Support

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Working with Filters and Policies > Managing filters > Creating and configuring a filter > Websense ThreatScope
Websense ThreatScope
Email Security Manager Help | Email Security Solutions | Version 7.8.x
Websense ThreatScope includes a file-sandboxing feature, a cloud-hosted sandbox for deep content inspection of types of files that are common threat vectors (including .exe, .pdf, .xls, .xlsx, .doc, .docx, .ppt, .pptx, and archive files). Use the ThreatScope filter to configure file sandboxing for your network. This capability is available only if your subscription includes Websense ThreatScope.
The filter can be used in either monitor or enforce mode, with an option for sending a notification message when the enforce mode is active, the filter is triggered, and the attachment is sent to the file sandbox for analysis. You can define conditions that, when met, allow a message to bypass the ThreatScope filter.
After you select the ThreatScope filter type and enter a name and description, specify 1 of the following operational modes for the filter:
*
Monitor (default). Message is delivered to its recipient, and a copy is sent to the file sandbox for analysis. If analysis determines that the attachment is clean, no report is returned. If analysis determines the attachment is malicious, the message is copied to a specified queue. A notification email regarding the analysis result can be sent.
The corresponding filter action should be configured to ensure that the email message that triggered the filter is dropped and saved to a specified queue (Main > Policy Management > Actions). Default queue is the virus queue.
*
Enforce. Message is held in a queue until the file sandbox analysis is performed. If analysis determines that the attachment is clean, message processing is resumed. If analysis determines the attachment is malicious, the email is quarantined. A notification email regarding the analysis result can be sent.
The corresponding filter action should be configured to ensure that the email message that triggered the filter is dropped and saved to a specified queue (Main > Policy Management > Actions). Default queue is the virus queue.
*
Enforce and notify. Message is held in a queue until the file sandbox analysis is performed, and an email notifying the recipient that analysis is underway can be sent. Mark the Send enforcement notification check box to configure this message, which contains the original message as an attachment. The message attachment is handled as follows:
*
Some file types are converted to plain text (.pdf, .doc/.docx, .xls/.xlsx, and .ppt/.pptx).
*
Files of other types are removed and only the filename appears in the message (.exe and archive files).
The corresponding filter action should be configured to ensure that the email message that triggered the filter is dropped and saved to a specified queue (Main > Policy Management > Actions). Default queue is the virus queue.
The email notification contains the following components:
*
Sender. Identify the notification message sender, from among the following options:
*
Original email sender
*
Administrator (default). If you use this option, you must configure a valid administrator email address in the Settings > General > System Settings page (see Setting system notification email addresses).
*
Custom. If you choose this option, you can designate only 1 sender address.
*
Recipient. Identify the notification message recipient, from among the following options:
*
Original email recipient
*
Administrator. If you use this option, you must configure a valid administrator email address in the Settings > General > System Settings page (see Setting system notification email addresses).
*
Custom. If you choose this option, you can designate 1 or more recipient addresses, separated by semicolons.
*
Subject. Enter the subject that you want to be displayed when the notification is received.
*
Content. Enter the text that you want to be displayed in the notification message body.
*
Attachment. Specify whether you want to include the original message as an attachment to the notification message. Select from among the following:
*
Do not attach message (default)
*
Attach filtered message
See Creating and configuring a filter action for information about configuring an action for the ThreatScope filter.
Select the file types you want the file sandbox to find and analyze by marking the appropriate check boxes.
You can configure bypass options for messages that you want to skip file sandbox analysis. Click Add in the bypass conditions section and specify the following information:
*
Condition name. Specify a name for each set of bypass conditions.
*
Sender email address/domain. Enter an individual email address or domain. Use an asterisk (*) for wildcard entries, and separate multiple entries with a semicolon (;).
*
Attachment filename keyword. Enter a character string that is included in the attachment filename.
Edit an existing bypass condition set by clicking the condition name in the bypass conditions table.
If you want message size to determine whether file sandbox analysis is bypassed, mark the Bypass ThreatScope analysis if message size exceeds check box and enter the target file size (default is 32 MB).
Please see ThreatScope product documentation and Websense Privacy Policy (www.Websense.com) for further information.
Print print article Email email article Font Size: A A

Search

Article Rating:

Do you have any additional feedback?    Email: close

Related Articles

Quick Links

Service Requests

How are we doing?

Provide us feedback on your experience with the Service Request portal.

provide feedback >

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Working with Filters and Policies > Managing filters > Creating and configuring a filter > Websense ThreatScope