Detect and archive emails containing attachments such as Word documents or zip files in InterScan Messaging Security products.
InterScan Messaging Security scans the file attachment inside the email when the Attachment Filter option is enabled. To enable the Attachment Filter:
- Log in to the console of your InterScan Messaging Security product.
- Go to Policy > Policy List > Add > Others to create a new policy.
- Under Step 1: Select Recipients and Senders, choose your preferred policy route type from the "This rule will apply to" dropdown list:
  - incoming messages
  - outgoing messages
  - both incoming and outgoing messages
  - all messages
- Specify the recipients and senders based on the selected policy route type:
  - For incoming messages, specify the recipient's address, which must be within the range of the internal addresses. For example, if the internal address is imsstest.com, valid recipients include email@example.com, firstname.lastname@example.org.
  - For outgoing messages, specify the sender's address, which must be within the range of the internal addresses. For example, if the internal address is imsstest.com, valid senders include email@example.com, firstname.lastname@example.org.
  - For both incoming and outgoing messages, the rule applies to senders or recipients that match the mail address. Use the asterisk wildcard when specifying an email address.
  - For POP3, the route cannot be configured because it applies to all POP3 routes.
  - For all messages, the rule applies to messages from any sender to any recipient.
- Click Next.
- Under Step 2: Select Scanning Conditions, select the True file type check box, the Name or extension check box, or both, in the Attachment section to filter Word documents and ZIP files.
- Click the True file type link. Tick the Microsoft Word and ZIP check boxes. Click Save. If you need to select other file types, you can do so in this section.
- Click the Name or extension link.
- Tick the File extensions to consider scanning (more commonly exchanged) option and select Word documents.
- Click Save.
- Select Next.
- Under Step 3: Select Actions, choose Do not intercept messages to let the matching emails pass, but tick Archive modified to, which makes an archive copy that can be downloaded later.
- Choose Next.
- Under Step 4: Name and Order, fill out the Rule Name and Order Number fields for this rule.
- Click Save.
For the Order Number, place this rule right after the Global Antivirus rule or after the rule specified in this KB article.
With this approach, if any Word or ZIP files go undetected, this rule performs the archive action, and the email sample can be downloaded and submitted to Trend Micro Support for further investigation.
To download quarantined emails from this rule, go to Mail Areas & Queues > Query, type the name of the rule you created, adjust the date range if necessary, and select Display Log.
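
The Step 2 choice between True file type and Name or extension determines which attachments the rule archives. The sketch below is an added illustration, not InterScan Messaging Security code or its detection logic: it classifies constructed samples by content signature and by file name to show where the two conditions disagree. The function names, the extension list, and the sample files are assumptions.

```python
import io
import os
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy Office container (.doc, also .xls/.ppt)
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")     # local file header / empty archive
FILTERED_EXTS = {".doc", ".docx", ".zip"}       # assumed extension list for this sketch

def true_file_type(data: bytes) -> str:
    """Classify an attachment by content only; the file name is ignored."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGICS):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # A .docx is a ZIP container holding word/document.xml
                return "docx" if "word/document.xml" in zf.namelist() else "zip"
        except zipfile.BadZipFile:
            return "zip"  # ZIP signature but damaged or truncated
    return "other"

def evaluate(name: str, data: bytes) -> dict:
    """Report which of the two scanning conditions would match."""
    ext = os.path.splitext(name)[1].lower()
    return {"true_file_type": true_file_type(data) != "other",
            "name_or_extension": ext in FILTERED_EXTS}

def build_zip(members: dict) -> bytes:
    """Build a small in-memory ZIP for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in members.items():
            zf.writestr(path, body)
    return buf.getvalue()

# Constructed samples (not real mail attachments)
DOCX = build_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
SAMPLES = {
    "report.docx": DOCX,                        # honest name and content
    "invoice.txt": DOCX,                        # Word document renamed to .txt
    "notes.doc": b"plain text, not Word",       # Word extension, text content
    "backup.zip": build_zip({"a.txt": "hello"}),
    "legacy.bin": OLE2_MAGIC + b"\x00" * 504,   # OLE2 header under a neutral name
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {evaluate(name, data)}")
```

A renamed attachment such as invoice.txt matches only the content check, while notes.doc matches only the name check, which is why selecting both conditions gives the widest archive coverage.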