This article describes what happens when two negative conditions are used in the same compliance policy on a Symantec Messaging Gateway appliance to create a Quarantine Incident in the "Quarantine Incidents" folder, with either "all" or "any" selected under "Which of the following conditions must be met". In this policy, the "Approved Action" is to deliver the message normally and the "Reject Action" is to delete the message.
The following explanations are taken from the online help and the Administration Guide for version 9.5.3. However, they do not make it clear that a dictionary used with the "filenames" condition needs to have both the filename AND an extension (i.e. "bob.log" and not just "bob"), even if it is used in the "filenames" condition. An enhancement request has therefore been filed to change the wording of the online help and the Administration Guide in a future version of the SMG appliance so that it reflects the actual current behavior.
The following explanation is from the online help for SMG:
(X & Y) - Groups conditions.
All of the conditions in the group appear indented under the first condition, except the first one. Grouping conditions in this way links them by the AND operator. All of the conditions in the checked groups must be met before the policy is violated. When you select Any from Which of the following conditions must be met, you can link multiple groups by the OR operator. A message must fulfill all of the conditions of one group, all the conditions of another group, or a single condition before the policy is violated.
(X), (Y) - Ungroups the conditions.
This option only applies to conditions that are indented. When you ungroup conditions, the policy is triggered when Symantec Messaging Gateway detects a match of X condition or Y condition.
------------------------------------------------------------------------------------------------------------
The following explanation is from the Administration Guide for SMG:
About negative conditions and negative rules
You can create more effective policies when you understand how negative conditions and negative rules are evaluated. Negative conditions and negative rules are the conditions and rules that consist of any of the following match verbs:
You can apply these match verbs to any of the following message parts:
A negative rule is triggered when the message part is present and contains at least one of the match verbs that you specify in the policy.
The policy is not violated when either of the following events occur:
For example, assume that you create a content filtering policy. In this policy, the action is to create an incident if the file metadata does not contain an extension from Dictionary A.
The policy is violated when both of the following events occur:
The policy is not violated if either of the following events occur:
The current behavior of SMG version 9.5.3:
How does it work for an attachment with the filename "bob.log"?
Applies To
The setup details:
Dictionary1 = contains file names and their extensions, one per line. Note: this is the correct usage of the "filename" dictionary condition.
For example:
test.txt
Dictionary2 = contains file extensions only, without file names, one per line.
For example:
log
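The following Python model is an added example, not Symantec code and not part of the original article. It evaluates two negative conditions against the dictionaries above under the "all" (AND) and "any" (OR) settings. The two conditions, the case-insensitive matching and the sample attachment names are assumptions made for illustration.

```python
# Added model of the evaluation logic; not SMG's implementation.
# Assumed policy: condition 1 = attachment file name is NOT in Dictionary1,
#                 condition 2 = attachment extension is NOT in Dictionary2.
DICTIONARY1 = {"test.txt"}  # file names with extensions (entry from the article)
DICTIONARY2 = {"log"}       # extensions only (entry from the article)


def name_not_in_dict1(filename):
    """Negative condition 1; cannot trigger when no attachment is present."""
    if filename is None:
        return False
    return filename.lower() not in DICTIONARY1  # case folding is an assumption


def ext_not_in_dict2(filename):
    """Negative condition 2; cannot trigger when no attachment is present."""
    if filename is None:
        return False
    _, dot, ext = filename.rpartition(".")
    ext = ext.lower() if dot else ""  # no dot means no extension
    return ext not in DICTIONARY2


def policy_violated(filename, mode):
    """mode 'all' links the two conditions with AND, 'any' links them with OR."""
    results = [name_not_in_dict1(filename), ext_not_in_dict2(filename)]
    if mode == "all":
        return all(results)
    if mode == "any":
        return any(results)
    raise ValueError("mode must be 'all' or 'any'")


def truth_table(filenames):
    """Return {(filename, mode): violated} for every sample under both modes."""
    return {(f, m): policy_violated(f, m)
            for f in filenames for m in ("all", "any")}


if __name__ == "__main__":
    # Constructed sample attachments; None stands for a message without one.
    samples = ["bob.log", "test.txt", "test.log", "bob.exe", None]
    for (name, mode), violated in truth_table(samples).items():
        outcome = "incident" if violated else "no incident"
        print(f"{str(name):10} {mode:4} -> {outcome}")
```

In this model, "any" raises an incident for every attachment whose name is missing from Dictionary1 or whose extension is missing from Dictionary2, so "bob.log" is caught even though "log" is listed; "all" raises one only when both are missing.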
The compliance policy setup:
The idea behind this compliance policy: