After selecting the senders and recipients for a new rule or modifying the senders and recipients for an existing rule, configure the rules to filter message traffic based on several conditions.
The scanning conditions vary depending on whether Antivirus rules or Other rules are being created.

Procedure

  1. Select the check boxes as desired, from the Step 2: Select Scanning Conditions screen. The categories of scanning conditions for the Antivirus and the Other rule types vary as follows:
    • Antivirus rule
      1. Files to Scan: Set the default method for scanning messages and specific file types containing viruses and other malware.

        Files to Scan

        • Setting: All scannable files
          Description: Attempt to scan all files.
        • Setting: IntelliScan: uses "true file type" identification
          Description: Use IntelliScan to identify malicious code that can be disguised by a harmless extension name.
        • Setting: Specific file types
          Description: Select the check box next to one of the following types of file extensions to scan:
          • Application and executables: Click the link and select the sub-types to scan.
          • Documents: Click the link and select the sub-types to scan.
          • Compressed files: Click the link and select the sub-types to scan.
          • Specified file extensions: Specify the extension in the text box. You do not need to type the period (.) before the extension. You can also use an asterisk wildcard for the extension.
      2. IntelliTrap Settings: Scan compressed files for viruses/malware and send samples to TrendLabs for investigation.
        • IntelliTrap: Scan message attachments that contain real-time compressed executable files.
        • Send the IntelliTrap samples to TrendLabs: IMSVA can automatically send messages with attachments that IntelliTrap catches to TrendLabs.
      3. Spyware/Grayware Scan: Scan for other types of threats such as spyware and adware.
    • Other rule
      1. Select one of the following next to Take rule action when, which specifies when IMSVA can take action on a message:
        • all conditions matched (AND): When a message matches all of the conditions.
        • any conditions matched (OR): When a message matches any of the conditions.
      2. C&C Email: Scans message headers for email addresses known to be used as C&C callback addresses.
        This filter is not triggered if the detected email addresses are found in the C&C Email Approved List. For more information, see Configuring the C&C Email Approved List.
        Note
        Selecting C&C Email and the filter relation all conditions matched (AND) disables the Phishing/Social Engineering Attack/Spam and Web Reputation filters.
      3. Phishing/Social Engineering Attack/Spam: Scans for messages identified as spam, phishing, or social engineering attacks. Spam messages are generally unsolicited messages containing mainly advertising content. Phishing messages, on the other hand, originate from senders masquerading as trustworthy entities. Social engineering attack refers to suspicious behavior that the Antispam Engine detects in several parts of an email transmission.
        • Spam detection settings: Click the link to select a level of spam protection and configure lists for approved and blocked senders and text exemptions.
        • Phishing email
        • Social Engineering Attack Protection
      4. Web Reputation: Scans URLs in messages to protect against phishing and other malicious websites.
      5. Graymail: Scans messages against the ERS score to identify graymail messages.
      6. Attachment: Scans messages for file attachments that match the selected criteria, such as attachments with specific extensions or belonging to a certain true file type.
        • Name or extension: Click the link to configure filter settings for specific file names or extension names.
        • MIME content type: Click the link to configure filter settings for MIME content types.
        • True file type: Click the link to configure filter settings for common executable, document, image, media, and compressed files and configure whether to send these types of files to Virtual Analyzer for analysis.
        • Size is {>, <, =} {size} {MB, KB, B}: Select to filter attachments of a size that is more than, less than, or equal to a certain number of bytes, kilobytes, or megabytes. Specify a number that represents the file size.
        • Number is {>, <, =} {number}: Select to filter the number of attachments that is more than, less than, or equal to a certain number. Specify a number that represents the total number of attachments for each message.
        • Password protected zip files (unscannable files): Select to filter password protected zip files that cannot be scanned by IMSVA.
      7. Size: Scans messages that match the specified message size.
        • Message size is {>, <, =} {size} {MB, KB}: Select to filter messages of a size that is more than, less than, or equal to a certain number of kilobytes, or megabytes. Specify a number that represents the message size.
      8. Content: Scans messages for content that matches the keyword expressions specified in the subject, body, header, or attachment keyword expressions links.
        • Subject keyword expressions: Click the link to manage your expression lists.
        • Subject is blank: Select to filter messages without a subject. Sometimes spam messages do not contain subject lines.
        • Body keyword expressions: Click the link to manage your expression lists.
        • Header keyword expressions: Click the link to manage your expression lists. Headers include Subject, To, From, CC, and other headers that you can specify.
        • Attachment keyword expressions: Click the link to manage your expression lists. Attachments include attachment names and attachment content.
      9. Data Loss Prevention: Scans messages to protect against data leakage using regulatory compliance templates. Click DLP compliance templates to see the list of available templates.
      10. Others: Scans messages in which the number of recipients matches the specified number. Also scans messages that are received within the specified time range.
        • Number of recipients is {>, <, =} {number}: Select to filter the number of recipients. Specify a number that represents the total number of recipients for each message.
        • Received time range: Click the link to select a day and time within which a message was received.
        • Unable to decrypt messages: Select to filter encrypted messages that cannot be decrypted by IMSVA.
        • Spoofed internal messages: Click the link to create or modify a trusted internal IP address list.
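
The following is an added example, not part of the product documentation and not IMSVA's own code. It sketches in Python what two of the Attachment conditions above look for: a true file type that disagrees with the attachment's extension, and a zip archive whose members carry the encryption flag and therefore cannot be scanned. The signature table, function names, and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email.message import EmailMessage

# Leading-byte signatures for a few types (illustrative, not IMSVA's list).
SIGNATURES = {b"MZ": "exe", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x89PNG": "png"}

def true_file_type(data):
    """Return the type implied by the file's leading bytes, or None."""
    for magic, ftype in SIGNATURES.items():
        if data.startswith(magic):
            return ftype
    return None

def is_encrypted_zip(data):
    """True if any member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def check_attachments(msg):
    """Return (filename, finding) pairs for attachments matching a condition."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        actual = true_file_type(data)
        if actual and actual != ext:
            findings.append((name, f"extension .{ext} hides true type {actual}"))
        if actual == "zip" and is_encrypted_zip(data):
            findings.append((name, "password-protected zip (unscannable)"))
    return findings

def build_sample():
    """Constructed message: a mislabeled stub, a real PNG header, a flagged zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"report")
    z = bytearray(buf.getvalue())
    z[6] |= 1                               # local header: encrypted flag
    z[z.index(b"PK\x01\x02") + 8] |= 1      # central directory: encrypted flag
    msg = EmailMessage()
    msg.set_content("see attached")
    for name, data in [("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),
                       ("photo.png", b"\x89PNG\r\n\x1a\n"), ("docs.zip", bytes(z))]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg
```

Calling `check_attachments(build_sample())` reports the mislabeled `invoice.pdf` and the flagged `docs.zip`, and passes `photo.png`, whose extension and leading bytes agree.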