Configuring rules to address unscannable and encrypted files

Article ID: 181286

Products

Mail Security for Microsoft Exchange

Resolution

A file that cannot be scanned can put your network at risk if it contains a threat. Mail Security provides the following default rules to address unscannable and encrypted files:

UFR - Scanning Limits (Unscannable File Rule for Scanning Limits)

This rule is triggered when any of the scanning limits is exceeded. You can set the scanning limits under the Policies > Scanning Limits workspace.

The default action for the Unscannable File Rule for Scanning Limits is Quarantine entire message and replace with text (By part for Store).

UFR - Malformed Files (Unscannable File Rule for Malformed Files)

This rule is triggered when Mail Security does not recognize the format of a file and is therefore unable to scan it. In such cases, the file is treated as Malformed.

The default action for the Unscannable File Rule for Malformed Files is Quarantine entire message and replace with text (By part for Store).

Encrypted File Rule

Infected files can be intentionally encrypted. Encrypted files cannot be decrypted and scanned without the appropriate decryption tool. You can configure how you want Mail Security to process encrypted container files to protect your network from threats.

The default setting for the Encrypted File Rule is to log the violation only.

These rules are always enabled.
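The following added example (not Mail Security code, and not how the product implements these rules) sorts ZIP attachments of a message into the three conditions described above and pairs each with the default action the article states. The function names, the two limit values, and the ZIP-only scope are assumptions made for illustration; the sample attachments are constructed inline.

```python
import io
import zipfile
from email.message import EmailMessage

# Default actions as stated in the article.
QUARANTINE = "Quarantine entire message and replace with text"
DEFAULT_ACTION = {"UFR - Scanning Limits": QUARANTINE, "UFR - Malformed Files": QUARANTINE,
                  "Encrypted File Rule": "Log only"}
MAX_ENTRIES, MAX_UNPACKED_BYTES = 100, 1_000_000   # assumed limits, not product defaults

def classify_zip(data):
    """Return the rule a ZIP attachment falls under, or None if it can be scanned."""
    try:
        entries = zipfile.ZipFile(io.BytesIO(data)).infolist()
    except zipfile.BadZipFile:
        return "UFR - Malformed Files"    # container structure not recognized
    if any(e.flag_bits & 0x1 for e in entries):
        return "Encrypted File Rule"      # flag bit 0 marks an encrypted entry
    if len(entries) > MAX_ENTRIES or sum(e.file_size for e in entries) > MAX_UNPACKED_BYTES:
        return "UFR - Scanning Limits"    # entry count or declared unpacked size too large
    return None

def triage(msg):
    """Map each attachment name of an EmailMessage to (rule, default action)."""
    out = {}
    for part in msg.iter_attachments():
        rule = classify_zip(part.get_payload(decode=True))
        out[part.get_filename()] = (rule, DEFAULT_ACTION.get(rule, "Scan normally"))
    return out

def make_zip(payload, encrypted=False):
    """Build a constructed sample ZIP; 'encrypted' only sets the header flag bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.index(b"PK\x01\x02") + 8] |= 0x01   # flags field of the central directory
    return bytes(raw)

def sample_message():
    msg = EmailMessage()
    msg.set_content("See attached.")
    for name, data in [("clean.zip", make_zip(b"hello")), ("locked.zip", make_zip(b"hello", True)),
                       ("big.zip", make_zip(b"\0" * 2_000_000)), ("broken.zip", b"PK\x03\x04 cut")]:
        msg.add_attachment(data, maintype="application", subtype="zip", filename=name)
    return msg

if __name__ == "__main__":
    print(triage(sample_message()))
```

With the defaults above, only the encrypted attachment passes through with a log entry, which is why the Encrypted File Rule action is the one most worth reviewing.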

To configure rules to address unscannable and encrypted files

  1. In the console on the primary navigation bar, click Policies.

  2. In the sidebar under General, click Exceptions.

  3. In the Exceptions table, select one of the following rules that you want to view or modify:

    • UFR - Scanning Limits

    • UFR - Malformed Files

    • Encrypted File Rule

  4. In the preview pane, in the Action to take list, use the drop-down menu to select the action to take when a violation is detected.

  5. In the Replacement text box, type your customized message if you want to replace the message or the attachment body with a text message.

    The default text is: Symantec Mail Security replaced %attachment% with this text message. The original file was unscannable and was %action%.

    You can use variables in your customized text.

    See Alert and notification variables

  6. Check the option Enable list of trusted domains or users if you want to enter a list of domains or email addresses.

    For each of the three rules, you can enter a list of trusted domains or users, and can set different actions for these trusted domains or users.

  7. From the Action to take drop-down menu, select an action that you want to take on the list of trusted domains or users.

  8. In the Replacement text box, type your customized message if you want to replace the message or the attachment body with a text message.

    The default text is: Symantec Mail Security replaced %attachment% with this text message. The original file was unscannable and was %action%.

  9. Check one or more of the following to send email notifications about the detection:

    • Notify administrators

      Click the down arrow and then type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:

      • Default subject line text: Administrator Alert: Symantec Mail Security detected a message with an unscannable attachment or body

      • Default message body text: Location of the message: %location% Sender of the message: %sender% Subject of the message %subject% The attachment(s) "%attachment%" was %action%. This was done due to the following Symantec Mail Security settings: Scan: %scan% Rule: %rule%

    • Notify internal sender

      Click the down arrow and then type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:

      • Default subject line text: Symantec Mail Security detected unscannable content in a message sent from your address

      • Default message body text: Subject of the message: %subject% Recipient of the message %recipient%

    • Notify external sender

      Click the down arrow and then type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:

      • Default subject line text: Symantec Mail Security detected unscannable content in a message sent from your address

      • Default message body text: Subject of the message: %subject% Recipient of the message %recipient%

      See Alert and notification variables

  10. On the toolbar, click Deploy changes to apply your changes.

    See Deploying settings and changes to a server or group

Registry keys can be used to bypass actions on unscannable malformed files. For more information, refer to the Mail Security Knowledge Base.