This article describes how Administrators can use the Mimecast Security Agent for Windows to remediate saved or downloaded attachments on end-user devices when a manual remediation event is performed.
This ensures harmful or sensitive files are not left on the user's device after the message has been removed from their mailbox.
The saved attachment remediation process is integrated into the Threat Remediation workflow.
If you have enabled the Saved Attachment Remediation option and performed a manual remediation using a file hash (SHA256) or directly from a Notify Incident that includes a file hash, you can use the Mimecast Security Agent for Windows to scan end-user devices for the attachment matching the file hash by selecting the Remove Downloaded Attachment option.
See Threat Remediation, Removing / Restoring Messages and Viewing Incidents.
Considerations
The following must be considered when remediating files using the Mimecast Security Agent for Windows:
If the file is modified after it is downloaded, its hash (SHA256) changes, so the Mimecast Security Agent for Windows can't match and delete it. For example, if the user downloads:
- A document, changes it, and saves it.
- A .ZIP file and unzips it. In this case, the hash matches the .ZIP file but not the unzipped contents.
Only the following directories and subdirectories are targeted by the Mimecast Security Agent for Windows for file removal:
- Desktop
- Documents
- Downloads
- Outlook temp
The Exclude Group From Remediation mailbox setting is not applied when using the Mimecast Security Agent for saved attachment remediation.
Prerequisites
Your Mimecast account must have the following enabled and installed:
- Mimecast Web Security with the Mimecast Security Agent for Windows v1.6 or later installed. See Mimecast Security Agent for Windows.
- Internal Email Protect Threat Remediation, with the Mimecast Security Agent device settings enabled. See the Enabling Threat Remediation section of Threat Remediation.
- A dedicated server connection. See Managing Connectors.
Remediating Saved Attachments
To perform a manual remediation with Saved Attachment Remediation support, you must:
- Enable the Saved Attachment Remediation option in the Threat Remediation Device Settings. See the Enabling Threat Remediation section of Threat Remediation.
- Select the Services | Threat Remediation dialog in the Administration Console.
- You can either:
- Search for the messages containing the harmful attachment by using a file hash (SHA256). See Identifying the File Hash. You can optionally enter a from or to email address or domain to filter the results.
- Use the Notify Incident. The option to use Saved Attachment Remediation is available if the Notify Incident includes a file hash.
- Click on the Remove Messages button once you've identified what needs remediation.
- Select the Remove Downloaded Attachment option in the confirmation dialog.
- Select one of the following options:
- Message Recipient's Device: This targets internal users (senders and recipients) who have received the message and attachment. This option is only effective if users are identified by the:
- Mimecast Security Agent for Windows via Transparent User ID.
- User being logged in to (authenticated with) the Mimecast Security Agent for Windows. See Managing Mimecast Security Agent Settings.
- All Devices With MSA: This targets all users and devices that have the agent installed, regardless of whether they are logged in or out. All devices are scanned by the Mimecast Security Agent for Windows, which locates and removes the file.
- Select a remediation time frame in the Removal Attempt For field. As end-user devices aren't always online, this option allows the Mimecast Security Agent for Windows to attempt remediation for up to two weeks.
- Enter a Reason for the remediation that is logged.
- Click on the Remove button, which initiates the following process:
- The incident type is marked as Manual+ Device in the Incidents tab. See the Incidents Tab section of
- Mimecast connects to Exchange or Microsoft 365 and removes the message with the harmful attachment.
- The Mimecast Security Agent synchronizes with Mimecast every 30 minutes and performs a scan on the end user's device. If the attachment is found, it is removed.
- If enabled, a notification is displayed on the end user's device informing them of the attachment's removal.
Identifying the File Hash
The attachment's file hash (SHA256) information is held in your Mimecast account and archive. You can identify an attachment's file hash by one of the following methods:
- Using Message Tracking or Archive Search, clicking on the attachment in the Transmission Data, and copying the file hash to the clipboard.
- If you've configured Threat Remediation to notify you, a system notification with the hash of the harmful file is sent to you.
- If you have the file on your device, you can view its SHA256 hash using:
- Windows command line.
- A third-party tool.
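As an added example (not Mimecast's or the agent's own code), the following Python computes an attachment's SHA256 and scans the targeted folders for files with the same hash, using constructed sample files to show the Considerations above: an edited document and the contents of an extracted .ZIP no longer match the original hash. The folder names and file contents are assumptions for the demonstration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def sha256_of_file(path):
    """Hex SHA256 of a file, read in chunks so large attachments are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_files_matching_hash(target_hash, roots):
    """Return files under each root (and its subdirectories) whose SHA256 equals target_hash."""
    target = target_hash.lower()
    matches = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if not path.is_file():
                continue
            try:
                if sha256_of_file(path) == target:
                    matches.append(path)
            except OSError:
                continue  # unreadable or locked file: skipped on this pass
    return sorted(matches)

def demo():
    """Constructed scenario: two saved attachments, one edited copy, one unzipped archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        downloads, documents = root / "Downloads", root / "Documents"
        downloads.mkdir(); documents.mkdir()
        # Attachment 1: a document the user saves, then edits and saves under Documents.
        invoice = downloads / "invoice.docx"
        invoice.write_bytes(b"constructed invoice content")
        (documents / "invoice-edited.docx").write_bytes(b"constructed invoice content, edited")
        # Attachment 2: a .ZIP the user extracts; the extracted file has a different hash.
        archive = downloads / "report.zip"
        with zipfile.ZipFile(archive, "w") as z:
            z.writestr("report.docx", b"constructed report content")
        with zipfile.ZipFile(archive) as z:
            z.extractall(documents / "report")
        result = {}
        for label, attachment in (("invoice", invoice), ("archive", archive)):
            hits = find_files_matching_hash(sha256_of_file(attachment), [downloads, documents])
            result[label] = [h.relative_to(root).as_posix() for h in hits]
        return result
```

Only the unmodified originals in Downloads match; the edited copy and the extracted report.docx are not found by hash, which is why a remediation can report Not Found for such files.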
Threat Remediation Device Summary
When a saved attachment is remediated using the Mimecast Security Agent for Windows, a Device Summary tab is displayed in the Threat Remediation dialog. This displays:
- The chosen Remediation option (e.g., recipient's device or all devices) with the file removal schedule's end date and time.
- A Cancel Removal button if the remediation attempt is in progress. If you have selected a removal timescale greater than two days, you may need to cancel the device remediation if you want to restore the file. You can cancel device remediation at any time before the removal attempt completes, but you won't be able to restart the removal once this happens.
- The user, device name, file path, file name, hash, and date/time.
- The file removal status, which can be:
- Removed: The file matching the hash was found and removed.
- Not Found: No file matching the hash was found.
- Found, not removed: The file matching the hash was found, but the agent was unable to delete it because it is in use. Further attempts are performed within the removal attempt schedule.
Restoring the File
If a removed message turns out to be safe, you can manually restore it to the user's mailbox. See Removing / Restoring Messages.
To restore the file to the device only, download it from the Administration Console and share it with the user.