Policy Exceptions

Policy exceptions reduce false positives. Configure exceptions to classify certain email messages as safe. Specify the safe senders, recipients, and X-header content, or add files, URLs, IP addresses and domains, and URL keywords. Safe email messages are discarded (BCC and SPAN/TAP mode) or delivered to the recipient (MTA mode) without further investigation.
Note
If TippingPoint Advanced Threat Protection for Email is registered to Control Manager, TippingPoint Advanced Threat Protection for Email synchronizes object exceptions from Control Manager every 10 minutes.

Configuring Message Exceptions

TippingPoint Advanced Threat Protection for Email considers specified senders, recipients, or X-header content in the exceptions list safe.

Procedure

  1. Go to Policy > Exceptions > Messages.
  2. Specify email message exception criteria.
    • Senders
    • Recipients
    • X-header
    Note
    TippingPoint Advanced Threat Protection for Email ignores case when matching X-header exceptions.
    TippingPoint Advanced Threat Protection for Email supports the use of the wildcard asterisk (*) character to specify an entire domain. For example, to create a Senders exception for the domain abc.com, type the following:
    *@abc.com
  3. Click Save.

Managing Object Exceptions

Perform any of the following tasks to manage object exceptions.

Procedure

  • Specify search filters to control the display and to view existing exceptions.
    The following table describes the Source filter options.
    Option - Description
    Local - Displays object exceptions that are added manually on TippingPoint Advanced Threat Protection for Email.
    Control Manager - Displays object exceptions that are synchronized from Control Manager.
      Note
      If TippingPoint Advanced Threat Protection for Email is registered to Control Manager, TippingPoint Advanced Threat Protection for Email synchronizes object exceptions from Control Manager every 10 minutes.
    Web service - Displays object exceptions that are imported through the HTTP web service.
  • Modify the objects considered safe.
    The following table describes the actions on object exceptions.
    Action - Description
    Add - Add a new object to the exceptions list. Optionally include a note to help you better understand the object exception.
      For more information, see Adding Object Exceptions.
    Import - Select the CSV file to import.
      The format for each line is:
      <type>,<object>,[source],[notes]
      • <type> values: IP address, Domain, URL, Files
      • <object> values: IP address, domain, URL, or SHA-1 hash value
      • (Optional) [source] values: Control Manager, Local, web service
      • (Optional) [notes]: Any additional information in any format
      Valid CSV examples:
      • Links,www.example.com,local,customer can view this site
      • IP address,10.10.10.10,,HR address
      • Files,3395856CE81F2B7382DEE72602F798B642F14140,Control Manager,SHA-1 of CA certificate
      • Domain,example.com,,Added
      For more information, see Importing Object Exceptions.
    Delete - Delete the selected objects.
    Delete All - Delete all objects.
    Export - Export the selected objects.
    Export All - Export the entire exceptions list to a CSV file.

Adding Object Exceptions

TippingPoint Advanced Threat Protection for Email passes email messages containing only safe files, URLs, IP addresses, and domains without further investigation. If an email message contains one safe URL and another unknown URL, TippingPoint Advanced Threat Protection for Email investigates the unknown URL. Virtual Analyzer also ignores safe files and URLs during sandbox analysis.

Procedure

  1. Go to Policy > Exceptions > Objects.
  2. Click Add.
  3. Specify file, URL, IP address, or domain exception criteria.
    • For files, select File for the type and then specify the SHA-1 hash value.
      Note
      Threat Connect correlates suspicious objects detected in your environment and threat data from the Trend Micro Smart Protection Network to provide relevant and actionable intelligence.
    • For URLs, select URL for the type and then specify the web address.
      Note
      Specify a complete URL or use a wildcard (*) for subdomains.
    • For IP addresses, select IP address for the type and then specify the web address.
    • For domains, select Domain for the type and then specify the web address.
  4. (Optional) Specify a note.
  5. (Optional) Click Add more to specify multiple file, URL, IP address, or domain exception criteria at the same time.
    1. Specify file, URL, IP address, or domain exception criteria.
    2. Click Add to List. The criterion is added to the object list.
  6. Click Add.

Importing Object Exceptions

You can import exceptions from a properly formatted CSV file.

Procedure

  1. Go to Policy > Exceptions > Objects.
  2. Click Import.
  3. Do one of the following:
    • If you are importing exceptions for the first time, click Download sample CSV, save and populate the CSV file with objects (see the instructions in the CSV file), browse and then select the CSV file.
    • If you have imported exceptions previously, save another copy of the CSV file, populate it with new objects, browse and then select the CSV file.
  4. Click Import.
    The imported exceptions display in the list with Web service as the source.
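
Because every imported row becomes an object that passes without further investigation, it is worth checking a CSV file against the line format described under Managing Object Exceptions before step 4. The following pre-import check is an added example, not part of the product or its documentation; the function names, the case-insensitive matching, and the acceptance of "Links" as a URL type (taken from the page's own valid example) are assumptions.

```python
import csv
import ipaddress
import re

# <type> names from the page's list, plus "Links", which the page's own valid
# example uses for a URL row. Case-insensitive comparison is an assumption.
URL_TYPES = {"url", "links"}
TYPES = {"ip address", "domain", "files"} | URL_TYPES
SOURCES = {"", "control manager", "local", "web service"}
SHA1_RE = re.compile(r"[0-9A-Fa-f]{40}")
HOST_RE = re.compile(r"(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}")
# Row 1 is one of the page's valid examples; rows 2-4 are constructed.
SAMPLE = """\
Links,www.example.com,local,customer can view this site
Files,0123456789abcdef0123456789abcdef,,32 hex digits instead of 40
IP address,10.10.10.0/24,,a subnet instead of one address
URL,*.example.net/login,local,wildcard for subdomains
"""

def is_ip(value):
    try:
        return bool(ipaddress.ip_address(value))
    except ValueError:
        return False

def lint_exceptions(text):
    """Return (line_number, message) findings for an object-exception CSV."""
    findings = []
    for n, row in enumerate(csv.reader(text.splitlines()), start=1):
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        cells = [cell.strip() for cell in row] + ["", ""]
        kind, obj, source = cells[0].lower(), cells[1], cells[2].lower()
        if source not in SOURCES:
            findings.append((n, f"unknown source {cells[2]!r}"))
        if kind not in TYPES:
            findings.append((n, f"unknown type {cells[0]!r}"))
        elif kind == "files" and not SHA1_RE.fullmatch(obj):
            findings.append((n, "Files object is not a 40-hex-digit SHA-1"))
        elif kind == "ip address" and not is_ip(obj):
            findings.append((n, "object is not a single IP address"))
        elif kind == "domain" and not HOST_RE.fullmatch(obj):
            findings.append((n, "object is not a domain name"))
        elif kind in URL_TYPES:
            host = re.sub(r"^\w+://", "", obj).split("/")[0].split(":")[0]
            if host.startswith("*."):
                findings.append((n, "wildcard covers every subdomain; review"))
            if not (HOST_RE.fullmatch(host.removeprefix("*.")) or is_ip(host)):
                findings.append((n, "URL has no recognizable host"))
    return findings
```

Calling lint_exceptions(SAMPLE) reports rows 2 to 4 and leaves row 1 alone; an empty result means every row matches the documented line format.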

Configuring URL Keyword Exceptions

URLs that contain any of the specified keywords are considered one-click URLs and will not be accessed by TippingPoint Advanced Threat Protection for Email.

Procedure

  1. Go to Policy > Exceptions > URL Keywords.
  2. Specify URL keywords.
    Note
    Specify one keyword per line.
  3. Click Save.