Many malware closely associate with certain file type extensions (examples:
.doc, .exe, .dll). The file's extension identifies the file type. Similarly, specific
attacks
often associate with a specific file name. Cloud App Security can block
files according to the file type, file name, file extension, or file contents that
contain
suspicious URLs.
-
For email services, file blocking prevents email messages containing suspicious attachments from delivering to recipients. Policy actions include replacing the file with a benign text file, quarantining or deleting all email messages with attachments that violate specified policies, or labeling the violating email messages as risky in recipient's mailbox (Gmail only).
-
For the other cloud applications, file blocking prevents suspicious files from entering these applications. Policy actions include quarantining or deleting files that violate specified policies.
NoteTrend Micro recommends temporarily quarantining all high-risk file types and known
malware
file names. This way, you can examine the quarantine folder and take action on detected
files
when you have more time.
|
Configuring File Blocking
Procedure
- Select File Blocking.
- Enable File Blocking.
- Configure rule settings.SettingDescriptionApply to(Exchange Online and Gmail only) Select the scope of email messages that File Blocking applies to.
-
All messages: means that this policy applies to incoming, outgoing, and internal email messages. Incoming/outgoing email messages are sent from/to non-internal domains.
-
Incoming messages: means that this policy applies only to incoming email messages sent from non-internal domains.
Note
For details about internal domains, see Configuring the internal domain listFor Exchange Online (Inline Mode), the scope is fixed to Inbound messages for inbound protection and Outbound messages for outbound protection. Inbound messages are sent from outside your organization to an address inside the organization, while outbound messages are sent from your organization to external addresses.Type of File BlockingSelect whether to block all files or specific files.Blocking listIf Type of File Blocking is set toBlock All Files
:-
Select File types not blocked to select or specify true file types that Cloud App Security never blocks.
-
Select File extensions not blocked to select or specify file extensions that Cloud App Security never blocks.
-
Select File names not blocked to type the file name that Cloud App Security never blocks.
If Type of File Blocking is set toBlock Specific Files
:-
Select File types to blocked to select or specify true file types that Cloud App Security always blocks.
-
Select File extensions to blocked to select or specify file extensions that Cloud App Security always blocks.Optionally click Export to export the specified file extensions as a
.txt
file.Optionally click Import to import file extensions in batches. The extension cannot exceed 255 characters, begin or end with a period ("."), or contain unsupported characters (/ \ : * ? < > " |) . The total number of users, including those already added, cannot exceed 1,000. -
Select File names to blocked to type the file name that Cloud App Security always blocks.
-
Select Additional files to block for incoming messages and specify other files to block specifically for incoming messages in addition to the files blocked for all messages.
Contained FilesSelect the check box to scan for file extensions and file names inside archive files or embedded in files. -
- Click Approved/Blocked List.
- Configure the approved sender list.This feature is available to Gmail, Exchange Online, and Exchange Online (Inline Mode).
- Enable the approved sender list.
- Specify a sending email address or domain to bypass File Blocking
scanning and click and click Add >.
Note
You can use the wildcard character (*) to represent any characters in the email address or domain name. Examples: *@example.com, name@*.com, *@*.example.comThe following formats are invalid: *@*, *A maximum of 1,024 email addresses or domains can be added to the Approved Sender list. - Optionally click Import to import sender email
addresses in batches from a .txt file.Make sure that each email address occupies a separate line in the .txt file.
- Click Action & Notifications.
- Configure Action settings.Cloud App Security protects cloud applications and services by executing specified actions after detecting a file that matches scanning conditions. The action depends on the performed scan, the affected application or service, and the configured actions for that scan.For details about the actions, see Actions available for different services.
- Configure Notification
settings.
Option Description Notify administrator-
Specify the administrators to notify by selecting a recipient group or specifying individual recipients. You can click Manage recipient groups to edit the members in a group or add more groups.
-
Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.
-
Set the notification threshold which limits the number of notification messages to send. Threshold settings include:
-
Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).
-
Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.
-
Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.
-
Notify UserExchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment.SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Specify message details that notify the user who updated a file that Cloud App Security detected a security risk and took action on their file.Teams Chat: Cloud App Security does not provide this option. When a chat message was blocked, a notification "This message was blocked." provided by Microsoft appears in the sender's private chat window. Message senders can click What can I do? to view more information about the blocked messages.Salesforce: Specify message details that notify the user who updated a Salesforce object record that Cloud App Security detected a security risk and took action on the update.Note
When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token list. -
- Click Save or select another policy configuration on the left navigation to continue with additional rules.