity. Select the appropriate similarity value from the drop down list (80% probability is recommended). A high probability percentage lowers the chances of false positives. Ensure you have added fuzzy hashes to the "Word / Phrase Match List" using the Insert | Fuzzy Hash menu item.|
We recommend reading the Using Fuzzy Hashing with a Content Examination Definition page before using this option.
Scanning Options
|Field / Option||Description|
|Word / Phrase Match List||Use the Insert menu item to add a search term. Alternatively, the parameters can be added using the structure in the table below. See the Word Phrase Match List Parameter Details section below for further detail.|
Both the HTML and TXT parts of a message are treated as separate elements when applying a content examination definition. This means that if a trigger word is present once in a message, but is present in both parts, it scores twice. Similarly if it is present twice in both parts, it scores four times.
|Case Sensitive Match||If selected, the text entered in the "Word / Phrase Match List" field must match the text case in the message (e.g. uppercase, lowercase, or proper case). If not selected, any case is matched.|
This option only applies to standard text search terms.
|Match Multiple Words||If selected, a search is performed for repetitions of the text entered in the "Word / Phrase Match List" field. This is used in conjunction with the repetition score set for the word. For example, an entry of "1:10 notifications" searches for up to 10 matches of the word "notifications" throughout the message.|
|Scan Subject Line||If selected, the message's subject is scanned.|
|Scan Message Headers||If selected, the message's headers are scanned.|
|Scan Message Body||If selected, the message's body is scanned.|
|Scan Attachments||If selected, the message's attachments are scanned. Additionally the "Scan Binary Attachment" and "Microsoft Excel Spreadsheet Scanning" fields are displayed.|
|Scan Binary Attachment||If selected, documents are scanned for matches based upon the binary data of the file rather than the extracted text content. This option should be enabled for non-text files only (e.g. image / library files).|
Enabling this option can increase the number of false positives generated by Content Examination policies.
|Microsoft Excel Spreadsheet Scanning||Specify how Microsoft Excel file attachments are scanned. The options are:|
Word Phrase Match List Parameter Details
|Parameter||Description|
|Weight||The line must begin with the required score for that particular word or phrase.|
|Maximum Score||Allows you to set the number of occurrences in the message that should count towards triggering the definition. If an entry of 1:10 is added before the search term, Mimecast will match up to 10 instances of the search term. If 1: is entered before the search term, there is no upper limit to the score. This scoring is only used if the "Match Multiple Words" option is enabled. The combined score of the individual Weights is tallied and compared with the Activation Score. The definition is only triggered once the activation score is reached.|
|Conditions||Allows you to use the operators “required” and “exclude”. Add the word required if the match term is specifically required for the policy to trigger. If a required item is not found, the weight is set to zero and no further scoring takes place. If the word exclude is added after the weight, and the match term does exist, the weight is set to zero and no further scoring takes place. Required and exclude terms should be placed in the first line of the search term list.|
|Search Text / Phrases||Enter single words or phrases, enclosing multiple words in quotation marks (e.g. “a phrase”).|
|Regular Expressions||Precede the regular expression with “regex”. Regular expressions can be used to detect structured strings like Social Security Numbers or Credit Card Numbers in emails.|
|MD5#||Enter the “#” symbol at the beginning of the line (or following the score if relevant) followed by the MD5 hash of the attachment. The MD5 hash is a unique reference to specific file contents.|
If the attachment is known to Mimecast (i.e. Mimecast has previously processed the attachment), this checksum is located in the Transmission Data when viewing the email delivery details.
|Preconfigured Reference Dictionaries||Use the Insert | Reference Dictionary menu item to select a Reference dictionary. The entry will begin with the word “reference”, followed by the internal Mimecast reference code and dictionary name. Reference Dictionaries can be created manually, or a predefined Mimecast Managed Reference Dictionary (MMRD) can be selected.|
|Comments||Comments can be inserted by using a hash symbol (#) at the beginning of the line. These are ignored when examining the message for matches.|
Once the words or phrases have been entered into the "Word / Phrase Match List" field, additional criteria can be added to make the content matching more specific.
The use of formatted file scanning can help reduce the incidence of false positives, but at the risk of missing some content. Content examination of the header and subject of the email is separate from the body examination. However, the score is cumulative up to the optional limit. If all sections are selected, all sections are scanned, even if the limit is reached before the body / attachments are examined. This gives the sender a more accurate indication of why their message is not acceptable under the policy.
Inbound and Outbound Settings
|Field / Option||Description|
|Enable Inbound and Outbound Checks||If selected, the fields / options listed below are displayed. These can be used to protect against unsafe content in both inbound and outbound traffic.|
|Policy Action||Specify the action to be applied by the definition. The options are:|
|Hold Type||If "Hold for Review" is specified as the "Policy Action" field, this option specifies who can see the message via a Mimecast end user application. The options are:|
|Moderator Group||Specify a group of moderators who can access messages in the Moderated On Hold views via a Mimecast end user application.|
|Content Preservation (Days)||Specify how long the message remains in Mimecast before being purged. This also applies to messages held in the hold queue once the message expires from the queue.|
Leaving both options at 0 (days) doesn't affect the default content retention period set on your account.
|Metadata Preservation (Days)|
|Document Policy||If Document Services is enabled on your account, you can strip metadata from documents before they leave your organization, and convert documents to PDF, ODF, or other Word versions. This option also allows you to apply document services definitions to messages based on their content.|
|Disable Document Services||Disables Document Services if it is enabled on your account.|
|Assign to Smart Tag||Assigns a Smart Tag to the message. This field is only available if the "Disable Smart Tags" option is disabled.|
|Disable Smart Tags||If selected, the ability to add a smart tag to a message is disabled.|
|Delivery Route||Specify the delivery route to deliver messages to the next mail server. For example, if the message contains the address email@example.com, deliver it to the Call Center email server.|
|Secure Delivery||Use the Lookup button to apply a Secure Delivery Definition to add additional security to the message's delivery.|
|Encryption Mode||If the definition specified in the "Secure Delivery" field uses TLS, specify the encryption mode to use. The options are:|
|Attachment Strip and Link||If selected, the attachment(s) are removed before the message is delivered. The message contains a notification of the removal in the message's body, and a link is included to download the attachment(s).|
|Secure Messaging Override||Use the Lookup button to apply a Secure Messaging Definition to send the message via Mimecast's Secure Messaging functionality.|
|Group Carbon Copy||Use the Lookup button to send a copy of the message to a group of users.|
|Stationery Override||Use the Lookup button to apply a Stationery Layout that overrides an existing stationery policy. For example, if the phrase "new product" is in the message, apply a Stationery Layout that promotes the product.|
|Disable Stationery||If selected, stationery is not applied to any message.|
|Notify Group||Use the Lookup button to select a group of users to be notified that action must be taken on the message.|
|Notify (Internal) Sender||Notifies the internal sender, if an outbound message triggers the definition.|
|Notify (Internal) Recipient||Notifies the internal recipient, if an inbound message triggers the definition.|
|Notify Overseers||Notifies the Content Overseers that a message has triggered the definition.|
|Notify (External) Sender||Notifies the external sender, if an inbound message triggers the definition.|
|Notify (External) Recipient||Notifies the external recipient, if an outbound message triggers the definition.|
Journal Settings
When configuring your journal settings, you should consider our recommended best practice settings. Where a field / option has a best practice setting, it is displayed in the "Best Practice Setting" column below. These are based on commonly used configurations, and can provide an optimal solution to protect you against targeted attacks via attachments.
|Field / Option||Description||Best Practice Setting|
|Enable Journal Check||If selected, the fields / options listed below are displayed. These can be used to protect against unsafe content in journaled traffic.||Enabled|
|User Mailbox Action||Select the action (or fallback action) to take on the user's mailbox, if a message containing unsafe content is detected. A "User Mailbox Fallback Action" is only applied if we are unable to check a URL.|
In non-Exchange environments automatic remediation is not supported. However, if a supported journal connector is used, you can still benefit from detection and, using the resulting alerts, perform manual remediation.
This is an initial setting, but should be reviewed periodically.
|User Mailbox Fallback Action|
|Enable Notifications||Enables a group of users to be notified, as well as the internal sender / recipient, when a message containing unsafe content is found. If selected, the "Notify Group", "Internal Sender", and "Internal Recipient" fields are displayed.||Enabled|
|Notify Group||Select a group of administrators, via the Lookup button, to receive notifications of any messages containing unsafe content.||Select the appropriate group of users.|
|Internal Sender||If selected, a notification is sent to the message's internal sender, if there are any messages containing unsafe content.||Enabled|
|Internal Recipient||If selected, a notification is sent to the message's internal recipient, if there are any messages containing unsafe content.||Enabled|