This article contains information on configuring an Attachment Management Definition in Mimecast, including defining rules for file extensions, handling encrypted and unreadable archives, setting notifications, and managing content types for secure email attachment processing.
The Attachment Management Policy scans email attachments and takes action according to their file extension. If the file extension is on the blocked list, the attachment is held; if it is on the allow list, the attachment is released. This page describes how to configure an Attachment Management Definition.
To configure an Attachment Management Set definition:
- Log in to the Mimecast Administration Console.
- Select the Policies | Gateway Policies menu item.
- Click on the Definitions drop-down.
- Select the Attachment Sets definition type from the list.
- Click on a Folder in the navigator where the definition exists or will be placed.
You cannot create a definition in the Root folder.
- Click on either the:
  - Definition to be changed.
  - New Attachment Set Definition button to create a definition.
- Complete the General Properties as follows:
| Field / Option | Description |
|---|---|
| Description | Enter a description for the definition that distinguishes it from other attachment set definitions. |
| Default Block / Allow | Controls whether the Deny or Allow column is displayed in the Content Types section. When the definition is saved, an icon in the list of definitions indicates the chosen value. When the "Allow" file types setting is selected, a further option is displayed to block the content of the dangerous file list. This allows only the specified file types, but overrides the allow with a block if the file type is on the Mimecast dangerous file type list. The check box is only surfaced when the Allow option is selected in the definition. The tooltip reads: "When selected, the files on the Mimecast dangerous file list will be blocked unless explicitly allowed in the attachment set." |
| Allow Auto Updates | If selected, any updates we make to the default list of dangerous file types are automatically applied to your policies. This ensures your policy is using the most up-to-date list of dangerous file extensions and providing the most effective protection possible. See the Email Security Cloud Gateway - Dangerous File Type page for further details. This option is only displayed if the Description field has the value "Default Attachment Management Definition - Block Dangerous File Types". |
| Pornographic Image Setting | Specify a percentage likelihood that an image file contains pornography. We compare the image to others known to contain a security risk. If the chance of the image containing pornographic images matches the specified percentage value, the message is held in the administrator held queue. |
| QR Code Image Setting | Specify a percentage likelihood that an image contains QR codes. The pixels within the image are compared to others known to contain a security risk. If the chance of the image containing QR codes matches the specified percentage value, the message is held in the administrator held queue. |
| Encrypted Archives | Controls how encrypted or password-protected archive files are processed. The possible values are: • For Strip and Link Encrypted Attachments to be enabled, this must be set to Allow. • To allow decrypted and non-malicious archives through, set the attachment management definition option for Encrypted Archives to Hold, and then enable the check box option Allow if decrypted and not malicious. • To make sure that passwords generated internally are discoverable by auto-decrypt, we recommend using only alphanumeric characters "a-zA-Z0-9". |
| Unreadable Archives | Controls the handling of unencrypted archives that fail to be extracted correctly. The field has the same options as the "Encrypted Archives" field. |
| Encrypted Documents | Controls how password-protected Office files (e.g., .DOCX, .XLSX) are processed. The field has the same options as the "Encrypted Archives" field. • For Strip and Link Encrypted Attachments to be enabled, this must be set to Allow. • To allow decrypted and non-malicious archives through, set the attachment management definition option for Encrypted Archives to Hold, and then enable the check box option Allow if decrypted and not malicious. • To make sure that passwords generated internally are discoverable by auto-decrypt, we recommend using only alphanumeric characters "a-zA-Z0-9". |
| Scan for Disallowed Extensions Within Legacy Microsoft Office Files | If selected, legacy Microsoft Office attachments are scanned for embedded files (e.g., embedded .BAT files in a Word document). |
| Note | If your file extensions are not listed in the Mimecast default list, Mimecast engineers can add them for you. Log a support case and send them an Excel file listing the file extensions to be added. |
- Complete the Hold/Block Notification Options as follows:
| Field / Option | Description |
|---|---|
| Hold Type | Controls whether held messages in the Mimecast Personal Portal and Mimecast for Outlook on hold queue are restricted. For Data Leak Prevention (DLP) reasons, a user can't release outbound items that were placed On Hold due to content examination. |
| Moderator Group | Specify a group of moderators via the Lookup button to notify them that the policy has been triggered. This field is not displayed if the "Hold Type" field is set to "Administrator". |
| Notify Group | Specifies a group of users via the Lookup button to notify them that the policy has been triggered. |
| Notify (Internal) Sender | If selected, the sender is notified if an internal message they send triggers a policy. |
| Notify (External) Sender | If selected, the sender is notified if an external message they send triggers a policy. |
| Notify (Internal) Recipient | If selected, the recipient is notified if an internal message they receive triggers a policy. |
| Notify (External) Recipient | If selected, the recipient is notified if an external message they receive triggers a policy. |
| Notify Overseers | If selected, users configured by a Content Overseers policy are informed when the policy is triggered. |
- Complete the Content Types as follows. Each file extension has the following options:
| Field / Option | Description |
|---|---|
| LFS Override | If selected, and Large File Send is enabled for your account, Large File Send takes preference over the Deny, Hold, and Link settings. |
| Deny | If selected, all messages containing attachments whose total size exceeds the value specified in the "Size(KB)" field are denied. The files are stripped and replaced with a substitute file, which informs the recipient that the attachment was removed and to contact their administrator. If a value of "0" is specified, all attachments of the specified content type are denied. |
| Allow | If selected, all messages containing attachments whose total size exceeds the value specified in the "Size(KB)" field are allowed. If a value of "0" is specified, all messages with attachments regardless of the file size are allowed. |
| Hold | If selected, all messages containing attachments whose total size exceeds the value specified in the "Size(KB)" field are held. If a value of "0" is specified, all attachments of the specified content type will be Held. |
| Link | If selected, all messages containing attachments whose total size exceeds the value specified in the "Size(KB)" field are replaced by links. If a value of "0" is specified, all attachments of the specified content type will be replaced with a link. |
| Notify (Internal) Recipient | If selected, the recipient is notified if an internal message they receive triggers a policy. |
- Click on the Save and Exit button.
.eml extensions cannot be blocked with attachment management.
In the Attachment Sets definition, if "Allow Specified Content Types (Block or Link All Others)" is selected then a new check box option is displayed "Blocked Dangerous File Types".
Checking this new option will result in the files on the Mimecast dangerous file list to be blocked unless explicitly allowed by the attachment set.
By default, the new option will be off so that there is no impact on existing attachment sets.
Examples of how this might be used are provided below.
Example 1: Wildcard with Dangerous Files Blocked
Configuration:
- ext=all for mime=text/plain is set to Allow.
- "Allow Specified Content Types" is selected.
- "Block Dangerous File Types" is checked.
Result:
- The email will be blocked if it contains a dangerous file, as defined on the Mimecast dangerous file list.
Example 2: Explicit Override of Wildcard
Configuration:
- ext=bat for mime=text/plain is explicitly set to Allow.
- "Allow Specified Content Types" is selected.
- "Block Dangerous File Types" is checked.
Result:
- Cloud Gateway will adhere to the explicit configuration for .bat files and apply the specified allow action for those files, overriding the blocking behavior of ext=all.
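The precedence described in the two examples (wildcard allow, dangerous-file block, explicit extension override) can be modelled to check what a definition will do to a given attachment before it is deployed. This is an added illustration, not Mimecast code: the dangerous file list is a constructed stand-in, and treating unlisted types as blocked in "Allow Specified Content Types" mode is an assumption taken from that option's name.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the Mimecast dangerous file list (an assumption, not the real list)
DANGEROUS_EXTS = {"bat", "exe", "vbs", "js"}


@dataclass
class Rule:
    ext: str      # file extension, or "all" for the wildcard entry
    mime: str     # MIME type the entry belongs to
    action: str   # "allow", "deny", "hold" or "link"


@dataclass
class AttachmentSet:
    allow_specified: bool            # "Allow Specified Content Types (Block or Link All Others)"
    block_dangerous: bool = False    # "Block Dangerous File Types" check box
    rules: list = field(default_factory=list)


def find_rule(aset, ext, mime):
    """An explicit extension entry beats the ext=all wildcard for the same MIME type."""
    explicit = [r for r in aset.rules if r.mime == mime and r.ext == ext]
    wildcard = [r for r in aset.rules if r.mime == mime and r.ext == "all"]
    return (explicit or wildcard or [None])[0]


def evaluate(aset, filename, mime):
    """Return the action the definition takes for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    rule = find_rule(aset, ext, mime)
    if rule is None:
        # Unlisted type: allow-specified mode blocks all others (assumed), block-specified mode lets it through
        return "block" if aset.allow_specified else "allow"
    if (rule.ext == "all" and rule.action == "allow" and aset.allow_specified
            and aset.block_dangerous and ext in DANGEROUS_EXTS):
        return "block"   # Example 1: a wildcard allow does not rescue a dangerous file type
    return rule.action   # Example 2: an explicit ext=bat allow overrides that block


if __name__ == "__main__":
    wildcard_set = AttachmentSet(True, True, [Rule("all", "text/plain", "allow")])
    explicit_set = AttachmentSet(True, True, [Rule("all", "text/plain", "allow"),
                                              Rule("bat", "text/plain", "allow")])
    print(evaluate(wildcard_set, "run.bat", "text/plain"))   # block
    print(evaluate(explicit_set, "run.bat", "text/plain"))   # allow
```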
Filtering the Content Types List
To filter the file extensions listed in the Content Types section:
- Click the View toolbar button.
- Click on one of the following menu items:
  - View Common Extensions.
  - View Dangerous Extensions.
  - View Base Extensions.
  - View Mime Extensions.