Threat Protection

On the Configuration sidebar, select Policy > Threat protection to configure various policy options for inbound and outbound messages.

By adding a policy rule you can control how the appliance will handle messages containing known viruses, unscannable attachments, encrypted attachments, or suspect attachment types. For each of these message categories, actions can be configured for a specific set of users.

Additionally, you can configure DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) functionality by adding a policy rule.

If the default policy settings do not suit your organization's needs, you can modify them (see the encrypted attachments example later in this section). The threat categories and their default settings are as follows:

Viruses: Messages containing known viruses. By default, messages containing viruses are discarded for all users. A notification is not sent, and no banner is added. This rule cannot be deleted.
Unscannable attachments: Messages with attachments that cannot be scanned (for reasons other than encryption). By default, unscannable attachments are delivered to all users. A banner is added advising users that the message is not guaranteed to be virus-free and should not be opened unless it is an expected message.
Encrypted attachments: Messages with attachments that could not be scanned specifically because of encryption. By default, encrypted attachments are delivered to all users. A banner is added advising users that the message is not guaranteed to be virus-free and should not be opened unless it is an expected message.
SophosLabs Suspect Attachments: Messages with attachment types that are likely to contain viruses. By default, for all users, messages with suspect attachments are quarantined, the attachments are removed, and the messages are delivered. A banner is added advising users that potentially dangerous attachments were identified and removed.
DKIM (DomainKeys Identified Mail) test verification DKIM provides a way of verifying the reputation of senders using cryptographic authentication. Creating DKIM policy rules can attach an identifier to outbound messages, and can verify the identifier of incoming messages.
SPF (Sender Policy Framework) SPF provides a way to verify that a message does not have a forged sender address. For senders that provide an SPF record, creating an inbound policy rule will ensure that the envelope sender address has not been forged.
Sandstorm Sandstorm provides a higher level of security by performing real-time, in-depth threat analysis of potentially malicious messages. Suspicious messages are sent for analysis. If found to be infected, messages are dropped, else delivered to the respective recipient.
Time-of-Click (ToC) Protection ToC Protection provides protection against any malicious hyperlinks (URLs) in a message at the time a user clicks. All hyperlinks (URLs) present in a message are encoded by the appliance at the time of delivery. When a user clicks any of the links, appliance dynamically determines the reputation of that link and performs actions as per configured policy(s) for that reputation.
Note
Action performed on URL click is that specified in the policy at the time that email is processed by the Email Appliance.

Rules for these threat categories can be configured by clicking on the description. Rules are processed in order of their priority. A rule's priority can be changed by clicking the up or down arrow to the left of the rule description.