Configure advanced file analysis filter

Steps

  1. From the section Modes, select one of the following operational modes for the filter:
    • Monitor

      Message is delivered to its recipient and a copy is sent to advanced file analysis. If analysis determines that the attachment is clean, no report is returned. If analysis determines that the attachment is malicious, the message is copied to a specified queue. A notification email can be sent regarding the analysis result. This is the default.

      Configure the corresponding filter action to ensure that the email message that triggered the filter is delivered to its recipient along with the attachment (Main > Policy Management > Actions). The default queue is the virus queue. See Managing filter actions.

    • Enforce

      Message is held in a queue until advanced file analysis is performed. If analysis determines that the attachment is clean, message processing is resumed. If analysis determines that the attachment is malicious, the email is quarantined. A notification email can be sent regarding the analysis result.

      Configure the corresponding filter action to ensure that the email message that triggered the filter is dropped and saved to a specified queue (Main > Policy Management > Actions). The default queue is the virus queue. See Managing filter actions.

      1. (Only applicable if Enforce is selected in step 1) To notify the recipient when analysis is underway, mark the check box Send enforcement notification.

        Selection displays the Notification Properties section with functionality to configure the notification email, which contains the original message as an attachment. The message attachment is handled as follows:

        • Some file types are converted to plain text (for example, .pdf, .doc/.docx, .xls/.xlsx, and .ppt/.pptx).
        • Files of other types are removed and only the filename appears in the message (for example, .exe and archive files).
      2. From the section Notification Properties, configure the email notification:

        From Sender, click the radio button that identifies the notification message sender: Administrator or Custom.

        The default is Administrator. If you select this option, you must configure a valid administrator email address on the page Settings > General > System Settings (see Setting system notification email addresses).

        Selection of Custom enables a text field to enter the sender address. If you choose this option, you can designate only one sender address.

      3. From Recipient, mark the check box for one or more message recipients: Original email recipient, Administrator, or Custom.

        The default is Administrator. If you select this option, you must configure a valid administrator email address on the page Settings > General > System Settings (see Setting system notification email addresses).

        • Selection of Custom enables a text field to enter the recipient addresses. If you choose this option, you can designate one or more recipient addresses, separated by semicolons.
        • In the text field Subject, enter the subject to be displayed when the notification is received.
        • In the text field Content, enter the text to be displayed in the notification message body.
        • From Attachment, specify whether to include the original message as an attachment to the notification message: Do not attach message or Attach analyzed message.

          The default is Do not attach message.

  2. From the section File Types, mark the check boxes for the file types that cloud-hosted Advanced Malware Detection - Cloud should find and analyze.

    To expand a top-level category, click the plus sign.

    To select all file types in a category, mark the check box for the top-level file type.

    To select all categories, mark the check box All file types at the top of the File Types list.

    This option is not available for the Advanced Malware Detection - On-Premises platform.

  3. Configure bypass options for messages that should be excluded from advanced file analysis; from the section Advanced file analysis bypass conditions, select an existing condition name or add a new condition by clicking Add.

    The Add Bypass Condition dialog box displays to configure the following settings:

    • In the text field Condition name, enter a name for each set of bypass conditions.
    • In the text field Sender email address/domain, enter an individual email address or domain.

      Use an asterisk (*) for wildcard entries and separate multiple entries with a semicolon (;).

    • In the text field Attachment filename keyword, enter a character string that is included in the attachment filename.

      Use an asterisk (*) for wildcard entries.

    • Click OK.

      The settings are saved and the new condition displays in the list of bypass conditions.
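Because every bypass condition removes messages from advanced file analysis, wildcard entries are worth reviewing for breadth before they are saved. The following is an added example, not product code: it checks a set of bypass conditions against senders and attachment names that should never be bypassed. The condition names, probe values, and the matching semantics (case-insensitive, `*` as any run of characters, sender entries compared to the full address or the domain part, keyword found anywhere in the filename) are assumptions made for this sketch.

```python
import re

# Constructed bypass conditions mirroring the dialog fields (not exported from a real system).
CONDITIONS = [
    {"name": "scanner-reports", "senders": "scanner@corp.example", "keyword": "scan_*"},
    {"name": "partners", "senders": "*@partner.example;*.example", "keyword": "*"},
    {"name": "legacy", "senders": "*", "keyword": "invoice"},
]
# Constructed probes: senders and attachment names no bypass condition should cover.
PROBE_SENDERS = ["alice@unrelated.example", "bob@other.test"]
PROBE_FILES = ["report.pdf", "setup.exe"]

def wildcard_regex(pattern):
    """Translate '*' to 'any run of characters'; every other character is literal."""
    return ".*".join(re.escape(part) for part in pattern.lower().split("*"))

def sender_matches(senders, address):
    """Assumed semantics: entries with '@' match the whole address, others the domain part."""
    address = address.lower()
    domain = address.rsplit("@", 1)[-1]
    for entry in (e.strip() for e in senders.split(";")):
        if not entry:
            continue  # an empty entry is treated as not configured
        target = address if "@" in entry else domain
        if re.fullmatch(wildcard_regex(entry), target):
            return True
    return False

def keyword_matches(keyword, filename):
    """Assumed semantics: the keyword may appear anywhere in the filename."""
    keyword = keyword.strip()
    return bool(keyword) and re.search(wildcard_regex(keyword), filename.lower()) is not None

def audit(condition):
    """Return findings for fields broad enough to cover the unrelated probes."""
    findings = []
    hit_senders = [s for s in PROBE_SENDERS if sender_matches(condition["senders"], s)]
    hit_files = [f for f in PROBE_FILES if keyword_matches(condition["keyword"], f)]
    if hit_senders:
        findings.append("sender field covers unrelated senders: " + ", ".join(hit_senders))
    if hit_files:
        findings.append("filename keyword covers unrelated attachments: " + ", ".join(hit_files))
    return findings

def audit_all(conditions=CONDITIONS):
    """Map each condition name to its list of findings."""
    return {c["name"]: audit(c) for c in conditions}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "ok")
```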

  4. (Optional) Mark the check box Bypass advanced file analysis if message size exceeds.

    In the text field, enter a message size in MB for the cloud-hosted file sandbox (default is 32), or enter a value that equals the maximum file size accepted by that appliance for Advanced Malware Detection - On-Premises.

    When this check box is marked, message size is used to determine whether advanced file analysis is bypassed.

  5. Configure additional filter settings and click OK.
    The advanced file analysis filter settings are saved. See Creating and configuring a filter action for information about configuring an action for the advanced file analysis filter.