What happens when two negative conditions are used in the same compliance policy on a Symantec Messaging Gateway appliance

Article ID: 156075

Products

Messaging Gateway

Issue/Introduction

This article describes what happens when two negative conditions are used in the same compliance policy to create a Quarantine Incident in the "Quarantine Incidents" folder on a Symantec Messaging Gateway appliance, with either "all" or "any" specified in "Which of the following conditions must be met", where the "Approved Action" is "Deliver message normally" and the "Reject Action" is "Delete message".

Cause

The following explanations are taken from the on-line "help" and the Administration Guide for version 9.5.3. However, neither makes it clear that a dictionary used with the "filenames" condition needs to hold both the filename AND its extension (i.e. "bob.log", not just "bob"), even when it is used in the "filenames" condition. An enhancement request to change the wording in the on-line help and the Administration Guide to reflect the actual current behavior has therefore been filed for a future version of the SMG appliance.

The following explanation is from the online help for SMG:

(X & Y) - Groups conditions.

All of the conditions in the group appear indented under the first condition, except the first one. Grouping conditions in this way links them by the AND operator. All of the conditions in the checked groups must be met before the policy is violated. When you select Any from Which of the following conditions must be met, you can link multiple groups by the OR operator. A message must fulfill all of the conditions of one group, all the conditions of another group, or a single condition before the policy is violated.

(X), (Y) - Ungroups the conditions.

This option only applies to conditions that are indented. When you ungroup conditions, the policy is triggered when Symantec Messaging Gateway detects a match of X condition or Y condition.

------------------------------------------------------------------------------------------------------------

The following explanation is from Administration Guide for SMG:

About negative conditions and negative rules

You can create more effective policies when you understand how negative conditions and negative rules are evaluated.  Negative conditions and negative rules are the conditions and rules that consist of any of the following match verbs:

  • Does not match regular expression
  • Does not match pattern
  • Does not contain
  • Does not start with
  • Does not end with
  • Does not match exactly

You can apply these match verbs to any of the following message parts:

  • Headers
  • MIME headers
  • Body
  • Attachment

A negative rule is triggered when the message part is present and contains at least one of the match verbs that you specify in the policy.

The policy is not violated when either of the following events occur:

  • The message part is not present
  • The message part is present, but the contents do not contain at least one of the match verbs that you specify in the policy

For example, assume that you create a content filtering policy. In this policy, the action is to create an incident if the file metadata does not contain an extension from Dictionary A.  

The policy is violated when both of the following events occur:

  • The message has an attachment
  • The attachment name does not have an extension from Dictionary A

The policy is not violated if either of the following events occur:

  • The message does not have attachment
  • The message does have an attachment, but the attachment's name has an extension from Dictionary A

Resolution

The current behavior of SMG version 9.5.3:

  • The "does not contain" clause is essentially "is not" for this compliance policy, so "filename does not contain words from dictionary" is the same as "filename is not in the dictionary".
  • The "&" inside "(X & Y)" overrides the "All" setting of "Which of the following conditions must be met". This means that "If the filename does not contain words from Dictionary1" & "If the extension does not contain words from Dictionary2" with "All" stays exactly the same; using both the "&" and "All" is redundant for just two conditions. The condition is still: if the filename does not contain words from Dictionary1 & if the extension does not contain words from Dictionary2.

How does it work for an attachment with the filename "bob.log"?

  • Evaluating the first condition separately: for the Dictionary1 condition, "bob.log" is not inside "Dictionary1", which produces "FALSE". That result is negated, which is now TRUE.
  • Evaluating the second condition separately: for the Dictionary2 condition, "log" is inside "Dictionary2", which produces "TRUE". That result is negated, which is now FALSE.
  • Combining both results with the "&": TRUE & FALSE => FALSE
  • Because the result is "FALSE" when the policy needs "TRUE" to fire, this policy is not applied, so the message is delivered without triggering the policy.
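The evaluation above, written out as a small model so it can be checked against other attachment names. This is an added example, not Symantec code: it models each "does not contain words from dictionary" condition as a negated dictionary lookup, joins the two with AND when the conditions are grouped with "(X & Y)" and with OR when they are ungrouped with "(X),(Y)", and treats a message with no attachment as never violating the policy. The dictionary contents, the split of a name into "file name" and "extension" at the last dot, and exact (case-sensitive) matching are assumptions of the model.

```python
# Added example, not Symantec code: a model of how SMG 9.5.3 evaluates two
# negative "does not contain words from dictionary" conditions. Dictionary
# contents, the name/extension split and exact matching are assumptions.
from typing import Optional, Tuple

# Constructed dictionaries, matching the article's setup
DICTIONARY1 = {"test.txt"}   # file names WITH their extension, one per line
DICTIONARY2 = {"log"}        # extensions only, one per line


def split_attachment_name(attachment_name: str) -> Tuple[str, str]:
    """Return (file name, extension) as the two conditions see them.

    The file name condition is matched against the whole name ("bob.log"),
    the extension condition against the text after the last dot ("log").
    Assumption: a name without a dot has an empty extension.
    """
    if "." in attachment_name:
        return attachment_name, attachment_name.rsplit(".", 1)[1]
    return attachment_name, ""


def evaluate_policy(attachment_name: Optional[str],
                    dictionary1=DICTIONARY1,
                    dictionary2=DICTIONARY2,
                    grouped: bool = True) -> dict:
    """Evaluate the 'Two-negatives-do-not-make-a-positive' policy.

    Returns a trace dict; trace['violated'] is True when a Quarantine
    Incident would be created and False when the message is delivered.
    grouped=True models the conditions joined with "(X & Y)" (AND);
    grouped=False models them ungrouped with "(X),(Y)" (OR).
    """
    if attachment_name is None:
        # Negative conditions never fire when the message part is absent
        return {"attachment": None, "cond1": False, "cond2": False,
                "violated": False}

    name, ext = split_attachment_name(attachment_name)

    # "does not contain" behaves as "is not": evaluate the positive match,
    # then negate it for each condition separately
    cond1 = not (name in dictionary1)   # file name is not in Dictionary1
    cond2 = not (ext in dictionary2)    # extension is not in Dictionary2

    violated = (cond1 and cond2) if grouped else (cond1 or cond2)
    return {"attachment": attachment_name, "cond1": cond1, "cond2": cond2,
            "violated": violated}


def action_for(attachment_name: Optional[str], **kwargs) -> str:
    """Map the policy result onto the configured actions."""
    if evaluate_policy(attachment_name, **kwargs)["violated"]:
        return "create quarantine incident"
    return "deliver message normally"


if __name__ == "__main__":
    for name in ["bob.log", "test.txt", "bob.txt", "bob", None]:
        print(name, evaluate_policy(name), action_for(name))
    # The file name dictionary must hold the full name: a Dictionary1 entry
    # of just "bob" does not match the attachment "bob.log"
    print(evaluate_policy("bob.log", dictionary1={"bob"}))
```

Running the block reproduces the article's trace for "bob.log" (TRUE & FALSE => FALSE, message delivered) and shows the cases the article implies but does not spell out: "bob.txt" is absent from both dictionaries, so both negated conditions are TRUE and an incident is created; the same "bob.log" ungrouped with "(X),(Y)" is TRUE OR FALSE => TRUE and is quarantined; and a Dictionary1 entry of just "bob" does not match "bob.log", which is why the file name dictionary must contain the extension.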

Applies To

The setup details:

Dictionary1 = contains file names and their extensions, one per line.  Note: this is the correct usage of the "filename" dictionary condition.  

For example:

test.txt

Dictionary2 = contains file extensions only, without file names, one per line.

For example:

log

The compliance policy setup:

  • Policy name: Two-negatives-do-not-make-a-positive
  • "Track violations of this policy in the dashboard and reports" setting: checked
  • "Apply to" setting: Inbound and outbound messages
  • "Which of the following conditions must be met" setting: "All"
  • Conditions:
    • If the file name does not contain words from dictionary "Dictionary1"  &
    • If the file extension does not contain words from dictionary "Dictionary2"
      • Note: Joining (also known as "grouping") is when both conditions are used with "&" by using the "(X & Y)" button.  Keeping these two conditions separate (also known as "ungrouping") is when both conditions are used with the "(X),(Y)" button.
  • Actions:
    • "Create quarantine incident in "Quarantine Incidents"
    • "Approved Action" setting: Deliver message normally
    • "Reject Action" setting: Delete message
  • Policy Groups:
    • Choose the group from the list (e.g. "Default") to which this policy should apply.

The idea behind this compliance policy: 

  • If the result of the above is TRUE, then create a Quarantine Incident.  
  • If the result of the above is FALSE, then deliver the message to its intended recipient.