Malware Scanning uses Trend Micro's virus scan engine to detect emerging threats.
Configuring Malware Scanning
Procedure
- Select Malware Scanning.
- Configure rule settings.SettingDescriptionApply to(Exchange Online and Gmail only) Select the scope of email messages that Malware Scanning applies to.
-
All messages: means that this policy applies to incoming, outgoing, and internal email messages. Incoming/outgoing email messages are sent from/to non-internal domains.
-
Incoming messages: means that this policy applies only to incoming email messages sent from non-internal domains.
Note
For details about internal domains, see Configuring the internal domain listFor Exchange Online (Inline Mode), the scope is fixed to Inbound messages for inbound protection and Outbound messages for outbound protection. Inbound messages are sent from outside your organization to an address inside the organization, while outbound messages are sent from your organization to external addresses.Files to scan-
Scan all files, true file types, or specific file types for malware
-
Select whether to leverage the Predictive Machine Learning engine to detect emerging unknown security risks. For details, see About predictive machine learning.For a new policy, this check box is selected by default.
-
(Exchange Online and Gmail only) Select whether to scan the message body.
-
Select whether to enable IntelliTrap.IntelliTrap helps reduce the risk of viruses that use real-time compression algorithms to bypass network security by blocking real-time compressed executable files and pairing them with other malware characteristics. Because IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider quarantining (not deleting) files after enabling IntelliTrap.
-
Select whether to let Trend Micro collect suspicious file information to improve the detection capabilities of the Advanced Threat Scan Engine and the Predictive Machine Learning engine.
Note
If you enable this option, Trend Micro only checks potentially risky files and encrypts all content before transferring any information.For a new policy, this check box is selected by default.
Enable Predictive Machine LearningSelect whether to leverage the Predictive Machine Learning engine to detect emerging unknown security risks. For details, see About predictive machine learning.For a new policy, this check box is selected by default.Scan message body(Exchange Online and Gmail only) Select whether to scan the message body.Enable IntelliTrapSelect whether to enable IntelliTrap.IntelliTrap helps reduce the risk of viruses that use real-time compression algorithms to bypass network security by blocking real-time compressed executable files and pairing them with other malware characteristics. Because IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider quarantining (not deleting) files after enabling IntelliTrap.Allow Trend Micro to collect suspicious file information to improve its detection capabilitiesSelect whether to let Trend Micro collect suspicious file information to improve the detection capabilities of the Advanced Threat Scan Engine and the Predictive Machine Learning engine.Note
If you enable this option, Trend Micro only checks potentially risky files and encrypts all content before transferring any information.For a new policy, this check box is selected by default.Detect active content in Microsoft Office files(Exchange Online only) Select whether to enable and configure actions specifically for email messages that contain active content such as macros in attached Microsoft office files.When detecting the presence of supported active content, whether it is malicious, Cloud App Security takes the configured action.This option applies to uncompressed files in received email messages from external and internal senders.In the Action section, you can configure to sanitize the attached file or pass, quarantine, or delete the entire email message upon detection of active content. If Sanitize file is selected, Cloud App Security removes the active content from the file and delivers the email message with the sanitized file.Note
The email message will still go through the other security filters in the same policy.If Cloud App Security fails to remove the active content, it will take the Pass action, that is, to deliver the email message with the original file to the intended recipient. -
- Click Action & Notifications.
- Configure Action settings.Cloud App Security protects cloud applications and services by executing specified actions after detecting a file that matches scanning conditions. The action depends on the performed scan, the affected application or service, and the configured actions for that scan.
-
Exchange Online, Exchange Online (Inline Mode) - Inbound Protection, Exchange Online (Inline Mode) - Outbound Protection policies
Option Description ActionFor details about the actions, see Actions available for different services.Advanced OptionsSpecify the Replacement file name and Replacement text that Cloud App Security uses when an unscannable message arrives. Cloud App Security replaces the file/text with the configured replacement information.Unscannable File OptionsSelect actions for password-protected files. Specify replacement text that replaces a file/text for an unscannable message.When an email message with password-protected attachments arrives, if Attachment Password Guessing is enabled, Cloud App Security first attempts to find passwords in the message to decrypt the attachments for scanning. If no password is found or Attachment Password Guessing is not enabled, Cloud App Security treats the attachments as unscannable and perform the action for Password-protected compressed files or Other password-protected files, depending on whether the attachments are compressed.-
Gmail policies
Option Description ActionFor details about the actions, see Actions available for different services.Unscannable File OptionsSelect actions for password-protected files.When an email message with password-protected attachments arrives, if Attachment Password Guessing is enabled, Cloud App Security first attempts to find passwords in the message to decrypt the attachments for scanning. If no password is found or Attachment Password Guessing is not enabled, Cloud App Security treats the attachments as unscannable and perform the action for Password-protected compressed files or Other password-protected files, depending on whether the attachments are compressed.-
Salesforce policies
Option Description ActionFor details about the actions, see Actions available for different services.Advanced Settings for Files-
Select Apply secondary action when file quarantine fails, and specify a secondary action if you want to take a backup action when the quarantine action for a file fails. This option can be configured only when a Quarantine action is selected.
-
Specify text to append to the file name if the Tag file name action is selected in the Action section.
Note
-
The Tag file name action adds a tag to the file name to warn stakeholders about threats detected in uploaded files. In the Web Reputation and Data Loss Prevention security filters, Salesforce admins can separately configure actions, including Pass, Quarantine, Delete, and Tag file name, for files.
-
The tag cannot exceed 20 characters or contain unsupported characters (/ \ : * ? < > " |).
-
-
Specify text to replace the original file content when a file is quarantined or deleted. The text applies to the Quarantine and Delete actions in the Action section.
Unscannable File OptionsSelect actions for password-protected files. -
- Configure Notification
settings.
Option Description Notify administrator-
Specify the administrators to notify by selecting a recipient group or specifying individual recipients. You can click Manage recipient groups to edit the members in a group or add more groups.
-
Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.
-
Set the notification threshold which limits the number of notification messages to send. Threshold settings include:
-
Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).
-
Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.
-
Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.
-
Notify UserExchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment.SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Specify message details that notify the user who updated a file that Cloud App Security detected a security risk and took action on their file.Salesforce: Specify message details that notify the user who updated a Salesforce object record that Cloud App Security detected a security risk and took action on the update.Teams Chat: Cloud App Security does not provide this option. When a chat message was blocked, a notification "This message was blocked." provided by Microsoft appears in the sender's private chat window. Message senders can click What can I do? to view more information about the blocked messages.Note
When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token list. -
- Click Save or select another policy configuration on the left navigation to continue with additional rules.
About predictive machine learning
Trend Micro Predictive Machine Learning uses advanced machine learning technology
to correlate threat information and perform in-depth file analysis to detect emerging
unknown
security risks through digital DNA fingerprinting, API mapping, and other file features.
Predictive Machine Learning is a powerful tool that helps protect your environment
from
unidentified threats and zero-day attacks.
After detecting an unknown or low-prevalence file, Cloud App Security scans the file using the Advanced Threat Scan Engine
to extract file features and sends the report to the Predictive Machine Learning engine.
Through
use of malware modeling, Predictive Machine Learning compares the sample to the malware
model,
assigns a probability score, and determines the probable malware type that the file
contains.