Adding Data Loss Prevention Rules

  1. Go to Devices.
  2. Select a Messaging Security Agent.
  3. Click Configure Policy.

    A new screen appears.

  4. Click Data Loss Prevention.

    A new screen appears.

  5. Click Add.

    A new screen appears.

  6. Select the message part that you want to evaluate. The Messaging Security Agent can filter email messages by:
    • Header (From, To, and Cc)

    • Subject

    • Body

    • Attachment

  7. Add a rule.

    To add a rule based on a keyword:

    1. Select Keyword.
    2. Type the keyword in the field shown. The keyword must be from 1 to 64 alphanumeric characters long.

    3. Click Next.

    To add a rule based on auto-generated expressions:

    1. See Regular Expressions for guidelines on defining regular expressions.

    2. Select Regular expression (auto-generated).

    3. In the provided field, type a Rule Name. This field is required.

    4. In the Example field, type or paste an example of the kind of string (up to 40 characters long) that the regular expression is intended to match. The alphanumeric characters appear in all caps in the shaded area with rows of boxes beneath the Example field.

    5. If there are any constants in the expression, select them by clicking the boxes in which the characters are displayed.

      As you click each box, its border turns red to indicate that it is a constant and the auto-generation tool modifies the regular expression shown below the shaded area.

      Note:

      Non-alphanumeric characters (such as spaces, semicolons, and other punctuation marks) are automatically considered constants and cannot be toggled into variables.

    6. To verify that the generated regular expression matches the intended pattern, select Provide another example to verify the rule (Optional).

      A test field appears below this option.

    7. Type another example of the pattern that you just entered.

      For example, if this expression is to match a series of account numbers of the pattern “01-EX????? 20??”, then type another example that matches, such as “01-Extreme 2010” and then click Test.

      The tool validates the new sample against the existing regular expression and places a green check mark icon next to the field if the new sample matches. If the regular expression does not match the new sample, a red X icon appears next to the field.

      Warning:

      Regular expressions created using this tool are case-insensitive. These expressions can match only patterns with the exact same number of characters as your sample; they cannot evaluate a pattern of “one or more” of a given character.

    8. Click Next.

    To add a rule based on user-defined expressions:

    Warning:

    Regular expressions are a powerful string-matching tool. Ensure that you are comfortable with regular expression syntax before using these expressions. Poorly written regular expressions can dramatically impact performance. Trend Micro recommends starting with simple regular expressions. When creating new rules, use the “archive” action and observe how Data Loss Prevention manages messages using the rule. When you are confident that the rule has no unexpected consequences, you can change the action.

    1. See Regular Expressions for guidelines on defining regular expressions.

    2. Select Regular expression (user-defined).

      The Rule Name and Regular Expression fields display.

    3. In the provided field, type a Rule Name. This field is required.

    4. In the Regular Expression field, type a regular expression, beginning with a “.REG.” prefix, up to 255 characters long including the prefix.

      Warning:

      Be very careful when pasting into this field. If any extraneous characters, such as an OS-specific line feed or an HTML tag, are included in the content of your clipboard, the pasted expression will be inaccurate. For this reason, Trend Micro recommends typing the expression by hand.

    5. To verify that the regular expression matches the intended pattern, select Provide another example to verify the rule (Optional).

      A test field appears below this option.

    6. Type another example of the pattern that you just entered (40 characters or less).

      For example, if this expression is to match a series of account numbers of the pattern “ACC-????? 20??”, type another example that matches, such as “Acc-65432 2012”, and then click Test.

      The tool validates the new sample against the existing regular expression and places a green check mark icon next to the field if the new sample matches. If the regular expression does not match the new sample, a red X icon appears next to the field.

    7. Click Next.

  8. Select an action for the Messaging Security Agent to take when a rule is triggered (for descriptions, see Scan Targets and Actions for Messaging Security Agents):
    • Replace with text/file

      Note:

      You cannot replace text from the From, To, Cc, or subject fields.

    • Quarantine entire message

    • Quarantine message part

    • Delete entire message

    • Archive

    • Pass entire message

  9. Select Notify recipients to set the Messaging Security Agent to notify the intended recipients when Data Loss Prevention takes action against a specific email message.

    For various reasons, you may want to avoid notifying external mail recipients that a message containing sensitive information was blocked. Select Do not notify external recipients to only send notifications to internal mail recipients. Define internal addresses from Operations > Notification Settings > Internal Mail Definition.

  10. Select Notify senders to set the Messaging Security Agent to notify the intended senders when Data Loss Prevention takes action against a specific email message.

    For various reasons, you may want to avoid notifying external mail senders that a message containing sensitive information was blocked. Select Do not notify external senders to only send notifications to internal mail senders. Define internal addresses from Operations > Notification Settings > Internal Mail Definition.

  11. In the Advanced Options section, click the plus (+) icon to expand the Archive Setting subsection.
    1. In the Quarantine directory field, type the path to the folder for Data Loss Prevention to place quarantined email or accept the default value: <Messaging Security Agent Installation folder>\storage\quarantine
    2. In the Archive directory field, type the path to the folder for Data Loss Prevention to place archived email or accept the default value: <Messaging Security Agent Installation folder>\storage\backup for content filter
  12. Click the plus (+) icon to expand the Replacement Settings subsection.
    1. In the Replacement file name field, type the name of the file that Data Loss Prevention will replace an email message with when a rule using the “Replace with text/file” action is triggered, or accept the default value.
    2. In the Replacement text field, type or paste the content of the replacement text for Data Loss Prevention to use when an email message triggers a rule whose action is “Replace with text/file” or accept the default text.
  13. Click Finish.

    The wizard closes and returns to the Data Loss Prevention screen.
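
The warning in step 7 about auto-generated expressions (case-insensitive, exact character count only) is easier to see in a small model. The following Python sketch is an added example, not Trend Micro code: it builds one pattern element per character the way the procedure describes, and it assumes that a variable position accepts any single ASCII letter or digit and that the Test button behaves like a whole-string match. The sample strings and constant positions are constructed.

```python
import re

MAX_EXAMPLE_LEN = 40  # limit the page gives for the Example field


def build_fixed_length_pattern(example, constant_positions):
    """Model of the auto-generation step: one pattern element per character.

    Assumption: a variable position accepts any single ASCII letter or digit;
    the page does not say which character class the product emits.
    """
    if not 0 < len(example) <= MAX_EXAMPLE_LEN:
        raise ValueError("example must be 1 to 40 characters long")
    parts = []
    for index, char in enumerate(example):
        is_alnum = char.isascii() and char.isalnum()
        if not is_alnum or index in constant_positions:
            # Punctuation and spaces are always constants; letters and
            # digits are constants only when their box was clicked.
            parts.append(re.escape(char))
        else:
            parts.append("[A-Za-z0-9]")
    # No quantifiers are emitted, so the match length is fixed.
    return re.compile("".join(parts), re.IGNORECASE)


def verify(pattern, sample):
    """Model of the Test button: True = green check mark, False = red X."""
    return pattern.fullmatch(sample) is not None


# Constructed sample for the account-number pattern "01-EX????? 20??".
EXAMPLE = "01-EXAMPLE 2009"
CONSTANTS = {0, 1, 3, 4, 11, 12}  # clicked boxes: "01", "EX", "20"
PATTERN = build_fixed_length_pattern(EXAMPLE, CONSTANTS)

if __name__ == "__main__":
    for sample in ("01-Extreme 2010", "01-Extremes 2010", "02-Extreme 2010"):
        result = "match" if verify(PATTERN, sample) else "no match"
        print(f"{sample!r}: {result}")
```

A sample that is one character longer fails even though it looks like the same kind of account number, which is the gap to keep in mind when relying on an auto-generated rule to catch every variant.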
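
For the user-defined expression in step 7, the field constraints and the clipboard warning can be checked before anything is pasted into the console. This Python lint is an added example, not part of the product: it checks only the “.REG.” prefix, the 255-character limit, and stray control characters, unusual spaces, or HTML tags. It does not evaluate the expression syntax, and the expressions used with it are constructed.

```python
import re
import unicodedata

PREFIX = ".REG."
MAX_EXPRESSION_LEN = 255  # limit from the page, prefix included

# Markup copied from a web page, e.g. <b> or </span>. The lookbehinds skip
# named-group syntax such as (?<name>...) so it is not reported as a tag.
HTML_TAG = re.compile(r"(?<!\?)(?<!\?P)</?[A-Za-z][A-Za-z0-9]*(\s[^<>]*)?/?>")


def lint_expression(field_value):
    """Return a list of problems in text bound for the Regular Expression field."""
    problems = []
    if not field_value.startswith(PREFIX):
        problems.append("missing .REG. prefix")
    if len(field_value) > MAX_EXPRESSION_LEN:
        problems.append(
            f"{len(field_value)} characters, limit is {MAX_EXPRESSION_LEN}"
        )
    for index, char in enumerate(field_value):
        category = unicodedata.category(char)
        if category in ("Cc", "Cf"):
            # Line feeds, carriage returns, tabs, zero-width characters.
            problems.append(
                f"control or invisible character U+{ord(char):04X} at index {index}"
            )
        elif category == "Zs" and char != " ":
            # Non-breaking and other typographic spaces from rich text.
            problems.append(
                f"non-standard space U+{ord(char):04X} at index {index}"
            )
    if HTML_TAG.search(field_value):
        problems.append("HTML tag in expression")
    return problems


# Constructed expression; its syntax is not validated by this lint.
CLEAN = ".REG.ACC-[0-9][0-9][0-9][0-9][0-9] 20[0-9][0-9]"

if __name__ == "__main__":
    for value in (CLEAN, CLEAN + "\r\n", ".REG.<b>ACC-[0-9]</b>"):
        print(repr(value), "->", lint_expression(value) or "ok")
```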