about_attachment_blocking
Attachment blocking prevents email messages containing suspicious attachments from being delivered to the Exchange Information Store. ScanMail can block attachments according to the attachment type, attachment name, or attachment extension and then replace, quarantine, or delete all the messages that have attachments that match your configuration. Blocking can occur during real-time, manual, and scheduled scanning. The delete and quarantine actions are not available for manual and scheduled scans. You can enable or disable attachment blocking.
The extension of an attachment identifies the file type, for example .doc, .exe, or .dll. Many viruses/malware are closely associated with certain types of files. By configuring ScanMail to block according to file type, you can decrease the security risk to your Exchange servers from those types of files. Similarly, specific attacks are often associated with a specific file name.
Note: Using attachment blocking is an effective way to control virus/malware outbreaks. You can temporarily quarantine all high-risk file types or those with a specific name associated with a known virus/malware. Later, when you have more time, you can examine the quarantine folder and take action on detected files.
Recipients for messages can match one attachment blocking exception or the attachment blocking global rule based on priority. If the recipient matches an attachment blocking exception, then targets selected in the exception will be excluded from attachment blocking global rule.If the recipient does not match any attachment blocking exceptions, then the attachment blocking global rule is applied.
Four types of accounts are supported for customizing specified Recipients: Active Directory Users, Active Directory contacts, Active Directory distribution groups and special groups.
For each attachment blocking exception, you can specify selected accounts and excluded accounts. The exception applies to those accounts that belong to selected accounts but does not apply to those that belong to the excluded accounts. For example, Active Directory Group1 contains ADuser1, ADuser2., When selected accounts includes "AD Group1", excluded accounts include "ADuser1", then the policy only applies to ADuser2.
The following table lists the actions available to ScanMail for attachment blocking and describes what happens when the action is performed:
|
Action |
Description |
|
Replace attachment with text/file |
ScanMail deletes the attachment and replaces it with text or a file. The email message is delivered to the intended recipient, but the text replacement informs them that the original content was infected and was replaced. |
|
Quarantine entire message |
ScanMail moves the email message to a restricted access folder, removing it as a security risk to the Exchange environment. This option is not available in manual and scheduled scanning. |
|
Quarantine message part |
ScanMail moves the attachment to a restricted access folder, removing it as a security risk to the Exchange environment. ScanMail replaces the message part with the text/file you specify. |
|
Delete entire message |
During real-time scanning, ScanMail deletes the entire email message. The delete action in ScanMail 10.0 and 8.0 differs from that of ScanMail 7.0. ScanMail 7.0 does not have this option for manual scan or scheduled scan. |
See also: