Malware Scanning uses Trend Micro's virus scan engine to detect emerging threats.

Configuring Malware Scanning

Procedure

  1. Select Malware Scanning.
  2. Configure rule settings.
    Apply to
      (Exchange Online and Gmail only) Select the scope of email messages that Malware Scanning applies to.
      • All messages: the policy applies to incoming, outgoing, and internal email messages. Incoming/outgoing email messages are sent from/to non-internal domains.
      • Incoming messages: the policy applies only to incoming email messages sent from non-internal domains.
      Note: For details about internal domains, see Configuring the Internal Domain List.
      For Exchange Online (Inline Mode), the scope is fixed to Inbound messages for inbound protection and Outbound messages for outbound protection. Inbound messages are sent from outside your organization to an address inside the organization, while outbound messages are sent from your organization to external addresses.
    Files to scan
      Scan all files, true file types, or specific file types for malware.
    Enable Predictive Machine Learning
      Select whether to leverage the Predictive Machine Learning engine to detect emerging unknown security risks. For details, see About Predictive Machine Learning.
      For a new policy, this check box is selected by default.
    Scan message body
      (Exchange Online and Gmail only) Select whether to scan the message body.
    Enable IntelliTrap
      Select whether to enable IntelliTrap.
      IntelliTrap helps reduce the risk of viruses that use real-time compression algorithms to bypass network security by blocking real-time compressed executable files and pairing them with other malware characteristics. Because IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider quarantining (not deleting) files after enabling IntelliTrap.
    Allow Trend Micro to collect suspicious file information to improve its detection capabilities
      Select whether to let Trend Micro collect suspicious file information to improve the detection capabilities of the Advanced Threat Scan Engine and the Predictive Machine Learning engine.
      Note: If you enable this option, Trend Micro only checks potentially risky files and encrypts all content before transferring any information.
      For a new policy, this check box is selected by default.
    Detect active content in Microsoft Office files
      (Exchange Online only) Select whether to enable and configure actions specifically for email messages that contain active content, such as macros, in attached Microsoft Office files.
      When Cloud App Security detects the presence of supported active content, whether or not it is malicious, it takes the configured action.
      This option applies to uncompressed files in email messages received from external and internal senders.
      In the Action section, you can configure Cloud App Security to sanitize the attached file or to pass, quarantine, or delete the entire email message upon detection of active content. If Sanitize file is selected, Cloud App Security removes the active content from the file and delivers the email message with the sanitized file.
      Note: The email message will still go through the other security filters in the same policy.
      If Cloud App Security fails to remove the active content, it takes the Pass action, that is, it delivers the email message with the original file to the intended recipient.
  3. Click Action & Notifications.
  4. Configure Action settings.
    Cloud App Security protects cloud applications and services by executing specified actions after detecting a file that matches scanning conditions. The action depends on the scan performed, the affected application or service, and the actions configured for that scan.
    • Exchange Online, Exchange Online (Inline Mode) - Inbound Protection, Exchange Online (Inline Mode) - Outbound Protection policies
      Action
        For details about the actions, see Actions Available for Different Services.
      Advanced Options
        Specify the Replacement file name and Replacement text that Cloud App Security uses when an unscannable message arrives. Cloud App Security replaces the file or text with the configured replacement information.
      Unscannable File Options
        Select actions for password-protected files. Specify the replacement text that replaces a file or text in an unscannable message.
        When an email message with password-protected attachments arrives, if Attachment Password Guessing is enabled, Cloud App Security first attempts to find passwords in the message to decrypt the attachments for scanning. If no password is found or Attachment Password Guessing is not enabled, Cloud App Security treats the attachments as unscannable and performs the action for Password-protected compressed files or Other password-protected files, depending on whether the attachments are compressed.
    • Gmail policies
      Action
        For details about the actions, see Actions Available for Different Services.
      Unscannable File Options
        Select actions for password-protected files.
        When an email message with password-protected attachments arrives, if Attachment Password Guessing is enabled, Cloud App Security first attempts to find passwords in the message to decrypt the attachments for scanning. If no password is found or Attachment Password Guessing is not enabled, Cloud App Security treats the attachments as unscannable and performs the action for Password-protected compressed files or Other password-protected files, depending on whether the attachments are compressed.
  5. Configure Notification settings.
    Notify administrator
      1. Specify the administrators to notify by selecting a recipient group or specifying individual recipients. You can click Manage recipient groups to edit the members in a group or add more groups.
      2. Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.
      3. Set the notification threshold, which limits the number of notification messages to send. Threshold settings include:
        • Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).
        • Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.
        • Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.
    Notify User
      Exchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment.
      SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Specify message details that notify the user who updated a file that Cloud App Security detected a security risk and took action on their file.
      Teams Chat: Cloud App Security does not provide this option. When a chat message is blocked, a "This message was blocked." notification provided by Microsoft appears in the sender's private chat window. Message senders can click What can I do? to view more information about the blocked message.
      Note: When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.
  6. Click Save or select another policy configuration on the left navigation to continue with additional rules.
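The active-content handling from step 2 (detect macros in an uncompressed Office attachment, then sanitize the file or pass, quarantine, or delete the whole message, falling back to Pass when sanitization fails), written out as an added Python model; this is not Cloud App Security's own code. The VBA detection rule, the simplified sanitizer, the `apply_policy` verdicts, and the sample packages are constructed assumptions.

```python
import io
import zipfile

# OOXML entries that carry a VBA macro project (Word, Excel, PowerPoint).
VBA_MARKERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OFFICE_EXT = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")

def has_active_content(attachment: bytes) -> bool:
    """True when the package contains a VBA project, malicious or not."""
    try:
        with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
            return any(name in VBA_MARKERS for name in zf.namelist())
    except zipfile.BadZipFile:
        return False

def sanitize(attachment: bytes) -> bytes:
    """Rebuild the package without the VBA project. Simplified: a real
    sanitizer would also drop the relationship and content-type entries."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(attachment)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename not in VBA_MARKERS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def apply_policy(action, filename, attachment, sanitizer=sanitize):
    """Return (verdict, delivered_attachment); verdict is 'deliver',
    'quarantine' or 'delete', and the attachment is None when not delivered."""
    # The option covers only uncompressed Office files, so archives are skipped.
    if not filename.lower().endswith(OFFICE_EXT) or not has_active_content(attachment):
        return "deliver", attachment
    if action == "sanitize":
        try:
            return "deliver", sanitizer(attachment)
        except Exception:          # removal failed: fall back to Pass
            return "deliver", attachment
    if action == "pass":
        return "deliver", attachment
    return action, None            # quarantine or delete the entire message

def build_package(with_macro: bool) -> bytes:
    """Constructed sample: a minimal Word package, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed")
    return buf.getvalue()
```

Note that the detection fires on the presence of a VBA project alone, matching the "whether or not it is malicious" behaviour described above.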
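The three administrator notification thresholds from step 5 (consolidated periodically, consolidated by occurrences, individual), modelled as added example code that is not Cloud App Security's own. The `Detection` record, the batching rules, and the sample detections are constructed assumptions; the point is to show which detections end up in the same notification message under each threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Detection:
    when: datetime
    subject: str     # subject of the affected email message
    action: str      # filtering action taken, e.g. "quarantine"

def consolidate(events, mode, period=None, occurrences=None):
    """Group detections into the notification messages a threshold would send.
    mode "periodic": one message per `period` (timedelta) window;
    mode "occurrences": one message per `occurrences` filtering actions;
    mode "individual": one message per detection.
    Returns (sent, pending): sent is a list of batches (lists of Detection),
    pending holds detections the threshold has not released yet."""
    events = sorted(events, key=lambda e: e.when)
    if mode == "individual":
        return [[e] for e in events], []
    sent, current = [], []
    if mode == "occurrences":
        for e in events:
            current.append(e)
            if len(current) == occurrences:
                sent.append(current)
                current = []
        return sent, current           # an incomplete batch waits for more hits
    if mode == "periodic":
        window_end = None
        for e in events:
            if window_end is None:
                window_end = e.when + period
            elif e.when >= window_end:
                sent.append(current)
                current = []
                while e.when >= window_end:   # skip quiet windows: no empty mails
                    window_end += period
            current.append(e)
        return sent, current           # the open window is sent when it closes
    raise ValueError(f"unknown threshold mode: {mode}")

HOUR = timedelta(hours=1)
T0 = datetime(2024, 5, 1, 9, 0)
# Constructed sample: six malware detections spread over about three hours.
SAMPLE = [Detection(T0 + timedelta(minutes=m), f"msg-{i}", "quarantine")
          for i, m in enumerate([0, 10, 70, 75, 80, 190])]
```

With a one-hour period the sample yields two messages (two and three detections) plus one detection still waiting in the open window; with an occurrence threshold of four it yields one message and two pending detections.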

About Predictive Machine Learning

Trend Micro Predictive Machine Learning uses advanced machine learning technology to correlate threat information and perform in-depth file analysis to detect emerging unknown security risks through digital DNA fingerprinting, API mapping, and other file features. Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified threats and zero-day attacks.
After detecting an unknown or low-prevalence file, Cloud App Security scans the file using the Advanced Threat Scan Engine to extract file features and sends the report to the Predictive Machine Learning engine. Using malware modeling, Predictive Machine Learning compares the sample to the malware model, assigns a probability score, and determines the probable malware type that the file contains.