This article contains information on configuring a Content Examination definition, including steps, parameter details, scanning options, policy overrides, notification settings, and examples for administrators to manage content policies effectively.
For details on configuring a Content Examination policy, see Content Examination - Policy.
Configuring a Content Examination Definition
You can configure a content examination definition by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Gateway | Policies.
- Click on Definitions.
- Select Content Definitions from the drop-down menu.
- Select a Folder in the hierarchy. You cannot create a definition in the Root folder.
- Either click on the:
  - New Content Definition button to create a definition.
  - Definition to be changed.
- Describe the definition in the Definition Narrative field. This is kept in the archive for messages that have this definition applied.
- Complete the Policy Definitions section as required:
Field / Option | Description |
---|---|
Description | Describe the definition. This is kept in the archive for messages that have this definition applied. |
Definition Type | Specify how the content text is matched. The options are: • Independent Content Definition: The content is matched directly as listed in the Word / Phrase Match List field. • Reference Dictionary: The content is matched against a predefined set of text entries. This option allows you to create a dictionary that multiple content definitions can reference. |
Activation Score | Specify a value between 1 and 99 that must be reached before the content definition is triggered. This works by combining the value assigned to text in the Word / Phrase Match List field. When the total value of matched text meets this value, the definition is triggered. For example, if the Activation score is set to 6, and there are three words in the Word / Phrase Match List field, each weighted at 2, and each word appears in the message, the activation score is reached, and the definition is triggered. This field is not displayed if the Definition Type field is set to a Reference Dictionary value. |
Fuzzy Hash Setting | If selected, you can match files that might not be identical but hold a configurable similarity level. Select the appropriate similarity value from the drop-down list (80% probability is recommended). A high probability percentage lowers the chances of false positives. Use the Insert \| Fuzzy Hash menu item to add fuzzy hashes to the Word / Phrase Match List. See the Content Examination Fuzzy Hashes page for full details. |
- Complete the Scanning Options section as required:
Field / Option | Description |
---|---|
Word / Phrase Match List | Use the Insert menu item to add a search term to search for that specific text only, or use parameters to meet more complex search requirements. For further details, see Word Phrase Match List Parameter Details. A message's HTML and TXT parts are treated as separate elements when applying a content examination definition. This means that if a trigger word is present once in a message but is present in both HTML and TXT parts, it scores twice. Similarly, if it is present twice in both parts, it scores four times. |
Case Sensitive Match | If selected, the entered text in the Word / Phrase Match List field must match the text case in the message (e.g., uppercase, lowercase, or proper case). If not selected, any case is matched. Case sensitivity will apply to all terms. |
Match Multiple Words | If selected, a search is performed for repetitions of the text entered in the Word / Phrase Match List field. This is used in conjunction with a repetition scoring for the word. For example, a "1:10 notifications" entry searches for 10 matches of the word "notifications" throughout the message. By default, the Content Examination definition looks for repeat instances of a term in different message parts (header, body, etc.) depending on the scanning options selected. For example, if looking for a word with the Scan Subject Line and Scan Message Body options selected, the definition looks for multiple instances of the word in the subject and multiple instances in the body. |
Scan Subject Line | If selected, the message's subject is scanned. |
Scan Message Headers | If selected, the message's message header is scanned. |
Scan Message Body | If selected, the message's message body is scanned. |
Scan Attachments | If selected, the message's attachments are scanned. Additionally, the Scan Binary Attachment option is displayed. Excel extraction is always Formatted Extraction unless the Binary Attachment option is selected. |
- Complete the Policy Override Options of the Inbound and Outbound Settings section as required:
Field / Option | Description |
---|---|
Enable Inbound and Outbound Checks | If selected, the fields/options listed below are displayed. These can be used to protect against unsafe content in both inbound and outbound traffic. Only inbound traffic is checked using the settings in the Scanning Options in step 10 if unselected. |
Policy Action | Specify the action to be applied by the definition. The options are: • None: No action is taken. • Hold for Review: The message is sent to the hold queue and not delivered to the recipients. • Delete: The message is purged from the delivery queue but retained for auditing purposes. It is referenced as a hard bounce in the message's delivery information. For further details, see Bounced Messages. • Bounce: The message is rejected, and not delivered to the recipients. A notification is sent with the reason, Message bounced due to Content Examination Policy. See Bounced Messages. |
Hold Type | If Hold for Review is specified in the Policy Action field, this option specifies who can see the message via a Mimecast end-user application. The options are: • User: Users can see the message in their Personal On Hold view. • Moderator: Moderators can see the message in the Moderated On Hold view. The group of moderators is specified in the Moderator Group field. • Administrator: Messages can be viewed by administrators only. |
Moderator Group | Specify a group of moderators who can access messages in the Moderated On Hold views via a Mimecast end-user application. |
Content Preservation (Days), Metadata Preservation (Days) | Specify how long the message remains in Mimecast before being purged. This also applies to messages held in the hold queue once the message expires from the queue. Leaving both options at 0 (days) doesn't affect your account's default content retention period. |
Document Policy | If Document Services is enabled on your account, you can strip metadata from documents before they leave your organization, and convert documents to PDF, ODF, or other Microsoft Word versions. This option also allows you to apply document services definitions to messages based on their content. |
Disable Document Services | Disables Document Services if it is enabled on your account. |
Assign to Smart Tag | Assigns a Smart Tag to the message. This field is only available if the Disable Smart Tags option is disabled. |
Disable Smart Tags | If selected, adding a Smart Tag to a message is disabled. |
Delivery Route | Specify the delivery route to deliver messages to the next mail server. For example, if the message contains the address orders@domain.com deliver it to the Call Center email server. |
Secure Delivery | Use the Lookup button to apply a Secure Delivery policy to add additional security to the message's delivery. |
Encryption Mode | If the definition specified in the Secure Delivery uses TLS, specify the encryption mode to use. The options are: • Strict: This is a trust-enforced mode and requires a public certificate. This is the recommended option. • Relaxed Mode: This requires a self-signed certificate. |
Attachment Strip and Link | If selected, the Attachment Management Policy field appears. How attachments are handled depends on how the selected Attachment Management Policy has been set up. You must also select an Attachment Management Policy, or you will see an alert on saving "Please select an Attachment Management Policy if you have chosen to remove the attachment and add it as a downloadable link." |
Attachment Management Policy | Appears if Attachment Strip and Link has been selected. Use the Lookup button to apply an Attachment Management Policy. Select an Attachment Management Policy that is configured to: • Deny: The attachment(s) are removed before the message is delivered. The message contains a notification of the removal in the message's body, and a link is not included to download the attachment(s). • Link: The attachment(s) are removed before the message is delivered. The message contains a notification of the removal in the message's body, and a link is included to download the attachment(s). • Hold: The message is placed in a hold queue, and users / groups are notified, as specified. |
Secure Messaging Override | Use the Lookup button to apply a Secure Messaging policy to send the message via Mimecast's Secure Messaging functionality. |
Group Carbon Copy | Use the Lookup button to send a copy of the message to a group of users. |
Stationery Override | Use the Lookup button to apply a Stationery Layout that overrides an existing stationery policy. For example, if the phrase "new product" is in the message, apply a Stationery Layout that promotes the product. |
Disable Stationery | If selected, Stationery is not applied to any message. |
- Complete the Notification Options of the Inbound and Outbound Settings section as required:
Field / Option | Description |
---|---|
Notify Group | Use the Lookup button to select a group of users to be notified that action must be taken on the message. |
Notify (Internal) Sender | Notifies the internal sender if an outbound message triggers the definition. |
Notify (Internal) Recipient | Notifies the internal recipient if an inbound message triggers the definition. |
Notify Overseers | Notifies the Content Overseers that a message has triggered the definition. |
Notify (External) Sender | Notifies the external sender if an inbound message triggers the definition. |
Notify (External) Recipient | Notifies the external recipient if an outbound message triggers the definition. |
- Complete the Journal Settings section as required. This section is only available if you have Targeted Threat Protection - Internal Email Protect enabled on your account.
When configuring your journal settings, consider our recommended best practice settings. These are based on commonly used configurations and can provide an optimal solution to protect you against targeted attacks via attachments.
Field / Option | Description |
---|---|
Enable Journal Check | If selected, the fields/options listed below are displayed. These can be used to protect against unsafe content in journaled traffic. |
User Mailbox Action, User Mailbox Fallback Action | Select the action (or fallback action) to take on the user's mailbox if a message containing unsafe content is detected. A User Mailbox Fallback Action is only applied if we cannot check a URL. • None: No action is taken on the user's mailbox, and the message is delivered to the recipients. • Remove Message: The message containing unsafe content is removed from the user's mailbox. |
Enable Notifications | Enables notification of a group of users and the internal sender/recipient when a message containing unsafe content is found. If selected, the Notify Group, Internal Sender, and Internal Recipient fields are displayed. |
Notify Group | Click the Lookup button to select a group of administrators to receive notifications of any messages containing unsafe content. |
Internal Sender | If selected, a notification is sent to the message's internal sender if any messages contain unsafe content. |
Internal Recipient | If selected, a notification is sent to the message's internal sender if any messages contain unsafe content. |
- Click on Save and Exit.
- Apply the definition to a Content Examination policy.
Word Phrase Match List Parameter Details
Once the words or phrases have been entered into the Word / Phrase Match List field, additional criteria can be added to make the content matching more specific.
Using formatted file scanning can help reduce the incidence of false positives, but at the risk of missing some content. Content examination of the header and subject of a message is separate from the body examination. However, the score is cumulative up to the optional limit. If all sections are selected, all sections are scanned, even if the limit is reached before examining the body/attachments. This gives the sender a more accurate indication of why their message is unacceptable per the policy.
Parameter | Description |
---|---|
Weight | The line must begin with the required score for that particular word or phrase. A negative weight can be given to reduce the hit count if that entry is found. Examples: 1 "the quick brown fox jumped over the lazy dog" 1 regex (Beginning of the "really important" information) |
Max Score | Allows you to set the maximum number of occurrences that a word in the message should trigger the definition. For example, if a "1:13 index fish" entry is specified, Mimecast would match up to 13 instances of the word "fish," with each instance scoring 1. If "1:" is entered before the search term, there is no upper limit to the score. This scoring is only used if the option Match Multiple Words is enabled. The combined score of the individual Weights is tallied and matched to the Activation Score, with the definition only triggered once the Activation Score is reached. |
Conditions | Allows you to use the operators "required" and "exclude." Add the word required if the match term is specifically required for the policy to trigger. The weight is zero if a required item is not found and no further scoring occurs. If the word "exclude" is added after the weight, and the match term exists, the weight is set to zero, and no further scoring occurs. "required" and "exclude" terms need to be placed above all other terms to be considered. |
Search Text / Phrases | To search for a word phrase, enclose the phrase in double quotes. Example: The search phrase " " |
Regular Expressions | Precede the regular expression with “ followed by the regex search string. Mimecast is not able to create regex strings for our customers. |
MD5# | Enter "hash" at the beginning of the line (or following the score if relevant) followed by the MD5 code of the attachment. The MD5# is a unique reference given to specific file contents. Example: |
Preconfigured Reference Dictionaries | Use the Insert \| Reference Dictionary menu item to select a Reference Dictionary. The entry will begin with the word "reference", followed by the internal Mimecast reference code and dictionary name. Reference Dictionaries can be created manually, or a predefined Mimecast Managed Reference Dictionary (MMRD) can be selected. |
Comments | Comments can be inserted using a hash symbol "#" at the beginning of the line. These are ignored when examining the message for matches. |
Word Phrase Match List Parameter Examples
Search Parameters | Examples |
---|---|
Weight : [ maxscore ] [ search text ] | 4:1 “Company Confidential” |
Weight [ required ] [ search text ] | 1 required “Project X” |
Weight [ exclude ] [ search text ] | 0 exclude “Tax exemption” |
Weight [ # ] [ MD5# ] | 1 hash 9EBD30E761ED4FF770A90DDBD5CB4190 Confidential.PDF |
Weight [ regex ] [ regular expression ] | 1 regex ssn ([^0-9-]|^)([0-9]{3}-[0-9]{2}-[0-9]{4})([^0-9-]|$) |
The supported regex grammars are Java, RE2 (Golang) and PCRE.
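The following Python sketch is an added example, not Mimecast code: it parses a constructed Word / Phrase Match List and models the weight, max score, required, exclude and Activation Score rules described above, so you can see how scanning both the TXT and HTML parts doubles a score. It assumes the occurrence cap applies per scanned part and that required / exclude entries are listed first; hash and reference entries are not modelled.

```python
import re

# Approximate model of the scoring rules described above; not Mimecast's engine.
ENTRY = re.compile(r'^(-?\d+)(?::(\d*))?\s+(?:(required|exclude)\s+)?(regex\s+)?(.+)$')

def parse_match_list(text):
    """Parse 'weight[:max] [required|exclude] [regex] term' lines, skipping # comments."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unparseable entry: {line!r}")
        weight, cap, cond, is_regex, term = m.groups()
        term = term.strip().strip('"“”')
        # No ':' -> count once; 'N:' with nothing after -> unlimited (None); 'N:M' -> M.
        limit = 1 if cap is None else (int(cap) if cap else None)
        entries.append((int(weight), limit, cond, term if is_regex else re.escape(term)))
    return entries

def score(entries, parts, activation, case_sensitive=False, match_multiple=True):
    """Return (total, triggered); `parts` is the list of scanned texts (subject, TXT, HTML)."""
    flags = 0 if case_sensitive else re.IGNORECASE
    total = 0
    for weight, limit, cond, pattern in entries:
        cap = limit if match_multiple else 1  # ASSUMPTION: the cap applies per scanned part
        counted = found = 0
        for part in parts:  # parts are scanned separately, so TXT and HTML both score
            hits = len(re.findall(pattern, part, flags))
            found += hits
            counted += hits if cap is None else min(hits, cap)
        if (cond == "required" and not found) or (cond == "exclude" and found):
            return 0, False  # score forced to zero, no further scoring
        if cond != "exclude":
            total += weight * counted
    return total, total >= activation

# Constructed sample list and message parts (not taken from a real tenant).
SAMPLE_LIST = '''# DLP test list
0 exclude "Tax exemption"
1 required "Project X"
4:1 "Company Confidential"
1: budget
-2 "press release"
'''
TXT = "Project X budget: Company Confidential. Budget review Friday."
HTML = "<p>Project X budget: Company Confidential. Budget review Friday.</p>"
```

With an Activation Score of 6, the TXT part alone scores 7, while the same text scanned as both TXT and HTML scores 14, which is worth accounting for when choosing thresholds.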