Guide to Mimecast Content Examination and Troubleshooting

Overview

Mimecast's Content Examination (CEX) is a crucial component of email security. Content Examination Definitions and Policies analyze message content for matches that you provide. It sets the conditions under which a message is considered safe, and what action should be taken if the message is not safe.

Once configured, each definition is applied to either a Content Examination or Content Examination Bypass policy, to control what message flows it should be used for (e.g., inbound or outbound).

Creating Content Examination Bypass Policies

To create a bypass policy for Mimecast Content Examination, follow these steps:

1. Navigate to Users & Groups | Directories | Profile Groups in the Administration Console.
2. Create a new folder (e.g., 'Content Examination Bypass').
3. Add specific email addresses to this group.
4. Navigate to Policies | Gateway Policies.
5. Select 'Content Examination Bypass' and create a policy.
6. Choose the content definition to bypass.
7. Select the address group you created.
8. Optionally, ensure 'Policy Override' is checked to apply the bypass before other policies.

The above step can be used if you would like the bypass to be prioritized. For more information on Policy ordering, see Policy Specificity.

Common Issues and Causes

Content Examination policies can hold outgoing emails for various reasons, including:

1. Overly restrictive policy settings.
2. Incorrect policy scoping or being limited to specific IPs.
3. Bypass policies override the applied Content Examination policy.

To resolve these issues, review your policy settings, check the hold reason in the DLP logs, and create appropriate bypass policies for specific senders or domains if needed.

Step-by-Step Procedures

To bypass Content Examination for specific email senders:

1. Navigate to Policies | Gateway Policies | Content Examination Bypass | New Policy.
2. This allows you to allowlist specific email addresses or domains that are being held up by spam or content review filters.

To bypass Content Examination:

1. Navigate to Policies | Gateway Policies | Content Examination Bypass.

2. Create a new policy that scopes the bypass from the sender to the recipient for a specific Content Definition.

   This will allow emails to pass through without being blocked by content scanning.

   Note that the bypass only works for future emails, not for emails already stuck in the processing queue.

Verification and Outcomes

After creating a bypass policy, verify that:

1. The scope is set correctly for the intended senders and recipients.

2. The policy is configured to bypass the erroneous Content Examination Definition from the intended sender or domain.

   Future emails from the specified senders will pass through without being blocked.

Additional Resources

Suppose you encounter an error where Mimecast's Content Examination (CEX) has trouble scanning or reading an email attachment. In that case, it typically indicates an issue with the file itself that prevents the content scanning process from completing successfully. The system will automatically requeue the email after multiple failed scanning attempts. For more information, see: Policies - Dangerous File Type.