Policy Actions

The following tables describe the actions Deep Discovery Email Inspector performs for the selected actions in a matched policy rule in each operating mode.

Table 1. Actions and operation modes: Content filtering rules

Action

Operation Mode

MTA Mode

SPAN/TAP Mode

BCC Mode

Delete message

  • Deletes the email message from the mail queue

  • Does not apply subsequent policy rules in the same policy on the email message

  • Does not deliver the email message

  • Deletes the email message from the mail queue

  • Deletes the email message from the mail queue

Block and quarantine

  • Stores a copy in the quarantine area

  • Does not apply subsequent rules in the same policy on the email message until you resume the scanning process on the Detections > Quarantine screen.

  • You can release a quarantined message using the web console

  • Deletes the email message from the mail queue

  • Deletes the email message from the mail queue

Strip all attachments

  • Replaces suspicious attachments with a text file

  • If configured, tags the email message subject and inserts the X-header before delivery

  • Applies subsequent rules in the same policy on the email message.

Note:

Attachments and extracted URLs from attachments in detected email messages are not sent to Virtual Analyzer for analysis. Only extracted URLs from the message body and subject are sent to Virtual Analyzer for analysis.

  • Applies subsequent rules in the same policy on the email message.

  • Applies subsequent rules in the same policy on the email message.

Pass and tag

  • Applies subsequent rules in the same policy on the email message

  • If configured, tags the email message subject and inserts the X-header before delivery

  • Applies subsequent rules in the same policy on the email message

  • Applies subsequent rules in the same policy on the email message

Deliver directly

  • Does not apply subsequent policy rules in the same policy on the email message

  • Delivers the email message to the recipient

  • Deletes the email message from the mail queue

  • Deletes the email message from the mail queue

Encrypt message

  • Encrypts messages after applying all other non-terminal actions

  • Applies subsequent rules in the same policy on the email message

  • Not applicable

  • Not applicable

Sanitize file

  • Removes active content (such as macros) from Microsoft Office files

  • Applies subsequent rules in the same policy on the email message

  • If configured, tags the email message subject and inserts the X-header before delivery

  • Applies subsequent rules in the same policy on the email message

  • Applies subsequent rules in the same policy on the email message

Send notification

  • Sends a notification to all message recipients and contact email addresses specified in the notification template

  • Sends a notification to all message recipients and contact email addresses specified in the notification template

  • Not applicable

Table 2. Actions and operation modes: Data loss prevention (DLP) rules

Action

Operation Mode

MTA Mode

SPAN/TAP Mode

BCC Mode

Delete message

  • Deletes the email message from the mail queue

  • Does not apply subsequent policy rules in the same policy on the email message

  • Does not deliver the email message

  • Deletes the email message from the mail queue

  • Deletes the email message from the mail queue

Block and quarantine

  • Stores a copy in the quarantine area

  • Does not apply subsequent rules in the same policy on the email message until you resume the scanning process on the Detections > Quarantine screen.

  • You can release a quarantined message using the web console

  • Deletes the email message from the mail queue

  • Deletes the email message from the mail queue

Strip all attachments

  • Replaces suspicious attachments with a text file

  • Applies subsequent rules in the same policy on the email message.

  • If configured, tags the email message subject and inserts the X-header before delivery

Note:

Attachments and extracted URLs from attachments in detected email messages are not sent to Virtual Analyzer for analysis. Only extracted URLs from the message body and subject are sent to Virtual Analyzer for analysis.

  • Applies subsequent rules in the same policy on the email message.

  • Applies subsequent rules in the same policy on the email message.

Pass and tag

  • Applies subsequent rules in the same policy on the email message

  • If configured, tags the email message subject and inserts the X-header before delivery

  • Applies subsequent rules in the same policy on the email message

  • Applies subsequent rules in the same policy on the email message

Encrypt message

  • Encrypts messages after applying all other non-terminal actions

  • Applies subsequent rules in the same policy on the email message

  • Not applicable

  • Not applicable

Send notification

  • Sends a notification to all message recipients and contact email addresses specified in the notification template

  • Sends a notification to all message recipients and contact email addresses specified in the notification template

  • Not applicable

Table 3. Actions and operation modes: Antispam rules

Action

Operation Mode

MTA Mode

SPAN/TAP Mode

BCC Mode

Delete message

  • Deletes the email message from the mail queue

  • Does not apply subsequent policy rules in the same policy on the email message

  • Does not deliver the email message

  • Deletes the email message from the mail queue

  • Deletes the email message from the mail queue

Block and quarantine

  • Stores a copy in the quarantine area

  • Does not apply subsequent rules in the same policy on the email message until you resume the scanning process on the Detections > Quarantine screen.

  • You can release a quarantined message using the web console

  • Deletes the email message from the mail queue

  • Deletes the email message from the mail queue

Pass and tag

  • Applies subsequent rules in the same policy on the email message

  • If configured, tags the email message subject and inserts the X-header before delivery

  • Applies subsequent rules in the same policy on the email message

  • Applies subsequent rules in the same policy on the email message

Send notification

  • Sends a notification to all message recipients and contact email addresses specified in the notification template

  • Sends a notification to all message recipients and contact email addresses specified in the notification template

  • Not applicable

Table 4. Actions and operation modes: Threat protection rules

Action

Operation Mode

MTA Mode

SPAN/TAP Mode

BCC Mode

Delete message

  • Deletes the email message from the mail queue

  • Does not deliver the email message

  • Deletes the email message from the mail queue

  • Deletes the email message from the mail queue

Block and quarantine

  • Stores a copy in the quarantine area

  • Does not deliver the email message

  • Stores a copy in the quarantine area

  • Stores a copy in the quarantine area

Strip attachments, redirect links to blocking page, and tag

  • Replaces suspicious attachments with a text file

  • Redirects suspicious links to a blocking page

  • If configured, tags the email message subject and inserts the X-header before delivery

  • Deletes the email message from the mail queue

  • Deletes the email message from the mail queue

Strip attachments, redirect links to warning page, and tag

  • Replaces suspicious attachments with a text file

  • Redirects suspicious links to a warning page

  • If configured, tags the email message subject and inserts the X-header before delivery

  • Delivers the email message to the recipient

  • Deletes the email message from the mail queue

  • Deletes the email message from the mail queue

Pass and tag

  • If configured, tags the email message subject and inserts the X-header before delivery

  • Deletes the email message from the mail queue

  • Deletes the email message from the mail queue

Quarantine the original message when attachments cannot be stripped

  • If no strip attachment action is specified or no attachment exists, sends the message to the quarantine area

  • Not applicable

  • Not applicable

Quarantine a copy of the original message when stripping attachments or redirecting links

  • If a strip attachment action or a redirect link is specified, stores a copy in the quarantine area

  • Not applicable

  • Not applicable

Attempt to clean before stripping attachments

  • If a strip attachment action is specified, performs the clean attachment action

  • If the clean attachment action is not successful or no strip attachment action is selected, deletes the attachment

  • Not applicable

  • Not applicable

Send notification

  • Sends a notification to all message recipients and contact email addresses specified in the notification template

  • Sends a notification to all message recipients and contact email addresses specified in the notification template

  • Not applicable

Note:
  • In policies, the terminal actions are Delete message, Block and quarantine, and Deliver directly. For policies with multiple rules, Deep Discovery Email Inspector applies only one terminal action on detected messages. After applying a terminal action on a message for a matched rule, Deep Discovery Email Inspector does not match the message against subsequent rules in the policy.

    For example, if a policy contains one content filtering rule, one antispam protection rule, and one threat protection rule, and Deep Discovery Email Inspector applies the Delete message action on a message based on the content filtering rule matched, Deep Discovery Email Inspector does not apply the antispam and threat protection rules on the message.

  • For policies with multiple rules, Deep Discovery Email Inspector applies all non-terminal actions on messages for matched rules before delivery or until a terminal action is applied.

    As an example, you configure a policy containing one or more content filtering rules, one or more data loss prevention (DLP) rules, one or more antispam rules, and one threat protection rule. If Deep Discovery Email Inspector applies the Strip all attachments action on a message based on the content filtering rule or DLP rule that is first matched, Deep Discovery Email Inspector will continue to scan the messages until a terminal action or all subsequent rules are applied (except Virtual Analyzer submission for attachments).

    If Deep Discovery Email Inspector does not apply a strip attachment action on a message based on one or more preceding rules matched, Deep Discovery Email Inspector will continue to scan the messages until a terminal action or all subsequent rules are applied (including Virtual Analyzer submission for attachments).

  • When applying multiple actions on a message, Deep Discovery Email Inspector applies the Encrypt message action as the last non-terminal action.