Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Email Policies > Antivirus tab > Editing inbound or outbound rules
Editing inbound or outbound rules
Related topics:
The majority of the antivirus functionality is the same for inbound and outbound email. Field descriptions are provided below.
Check this box if you want viruses to be quarantined when detected. Viruses are software programs capable of reproducing themselves and usually capable of causing great harm to files or other programs on the computer.
This option is applicable to inbound email only. Define whether suspected phishing messages should be quarantined, or allowed with suspicious URLs replaced by a link to a block page that you specify.
To set up block pages for phishing messages, see Configure block and notification pages.
To bypass phishing checks for certain users, domains, or groups, click Phishing Exceptions. See Antivirus exceptions.
Filter active HTML content
This ThreatSeeker Intelligence feature automatically analyzes HTML inside messages and disables any potential dangerous content (by disabling specific HTML tags). You can define how strictly the system applies this security feature. Available settings are:
The recommended setting is Medium; setting the level higher than this may cause messages to display too poorly for general users.
Block potentially malicious macros
This feature looks for potentially malicious macros in common Microsoft Office document formats. By changing the sensitivity, you can control how suspicious Forcepoint ThreatSeeker Intelligence is when it carries out its analysis. We recommend setting this to High initially. You may need to amend this setting if you find that a lot of documents just over the threshold are being quarantined. Documents containing known viruses are quarantined by the antivirus engines, regardless of this setting.
Strict checks on message structure
This feature runs a set of structural checks on email messages to determine whether they conform to an accepted structure. For example, one of the attachment checks would quarantine a MIME attachment with a filename that ends in a period but has no file extension (such as "attachment1."). Messages with a malformed message structure can be a potential attack vector.
This option is disabled by default. We recommend leaving it disabled unless you are running an old mail client that may be vulnerable to malformed email messages, or if you are performing penetration testing on your messages. Enabling this feature may result in false positives.
Encrypted Messages
An encrypted email message must be decrypted before it can be analyzed for viruses. Since the cloud service does not have access to the necessary decryption key, it cannot analyze an encrypted message. Similarly, the contents of a password-protected archive file attachment such as ZIP or RAR cannot be analyzed, because the password is unknown. To protect against the possibility of virus infection, Forcepoint Email Security Cloud allows such messages to be quarantined. Administrators can open quarantined messages later in a secure environment.
Select the Quarantine all messages containing encrypted archive files checkbox to quarantine emails with password-protected archive files attached (such as ZIP or RAR files).
Select the Quarantine all encrypted messages checkbox to quarantine encrypted email messages (such as those using PGP or S/MIME encryption). This setting also quarantines emails with password-protected PDF files or Microsoft Office files (such as DOC or DOCX) attached.
Encrypted Message Bypass
Encrypted Message Bypass is used to override the encrypted message settings for specific sender/recipient, domain, and group.
To enable the bypass setting:
Navigate to the Antivirus tab and click Encrypted Message Bypass.
Click Add to add a new rule.
Toggle the State switch to ON to enable the rule.
Click Save.
To protect against the possibility of virus infection, Forcepoint Email Security Cloud allows you to quarantine messages whose contents appear to contain scripts or executables, or with attachments with potentially dangerous file extensions. Administrators can view quarantined messages later in a secure environment.
Select Quarantine messages containing scripts and executables to quarantine emails containing scripts and executable file attachments (such as EXE or BAT files).
Select Deliver all containing scripts and executables to allow email messages containing scripts and executable files.
To allow executables for certain users, domains, or groups, click Executable Exceptions. See Antivirus exceptions.
Forcepoint Email Security Cloud uses commercial antivirus (AV) engines to identify known viruses, and its own ThreatSeeker Intelligence technology to identify viruses for which AV vendors have not yet released a patch. However, even with multiple layers of protection, it is impossible to predict the types of exploit that may become available to malicious actors. We recommend that, where possible, email containing executable attachments be quarantined. If this is not appropriate for all users, best practice is to enforce this policy globally and use the Executable Exceptions option for specific users.
Quarantining messages containing scripts and executables
If you choose to block scripts and executables, messages containing any file whose contents appear to be executable are blocked, along with those with the following potentially dangerous file extensions: A6P, AC, ACR, ACTION, AIR, APK, APP, APPLESCRIPT, AWK, BAS, BAT, BIN, CGI, CHM, CMD, COM, CPL, CSH, DEK, DLD, DLL, DRV, DS, EBM, ELF, ESH, EXE, EZS, FKY, FRS, FXP, GADGET, GPE, GPU, HLP, HMS, HTA, ICD, IIM, INF, INS, INX, IPA, IPF, ISU, JAR, JS, JSE, JSX, KIX, KSH, LIB, LNK, MCR, MEL, MEM, MPX, MRC, MS, MSC, MSI, MSP, MST, MXE, OBS, OCX, PAF, PCD, PEX, PIF, PL, PLSC, PM, PRC, PRG, PVD, PWC, PYC, PYO, PY, QPX, RBX, RGS, ROX, RPJ, SCAR, SCPT, SCR, SCRIPT, SCT, SEED, SH, SHB, SHS, SPR, SYS, THM, TLB, TMS, U3P, UDF, VB, VBE, VBS, VBSCRIPT, VCARD, VDO, VXD, WCM, WIDGET, WORKFLOW, WPK, WS, WSC, WSF, WSH, XAP, XQT.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Email Policies > Antivirus tab > Editing inbound or outbound rules
Copyright 2023 Forcepoint. All rights reserved.