Views:
Malware Scanning uses Trend Micro's virus scan engine to detect emerging threats.

Configuring Malware Scanning

Procedure

  1. Select Malware Scanning.
  2. Configure rule settings.
    Setting
    Description
    Apply to
    (Exchange Online and Gmail only) Select the scope of email messages that Malware Scanning applies to.
    • All messages: means that this policy applies to incoming, outgoing, and internal email messages. Incoming/outgoing email messages are sent from/to non-internal domains.
    • Incoming messages: means that this policy applies only to incoming email messages sent from non-internal domains.
    Note
    Note
    For details about internal domains, see Configuring the internal domain list
    For Exchange Online (Inline Mode), the scope is fixed to Inbound messages for inbound protection and Outbound messages for outbound protection. Inbound messages are sent from outside your organization to an address inside the organization, while outbound messages are sent from your organization to external addresses.
    Files to scan
    • Scan all files, true file types, or specific file types for malware
    • Select whether to leverage the Predictive Machine Learning engine to detect emerging unknown security risks. For details, see About predictive machine learning.
      For a new policy, this check box is selected by default.
    • (Exchange Online and Gmail only) Select whether to scan the message body.
    • Select whether to enable IntelliTrap.
      IntelliTrap helps reduce the risk of viruses that use real-time compression algorithms to bypass network security by blocking real-time compressed executable files and pairing them with other malware characteristics. Because IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider quarantining (not deleting) files after enabling IntelliTrap.
    • Select whether to let Trend Micro collect suspicious file information to improve the detection capabilities of the Advanced Threat Scan Engine and the Predictive Machine Learning engine.
      Note
      Note
      If you enable this option, Trend Micro only checks potentially risky files and encrypts all content before transferring any information.
      For a new policy, this check box is selected by default.
    Enable Predictive Machine Learning
    Select whether to leverage the Predictive Machine Learning engine to detect emerging unknown security risks. For details, see About predictive machine learning.
    For a new policy, this check box is selected by default.
    Scan message body
    (Exchange Online and Gmail only) Select whether to scan the message body.
    Enable IntelliTrap
    Select whether to enable IntelliTrap.
    IntelliTrap helps reduce the risk of viruses that use real-time compression algorithms to bypass network security by blocking real-time compressed executable files and pairing them with other malware characteristics. Because IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider quarantining (not deleting) files after enabling IntelliTrap.
    Allow Trend Micro to collect suspicious file information to improve its detection capabilities
    Select whether to let Trend Micro collect suspicious file information to improve the detection capabilities of the Advanced Threat Scan Engine and the Predictive Machine Learning engine.
    Note
    Note
    If you enable this option, Trend Micro only checks potentially risky files and encrypts all content before transferring any information.
    For a new policy, this check box is selected by default.
    Detect active content in Microsoft Office files
    (Exchange Online only) Select whether to enable and configure actions specifically for email messages that contain active content such as macros in attached Microsoft office files.
    When detecting the presence of supported active content, whether it is malicious, Cloud Email and Collaboration Protection takes the configured action.
    This option applies to uncompressed files in received email messages from external and internal senders.
    In the Action section, you can configure to sanitize the attached file or pass, quarantine, or delete the entire email message upon detection of active content. If Sanitize file is selected, Cloud Email and Collaboration Protection removes the active content from the file and delivers the email message with the sanitized file.
    Note
    Note
    The email message will still go through the other security filters in the same policy.
    If Cloud Email and Collaboration Protection fails to remove the active content, it will take the Pass action, that is, to deliver the email message with the original file to the intended recipient.
  3. Click Action & Notifications.
  4. Configure Action settings.
    Cloud Email and Collaboration Protection protects cloud applications and services by executing specified actions after detecting a file that matches scanning conditions. The action depends on the performed scan, the affected application or service, and the configured actions for that scan.
    • Exchange Online, Exchange Online (Inline Mode) - Inbound Protection, Exchange Online (Inline Mode) - Outbound Protection policies
    Option Description
    Action
    For details about the actions, see Actions available for different services.
    Advanced Options
    Specify the Replacement file name and Replacement text that Cloud Email and Collaboration Protection uses when an unscannable message arrives. Cloud Email and Collaboration Protection replaces the file/text with the configured replacement information.
    Unscannable File Options
    Select actions for password-protected files. Specify replacement text that replaces a file/text for an unscannable message.
    When an email message with password-protected attachments arrives, if Attachment Password Guessing is enabled, Cloud Email and Collaboration Protection first attempts to find passwords in the message to decrypt the attachments for scanning. If no password is found or Attachment Password Guessing is not enabled, Cloud Email and Collaboration Protection treats the attachments as unscannable and perform the action for Password-protected compressed files or Other password-protected files, depending on whether the attachments are compressed.
    • Gmail policies
    Option Description
    Action
    For details about the actions, see Actions available for different services.
    Unscannable File Options
    Select actions for password-protected files.
    When an email message with password-protected attachments arrives, if Attachment Password Guessing is enabled, Cloud Email and Collaboration Protection first attempts to find passwords in the message to decrypt the attachments for scanning. If no password is found or Attachment Password Guessing is not enabled, Cloud Email and Collaboration Protection treats the attachments as unscannable and perform the action for Password-protected compressed files or Other password-protected files, depending on whether the attachments are compressed.
  5. Configure Notification settings.
    Option Description
    Notify administrator
    1. Specify the administrators to notify by selecting a recipient group or specifying individual recipients. You can click Manage recipient groups to edit the members in a group or add more groups.
    2. Specify message details to notify administrators that Cloud Email and Collaboration Protection detected a security risk and took action on an email message, attachment, or file.
    3. Set the notification threshold which limits the number of notification messages to send. Threshold settings include:
      • Send consolidated notifications periodically: Cloud Email and Collaboration Protection sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).
      • Send consolidated notifications by occurrences: Cloud Email and Collaboration Protection sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.
      • Send individual notifications: Cloud Email and Collaboration Protection sends an email message notification every time Cloud Email and Collaboration Protection performs a filtering action.
    Notify User
    Exchange Online and Gmail: Specify message details that notify recipients that Cloud Email and Collaboration Protection detected a security risk and took action on their email message or attachment.
    SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Specify message details that notify the user who updated a file that Cloud Email and Collaboration Protection detected a security risk and took action on their file.
    Teams Chat: Cloud Email and Collaboration Protection does not provide this option. When a chat message was blocked, a notification "This message was blocked." provided by Microsoft appears in the sender's private chat window. Message senders can click What can I do? to view more information about the blocked messages.
    Note
    Note
    When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token list.
  6. Click Save or select another policy configuration on the left navigation to continue with additional rules.

About predictive machine learning

Trend Micro Predictive Machine Learning uses advanced machine learning technology to correlate threat information and perform in-depth file analysis to detect emerging unknown security risks through digital DNA fingerprinting, API mapping, and other file features. Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified threats and zero-day attacks.
After detecting an unknown or low-prevalence file, Cloud Email and Collaboration Protection scans the file using the Advanced Threat Scan Engine to extract file features and sends the report to the Predictive Machine Learning engine. Through use of malware modeling, Predictive Machine Learning compares the sample to the malware model, assigns a probability score, and determines the probable malware type that the file contains.