Keywords are specific words or phrases. Add related keywords to a keyword list to identify a particular type of data. For example, "prognosis", "blood type", "vaccination", and "physician" are keywords that may appear in a medical certificate. To prevent the transmission of medical certificate files, configure IMSVA to block files containing these keywords.
Expressions describe data that has a recognizable structure. For example, credit card numbers typically have 16 digits and appear in the format "nnnn-nnnn-nnnn-nnnn", so a single expression can detect any of them, which makes them suitable for expression-based detection.
Selecting Scanning Conditions for Content
Procedure
- Create or modify an "Other" (not an Antivirus) policy.
  - For information on creating a new rule, see Configuring Policies.
  - For information on modifying an existing rule, see Configuring Existing Policies.
- Under Content, on the Scanning Conditions screen, select the check boxes next to the parts of a message to which you want the content conditions to apply.
- Click the link for the part of the message whose content conditions you want to configure. The Keyword Expressions screen appears with two columns:
  - Available: Expression lists available for use, but not currently in use.
  - Selected: Expression lists currently in use.
- If configuring expressions for the header, select the check boxes next to the header items to which the expression applies.
- Click Add. The screen for managing keyword expressions appears.
- Configure the expressions:
  - In the Available list, click the expression list to enable.
  - Click >>. The expression list moves to the Selected list. To keep an expression list available but temporarily prevent IMSVA from using it, click the list in the Selected column and then click <<.
- Click Save to return to the scanning conditions selection screen.
Configuring an Expression
Configure keywords and regular expressions to enable IMSVA to scan message content. Create keywords or expressions on the Keywords & Expressions screen or during policy creation.
Tip: Although keywords or expressions can be created during policy creation, Trend Micro recommends creating them before you begin creating policies.
When creating expressions:
- Start with simple expressions. Tighten an expression if it causes false alarms, or broaden it to improve detection.
- Specify criteria when creating expressions. A message must meet the criteria specified for an expression list (the match mode, case sensitivity and, where used, the score threshold) before IMSVA applies the policy to it.
Creating Keywords or Expressions
Procedure
- Go to the Keywords & Expressions screen.
- Click Add. The Add Keyword Expression screen appears.
- Next to List name, specify a descriptive name.
- Next to Match, select one of the following to specify when IMSVA takes action:
  - Any specified: Message content matches any of the keywords or expressions in the list.
  - All specified: Message content matches all keywords or expressions in the list.
  - Not the specified: Message content does not match any of the keywords or expressions in the list.
  - Only when combined score exceeds threshold: Message content contains one or more keywords or expressions in the list. If only one keyword or expression is detected, its score must be higher than the threshold. If several are detected, their combined score must be higher than the threshold. Next to Total message score to trigger action, specify the threshold; IMSVA takes the action only when the total score of the matched keywords or expressions exceeds this number. When you add an expression, you can set its Score.
- To create a new keyword expression, do the following:
  - Click Add. The Add Keyword Expression list appears.
  - Specify the keywords. For a partial match, specify the keyword alone. For an exact (whole-word) match, put \b before and after the keyword. For example:
    - keyword matches "keywords" and "akeyword"
    - \bkeyword\b matches "keyword" only
  - Specify a description for the added keyword expression to make it easier to understand.
  - Click Save.
- Click Add to add more keywords or expressions, as needed.
- For IMSVA to consider the capitalization of message content when it uses the filter, select the check box under Case sensitive.
- If you selected Only when combined score exceeds threshold:
  - Specify a threshold in the Total message score to trigger action field.
  - Select a value from the Score drop-down box.
- Click Save. The Keywords & Expressions screen appears with the new keyword or expression in the table.
Adding/Editing a Keyword or Expression during Policy Creation/Modification
Procedure
- Create or modify an "Other" (not an Antivirus) policy.
  - For information on creating a new rule, see Configuring Policies.
  - For information on modifying an existing rule, see Configuring Existing Policies.
- Under Content on the Scanning Conditions screen, click the link for the part of the message whose content conditions you want to configure. The Keyword Expressions screen appears with two columns.
- Click Add or Edit on the Keyword Expressions screen. The configuration screen for keyword expression lists appears.
- Next to List name, specify a descriptive name.
- Next to Match, select one of the following to specify when IMSVA takes action:
  - Any specified: Message content matches any of the expressions in the list.
  - All specified: Message content matches all the expressions in the list.
  - Not the specified: Message content does not match any of the expressions in the list.
  - Only when combined score exceeds threshold: Next to Total message score to trigger action, specify the threshold; IMSVA takes the action only when the total score of the matched expressions exceeds this number. When you add an expression, you can set its Score.
- To create an expression, click Add. The Add Keyword Expression list appears.
- Specify the keywords. For a partial match, specify the keyword alone. For an exact (whole-word) match, put \b before and after the keyword. For example:
  - keyword matches "keywords" and "akeyword"
  - \bkeyword\b matches "keyword" only
- Specify a description for the keywords.
- If you selected Only when combined score exceeds threshold:
  - Specify a threshold in the Total message score to trigger action field.
  - Select a value from the Score drop-down box.
- Click Save.
- For IMSVA to consider the capitalization of message content when it uses the filter, select the check box under Case sensitive.
- Click Save to continue modifying or creating the policy.
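The four Match settings and the score threshold from the two procedures above (Creating Keywords or Expressions, and the in-policy variant), modelled as an added example in Python. This is not Trend Micro or IMSVA code: the KeywordList and Entry classes, the match-mode names, the scores and the sample messages are assumptions constructed for illustration. The patterns use \b for a whole-word match and the \d meta-symbol for digits, as in the regular expression reference on this page.

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical model of an IMSVA keyword expression list (not Trend Micro code).
# Match modes: "any", "all", "not", and "score" (Only when combined score
# exceeds threshold).


@dataclass
class Entry:
    pattern: str        # keyword or regular expression, e.g. r"\bprognosis\b"
    score: int = 1      # the per-expression Score; used only in "score" mode


@dataclass
class KeywordList:
    name: str
    match: str                  # "any" | "all" | "not" | "score"
    entries: List[Entry]
    case_sensitive: bool = False
    threshold: int = 0          # "Total message score to trigger action"

    def hits(self, content: str) -> List[Entry]:
        """Entries whose pattern occurs anywhere in the message content."""
        flags = 0 if self.case_sensitive else re.IGNORECASE
        return [e for e in self.entries if re.search(e.pattern, content, flags)]

    def triggers(self, content: str) -> bool:
        """True when the list's criteria are met, i.e. the policy action runs."""
        found = self.hits(content)
        if self.match == "any":
            return len(found) > 0
        if self.match == "all":
            return len(found) == len(self.entries)
        if self.match == "not":
            return len(found) == 0
        if self.match == "score":
            # one hit must itself exceed the threshold; several hits are summed
            return sum(e.score for e in found) > self.threshold
        raise ValueError(f"unknown match mode: {self.match}")


# Constructed sample messages (not real mail).
MEDICAL_MAIL = ("Attached is the vaccination record for the patient; "
                "the physician has signed the certificate.")
FULL_CERT = ("Prognosis: good. Blood type: O+. Vaccination: complete. "
             "Physician: Dr. Example.")
CARD_MAIL = "Please charge 4111-1111-1111-1111 for the order."

# The medical-certificate keywords from the introduction, as an "any" list.
MEDICAL_ANY = KeywordList("medical-certificate", "any", [
    Entry(r"prognosis"), Entry(r"blood type"),
    Entry(r"vaccination"), Entry(r"physician")])

# The same keywords with scores: a threshold of 5 means a message must carry
# more than one weak indicator (2 + 2 = 4 is not enough) before action is taken.
MEDICAL_SCORED = KeywordList("medical-certificate-scored", "score", [
    Entry(r"prognosis", 3), Entry(r"blood type", 3),
    Entry(r"vaccination", 2), Entry(r"physician", 2)], threshold=5)

# The "nnnn-nnnn-nnnn-nnnn" credit card format as a structured expression.
CARD_NUMBER = KeywordList("card-number", "any", [
    Entry(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b")])


def matched_lists(content: str, lists: List[KeywordList]) -> List[str]:
    """Names of the lists whose criteria the content satisfies."""
    return [kl.name for kl in lists if kl.triggers(content)]


if __name__ == "__main__":
    for name, msg in [("MEDICAL_MAIL", MEDICAL_MAIL), ("FULL_CERT", FULL_CERT),
                      ("CARD_MAIL", CARD_MAIL)]:
        print(name, "->", matched_lists(msg, [MEDICAL_ANY, MEDICAL_SCORED, CARD_NUMBER]))
```

The partial-match behaviour of a bare keyword shows up directly: an entry of `cert` triggers on "certificate", while `\bcert\b` does not, and with `case_sensitive=True` an entry of `Physician` no longer matches the lowercase "physician" in the first sample message.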
About Regular Expressions
Characters
Regular Expression | Description |
. (dot) | Any character (byte) except newline |
x | The character 'x' |
\\ | The character '\' |
\a | The alert (bell) character (ASCII 0x07) |
\b | Word boundary when used outside a bracket expression, as in the \bkeyword\b examples above |
\f | The form-feed character (ASCII 0x0C) |
\n | The newline (line feed) character (ASCII 0x0A) |
\r | The carriage-return character (ASCII 0x0D) |
\t | The normal (horizontal) tab character (ASCII 0x09) |
\v | The vertical tab character (ASCII 0x0B) |
\n (n an octal digit) | The character with octal value 0n (0 <= n <= 7) |
\nn | The character with octal value 0nn (0 <= n <= 7) |
\mnn | The character with octal value 0mnn (0 <= m <= 3, 0 <= n <= 7) |
\xhh | The character with hexadecimal value 0xhh; for example, \x20 is the space character |
Bracket Expression and Character Classes
Bracket expressions are a list of characters and/or character classes enclosed in brackets []. Use bracket expressions to match a single character from a list, or from a range of characters. If the first character of the list is the caret ^, the expression matches characters that are not in the list.
For example:
Expression | Matches |
[abc] | a, b, or c |
[a-z] | a through z |
[^abc] | Any character except a, b, or c |
[[:alpha:]] | Any alphabetic character (see below) |
Each character class designates a set of characters equivalent to the corresponding standard C isXXX function. For example, [:alpha:] designates the characters for which isalpha() returns true (any alphabetic character). Character classes must be used within a bracket expression.
Character class | Description |
[:alpha:] | Alphabetic characters |
[:digit:] | Digits |
[:alnum:] | Alphabetic characters and numeric characters |
[:cntrl:] | Control character |
[:blank:] | Space and tab |
[:space:] | All white space characters |
[:graph:] | Non-blank (not spaces, control characters, or the like) |
[:print:] | Like [:graph:], but includes the space character |
[:punct:] | Punctuation characters |
[:lower:] | Lowercase alphabetic |
[:upper:] | Uppercase alphabetic |
[:xdigit:] | Digits allowed in a hexadecimal number (0-9a-fA-F) |
For a case-insensitive expression, [:lower:]
and [:upper:] are equivalent to [:alpha:].
Boundary Matches
Expression | Description |
^ | Beginning of line |
$ | End of line |
Greedy Quantifiers
Expression | Description |
R? | Matches R, once or not at all |
R* | Matches R, zero or more times |
R+ | Matches R, one or more times |
R{n} | Matches R, exactly n times |
R{n,} | Matches R, at least n times |
R{n,m} | Matches R, at least n but no more than m times |
R is a regular expression.
Trend Micro does not recommend using ".*" in a regular expression. ".*" matches a sequence of any characters of any length, and the large number of resulting matches can increase memory usage and affect performance.
For example, if the content is 123456abc, the regular expression ".*abc" produces the following match results:
- 123456abc
- 23456abc
- 3456abc
- 456abc
- 56abc
- 6abc
- abc
In this example, replace ".*abc" with "abc" to prevent excessive use of resources.
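To make the cost of a leading ".*" concrete, the following added example (Python, not IMSVA code) reproduces the list of match results above by attempting the pattern at every offset of the content, which is an assumption about how the scanner reports matches, and then counts how many characters those matches cover on a longer constructed input. The function names are hypothetical.

```python
import re


def match_results(pattern: str, content: str) -> list:
    """Matches reported when the pattern is tried at every offset of the content.

    Assumption: this models the behaviour described above, where ".*abc" on
    123456abc yields one result per starting position. It is not IMSVA code.
    """
    rx = re.compile(pattern)
    results = []
    for pos in range(len(content) + 1):
        m = rx.match(content, pos)      # anchored attempt at this offset only
        if m:
            results.append(m.group(0))
    return results


def chars_examined(pattern: str, content: str) -> int:
    """Total characters covered by all reported matches: a proxy for the work done."""
    return sum(len(r) for r in match_results(pattern, content))


if __name__ == "__main__":
    # The page's example: seven overlapping results versus one.
    print(match_results(".*abc", "123456abc"))
    print(match_results("abc", "123456abc"))
    # Constructed longer content: the match count grows with the prefix length
    # and the characters covered grow quadratically.
    long_content = "x" * 1000 + "abc"
    print(len(match_results(".*abc", long_content)), chars_examined(".*abc", long_content))
    print(len(match_results("abc", long_content)), chars_examined("abc", long_content))
```

With 1000 characters in front of "abc", ".*abc" reports 1001 results covering about half a million characters, while "abc" reports a single three-character match; that difference is the memory and performance effect the recommendation above refers to.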
Logical Operators
Expression | Description |
RS | R followed by S (concatenation) |
R|S | Either R or S |
R/S | An R but only if it is followed by S |
(R) | Grouping R |
Shorthand and meta-symbol
eManager provides the following shorthand for writing complicated regular expressions. eManager pre-processes expressions and translates the shorthand into regular expressions.
For example, {D}+ is translated to [0-9]+. If a shorthand expression is enclosed in a bracket expression ([...]) or in double-quotes, IMSVA does not translate that shorthand expression into a regular expression.
Shorthand | Description |
{D} | [0-9] |
{L} | [A-Za-z] |
{SP} | [(),;\.\\<>@\[\]:] |
{NUMBER} | [0-9]+ |
{WORD} | [A-Za-z]+ |
{CR} | \r |
{LF} | \n |
{LWSP} | [ \t] |
{CRLF} | (\r\n) |
{WSP} | [ \t\f]+ |
{ALLC} | . |
eManager also provides the following meta-symbols.
The difference between shorthand and meta-symbols is that meta-symbols
can be within a bracket expression.
Meta-symbol | Description |
\s | [[:space:]] |
\S | [^[:space:]] |
\d | [[:digit:]] |
\D | [^[:digit:]] |
\w | [_[:alnum:]] |
\W | [^_[:alnum:]] |
Literal string and escape character of regular expressions
To match a character that has a special meaning in regular expressions (for example, +), use the backslash \ escape character. For example, to match the string C/C++, use the expression C\/C\+\+.
Sometimes you have to add many escape characters to an expression (for example, C\/C\+\+). In this situation, enclose the string C/C++ in double-quotes (for example, .REG "C/C++"); the new expression is equivalent to the old one. Characters within double-quotes are literal, except \, which remains an escape character. The following are some examples:
Expression | Description |
"C/C++" | Matches the string C/C++ (the double-quotes are not part of the match) |
"Regular\x20Expression" | Matches the string Regular Expression (the double-quotes are not part of the match), where \x20 is the space character |
"[xyz]\"foo" | Matches the literal string [xyz]"foo |
When any of the following appears in a regular expression, write the space adjacent to it as "\x20":
- .AND.
- .OR.
- .NOT.
- .WILD.
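The shorthand table, the rule that shorthand inside a bracket expression or double-quotes is left alone, and the double-quoted literal form from the last two sections, implemented together as an added example in Python. This is not eManager or IMSVA code: it is a hypothetical pre-processor that expands the shorthand listed on this page and turns a double-quoted literal into an escaped regular expression. The shorthand translations are copied from the table above; the handling of escapes other than \", \\ and \xhh inside quotes is an assumption, as are the function names.

```python
import re

# Shorthand translations, copied from the eManager table on this page.
SHORTHAND = {
    "{D}": "[0-9]",
    "{L}": "[A-Za-z]",
    "{SP}": r"[(),;\.\\<>@\[\]:]",
    "{NUMBER}": "[0-9]+",
    "{WORD}": "[A-Za-z]+",
    "{CR}": r"\r",
    "{LF}": r"\n",
    "{LWSP}": r"[ \t]",
    "{CRLF}": r"(\r\n)",
    "{WSP}": r"[ \t\f]+",
    "{ALLC}": ".",
}


def _read_quoted(expr: str, i: int):
    """Read a double-quoted literal; i points just after the opening quote.

    Returns (literal_text, index_after_closing_quote). Inside the quotes only
    the backslash is special: \\" gives ", \\\\ gives \\, and \\xhh gives the
    character 0xhh. Assumption: any other \\c simply yields c.
    """
    out, n = [], len(expr)
    while i < n and expr[i] != '"':
        if expr[i] == "\\" and i + 1 < n:
            if expr[i + 1] == "x" and re.fullmatch(r"[0-9A-Fa-f]{2}", expr[i + 2:i + 4]):
                out.append(chr(int(expr[i + 2:i + 4], 16)))
                i += 4
            else:
                out.append(expr[i + 1])
                i += 2
        else:
            out.append(expr[i])
            i += 1
    if i >= n:
        raise ValueError("unterminated double-quoted literal")
    return "".join(out), i + 1


def _bracket_end(expr: str, i: int) -> int:
    """Index just past the ']' that closes the bracket expression at expr[i]."""
    n, j = len(expr), i + 1
    if j < n and expr[j] == "^":
        j += 1
    if j < n and expr[j] == "]":          # a leading ']' is a literal member
        j += 1
    while j < n:
        if expr[j] == "\\":
            j += 2
        elif expr.startswith("[:", j):    # [:alpha:] and friends contain ']'
            j = expr.index(":]", j + 2) + 2
        elif expr[j] == "]":
            return j + 1
        else:
            j += 1
    raise ValueError("unterminated bracket expression")


def translate(expr: str) -> str:
    """Expand shorthand and quoted literals into a plain regular expression."""
    out, i, n = [], 0, len(expr)
    while i < n:
        c = expr[i]
        if c == "\\" and i + 1 < n:                  # regex escape: keep verbatim
            out.append(expr[i:i + 2])
            i += 2
        elif c == '"':                                # literal string
            lit, i = _read_quoted(expr, i + 1)
            out.append(re.escape(lit))
        elif c == "[":                                # no translation inside [...]
            j = _bracket_end(expr, i)
            out.append(expr[i:j])
            i = j
        elif c == "{":
            m = re.match(r"\{[A-Z]+\}", expr[i:])
            if m and m.group(0) in SHORTHAND:
                out.append(SHORTHAND[m.group(0)])
                i += m.end()
            else:                                     # e.g. the quantifier {3}
                out.append(c)
                i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def matches(expr: str, content: str) -> bool:
    """Search the content with the translated expression."""
    return re.search(translate(expr), content) is not None


if __name__ == "__main__":
    for e in ['{D}{4}-{D}{4}-{D}{4}-{D}{4}', '"C/C++"', '[{D}]', r'"[xyz]\"foo"']:
        print(e, "->", translate(e))
```

Two details are worth noting. The `{4}` after `{D}` is not in the shorthand table and therefore passes through as an ordinary quantifier, so the credit card format from the introduction can be written as `{D}{4}-{D}{4}-{D}{4}-{D}{4}`. And `"{D}"` inside double-quotes becomes the literal text {D} rather than a digit class, which is the untranslated case the text describes.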
Searching for Policies Using an Expression Keyword
Procedure
- Select the Policy Search tab.
- Next to Keyword, specify an expression keyword to search for policies.
- Click Query. A list of policies whose expressions contain the specified keyword appears. The associated expression list and expressions are also shown in the list.