File Blocking

Many malware programs are closely associated with certain file type extensions (for example, .doc, .exe, .dll). The file's extension identifies the file type. Similarly, specific attacks are often associated with a specific file name. Cloud App Security can block files according to the file type, file name, file extension, or file contents that contain suspicious URLs.

  • For email services, file blocking prevents email messages containing suspicious attachments from being delivered to recipients. Policy actions include replacing the file with a benign text file, quarantining or deleting all email messages with attachments that violate specified policies, or labeling the violating email messages as risky in the recipient's mailbox (Gmail only).

  • For the other cloud applications, file blocking prevents suspicious files from entering these applications. Policy actions include quarantining or deleting files that violate specified policies.

Note:

Trend Micro recommends temporarily quarantining all high-risk file types and known malware file names. This way, you can examine the quarantine folder and take action on detected files when you have more time.

Configuring File Blocking

  1. Select Enable File Blocking.
  2. Configure Rules settings.
    Option Description

    Apply to

    (Exchange Online and Gmail only) Select the scope of email messages that File Blocking applies to.

    • All messages

    • Incoming messages

      Note:

      Incoming messages means that this policy applies only to incoming email messages sent from non-internal domains.

    Type of File Blocking

    Select whether to block all files or specific files.

    Blocking list

    If Type of File Blocking is set to "Block All Files":

    • Select File types not blocked to select or specify true file types that Cloud App Security never blocks.

    • Select File extensions not blocked to select or specify file extensions that Cloud App Security never blocks.

    • Select File names not blocked to type the file name that Cloud App Security never blocks.

    If Type of File Blocking is set to "Block Specific Files":

    • Select File types to block to select or specify true file types that Cloud App Security always blocks.

    • Select File extensions to block to select or specify file extensions that Cloud App Security always blocks.

    • Select File names to block to type the file name that Cloud App Security always blocks.

    Compressed Files

    Select the check box to scan for excluded file extensions and file names inside compressed files.

  3. Configure Action settings.

    Cloud App Security protects services by executing specified actions after detecting a file that matches scanning conditions. The action depends on the performed scan, the affected service, and the configured actions for that scan.

    • Exchange Online policies
    Option Description

    Replace with text/file

    Cloud App Security deletes the file or the infected, malicious, or undesirable content and replaces it with text or a file. The email message is delivered to the intended recipient, but the replacement text informs them that the original content was infected and was replaced.

    Quarantine

    Cloud App Security moves the email message to a restricted access folder, removing it as a security risk to protected services.

    Delete

    Cloud App Security deletes the entire email message.

    Pass

    Cloud App Security records the detection in a log and the message is unchanged.

    Advanced Options

    Specify the Replacement file name and Replacement text that Cloud App Security uses when an attachment violating the policy rules arrives. Cloud App Security replaces the file/text with the configured replacement information.

    • SharePoint Online, OneDrive for Business, Microsoft Teams, Box, Dropbox, and Google Drive policies
    Option Description

    Quarantine

    Cloud App Security moves the file to a restricted access folder, removing it as a security risk to protected services.

    Delete

    Cloud App Security deletes the file and replaces it with a placeholder using the original file name and .txt.

    Pass

    Cloud App Security records the detection in a log and the file is unchanged.

    Advanced Options

    Specify text to replace the original file content when a file is quarantined or deleted.

    • Gmail policies
    Option Description

    Label email

    Cloud App Security includes a label Risky (by Trend Micro) at the top of the email message in the user's mailbox.

    Delete

    Cloud App Security deletes the entire email message.

    Pass

    Cloud App Security records the detection in a log and the message is unchanged.

  4. Configure Notification settings.
    Option Description

    Notify administrator

    Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.

    Notification threshold sets limits on messages to send. Threshold settings include:

    • Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).

    • Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.

    • Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.

    Notify User

    Exchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment.

    SharePoint Online, OneDrive for Business, Microsoft Teams, Box, Dropbox and Google Drive: Specify message details that notify the user who uploaded a file that Cloud App Security detected a security risk and took action on their file.

    Note:

    When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.

  5. Click Save or select another policy configuration on the left navigation to continue with additional rules.
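
The following added example (not Trend Micro code) models the Rules settings from step 2 to show how the two blocking modes, the true-file-type check, and the Compressed Files option interact. It assumes the three lists are combined with OR, that an archive is blocked when any member would be blocked, and that unreadable or deeply nested archives fail closed; `should_block`, `MAGIC`, the limits, and the sample rules are hypothetical names and values.

```python
import io
import zipfile

# Constructed magic-byte table for a few true file types (illustrative only).
MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip", b"%PDF": "pdf"}
MAX_DEPTH, MAX_MEMBER = 3, 10 * 1024 * 1024  # assumed limits against archive bombs

def true_type(data):
    """Identify content by its leading bytes, ignoring the file name."""
    return next((t for m, t in MAGIC.items() if data.startswith(m)), "unknown")

def matches(name, data, rule):
    """True if the file is on any of the rule's lists (type, extension, name)."""
    base = name.rsplit("/", 1)[-1].lower()
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    return (true_type(data) in rule["types"] or ext in rule["extensions"]
            or base in rule["names"])

def should_block(name, data, rule, depth=0):
    """Decide whether one file violates the rule, descending into ZIPs if enabled."""
    hit = matches(name, data, rule)
    # mode "all": the lists are exceptions; mode "specific": the lists are the targets.
    blocked = (not hit) if rule["mode"] == "all" else hit
    if blocked or not rule["scan_compressed"] or true_type(data) != "zip":
        return blocked
    if depth >= MAX_DEPTH:
        return True  # fail closed on deeply nested archives
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER or should_block(
                        info.filename, zf.read(info), rule, depth + 1):
                    return True
    except zipfile.BadZipFile:
        return True  # unreadable archive: fail closed
    return False

def make_zip(members):
    """Build a constructed in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

SPECIFIC = {"mode": "specific", "types": {"exe"}, "extensions": {"dll"},
            "names": {"payroll_update.js"}, "scan_compressed": True}
ALLOW_ONLY = {"mode": "all", "types": {"pdf", "zip"}, "extensions": set(),
              "names": set(), "scan_compressed": True}
```

An executable renamed to `report.pdf` is caught only by the true-file-type list, and a blocked extension inside an archive is caught only when compressed-file scanning is enabled.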