The Always Trigger the Rule clause specifies that the content rule must always be triggered.
| You cannot edit this clause. |
The Analyze Properties clause looks for a Document Properties expression list in attached files and documents. These lists match specific string values with specific document properties. See About Document Properties for more information.
| The Analyze Properties clause is used in the Analyze Properties content rule template. |
The Bypass Rule clause enables you to bypass sanitization or redaction on a content rule for any signed document. Sanitization or redaction will not be attempted on signed documents if the Bypass Rule for signed documents check box is selected.
Bypass Rule applies to the following content rules:
- Redact Text
- Sanitize Active Content
- Sanitize Document Content
| Bypass Rule only affects signed documents. The |
The Cryptographic Failure clause looks for instances where encryption or decryption has failed.
You can configure the clause to trigger:
- If a message cannot be encrypted
-
If a message cannot be decrypted
| The Cryptographic Failure clause is used in the Encryption or decryption fails content rule template. |
The Data Transfer Restriction clause identifies large file transfers and excludes them from content scanning.
You can configure the threshold value. File transfers which are larger than this threshold value will not be scanned.
The default threshold value is 2,040 MB (2GB).
The Detect Malformed Data content rule enables you to handle transactions that might include malformed data. For example, you might want to block any downloads identified as containing 'malformed data'.
| The Detect Malformed Data content rule operates on selected Media Types. You can exclude or include certain types (such as PDF) using a combination of Detect Malformed Data content rules. |
The Digital Signature Validation clause looks for digital signatures. You can configure the clause to look for instances where:
- The transaction Does not have a digital signature
A digitally-signed message proves to the recipient that you, not an imposter, signed the contents of the message, and that the contents have not been altered in transit. - All the digital signatures are valid
- At least one digital signature is valid
-
There is an issue with a digital signature.
You can specify the clause to look for the conditions where the Signature is NOT valid and/or the Signature is unknown.
The Direction clause looks for data that is either entering or leaving your organization. You can use this clause to restrict a content rule to search for outbound or inbound items.
You can configure a content rule to apply, where the item was detected...
- either leaving or entering the company
- leaving the company (uploading)
- entering the company (downloading)
The Document Properties clause looks for information contained in the meta-data of an attachment or document. You can use this clause to scan a file for user information, revision history, subject matter or any custom document properties belonging to a file.
| Category | Description | Microsoft Office | Libre Office | Adobe PDF | JPEG |
|---|---|---|---|---|---|
| Previous Revision History | Document history such as tracked changes | Revision history | Revision history | Review |
- |
| Subject Matter | Document properties such as Title, Subject and Keywords | Categories, Comments, Status, Subject, Tags, Title | Comments, Keywords, Subject, Title | Keywords, Subject, Title | Title, Description, Keywords, Subject |
| User Information | Properties identifying an individual, such as Author or Owner | Author, Company, Last modified by (user), Manager | Created (user), Last printed (user), Modified (user) | Author | Artist, Author, Company, Writer/Editor |
| Infrastructure Information | Properties containing environmental information, including printer information | Template, printer information | Application, Producer, printer information | Application, Producer | Creator, Producer, Program Version |
| Miscellaneous Information | Standard application properties that are not relevant to a specific category | Created (date), Last modified (date), Last printed (date), Revision number |
Created (date), Last printed (date), Modified (date), Revision number, Total editing time |
Created (date), Modified (date) | Creation Date, Copyright, Language, Unique ID |
| Rogue Properties | Properties that are either malformed or found in an unexpected location | Various | Various | Various | Various |
| Custom Properties | Properties created by the author using a facility within the authoring tool. | Various | Various | Various | Various |
| Comments | User comments added by reviewers or document owners | Comments | Comments | Comments | User comments, keywords |
| Location | GPS Location information added to a JPEG image by a device | - | - | - | Location information |
Download Size Restriction
The Download Size Restriction clause specifies the maximum size of files that can be downloaded.
You can configure the size limit by entering a value in Download Size Restriction clause. The default value is 2MB. If a download exceeds the size limit, the download will be aborted.
You can:
-
Scan any combination of the following parts of a transaction:
For a mail message:
- The message body
- The subject line
-
The attachments matching the conditions in the other clauses
-
Specific message header(s)
-
Content
For a web transaction:
- HTTP Headers
- Request URL
-
Content
For each of the message parts (including each separate attachment) the content rule considers the parts separately.
- Select an expression list.
-
Create a new expression list.Show me how...
- Click the Expression list drop-down menu.
- Select (Create a new expression list).
- Save.
- Click Policy > Lexical Expressions. Your new list has been added to the available lexical expression lists.
-
Select and click Edit to rename and configure the new expression list.
For more information, see Working with Lexical Expressions.
-
Select a Trigger value for your expression list. This determines how the content rule measures the weight of detected expressions.
- Greater than or equal - The rule will trigger if the Threshold (specified by the expression list) is matched or exceeded.
- Less than and no forced triggers - The rule will trigger if the Threshold is neither matched nor exceeded.
-
Apply any combination of the following Document options (where applicable) to scan any Microsoft Office or LibreOffice documents:
- Scan body
- Scan header and footer
- Scan properties
- Scan comments
- Scan embedded script
By default, the content rule considers each document part separately. For example, if a detected term with weight +6 appears in the body and the header of the document, the total weight = +6.
The Malware Outbreak Detection clause identifies messages that potentially contain malware. You can Enable Detection on a Detect Virus content rule. You can then configure the content rule to discard or hold the message in a message area.
|
This feature is only available on the Clearswift SECURE Email Gateway. |
Message has Failed to be Processed
The Message has Failed to be Processed clause looks for messages which have failed to be processed by the
| You cannot edit this clause. |
The Message Size Restriction clause measures the size of a message and triggers the content rule if the whole message violates the size limit.
Size Restriction is often used in conjunction with the Which Media Types clause. An example of this combination is a content rule which detects large image files.
| Use the Message Size Restriction clause to deliver oversized messages at off-peak times by combining it with a Scheduled Message Release. This helps to minimize bandwidth during core operating hours. |
You can:
- Configure a size limit between 0 and 2 GB.
-
Configure the size limit as either a maximum or a minimum value. For example, applying a restriction of 1,000,000 KB or more detects messages smaller than 1 GB.
The Real-time Categorization clause checks the content of uncategorized sites in real-time. If the current policy allows access to uncategorized sites, this clause provides additional protection. You can select the categories to be detected.
| All categories detect English content. However, the 'Pornography' category also looks for content in any of the following languages: Chinese, Czech, Danish, Dutch, Finnish, French, German, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Russian, Spanish, Swedish and Turkish. |
Request or response has failed to be processed
The Request or Response has Failed to be Processed clause looks for failures to process a request or a response by the policy engine. The content rule can be configured to generate an inform or block the communication in a controlled manner.
Restrict the Number of Attachments
The Restrict the Number of Attachments clause looks for messages which include more than a specified number of attachments. You can restrict the number of attachments to a number between 0 and 100. For example, if you configure the value to 5, the clause looks for messages with 6 or more attachments.
| The Restrict the Number of Attachments Clause is used in the Attachment Count Restriction content rule template. |
The Run External Command clause looks for details of the executable program that the Gateway is to run. See Triggering the Run external command content rule for more information on this clause.
The Search Request Detection clause looks for requests made to a SafeSearch capable site.
| This clause is specifically designed to identify search requests to Google, Yahoo! and Bing. You cannot edit this clause. |
The Spam Detection clause uses SpamLogic to look for indicators of spam contained in a message. Spam Logic uses several methods to detect spam.
You can configure the clause to trigger when spam is detected by any of the following methods:
- Bad reputation returned by TRUSTmanager
- Real-time IP Blocklist
- Spoof Detection
- BATVBounce Address Tag Validation Address Validation
- DMARCDomain-based Message Authentication, Reporting & Conformance Reject
-
DMARC Quarantine
- SPFSender Policy Framework Hard Fail
- SPF Soft Fail
- DKIMDomainKeys Identified Mail Hard Fail
- DKIM Soft Fail
- Confirmed Junk Email
- Suspected Junk Email
The Spyware Call Home clause looks for any existing spyware which is attempting to 'call home' by contacting computers outside your organization.
| You cannot edit this clause. |
The Spyware Detection clause looks for inbound spyware inside HTTP or Browser FTP connections.
The spyware defense uses a database of unique signatures that are used to identify particular types of spyware.
| You cannot edit this clause. |
The Tracking Cookie Detection clause looks for cookies which track spyware in traffic in and out of your organization.
| You cannot edit this clause. |
The Unacceptable Images clause looks for messages which are classified as unacceptable by ImageLogic.
ImageLogic rates the acceptability of each image it scans by assigning it a score based on its content. Higher scores are considered to be less acceptable than lower scores. Images scoring higher than a certain threshold value are considered unacceptable and the appropriate action (typically quarantine) is applied by the content rule.
You can configure the threshold value for ImageLogic by doing either of the following:
- Use the default threshold of (default value).
- Enter a threshold of (user-defined value between 0 and 100).
The Virus Detection clause searches for viruses in a message using virus types.
| You cannot edit this clause. |
When Message is Missing a Manager
The The message is missing a manager clause looks for messages which have been sent without including the sender's manager in the list of recipients. You can configure the clause to add exceptions.
You can configure the clause to ignore messages where the sender:
- Does not have a manager.
- Is not in the manager relationships list.
The clause can also be configured to detect messages with attachments. You can configure the The message is missing a manager clause to:
- Ignore if sender has not included an attachment.
The Which Media Types clause looks for selected media types in a message.
You can:
- Include all media types. Selects all currently detectable media types.
- Include selected media types. You can select individual media types, or categories.
- Exclude selected media types. You can exclude individual media types, or categories.
For a mail message you can also:
- Include the media type of the message body. Scans only the body of the top level message and ignores any attached messages.
- Include media types within attachments. Scans for media types contained within attachments such as ZIP files.
|
For most content rule types, you can include individual media types, or categories such as Documents, Image Types or Compressed Files. The Analyze Properties content rule restricts this list to Documents only. |
The Filename clause looks for specific filenames using pre-configured Filename Lists. Filename Lists consist of filename identifiers you might want the
|
To find out more about creating or modifying a list of filenames, see the topic About Filename Lists.