Editing inbound or outbound rules

The majority of the antivirus functionality is the same for inbound and outbound email. Field descriptions are provided below.

Virus

Check this box if you want viruses to be quarantined when detected. Viruses are software programs capable of reproducing themselves and usually capable of causing great harm to files or other programs on the computer.

Phishing

This option is applicable to inbound email only. Define whether suspected phishing messages should be quarantined, or allowed with suspicious URLs replaced by a link to a block page that you specify.

To set up block pages for phishing messages, see Configure block and notification pages.

To bypass phishing checks for certain users, domains, or groups, click Phishing Exceptions. See Antivirus exceptions.

Content

Filter active HTML content

This ThreatSeeker Intelligence feature automatically analyzes HTML inside messages and disables any potential dangerous content (by disabling specific HTML tags). You can define how strictly the system applies this security feature. Available settings are:


Setting	Description
Low	Disable embedded scripts (<SCRIPT> and <OBJECT> tags) and disable unknown HTML tags that are deemed to be potentially dangerous.
Medium	As Low but also disable "Web bugs" (URLs that are referred to inside a message, excluding links to images) and HTML styles that contain code.
High	As Low but disable all "Web bugs" and all HTML styles.
Very high	Extremely strict: as High, but this also disables all hypertext links to protect against a number of known vulnerabilities in common email clients.

The recommended setting is Medium; setting the level higher than this may cause messages to display too poorly for general users.

Block potentially malicious macros

This feature looks for potentially malicious macros in common Microsoft Office document formats. By changing the sensitivity, you can control how suspicious Forcepoint ThreatSeeker Intelligence is when it carries out its analysis. We recommend setting this to High initially. You may need to amend this setting if you find that a lot of documents just over the threshold are being quarantined. Documents containing known viruses are quarantined by the antivirus engines, regardless of this setting.

Strict checks on message structure

This feature runs a set of structural checks on email messages to determine whether they conform to an accepted structure. For example, one of the attachment checks would quarantine a MIME attachment with a filename that ends in a period but has no file extension (such as "attachment1."). Messages with a malformed message structure can be a potential attack vector.

This option is disabled by default. We recommend leaving it disabled unless you are running an old mail client that may be vulnerable to malformed email messages, or if you are performing penetration testing on your messages. Enabling this feature may result in false positives.

Encrypted Messages

An encrypted email message must be decrypted before it can be analyzed for viruses. Since the cloud service does not have access to the necessary decryption key, it cannot analyze an encrypted message. Similarly, the contents of a password-protected archive file attachment such as ZIP or RAR cannot be analyzed, because the password is unknown. To protect against the possibility of virus infection, Forcepoint Email Security Cloud allows such messages to be quarantined. Administrators can open quarantined messages later in a secure environment.

Select the Quarantine all messages containing encrypted archive files checkbox to quarantine emails with password-protected archive files attached (such as ZIP or RAR files).

Select the Quarantine all encrypted messages checkbox to quarantine encrypted email messages (such as those using PGP or S/MIME encryption). This setting also quarantines emails with password-protected PDF files or Microsoft Office files (such as DOC or DOCX) attached.

Encrypted Message Bypass

Encrypted Message Bypass is used to override the encrypted message settings for specific sender/recipient, domain, and group.

To enable the bypass setting:

Navigate to the Antivirus tab and click Encrypted Message Bypass.

Click Add to add a new rule.

Enter a name in the Name field.

Enter the sender email address, domain, or group in the Sender field.

Enter the recipient email address, domain, or group in the Recipient field.


	Note Accepted values for Sender and Recipient fields are , a single email address, a single domain, or a single group. The character can be used to apply the rule to any address. Include all addresses for a domain by using *@domain.com. For the Inbound policy, the group option is available for the Recipient field, and for the Outbound policy, the group option is available for the Sender field. Email addresses are case sensitive. Ensure email addresses are added using lowercase.

Enter the description in the Description field.

Toggle the State switch to ON to enable the rule.

Click Save.

Executables

To protect against the possibility of virus infection, Forcepoint Email Security Cloud allows you to quarantine messages whose contents appear to contain scripts or executables, or with attachments with potentially dangerous file extensions. Administrators can view quarantined messages later in a secure environment.

Select Quarantine messages containing scripts and executables to quarantine emails containing scripts and executable file attachments (such as EXE or BAT files).

Select Deliver all containing scripts and executables to allow email messages containing scripts and executable files.

To allow executables for certain users, domains, or groups, click Executable Exceptions. See Antivirus exceptions.


	Warning Forcepoint Email Security Cloud uses commercial antivirus (AV) engines to identify known viruses, and its own ThreatSeeker Intelligence technology to identify viruses for which AV vendors have not yet released a patch. However, even with multiple layers of protection, it is impossible to predict the types of exploit that may become available to malicious actors. We recommend that, where possible, email containing executable attachments be quarantined. If this is not appropriate for all users, best practice is to enforce this policy globally and use the Executable Exceptions option for specific users.

Quarantining messages containing scripts and executables

If you choose to block scripts and executables, messages containing any file whose contents appear to be executable are blocked, along with those with the following potentially dangerous file extensions: A6P, AC, ACR, ACTION, AIR, APK, APP, APPLESCRIPT, AWK, BAS, BAT, BIN, CGI, CHM, CMD, COM, CPL, CSH, DEK, DLD, DLL, DRV, DS, EBM, ELF, ESH, EXE, EZS, FKY, FRS, FXP, GADGET, GPE, GPU, HLP, HMS, HTA, ICD, IIM, INF, INS, INX, IPA, IPF, ISU, JAR, JS, JSE, JSX, KIX, KSH, LIB, LNK, MCR, MEL, MEM, MPX, MRC, MS, MSC, MSI, MSP, MST, MXE, OBS, OCX, PAF, PCD, PEX, PIF, PL, PLSC, PM, PRC, PRG, PVD, PWC, PYC, PYO, PY, QPX, RBX, RGS, ROX, RPJ, SCAR, SCPT, SCR, SCRIPT, SCT, SEED, SH, SHB, SHS, SPR, SYS, THM, TLB, TMS, U3P, UDF, VB, VBE, VBS, VBSCRIPT, VCARD, VDO, VXD, WCM, WIDGET, WORKFLOW, WPK, WS, WSC, WSF, WSH, XAP, XQT.