Information about the Email Threat Isolation service

Article ID: 171046

Products

Email Security.cloud Email Threat Detection and Response

Issue/Introduction

Frequently asked questions about Symantec's Email Threat Isolation service.

Resolution

  1. What is the Email Threat Isolation service?
    The URL Isolation feature executes web sessions remotely on an isolation platform. Malicious content is isolated and prevented from reaching your network or your end users' devices; only safe or sanitized content is delivered to your organization. URL Isolation uses risk level assessments to decide whether to isolate a URL. The antiphishing protection and sensitive data protection policies can also isolate risky URLs. Note that in this release, neither the risk levels nor the default policies can be modified.
     
  2. How do I configure the Email Threat Isolation service?
    - Enable both the Click-time Isolation Service and the Threat Isolation service.
    - Modify your block page content to match your organizational policy, using the default text as a guide.
    - Add common trusted domains and recipients to your whitelist (including your own domains, if appropriate).
    - Override those settings on a domain-by-domain basis as necessary.
     
  3. Should I exclude signed emails from ClickTime URL Protection?

    Symantec now recommends that DKIM-signed inbound emails not be excluded from URL rewriting. DKIM validation takes place at the MTA level, not at the endpoint, so it can be completed before the URL is rewritten and the rewriting does not break the validation. By contrast, S/MIME and PGP signatures are validated on the endpoint, so validation always takes place after rewriting, and the rewritten message no longer validates.

    Be careful to implement DKIM checking using Email Security.cloud only. You cannot perform DKIM checking on an MTA that is downstream from Email Security.cloud without breaking the signatures for the messages that contain rewritten URLs.

  4. How does the recipient protection feature work?
    You can add individual email recipients to one of two lists:

    - Protect All Users – Exclude List
      The Threat Isolation feature is enabled for all users; recipients on this list will not have their URLs rewritten.

    - Protect Specific Users – Include List
      The Threat Isolation feature is disabled by default and enabled only for recipients on the list.

  5. What happens to rewritten URLs if I disable or cancel the service?
    The URLs will not be scanned at click time and will simply proceed to the original URL.

  6. How do I know if the service is working?

    - Emails will contain rewritten URLs (note that HTML emails will show the original URL text but will point to a rewritten URL).
    - Statistics about the number of clicks and blocked URLs can be found on the CTP Incidents page and in the summary report.
    - Threat Isolation logs can be downloaded from Services > Email Threat Isolation > URL Isolation Report.

  7. What kinds of events appear in the Email Threat Isolation Report?
    Any risky URL that is clicked by an end user. Only the ‘top level’ URL is reported, not embedded or child page content.

  8. How long are Isolation logs retained?
    The retention time is 30 days.

  9. How long does it take for activity to show up in the Email Threat Isolation Report logs?
    It will take 5 minutes or less.
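The ordering point behind the DKIM question above (validate at the MTA before rewriting, because any later validation sees a modified body) can be shown with the DKIM body hash alone. This is an added illustration, not Symantec's code: it implements the RFC 6376 relaxed body canonicalization and bh= computation, and uses a constructed rewrite prefix (the service's real rewrite format is not given on this page) and a constructed message body.

```python
import base64
import hashlib
import re
from urllib.parse import quote

# Constructed stand-in for a click-time rewriting prefix (the service's real
# rewrite format is not documented on this page).
PROXY = "https://clicktime.example.invalid/?u="

def canonicalize_body_relaxed(body: str) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376 s.3.4.4): fold runs of
    whitespace to one space, strip trailing whitespace per line, use CRLF,
    and drop empty lines at the end of the body."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str) -> str:
    """The bh= value a DKIM signer computes (sha256 of the canonical body)."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode()

def rewrite_urls(body: str, proxy: str = PROXY) -> str:
    """Simplified click-time rewriting: every http(s) URL is replaced by a
    link through the isolation proxy. Any changed byte in the body changes
    the body hash, which is what invalidates the signature."""
    return re.sub(r"https?://[^\s<>]+",
                  lambda m: proxy + quote(m.group(0), safe=""), body)

def verify_then_rewrite(body: str, bh: str) -> tuple:
    """Email Security.cloud order: DKIM checked at the MTA, then rewritten."""
    return body_hash(body) == bh, rewrite_urls(body)

def rewrite_then_verify(body: str, bh: str) -> tuple:
    """Downstream order: a later MTA (or endpoint validation, as with
    S/MIME and PGP) sees only the rewritten body, so bh= no longer matches."""
    rewritten = rewrite_urls(body)
    return body_hash(rewritten) == bh, rewritten

# Constructed sample message body, as the sender's MTA signed it.
ORIGINAL_BODY = ("Hello,\r\n\r\nPlease review https://example.com/invoice.pdf"
                 "  today.\r\n\r\n")
SIGNED_BH = body_hash(ORIGINAL_BODY)   # bh= tag the sender would have emitted

if __name__ == "__main__":
    print("verify-then-rewrite passes:", verify_then_rewrite(ORIGINAL_BODY, SIGNED_BH)[0])
    print("rewrite-then-verify passes:", rewrite_then_verify(ORIGINAL_BODY, SIGNED_BH)[0])
```

A real verifier also checks the header hash and the RSA/Ed25519 signature, but the body hash mismatch alone is enough to fail the message, which is why a downstream DKIM check cannot be made to work on rewritten mail.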