Beta Information and overview
Internal Email Protect helps customer administrators to protect both internal and outbound messages from malware and sensitive content. Based on improvements to Mimecast's pooled threat intelligence and analytics capabilities, Mimecast is adding new functionality that will allow automatic remediation of newly found, zero-day attachment-based malware. Customer administrators will be able to configure Mimecast to either notify administrators, or notify and remediate messages, if the attachment of a previously delivered message becomes known as malicious. There are also manual search-based remediation functions based on either file hash (SHA256) or message ID.
Timeline and feedback
We are focused on providing an exceptional experience for our customers, so we are looking for candidates willing to participate in this beta, due to start from June 20th. Interested candidates are required to email firstname.lastname@example.org to register interest.
Known issues and limitations
There is a set of current known issues documented below. These are being addressed through the beta cycle, and will be fixed prior to release.
| Issue | Status |
|---|---|
| Messages that are encrypted are treated as suspicious, so will trigger an incident. | Fixed |
| When searching by message ID and not including the < brackets > the search result isn't displayed | Fixed |
| Messages that have been remediated that were in the hold queue or pending delivery will show as 'delivered' in the recipients tab inside the message view under the incident. | Fixed |
| 'Something went wrong' error when trying to restore a previously restored incident | Fix TBC |
| Export of results to XLS currently unavailable | Fixed |
| Page count does not update when changing search parameters on the results page | Fix TBC |
| No Log is created when a user exports data in remediation for logs and incidents | Fix TBC |
| No Search Log is created when a user searches for messages in Remediation | Fix TBC |
| No View Log is created for viewing email content in Remediation | Fix TBC |
Threat Remediation Dashboard
Once enabled on your account, the Threat Remediation dashboard will become visible, under Administration > Services > Threat Remediation.
On first view of the Threat Remediation dashboard, a 'toast' popup will prompt you to enable and configure settings.
Alternatively, click on the settings tab. On the settings screen the following options are available:
- Status: Enabled or Disabled
- Notify only: Your administrators are notified that they need to take action.
- Automatic: The identified messages are automatically removed. Your administrators are notified.
- Notification group: Directory or local group that will receive incident administrator notifications
- Exclude group from remediation: Option to exclude a group of mailboxes from the remediation process
The overview page allows administrators to see the most recent incidents and logs, while providing access to the search functionality.
Use the search function to search for instances of either a file (defined by its SHA256 hash) or by message ID. As message ID is unique to the individual message, there are no 'from' and 'to' fields. Mimecast will search against the data held in the Mimecast stores, so if the account maximum retention is 30 days, the results will span the last 30 days. Results are displayed with each recipient on one row. Clicking on the recipient will show the message slider, including the message summary and the header tab. Using the 'Remove Messages' button will prompt for a reason. The reason is then logged along with the removal incident in the Incident view.
Incidents correspond to an event and list all the matching messages, by recipient. Recorded incidents follow a specific naming convention in the format TR-XXXX-00000-X, where the first block relates to the customer account code, the second is the incremental incident number and the third indicates the action that was taken.
| Code | Action |
|---|---|
| A | Automatic: Indicates messages were removed automatically by Mimecast upon discovery of a threat |
| N | Notify only: Indicates a group of messages that match a threat found by Mimecast |
| M | Manual: Indicates manual removal of messages by an administrator, either by removing messages found with 'Notify only' or by removing messages through the search function |
| R | Restore: Indicates messages were restored due to removal error |
The log view shows actions taken against all messages in date order. The log can be searched and retains the last 30 days of actions. There's a set of filters available using the options, such as filter by action or filter by message status.
Notifications are sent to the selected administrator group configured in the settings. The notification provides the incident details, including the ID and the hash.
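The following added example (not Mimecast code) shows one way to triage incident notifications outside the console: it parses the TR-XXXX-00000-X incident ID, maps the action code, and reports file hashes whose most recent incident left the messages in mailboxes (Notify only or Restore). Assumptions: the account code is alphanumeric, the incident number is digits only, a higher number means a later incident, and the notification text layout in the sample is constructed.

```python
import re

# Action codes and meanings as listed in the incident naming table above.
ACTIONS = {"A": "Automatic", "N": "Notify only", "M": "Manual", "R": "Restore"}

# Assumption: the page gives only the template TR-XXXX-00000-X, not exact
# lengths, so any alphanumeric account code and any digit run are accepted.
INCIDENT_RE = re.compile(r"\bTR-([A-Za-z0-9]+)-(\d+)-([A-Z])\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def parse_incident(incident_id):
    """Split an incident ID into its blocks; reject unknown action codes."""
    m = INCIDENT_RE.fullmatch(incident_id.strip())
    if not m or m.group(3) not in ACTIONS:
        raise ValueError(f"not a valid incident ID: {incident_id!r}")
    return {"account": m.group(1), "number": int(m.group(2)),
            "code": m.group(3), "action": ACTIONS[m.group(3)]}


def still_delivered(notifications):
    """Return (hash, incident ID) pairs whose latest incident left messages in mailboxes."""
    latest = {}
    for text in notifications:
        m, h = INCIDENT_RE.search(text), SHA256_RE.search(text)
        if not m or not h or m.group(3) not in ACTIONS:
            continue  # unparseable notification: skip rather than guess
        key, number = h.group(0).lower(), int(m.group(2))
        if key not in latest or number > latest[key][0]:
            latest[key] = (number, m.group(3), m.group(0))
    # N = matched but not removed; R = removed earlier, then restored.
    return sorted((k, v[2]) for k, v in latest.items() if v[1] in ("N", "R"))


# Constructed sample data: placeholder hashes and an invented notification layout.
H1, H2 = "a" * 64, "b" * 64
SAMPLE = [
    f"Incident TR-C0AB-00041-N file hash {H1}",
    f"Incident TR-C0AB-00042-A file hash {H2}",
    f"Incident TR-C0AB-00043-M file hash {H1}",
    f"Incident TR-C0AB-00044-R file hash {H2}",
    "Incident TR-C0AB-00045-Z malformed entry",
]

if __name__ == "__main__":
    for file_hash, incident in still_delivered(SAMPLE):
        print(incident, parse_incident(incident)["action"], file_hash)
```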