Malware Scanning

Cloud App Security scans email messages, Teams chat messages, files, and Salesforce object records. Malware Scanning uses Trend Micro's virus scan engine to detect emerging threats.

Configuring Malware Scanning

  1. Configure Rules settings.

    Apply to

    (Exchange Online and Gmail only) Select the scope of email messages that Malware Scanning applies to.

    • All messages

    • Incoming messages

      Note:

      Incoming messages means that this policy applies only to incoming email messages sent from non-internal domains.

    Malware Scanning

    • Scan all files, true file types, or specific file types for malware

    • Select whether to leverage the Predictive Machine Learning engine to detect emerging unknown security risks. For details, see About Predictive Machine Learning.

      For a new policy, this check box is selected by default.

    • (Exchange Online and Gmail only) Select whether to scan the message body.

    • Select whether to enable IntelliTrap.

      IntelliTrap helps reduce the risk of viruses that use real-time compression algorithms to bypass network security by blocking real-time compressed executable files and pairing them with other malware characteristics. Because IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider quarantining (not deleting) files after enabling IntelliTrap.

    • Select whether to let Trend Micro collect suspicious file information to improve the detection capabilities of the Advanced Threat Scan Engine and the Predictive Machine Learning engine.

      Note:

      If you enable this option, Trend Micro only checks potentially risky files and encrypts all content before transferring any information. By stripping out specific personal information and keeping only anonymous behavior profiles, Trend Micro can maintain your privacy while discovering new threats.

      For a new policy, this check box is selected by default.

    Active Content Sanitizing

    (Exchange Online only) Select whether to enable and configure actions specifically for email messages that contain active content such as macros in attached Microsoft Office files.

    When Cloud App Security detects the presence of supported active content, whether or not it is malicious, it takes the configured action.

    This option applies to uncompressed files in received email messages from external and internal senders.

    In the Action section, you can configure Cloud App Security to sanitize the attached file, or to pass, quarantine, or delete the entire email message upon detection of active content. If Sanitize file is selected, Cloud App Security removes the active content from the file and delivers the email message with the sanitized file.

    Note:

    The email message will still go through the other security filters in the same policy.

    If Cloud App Security fails to remove the active content, it takes the Pass action, that is, it delivers the email message with the original file to the intended recipient.
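The sanitize-or-pass decision described above, written out as an added example (this is illustrative code, not Cloud App Security's own implementation): it looks for the VBA parts of an OOXML attachment, rebuilds the file without them and their relationship entries, and falls back to Pass (deliver the original unchanged) when the removal cannot be completed. The part names and container layout are assumptions about the Office Open XML format; the sample document is constructed inline.

```python
import io
import re
import zipfile

# OOXML part names that carry VBA active content, and the <Relationship/> elements that point at them.
ACTIVE_CONTENT_PARTS = ("vbaProject.bin", "vbaData.xml")
REL_RE = re.compile(r'<Relationship\b[^>]*?Target="[^"]*(?:vbaProject\.bin|vbaData\.xml)"[^>]*?/>')

def build_sample_docm() -> bytes:
    """Constructed sample: a minimal macro-enabled container, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)  # placeholder, no macro code
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" '
                   'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" '
                   'Target="vbaProject.bin"/></Relationships>')
    return buf.getvalue()

def find_active_content(data: bytes) -> list[str]:
    """Zip entries holding active content; raises BadZipFile for non-OOXML input."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [n for n in z.namelist() if n.rsplit("/", 1)[-1] in ACTIVE_CONTENT_PARTS]

def sanitize(data: bytes) -> tuple[str, bytes]:
    """Return (action, payload): 'clean' if nothing to remove, 'sanitize' with the
    rebuilt file, or 'pass' with the original when removal is not possible."""
    try:
        parts = find_active_content(data)
        if not parts:
            return "clean", data
        out = io.BytesIO()
        with zipfile.ZipFile(io.BytesIO(data)) as src, \
                zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                if info.filename in parts:
                    continue  # drop the macro part itself
                body = src.read(info.filename)
                if info.filename.endswith(".rels"):  # drop dangling relationships too
                    body = REL_RE.sub("", body.decode("utf-8")).encode("utf-8")
                dst.writestr(info.filename, body)
        result = out.getvalue()
        if find_active_content(result):
            raise ValueError("active content survived sanitization")
        return "sanitize", result
    except (zipfile.BadZipFile, ValueError, UnicodeDecodeError):
        return "pass", data  # the documented fallback: deliver the original unchanged
```

A production sanitizer would also rewrite [Content_Types].xml so the main part is no longer declared macro-enabled; that step is omitted here.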

  2. Configure Action settings.

    Cloud App Security protects cloud applications and services by executing specified actions after detecting a file that matches scanning conditions. The action depends on the performed scan, the affected application or service, and the configured actions for that scan.

    • Exchange Online policies


    Action

    • Trend Micro recommended action: Perform scan actions recommended by Trend Micro and select whether to send notifications.

    • Customized action for detected threats: Select to specify an action for each threat and then select whether to send notifications.

    Advanced Options

    Specify the Replacement file name and Replacement text that Cloud App Security uses when an unscannable message arrives. Cloud App Security replaces the file/text with the configured replacement information.

    Unscannable Message Options

    Select actions for password-protected files. Specify replacement text that replaces a file/text if an unscannable message arrives.

    For password-protected compressed files, Cloud App Security leverages the message content (subject, body, and attachment names) to heuristically extract the files to detect any malicious payload that may be embedded in the files. If such a file is successfully extracted, Cloud App Security scans it and takes the configured action upon violation of the policy; if the extraction fails, the file is handled based on the settings for Password-protected compressed files in the policy.

    Cloud App Security supports the following compression types: 7z and zip.

    Note:

    This is available for both Exchange Online and Gmail.

    • SharePoint Online, OneDrive, Microsoft Teams (Teams and Chat), Box, Dropbox, and Google Drive policies


    Action

    • Trend Micro recommended action: Perform scan actions recommended by Trend Micro and select whether to send notifications.

    • Customized action for detected threats: Select to specify an action for each threat and then select whether to send notifications.

    Advanced Options

    Specify text to replace the original file content when a file is quarantined or deleted.

    Note:

    This is not applicable for Teams Chat.

    Unscannable File Options

    Select actions for password-protected files.

    • Gmail policies


    Action

    • Trend Micro recommended action: Perform scan actions recommended by Trend Micro and select whether to send notifications.

    • Customized action for detected threats: Select to specify an action for each threat and then select whether to send notifications.

    Unscannable Message Options

    Select actions for password-protected files.

    • Salesforce policies


    Action

    • Trend Micro recommended action: Perform scan actions recommended by Trend Micro and select whether to send notifications.

    • Customized action for detected threats: Select to specify an action for each threat and then select whether to send notifications.

    Advanced Options

    • Specify text to append to the file name if the Tag file name action is selected.

      Note:
      • The Tag file name action adds a tag to the file name to warn stakeholders about threats detected in uploaded files. In the Web Reputation and Data Loss Prevention security filters, Salesforce admins can separately configure actions, including Pass, Quarantine, Delete, and Tag file name, for files.

      • The tag cannot exceed 20 characters or contain unsupported characters (/ \ : * ? < > " |).

    • Specify text to replace the original file content when a file is quarantined or deleted.

    Unscannable Message Options

    Select actions for password-protected files.

  3. Configure Notification settings.

    Notify administrator

    Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.

    Notification threshold sets limits on messages to send. Threshold settings include:

    • Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).

    • Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.

    • Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.

    Notify User

    Exchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment.

    SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Specify message details that notify the user who updated a file that Cloud App Security detected a security risk and took action on their file.

    Salesforce: Specify message details that notify the user who updated a Salesforce object record that Cloud App Security detected a security risk and took action on the update.

    Teams Chat: Cloud App Security does not provide this option. When a chat message is blocked, the Microsoft-provided notification "This message was blocked." appears in the sender's private chat window. Message senders can click What can I do? to view more information about the blocked message.

    Note:

    When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.

  4. Click Save or select another policy configuration on the left navigation to continue with additional rules.

About Predictive Machine Learning

Trend Micro Predictive Machine Learning uses advanced machine learning technology to correlate threat information and perform in-depth file analysis to detect emerging unknown security risks through digital DNA fingerprinting, API mapping, and other file features. Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified threats and zero-day attacks.

After detecting an unknown or low-prevalence file, Cloud App Security scans the file using the Advanced Threat Scan Engine to extract file features and sends the report to the Predictive Machine Learning engine. Through use of malware modeling, Predictive Machine Learning compares the sample to the malware model, assigns a probability score, and determines the probable malware type that the file contains.