You can create threat protection rules to scan messages for viruses and other malware such as spyware and worms.

Procedure

  1. Go to Policies > Policy Management.
  2. Click the Threat Protection Rules tab.
  3. Do one of the following:
    • Click Add to create a new rule.
    • Click a rule name to change the settings.
  4. Type a rule name.
  5. Configure the settings for High, Medium, Low risk, and Unrated messages.
    1. For Unrated messages, select a detection reason.
    2. Specify the Action.
      For more information, see Policy Actions.
    3. (Optional) From the Send notification drop-down list, select a notification message to inform recipients about the applied policy action.
      Important
      Deep Discovery Email Inspector only sends recipient notifications when you select Send notification and a notification message.
      You can configure notification messages on the Notifications screen (go to Policies > Policy Objects > Notifications).
      For more information, see Configuring Recipient Notification.
    4. (Optional) For low-risk messages, configure the subject tag and X-header settings.
      • Subject tag: Specify the string to insert in the subject of email messages.
      • X-Header: Specify the text to add to the X-header.
  6. (Optional) Under Advanced Settings, select one or more of the following settings:
    • Select Quarantine the original message when attachments cannot be stripped to store the detected email message in the quarantine when Deep Discovery Email Inspector is unable to strip the attachments. Deep Discovery Email Inspector does not deliver the email message to the recipients.
      Note
      • This setting only takes effect when Deep Discovery Email Inspector is in MTA mode.
      • When you select this option, Deep Discovery Email Inspector also quarantines detected phishing messages.
    • Select Quarantine a copy of the original message when stripping attachments or redirecting links to store a copy of the detected email message with the attachment and URL in the quarantine for further investigation.
      Note
      This setting only takes effect when Deep Discovery Email Inspector is in MTA mode.
    • Select Attempt to clean before stripping attachments to have Deep Discovery Email Inspector clean an attachment first when you also select a strip attachment action for the rule. If Deep Discovery Email Inspector is unable to clean the attachment, Deep Discovery Email Inspector then deletes the attachment.
      Clear the check box to have Deep Discovery Email Inspector immediately delete attachments that are detected as malicious.
      Note
      This setting only takes effect when Deep Discovery Email Inspector is in MTA mode.
    • Select Prioritize for Virtual Analyzer submission to submit detected email messages to Virtual Analyzer with high priority.
    • Select Deliver directly to send email messages that match a policy rule and are not deleted or quarantined to the specified SMTP server.
      Note
      If you select this setting, you must specify the SMTP server address and port number.
    • Select BCC and type one or more recipient email addresses in the field to send a blind carbon copy of detected messages to the recipients.
      Note
      You can specify up to 50 email addresses. Wildcard characters are not supported.
    • (Optional) From the Insert stamp drop-down list, select a stamp that you want to insert into detected messages.
      For more information, see Configuring a Message Stamp.
  7. Click Save.
    After adding a rule, you can:
    • Click a rule name to edit the rule settings.
    • Select a rule and click Delete to remove the selected rule.