Many malware families are closely associated with certain file extensions (for example, .doc, .exe, .dll). The file's extension identifies the file type. Similarly, specific attacks are often associated with a specific file name. Cloud App Security can block files according to the file type, file name, file extension, or file contents that contain suspicious URLs.
For email services, file blocking prevents email messages containing suspicious attachments from being delivered to recipients. Policy actions include replacing the file with a benign text file, quarantining or deleting all email messages with attachments that violate specified policies, or labeling the violating email messages as risky in the recipient's mailbox (Gmail only).
For the other cloud applications, file blocking prevents suspicious files from entering these applications. Policy actions include quarantining or deleting files that violate specified policies.
Trend Micro recommends temporarily quarantining all high-risk file types and known malware file names. This way, you can examine the quarantine folder and take action on detected files when you have more time.
Option | Description |
---|---|
Apply to | (Exchange Online and Gmail only) Select the scope of email messages that Malware Scanning applies to. Note: For details about internal domains, see Configuring Internal Domains. For Exchange Online (Inline Mode), the scope is fixed to Inbound messages for inbound protection and Outbound messages for outbound protection. Inbound messages are sent from outside your organization to an address inside the organization, while outbound messages are sent from your organization to external addresses. |
Type of File Blocking | Select whether to block all files or specific files. |
Blocking list | If Type of File Blocking is set to "Block All Files": If Type of File Blocking is set to "Block Specific Files": |
Compressed Files | Select the check box to scan for excluded file extensions and file names inside compressed files. |
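To illustrate why the Compressed Files option matters, the following added example (not Cloud App Security code, and not a description of how the product is implemented) matches file names and extensions against a blocklist and repeats the check on members of zip archives, including nested ones. The blocklist values, limits, function names, and sample archive are assumptions constructed for this illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

BLOCKED_EXTENSIONS = {".exe", ".dll", ".doc"}  # assumed policy values
BLOCKED_NAMES = {"invoice_update.js"}          # constructed example name
MAX_DEPTH = 3                                  # assumed nested-archive limit
MAX_MEMBER_BYTES = 10 * 1024 * 1024            # assumed; larger members are not unpacked


def violation(path):
    """Return why one file name violates the policy, or None."""
    # Windows drops trailing dots and spaces, so "a.exe." opens as "a.exe".
    name = PurePosixPath(path.replace("\\", "/")).name.lower().rstrip(". ")
    if name in BLOCKED_NAMES:
        return "blocked file name"
    return "blocked file extension" if PurePosixPath(name).suffix in BLOCKED_EXTENSIONS else None


def scan(name, data, parent="", depth=0):
    """Return (path, reason) findings for a file and, if it is a zip, its members."""
    shown = parent + name
    reason = violation(name)
    findings = [(shown, reason)] if reason else []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [(shown, "archive nested too deeply to inspect")]
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            skip = bool(info.flag_bits & 0x1) or info.file_size > MAX_MEMBER_BYTES
            body = b"" if skip else archive.read(info)
            findings += scan(info.filename, body, shown + "!", depth + 1)
            if skip:
                findings.append((shown + "!" + info.filename, "member not unpacked (encrypted or too large)"))
    return findings


def build_sample():
    """Constructed sample: a zip with a text file and a nested zip holding an .exe."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("tools/setup.EXE.", b"MZ constructed placeholder")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("docs/inner.zip", inner.getvalue())
    return outer.getvalue()
```

A check that looks only at the outer name `attachment.zip` reports nothing for this sample; the blocked extension is found two archive levels down.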
Be aware that for individual email addresses, wildcard characters and regular expressions are not supported.
A maximum of 1,024 email addresses can be added to the Approved Sender list.
Make sure that each email address occupies a separate line in the .txt file.
Cloud App Security protects cloud applications and services by executing specified actions after detecting a file that matches scanning conditions. The action depends on the performed scan, the affected application or service, and the configured actions for that scan.
Option | Description |
---|---|
Replace with text/file | Cloud App Security deletes the file, infected, malicious, or undesirable content and replaces it with text or a file. The email message is delivered to the intended recipient, but the text replacement informs them that the original content was infected and was replaced. Note: For Exchange Online, Cloud App Security does not support this action for MIP-encrypted email messages and applies the Pass action instead. |
Quarantine | Cloud App Security moves the email message to a dedicated quarantine location, removing it as a security risk to protected services. Note: For Exchange Online, the quarantine location is a folder in the user's mailbox; for Exchange Online (Inline Mode), the quarantine location is in the storage of Cloud App Security. |
Delete | Cloud App Security deletes the entire email message. |
Pass | Cloud App Security records the detection in a log and the message is unchanged. |
Advanced Options | Specify the Replacement file name and Replacement text that Cloud App Security uses when an attachment violating the policy rules arrives. Cloud App Security replaces the file/text with the configured replacement information. |
Option | Description |
---|---|
Quarantine | Cloud App Security moves the file to a restricted access folder, removing it as a security risk to protected services. |
Delete | Cloud App Security deletes the file and replaces it with a placeholder using the original file name and .txt. |
Pass | Cloud App Security records the detection in a log and the file is unchanged. |
Advanced Options | Specify text to replace the original file content when a file is quarantined or deleted. |
Option | Description |
---|---|
Pass | Cloud App Security records the detection in a log and the message is unchanged. |
Block | Cloud App Security calls Microsoft Teams to hide the message from both the sender and recipient. Note: If a file in a chat message violates the policy, it is hidden from the private chat window (the Chat tab), but it is still stored in the sender's OneDrive folder and shown on the Files tab. |
Option | Description |
---|---|
Label email | Cloud App Security includes a label Risky (by Trend Micro) at the top of the email message in the user's mailbox. |
Quarantine | Cloud App Security moves the file to a restricted access folder, removing it as a security risk to protected services. |
Delete | Cloud App Security deletes the entire email message. |
Pass | Cloud App Security records the detection in a log and the message is unchanged. |
Option | Description |
---|---|
Tag file name | Cloud App Security adds a tag to the file name to warn stakeholders about threats detected in uploaded files. |
Quarantine | Cloud App Security moves the file to a restricted access folder, removing it as a security risk to protected services. |
Delete | Cloud App Security deletes the entire email message. |
Pass | Cloud App Security records the detection in a log and the message is unchanged. |
Advanced Settings for Files | |
Option | Description |
---|---|
Notify administrator | Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file. Notification threshold sets limits on messages to send. Threshold settings include: |
Notify User | Exchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment. SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Specify message details that notify the user who updated a file that Cloud App Security detected a security risk and took action on their file. Teams Chat: Cloud App Security does not provide this option. When a chat message is blocked, a notification "This message was blocked." provided by Microsoft appears in the sender's private chat window. Message senders can click What can I do? to view more information about the blocked messages. Salesforce: Specify message details that notify the user who updated a Salesforce object record that Cloud App Security detected a security risk and took action on the update. |
When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.