Configuring the conditions of a content filtering rule

Article:HOWTO53011  |  Created: 2011-05-16  |  Updated: 2014-07-21  |  Article URL http://www.symantec.com/docs/HOWTO53011
Article Type
How To




A content filtering rule consists of one or more conditions that you define. For example, a condition might be that an email subject line contains one or more words from a subject line match list. A rule can optionally contain one or more exceptions.

Mail Security uses OR ("Match any term") and AND ("Match all terms") conditions to create a framework in which to evaluate email messages, or email messages and their attachments. By default, content filtering rules are set to "Match any term" for the entries in the Content list. This means that the rule triggers a violation if any of the entries are present and all of the other criteria that you configured are met. If you check "Match all terms," the rule triggers a violation only if all of the items in the Content list are present and all other rule criteria that you configure are met. "Match any term" is the only condition available for the entries in the Unless list.

The figure "Content filtering rule tab" shows the rule elements that you can configure on the content filtering rule tab.

Figure: Content filtering rule tab

The table "Elements of a content filtering rule" describes the rule elements that you can configure on the content filtering rule tab.

Table: Elements of a content filtering rule

Rule condition

Description

Name

Lets you provide a unique name for the content filtering rule that you can easily identify in the list of rules and in reports in the event log.

Description

Lets you provide a unique description for the content filtering rule. The description should provide enough detail to remind you what the rule is configured to detect.

Message part to scan

Lets you specify the part of the email message that you want Mail Security to scan for violations.

Use the "Message part to scan" drop-down list to choose from the following message parts:

  • Message Body

  • Subject

  • Sender

  • Attachment Name

  • Attachment Content

Note:

When the message part to scan is Attachment Name, Mail Security does not evaluate the file names that are inside a container file, for example, the compressed files in a .zip file.

See What you can do with content filtering rules

See About creating a content filtering rule

Apply rule to

Lets you specify the messages to which you want the rule to apply. You can choose to apply the rule to any combination of inbound, outbound, or internal messages. You must select at least one of these options.

The default setting is Internal messages.

The "Apply rule to" element only applies to auto-protect scanning. Manual and scheduled scans automatically scan internal messages.

Match type

Lets you determine how words and phrases in the Content list and Unless list are interpreted.

Note:

The content filtering rule "Match type" element does not determine how the match lists that you use in the Content list and Unless list are interpreted. A match list can have a different match type than the content filtering rule.

The Match Type options are as follows:

  • Literal string: Matches the exact text in the Content and Unless lists

  • Regular expression: Matches patterns of text using symbols and syntactic elements

  • Wild cards: Specifies file names using wild card-style expressions

Options

Lets you select from the following match options:

  • Whole term: Applies the rule only if the exact term in the Content list and Unless list or match list is found.

  • Case: Applies the rule only if the exact term is in the same case as in the Content list and Unless list or in the match list. For example, if you type ACME in the Content list, a message that contains the word Acme will not trigger a violation.

Content Pane

Contains

Lets you specify the Contains condition for a content filtering rule.

The Contains conditions are as follows:

  • Contains: The message part to scan contains the terms in the Content list.

  • Does not contain: The message part to scan does not contain the terms in the Content list.

  • Equals: The message part to scan equals the terms in the Content list.

  • Does not equal: The message part to scan does not equal the terms in the Content list.

The Equals and Does not equal options only apply to the Subject, Sender, and Attachment Name message parts.

Add match list

Lets you specify a match list to use in your content filtering rule. You can also create a new match list or edit an existing match list.

Using a match list in a content filtering rule is optional.

Match any term

Lets you evaluate the specified message part for any term contained in the Content list.

For example, assume the Content list contains the terms: free, confidential, and money. If Mail Security detects any one of these terms in the specified message part, it triggers a violation.

Match all terms

Lets you evaluate the specified message part for all of the terms contained in the Content list.

The "Match all terms" option is only available to use with the terms in the Content list.

For example, assume that the Content list contains the terms: free, confidential, and money. Mail Security must detect all of these terms in the specified message part to trigger a violation.

Content list

Lets you specify the words or phrases for which you want to evaluate the specified message parts.

The format of the terms that you type in the Content list should mirror that of the match type that you select. For example, if you select literal string from the match type list, format your Content list entries as literal strings.

Attachment size is

Lets you specify "Attachment size is" as a condition of the content filtering rule. The "Attachment size is" option can be applied to all message parts to scan, except message body. You can also use "Attachment size is" by itself if you want Mail Security to detect attachments of a certain size.

When you select the sender or subject message parts and the "Match any term" or "Match all terms" conditions, the rule action is applied to the message or the attachment based on the violation that is detected.

For example, assume that you have specified Sender, chosen the "Match any term" condition, and set "Attachment size is" to = 2MB. Since Mail Security scans messages in parts, if there is a Sender match, dispositions are applied to the message body and the attachment. If the attachment size is the only match, the disposition only applies to the attachment.

Assume for the same example that you change the condition to "Match all terms." Mail Security applies a disposition to the attachment only if it detects all of the terms in the Content list AND the specified attachment size.

Unless Pane

Contains

Lets you specify the Contains condition for a content filtering rule.

The Contains conditions are as follows:

  • Contains: The message part to scan contains the terms in the Unless list.

  • Does not contain: The message part to scan does not contain the terms in the Unless list.

  • Equals: The message part to scan equals the terms in the Unless list.

  • Does not equal: The message part to scan does not equal the terms in the Unless list.

The Equals and Does not equal options apply only to the Subject, Sender, and Attachment Name message parts.

Add match list

Lets you specify a match list to use in your content filtering rule Unless condition. You can also create a new match list or edit an existing match list.

Using a match list is optional.

Unless list

Lets you create exceptions to content filtering rules. You can add words and phrases to the Unless list which Mail Security evaluates as exceptions to the content filtering rule.

All entries in the Unless list are automatically designated with the "Match any term" (OR condition) option.

The format of the terms that you type in the Unless list should mirror that of the match type that you select. For example, if you select Literal string from the Match Type menu, you should format your Unless list entries as literal strings.

Or attachment size

Lets you specify "Attachment size is" as a condition of the content filtering rule. The "Attachment size is" option can be applied to all message parts to scan, except message body. You can also use "Attachment size is" by itself if you want Mail Security to detect attachments of a certain size.

When you select the sender or subject message parts, the rule action is applied to the message or the attachment based on the violation that is detected. All Unless conditions are applied as OR conditions between the message part and the attachment, and the "Match any term" condition always applies to all Unless conditions.

For example, assume that you have specified Sender and set "Attachment size is" to = 2MB. Since Mail Security scans messages in parts, if there is a Sender match, dispositions are applied to the message body and the attachment because "Match any term" makes this rule an OR condition. However, if the attachment size is the only match, the disposition only applies to the attachment.
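The following added example models the matching logic from the table above so that a rule can be checked against sample text before it is deployed. It is not Symantec code: the function names are hypothetical, and Python's re and fnmatch stand in for Mail Security's regular expression and wild card syntax. It assumes that "Whole term" means the term must stand alone as a word, that matching ignores case unless "Case" is checked, and that any Unless match suppresses the violation.

```python
import re
from fnmatch import fnmatchcase

def term_matches(term, text, match_type="literal", whole_term=False, case=False):
    """True if one Content/Unless entry matches the scanned message part."""
    if match_type == "wildcard":              # file-name style pattern
        if not case:
            term, text = term.lower(), text.lower()
        return fnmatchcase(text, term)
    pattern = term if match_type == "regex" else re.escape(term)
    if whole_term:                            # assumed: term must stand alone
        pattern = r"(?<!\w)(?:" + pattern + r")(?!\w)"
    return re.search(pattern, text, 0 if case else re.IGNORECASE) is not None

def rule_triggers(text, content, unless=(), match_all=False, **opts):
    """Content list is OR by default, AND with match_all; Unless is always OR."""
    hits = [term_matches(t, text, **opts) for t in content]
    content_hit = bool(hits) and (all(hits) if match_all else any(hits))
    excepted = any(term_matches(t, text, **opts) for t in unless)
    return content_hit and not excepted

def attachment_name_violations(attachments, content, **opts):
    """Attachment Name scanning: only top-level names, never container members."""
    return [a["name"] for a in attachments
            if rule_triggers(a["name"], content, **opts)]

# Constructed sample data (not taken from a real message).
TERMS = ["free", "confidential", "money"]     # the article's example Content list
ATTACHMENTS = [{"name": "report.zip", "members": ["setup.exe"]},
               {"name": "Tool.EXE", "members": []}]

if __name__ == "__main__":
    print(rule_triggers("Free money inside", TERMS))                  # any term
    print(rule_triggers("Free money inside", TERMS, match_all=True))  # all terms
    print(rule_triggers("Free money newsletter", TERMS, unless=["newsletter"]))
    print(attachment_name_violations(ATTACHMENTS, ["*.exe"], match_type="wildcard"))
```

The last call reports only Tool.EXE: the file inside report.zip is never compared against the rule, which is the container-file limitation noted under "Message part to scan".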

To configure the conditions of a content filtering rule

  1. In the console on the primary navigation bar, click Policies.

  2. In the sidebar under Content Enforcement, click Content Filtering Rules.

  3. Do one of the following:

    Create a rule

    In the sidebar under Tasks, click New rule.

    Modify an existing rule

    In the content area, double-click the rule that you want to edit.

  4. On the Rule tab, define the conditions for the content filtering rule.

    See Table: Elements of a content filtering rule for a description of the content filtering rule conditions.

  5. Do any of the following:



Legacy ID: SMSID0EARAI_v59319968

