Policies - Suspected Malware

This article contains information on configuring Suspected Malware Policies and Definitions in Mimecast, including early detection of zero-day threats, policy actions, notification options, and considerations for bypassing malware checks or handling encrypted files.

Suspected Malware policies are driven by Zero Hour Adaptive Risk Assessor (ZHARA), our proprietary software that provides early detection and prevention against zero-day malware and spam outbreaks. It protects against previously unknown threats using deep-level anomaly detection and trending across our entire customer base.

Considerations

Consider the following before configuring a definition or policy:

  • A default Suspected Malware policy is created when your Mimecast account is created. See the Out of the Box Settings for Mimecast Email Security page for further information.
  • You can bypass malware checks with a Suspected Malware Bypass policy. This should only be implemented if legitimate attachments that should be allowed through are being blocked. Bypassing Suspected Malware checks can result in undetected virus outbreaks while signatures are being updated. See the Configuring Suspected Malware Bypass Policies page for further details.
  • Encrypted ZIP files cannot be checked, although they can be held using an Attachment Management policy.

Configuring a Suspected Malware Definition

To configure a Suspected Malware definition:

  1. Log in to the Mimecast Administration Console.
  2. Select the Policies | Gateway Policies menu item.
  3. Click on the Definitions button.
  4. Click on the Suspected Malware definition type from the list.
  5. Either click on the:
    • Definition to be changed.
    • New Definition button to create a definition.
  6. Complete the Malware Definitions Settings section as follows:

    If you have Attachment Management enabled on your Mimecast account, leave the Dangerous Files, Encrypted Archives, Unreadable Archives, and Scan for Disallowed Extensions options unchecked. The existing Attachment Management policy already covers these four options.

Field / Option: Description
Description: Add a description for the definition.
Suspected Malware: If selected, messages containing an archived file format (e.g., .ZIP) that contains one or more of the following file types are considered suspected malware: .PIF, .EXE, .COM, .SCR, .CPL, .MSI.
Dangerous Files: If selected, messages containing any of the file types listed on the What is a Dangerous File Type? page are considered dangerous.
Encrypted Archives: All encrypted or password-protected archive files are processed according to the selected option. Hold places messages containing these attachments on hold pending user action. Block strips the attachment and places it in the held queue.
Unreadable Archives: Provides a way to control the handling of encrypted archives not supported by the archive extraction process. Attachments found to be an unsupported archive type are processed according to the selected option (Allow / Link / Hold / Block). The archive types listed for this option are: .ZIP, .RAR, .7Z, .Z (UNIX Compress), .GZ, .JAR, .BZIP.
Scan for Disallowed Extensions Within Legacy Microsoft Office Files: This option is enabled by default if Attachment Management is not part of your Mimecast subscription. In that scenario, we recommend it is left enabled. The check offers protection against dangerous files detected in legacy Microsoft Office extensions.
Scan for Microsoft Office Macros: This option is disabled by default. The check offers protection against Microsoft Office attachments that hold macros. The "Scan for Disallowed Extensions Within Legacy Microsoft Office Files" option must also be enabled for detection in legacy Microsoft Office files. Legacy Microsoft PowerPoint files are excluded.
Archive Limit: Checks for the following attributes:
  • A zip file containing more than five levels of zip depth.
  • The file contains more than 20000 entries or files.
  • The maximum unpacked file size is greater than 200MB.
  • The total maximum unpacked size is greater than 2GB.
For example, Excel files can be packaged as XML files. To determine the true uncompressed size of such a file, change the extension to .ZIP and unpack it.

  7. Complete the Notification Options section as follows:
Field / Option: Description
Policy Action: This menu provides options such as Hold for Review, Bounce, and Delete.
  • Hold for Review: Holds a message and prevents it from being delivered.
  • Bounce: A message is accepted and then bounced.
Hold Type: Specifies that Administrators are able to see the held messages via Mimecast's end user applications. This field is only displayed if the Policy Action field is set to Hold for Review.
Notify Group: Use this option to notify a group of users when the policy is triggered. Use the Lookup button to select a group.
Notify (Internal) Sender: Use this option to notify an internal sender that the policy has been triggered.
Notify (Internal) Recipient: Use this option to notify an internal recipient that the policy has been triggered.
Notify (External) Sender: Use this option to notify an external sender that the policy has been triggered.
Notify (External) Recipient: Use this option to notify an external recipient that the policy has been triggered.
  8. Click on the Save and Exit button.
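The Archive Limit and Suspected Malware checks in the definition settings above look at nested zip depth, entry count, unpacked sizes, and executable file types inside archives. The following Python script, an added example that is not part of this article or of Mimecast's own software, inspects an archive locally against the thresholds stated on this page, so an administrator can predict whether a held attachment would trip these checks. It uses only the standard library; `build_zip` constructs sample input and is assumed for demonstration only.

```python
import io
import os
import zipfile

# Thresholds stated on this page for the Archive Limit check.
MAX_DEPTH, MAX_ENTRIES = 5, 20000
MAX_FILE_SIZE, MAX_TOTAL_SIZE = 200 * 1024**2, 2 * 1024**3
# Extensions the Suspected Malware check flags when found inside an archive.
SUSPECT_EXTS = {".pif", ".exe", ".com", ".scr", ".cpl", ".msi"}

def inspect_archive(data: bytes) -> dict:
    """Walk a ZIP and its nested ZIPs in memory using central-directory metadata
    only. Caveat: declared sizes come from headers; the gateway verifies by unpacking."""
    r = {"depth": 0, "entries": 0, "max_file": 0, "total": 0,
         "suspect": [], "encrypted": False}

    def walk(blob: bytes, depth: int) -> None:
        r["depth"] = max(r["depth"], depth)
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                r["entries"] += 1
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    r["encrypted"] = True  # cannot be checked, as the page notes
                    continue
                r["max_file"] = max(r["max_file"], info.file_size)
                r["total"] += info.file_size
                ext = os.path.splitext(info.filename)[1].lower()
                if ext in SUSPECT_EXTS:
                    r["suspect"].append(info.filename)
                if ext == ".zip" and depth <= MAX_DEPTH:  # go one level past the limit
                    walk(zf.read(info), depth + 1)

    walk(data, 1)
    checks = [(r["depth"] > MAX_DEPTH, "zip depth exceeds 5 levels"),
              (r["entries"] > MAX_ENTRIES, "more than 20000 entries"),
              (r["max_file"] > MAX_FILE_SIZE, "single unpacked file over 200MB"),
              (r["total"] > MAX_TOTAL_SIZE, "total unpacked size over 2GB"),
              (bool(r["suspect"]), "suspect file types: " + ", ".join(r["suspect"])),
              (r["encrypted"], "encrypted entries could not be checked")]
    r["findings"] = [msg for hit, msg in checks if hit]
    return r

def build_zip(files: dict) -> bytes:
    """Constructed test input: an in-memory ZIP of {name: bytes}, not real mail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Wrapping a `build_zip` result in further `build_zip` calls produces the nested archives needed to exercise the depth check; a six-deep archive holding `invoice.exe` reports both the depth and the suspect file type findings.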

Configuring a Suspected Malware Policy

To configure a Suspected Malware policy:

  1. Log in to the Mimecast Administration Console.
  2. Select the Policies | Gateway Policies menu item.
  3. Click on Suspected Malware.
  4. Either click on the:
    • Policy to be changed.
    • New Policy button to create a policy.
  5. Complete the Options section as required:
Field / Option: Description
Policy Narrative: Provide a description for the policy so that you can easily identify it in the future.
Select Suspected Malware Definition: Use the Lookup button to select the required Suspected Malware definition for the policy.
  6. Complete the Emails From and Emails To sections as required:
Field / Option: Description
Addresses Based On: Specify the email address characteristics the policy is based on. This option is only available in the Emails From section. The options are:
  • The Return Address (Mail Envelope From): This default setting matches the policy against the message's envelope (true) address, i.e., the address used during SMTP transmission.
  • The Message From Address (Message Header From): The policy applies to the masked address used in the message's header.
  • Both: Applies the policy based on the Mail Envelope From or the Message Header From, whichever matches. When both match, the specified value of the Message Header From is used.
Applies From / To: Specify the sender or recipient characteristics the policy is based on. For multiple policies, you should apply them from the most to the least specific. The options are:
  • Everyone: Includes all email users (i.e., internal and external). This option is only available in the Emails From section.
  • Internal Address: Includes only internal organization addresses.
  • External Address: Includes only external organization addresses. This option is only available in the Emails From section.
  • Email Domain: Enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
  • Address Groups: Enables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path.
  • Address Attributes: Enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop-down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts.
  • Individual Email Address: Enables you to specify an SMTP address. The email address is entered in the Specifically field.
  7. Complete the Validity section as required:
Field / Option: Description
Enable / Disable: Use this to enable (default) or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or backdate it. When the end of the policy's configured date range is reached, it is automatically disabled.
Set Policy as Perpetual: Specifies that the policy's start and end dates are set to Eternal, meaning the policy never expires.
Date Range: Specify a start and end date for the policy. This automatically deselects the Eternal option.
Policy Override: Select this to override the default order in which policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override.
Bi-Directional: If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient.
Source IP Ranges (n.n.n.n/x): Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the configured range(s). IP ranges should be entered in CIDR notation.
  8. Click on the Save and Exit button.
