Email Security - API - Malware Protection Policy

This article outlines the configuration of Malware Protection Policies for Email Security - API.

Overview

The Malware Protection policy can be configured for Email Security - API with an Action set to either 'Monitor' or 'Protect' to detect and manage malware, ransomware, trojans, and other malicious code in attachments.

Considerations

  • Every threat family has a default policy that is always defined and accessible. The default policy cannot be deleted; however, there are no restrictions on its actions, e.g., it can be configured to Monitor so that it only records subsequent detections.
  • Certain policy actions only check for the presence of macros or particular content and do not scan for malicious content. Ensure you understand what each action does before relying on it.

Microsoft 365 API Dependency: API-Based Protection relies on Microsoft 365 APIs for: (i) event ingestion and notifications (i.e., to trigger scanning), and (ii) enforcement actions (e.g., moving messages to Junk / Quarantine). If Microsoft APIs are unavailable, delayed, or fail to execute an action, this may impact the timeliness or effectiveness of the service.

  • Customer Responsibilities: To ensure optimal performance of API-Based Protection, customers are responsible for: (i) maintaining valid Microsoft 365 licenses with the required permissions and API access enabled; and (ii) ensuring configuration and permissions remain accurate and up to date.
  • Mimecast's Boundaries of Responsibility: Mimecast's responsibility for Customer Data begins when that data enters the Mimecast environment. Mimecast is not responsible for any delays, failures, or other outcomes attributable to Microsoft API unavailability, non-performance, or third-party service issues.

Default Malware Protection Policy

Each of the new policies has a default policy at the bottom of the list, which acts as a ‘catch-all’ policy in the event that a recipient is not included in any of the policies above this policy.

This default policy is created when an account is provisioned, and its configuration depends on the type of policy. The policy is scoped from Everyone to Everyone and provides a default level of protection. For more information, see the individual policy articles listed below.

In the policy list view, it is not possible to delete or re-order the default policy. It is always pinned at the bottom of the policy list. The Order of the default policy is always set to (number of customer policies in the list + 1), and it is evaluated last.

  • In the policy view, it is not possible to change the Policy Details, Configuration, and Target sections. However, you are able to change the Actions or Notifications sections (if provided) of the policy.

Default Policy Configuration

The default policy will be configured as follows:

  • Policy Name and Description: Default Malware Protection Policy; This is the default malware protection policy created by Mimecast.
  • Activate Policy: Enabled.
  • Target: Sender: Everyone; Recipient: Everyone.
  • Configuration: Configure the types of files and threats to be scanned and protected against.
      • Suspected Malware: Enabled
      • Encrypted Archives: Enabled
      • Unreadable Archives: Enabled
      • Scan for disallowed extensions within legacy MSFT Office files: Enabled
      • Scan for MSFT Office files: Enabled
  • Action: Monitor


Policy List and Evaluation Order Page

The Policy List page provides a view of all the Malware Protection policies created, with columns providing key information.

[Screenshot: malwareevaluationorderpage.png]

Evaluation Order

Policies are listed in evaluation order. The policy at the top of the list (numbered 1) is evaluated first (if it applies to the message), and so on.

In addition to the policy evaluation order, which is configurable per threat family, there is a Mimecast-defined hierarchy based on the risk of each threat family. That hierarchy is:

  1. Malware
  2. Phishing
  3. Spam

Policies can be ordered based on the priority of users to be protected, for example:

  1. Policy 1: Executives and other high-risk individuals.
  2. Policy 2: Additional departments.
  3. Policy 3: Default policy.
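As an added illustration (not Mimecast's code, and not a description of its internals), the following Python models the evaluation behaviour described above: customer policies are tried top to bottom, the first enabled policy whose sender and recipient targets both match wins, and the Everyone-to-Everyone default policy sits last with an order equal to the number of customer policies plus one. The Target and Policy classes, the evaluate() function and the sample policies and addresses are assumptions constructed for this example.

```python
# Added illustration, not Mimecast's code: a model of how a threat-family policy
# list is evaluated top to bottom with the default policy pinned last. The
# Target, Policy and evaluate() names and the sample policies are constructed.
from dataclasses import dataclass, field


@dataclass
class Target:
    kind: str                     # "Everyone", "Domain", "Address Group" or "Email Address"
    value: str = ""               # domain, group name or address; unused for Everyone
    groups: dict = field(default_factory=dict)   # group name -> member addresses

    def matches(self, address: str) -> bool:
        address = address.lower()
        if self.kind == "Everyone":
            return True
        if self.kind == "Domain":
            return address.endswith("@" + self.value.lower())
        if self.kind == "Address Group":
            return address in {m.lower() for m in self.groups.get(self.value, ())}
        if self.kind == "Email Address":
            return address == self.value.lower()
        raise ValueError(f"unknown target kind {self.kind!r}")


@dataclass
class Policy:
    name: str
    sender: Target
    recipient: Target
    action: str                   # "Quarantine", "Monitor" or "None"
    enabled: bool = True          # the Activate Policy toggle


# Scoped Everyone -> Everyone with the Monitor action, as the article describes.
DEFAULT_POLICY = Policy("Default Malware Protection Policy",
                        Target("Everyone"), Target("Everyone"), "Monitor")


def policy_list(customer_policies):
    """(order, policy) pairs: customer policies in configured order, then the
    pinned default whose order is the number of customer policies + 1."""
    ordered = list(customer_policies) + [DEFAULT_POLICY]
    return [(i + 1, p) for i, p in enumerate(ordered)]


def evaluate(customer_policies, sender, recipient):
    """Return (order, name, action) of the first enabled policy whose sender and
    recipient targets both match. The default policy guarantees a result."""
    for order, policy in policy_list(customer_policies):
        if not policy.enabled:
            continue
        if policy.sender.matches(sender) and policy.recipient.matches(recipient):
            return order, policy.name, policy.action
    raise AssertionError("unreachable: the default policy matches everyone")


# Constructed sample: executives first, a department second, a disabled test policy third.
GROUPS = {"Executives": ["ceo@example.com", "cfo@example.com"]}
CUSTOMER_POLICIES = [
    Policy("Executives", Target("Everyone"),
           Target("Address Group", "Executives", GROUPS), "Quarantine"),
    Policy("Finance department", Target("Everyone"),
           Target("Domain", "finance.example.com"), "Quarantine"),
    Policy("Disabled test policy", Target("Everyone"), Target("Everyone"),
           "None", enabled=False),
]

if __name__ == "__main__":
    for rcpt in ("ceo@example.com", "clerk@finance.example.com", "someone@example.com"):
        print(rcpt, "->", evaluate(CUSTOMER_POLICIES, "sender@outside.test", rcpt))
```

Running the module prints the matching order, policy name and action for three constructed recipients. The disabled policy in position 3 is skipped, so a recipient covered by no customer policy falls through to the default at order 4, which is exactly why the default policy's own Action matters.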

Policy Creation, Update, and Deletion

Creating a Policy

To create a Malware Protection policy:

  1. Log in to the Mimecast Administration Console.

  2. Navigate to Policies | Malware Protection Policies.

  3. Select the Create New Policy button.

[Screenshot: malwarecreate.png]

  4. Complete the fields as follows:

  • Policy Details: Enter a Policy Name and Description (optional) that will help to easily identify the policy.
  • Activate Policy: Toggle this to activate or deactivate the policy.
  • Target: The policy is applied based on the sender's From (Header) address and/or Return (Envelope) address. Select from:
      • Everyone
      • Domain
      • Address Group
      • Email Address
  • Malware Protection Configuration: Configure the types of files and threats to be scanned and protected against.
      • Suspected Malware: If selected, messages containing an archived file format (e.g., .ZIP) that holds one or more of the following file types are considered suspected malware: .PIF, .EXE, .COM, .SCR, .CPL, .MSI
      • Encrypted Archives: Controls how encrypted or password-protected archive files are processed.
      • Unreadable Archives: Provides a way to control the handling of encrypted archives not supported by the archive extraction process. Archive formats: .ZIP, .RAR, .7Z, .Z (UNIX Compress), .GZ, .JAR, .BZIP
      • Scan for disallowed extensions within legacy MSFT Office files: Offers protection against dangerous files detected in legacy Microsoft Office extensions.
      • Scan for MSFT Office files: Offers protection against Microsoft Office attachments that contain macros.
  • Actions: Select an action to be applied:
      • Quarantine: Action will be taken upon discovery of a threat.
      • Monitor: Take action on the discovery of a threat, but allow users to move the message back into the inbox.
      • None: Bypass the policy. Results are not recorded and no action is taken. Default value.
  • Graymail Control: Choose how to handle Graymail messages:
      • Move to Junk
      • Apply Spam Policy Action
  • Notification configuration: Choose who will be notified when this policy is applied.

  5. Click Create Policy.

You will see a confirmation that the policy has been successfully created: 

[Screenshot: PolicyCreatedToast.png]
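As an added illustration, not Mimecast's code, the following Python shows what the Suspected Malware, Encrypted Archives and Unreadable Archives options correspond to when an attachment is inspected, and how the chosen Action is then applied to the result. The classify_archive() and decide() functions, the in-memory ZIP samples and the "Deliver" label are assumptions constructed for this example; it handles only ZIP archives, whereas the configuration above lists several other archive formats.

```python
# Added illustration, not Mimecast's code: the checks behind the Suspected
# Malware, Encrypted Archives and Unreadable Archives options, run on an
# attachment held in memory. classify_archive(), decide() and the samples are
# constructed for this example.
import io
import zipfile

# File types the article lists as suspected malware when found inside an archive.
SUSPECT_EXTENSIONS = (".pif", ".exe", ".com", ".scr", ".cpl", ".msi")


def classify_archive(data: bytes) -> dict:
    """Report which configuration options an attachment would trigger."""
    verdict = {"suspected_malware": False, "encrypted": False,
               "unreadable": False, "members": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                verdict["members"].append(info.filename)
                if info.flag_bits & 0x1:          # bit 0 = entry is password-protected
                    verdict["encrypted"] = True
                if info.filename.lower().endswith(SUSPECT_EXTENSIONS):
                    verdict["suspected_malware"] = True
    except zipfile.BadZipFile:
        # Extraction fails outright: this is the case Unreadable Archives covers.
        verdict["unreadable"] = True
    return verdict


def decide(verdict: dict, config: dict, action: str) -> str:
    """Apply the policy Action to a verdict. config maps each option name
    (suspected_malware, encrypted, unreadable) to its enabled state."""
    if action == "None":
        return "None"                 # policy bypassed: nothing recorded, no action
    fired = any(verdict[option] for option, enabled in config.items() if enabled)
    return action if fired else "Deliver"   # "Deliver" is a label used only here


def build_zip(entries: dict) -> bytes:
    """Constructed, unencrypted ZIP attachment from name -> content pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' general-purpose flag (bit 0) in every central-directory
    header so the sample carries the marker a password-protected archive has.
    The content is not actually encrypted; only the header is changed."""
    data = bytearray(zip_bytes)
    pos = data.find(b"PK\x01\x02")
    while pos != -1:
        data[pos + 8] |= 0x01         # flags sit at offset 8 of the central header
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


# Constructed samples, one per configuration option.
CLEAN = build_zip({"report.pdf": b"%PDF-1.4 sample", "notes.txt": b"hello"})
SUSPECT = build_zip({"invoice.pdf.exe": b"MZ sample", "readme.txt": b"open me"})
ENCRYPTED = mark_encrypted(build_zip({"payload.bin": b"opaque"}))
UNREADABLE = b"this is not an archive, just text pretending to be one"
ALL_ON = {"suspected_malware": True, "encrypted": True, "unreadable": True}

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT),
                          ("encrypted", ENCRYPTED), ("unreadable", UNREADABLE)):
        v = classify_archive(sample)
        print(label, v, "->", decide(v, ALL_ON, "Monitor"))
```

mark_encrypted() only flips the header flag, so the sample is detected as password-protected without any real encryption being involved. Passing a config with the encrypted option disabled to decide() shows that the same attachment then falls through with no action, which is why the considerations above advise understanding each option before relying on it.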

Editing a Policy

To edit an existing policy:

  1. Log in to the Mimecast Administration Console.

  2. Navigate to Policies | Malware Protection Policies.

  3. Click the three-dot icon next to the policy and select Edit. You can also reorder policies by selecting Edit Order.

[Screenshot: malwareedit.png]

Note

  • If no policy is configured with a Quarantine or Move to Junk action, a banner appears highlighting that a policy must be created, or that policy Actions must be updated, to ensure protection.
  • The Duplicate option can be selected to create a copy of the selected policy.

  4. Make any changes and click Save.

[Screenshot: editmalwaresave.png]

The Edit Order option can be used to reorder the Policy List.

[Screenshot: malwareeditorder.png]

Deleting a Policy

To delete an existing policy:

  1. Log in to the Mimecast Administration Console.

  2. Navigate to Policies | Malware Protection Policies.

  3. Click the three-dot icon next to the policy and select Delete:

[Screenshot: malwaredelete.png]

  4. Confirm by clicking Delete.

[Screenshot: malwareconfirmdelete.png]

You will see a confirmation that the policy has been successfully deleted:

[Screenshot: PolicyDeletedToast.png]

Note: The Spam Protection Policy is a Single Rules policy.

