Attachment Filtering settings

With the help of the Attachment Filtering protection module, you can filter attachments in your company mailboxes.

Attachment Filtering is a feature that scans files attached to email messages. This feature allows you to control external and internal file exchange within your Exchange Online. If Attachment Filtering is enabled, Kaspersky Security for Microsoft Office 365 scans messages for files that match the specified filtering criteria and applies the action that you predefine in the settings.

When creating a security policy, you can specify the Attachment Filtering settings.

Attachment types to be detected

In the Attachment types area, configure the types of files to be detected by the application:

Detect files of the following formats
This option allows you to filter attached files according to the specified file formats.

To recognize the format of an attached file, the application analyzes the structure of the file. As a result, the specified file formats are detected even if the extension of an attached file does not match the actual type of the file (for example, if the extension has been changed intentionally).

By default, all file formats are disabled. To enable file formats:
1. Select the Detect files of the following formats check box.
2. Click the Select button under the check box.
  The File formats window opens.
3. Select the file formats that you want to filter.
4. Click Save.
Detect files matching the following masks
This option allows you to filter attached files according to the specified file names and/or file name masks.

By default, file masks are not specified. To specify a file name or a file mask:
1. Select the Detect files matching the following masks check box.
2. Click the Select button under the check box.
  The File masks window opens.
3. Enter a file name or mask in the Specify a file mask entry field and click the Plus () button.
  Examples of permitted file name masks:
  - *.txt—all files with the .txt extension, for example, readme.txt or notes.txt.
  - readme.???—all files named readme with an extension of three characters, for example, readme.txt or readme.doc.
  - test—all files named test without an extension.
4. To remove an entry from the list, click the Delete () button next to this entry.
5. Click Save.
Detect Microsoft Office files containing macros
This option allows you to filter attached Microsoft Office files that contain macros.

To determine whether an attached file contains a macro, the application analyzes the structure of the file. As a result, files with macros are detected even if the extension of an attached file does not match the actual type of the file (for example, if the extension has been changed intentionally).

By default, this option is disabled. To enable this option, select the Detect Microsoft Office files containing macros check box.
Detect protected files
This option allows you to filter attached password-protected files.

By default, this option is disabled. To enable this option, select the Detect protected files check box.

Actions to be taken by the application

In the Action area, specify what the application must do with messages in which it detects the specified attachments:

Delete and quarantine message
The whole message is deleted from the user mailbox and moved to Quarantine.
Delete and quarantine attachment
If the application detects an attached file matching the filtering criteria, the application removes this file only. The rest of the message remains unchanged in the user mailbox. A message copy containing the original attached file is placed in Quarantine. In this case, the removed attachment is replaced with a text file that informs the user about the action taken by the application.

The replacement file also contains the list of attachments matching the filtering criteria and those that were filtered out. If an attachment matching the filtering criteria is detected inside of an archive, the application applies the configured action to the whole archive.
Allow through
The message remains unchanged in the user mailbox.
Tag the subject
You can add a custom tag to the subjects of affected messages. If necessary, change the tag in the entry field under the Tag the subject check box.

This option is available for the Delete and quarantine attachment and Allow through actions.
File replacement template
You can customize the file replacement template:
1. Click the Edit replacement file button.
  The Replacement file template window opens.
2. Edit the template contents in the Message text field. For example, the text can include instructions or other information relevant to employees of your organization.
3. If you want to restore the default template, click the Reset button.
4. Click Save.
In your custom template, you can keep using the variables included in the default template.
- %DETECTED_FILES%. The list of files matching the filtering criteria detected in the message attachment.
- %REMOVED_ATTACHMENTS%. The list of files actually filtered out by the Attachment Filtering module.
This option is available for the Delete and quarantine attachment action only.

Notifications

In the Notifications area, configure notifications that will be sent automatically:

Notify administrators about detections
This option allows you to enable and configure notifications about detected items. By default, notifications are disabled.

To enable and configure notifications:
1. Select the Notify administrators about detections check box.
2. Click the Select button to add recipients.
  The Notification for administrators window appears.
3. Enter the email addresses of the notification recipients.
  You can specify up to 25 email addresses.
4. Click the Plus () button.
  The selected email addresses will be displayed under the Specify email address field.
5. To delete an email address from the list, click the Delete () button in the row.
6. Click Save.
  The list of addresses is saved. The notifications will be sent to the specified addresses.
Notify mailbox owner about deleted messages
This option allows you to notify the user from whose mailbox an entire message was deleted. By default, notifications are disabled.

To enable and configure notifications:
1. Select the Notify mailbox owner about deleted messages check box.
2. If necessary, adapt the notification template to comply with the requirements of your corporate security policy:
  1. Click the Edit notification template button.
    The Notification template window opens.
  2. Edit the Subject and/or Body fields.
  3. If you want to restore the default template, click the Reset button.
  4. Click Save.
  In your custom template, you can keep using the variables included in the default template to provide the user with detailed information about the deleted message.
  
  Notifications to mailbox owners are sent on behalf of the Security Service, which will be indicated in the From field of the corresponding email message. You cannot send a reply to this sender.
  
  %FROM%. Message sender.
  
  %TO%. Message recipients, including carbon copy ones.
  
  %SUBJECT%. Message subject.
  
  %FOLDER%. Mailbox folder where the message was detected.
  
  %MSG_TIME%. The receipt date and time for incoming messages, the date and time when the message was sent for outgoing messages, and the draft creation date and time for drafts. The time zone specified in the application settings is applied.
  
  %DETECTED_FILES%. List of files detected in the message attachment.
This option is available for the Delete and quarantine message action only.

Allowlist

In the Allowlist area, configure allowed senders and files to be skipped from processing.

Allow files matching the following masks
This option allows you to configure allowed files. Files that match the specified masks will be skipped from processing.

To configure allowed files:
1. Select the Allow files matching the following masks check box.
2. Click the Select button.
  The Allowed file masks window opens.
3. To specify a file name or a file mask, enter it in the entry field and click the Plus () button.
  Examples of permitted file name masks:
  - *.txt—all files with the *.txt extension, for example, readme.txt or notes.txt.
  - readme.???—all files named readme with an extension of three characters, for example, readme.txt or readme.doc.
  - test—all files named test without an extension.
4. To remove an entry from the list, click the Delete () button next to this entry.
5. Click Save.
Allow messages from the following senders
This option allows you to configure allowed senders. These senders are considered trusted and messages from them are skipped from processing.

To configure allowed senders:
1. Select the Allow messages from the following senders check box.
2. Click the Select button.
  The Sender allowlist window opens.
3. Click the Add sender button.
  The Add a sender to the allowlist window opens.
4. In the Specify a complete email address or a mask entry field, provide an email address or several email addresses that should be added to the allowlist separated by semicolons or line breaks.
  If you want to allow several senders at once, you can use masks. For instance, if you specify the *@example.com mask, the allowlist contains all email addresses from the @example.com domain. You can also copy and paste a list of email addresses / masks separated by semicolons or line breaks in the entry field.
  
  Representation of a file name using wildcards. The standard wildcards used in file masks are * and ?, where * represents any number of any characters and ? stands for any single character.
5. Click Validate.
  The provided email addresses / masks are displayed in the list.
  
  If the email addresses / masks are entered incorrectly, they are displayed in the list in a red font, and you must introduce changes to save them.
6. Click Save to save the list of provided addresses / masks.
7. If you want to delete an email address / mask from the list:
  1. Click the Delete () button next to the email address / mask.
  2. Click Save.

Page top