Symantec Encryption Product Community


email encryption PGP Desktop managed client

  • 1.  email encryption PGP Desktop managed client

    Posted Aug 29, 2014 05:51 PM

    I have a managed Symantec Encryption Management Server.

    My Objective: Automatically encrypt emails between internal users.

    Condition: If body or attachment (Office docs) contains certain data (key words).

    Please advise on how to configure such mail policy.



  • 2.  RE: email encryption PGP Desktop managed client

    Broadcom Employee
    Posted Sep 01, 2014 03:58 AM

    Hi, Mehmood,

    I would try like this:

    Conditions:
    If any of the following are true
      Message has an attachment whose type is application/msword
      Message body matches pattern (here you will have to specify a regex pattern for the certain data, or you can choose "contains" and provide a portion of the mail/message body)

    Actions:
    Send (encrypt/signed) Encrypt to Recipient's key

    ---------------

    MIME type list for the configuration is available below:

    http://www.freeformatter.com/mime-types-list.html

    HTH

     



  • 3.  RE: email encryption PGP Desktop managed client

    Posted Sep 01, 2014 04:39 AM

    Hi Adam,

    Should this be in outbound mail policy chain?

    I already have a rule for a group, which encrypts emails among the users of a dictionary. This rule is placed at #1 in outbound policy chain. This encrypts emails if the senders or recipients are in the dictionary.

    Now I want to create a new rule to apply the condition as you advised. This will be among certain users in a group or dictionary. Should I place it at #2?

     

    Also, please specify the condition for attachments of all MS Office docs (Word, Excel, PPT).

    Encrypt body if it contains data such as credit card info, phone nos, dates of birth etc.

    I am working for a Bank, so need to secure customers' data.



  • 4.  RE: email encryption PGP Desktop managed client

    Posted Sep 01, 2014 05:50 AM

    Credit card info etc, that is very difficult to create.  You will need to know a LOT of regex to create flexible rules here.

    But the rule for that is Message Body Matches Pattern, then you put in your Regex.

    I would highly suggest to rethink this policy.  There are many many ways people can format such things.

     



  • 5.  RE: email encryption PGP Desktop managed client

    Broadcom Employee
    Posted Sep 01, 2014 06:19 AM

    Hi, Mehmood,

    For testing purposes I would run this policy not in a production environment, or if that's not possible you can do it outside of your working hours.

    a) outbound policy

    b) I would setup as #1 for the testing purposes

    Other message attachment MIME types are as follow

    application/vnd.ms-powerpoint                                              - ppt
    application/vnd.ms-excel                                                   - xls
    application/msword                                                         - doc
    application/vnd.ms-project                                                 - mpp
    application/x-mspublisher                                                  - pub
    application/onenote                                                        - onetoc
    application/vnd.visio                                                      - vsd
    application/vnd.openxmlformats-officedocument.presentationml.presentation  - pptx
    application/vnd.openxmlformats-officedocument.wordprocessingml.document    - docx

    If you need more they are on the link below:

    http://www.freeformatter.com/mime-types-list.html

    Regarding credit cards you need to apply a specific regex (regular expression), example below:

    (^|[^0-9])([1-9][0-9]{3} ?[0-9]{4} ?[0-9]{4} ?[0-9]{4})([^0-9]|$)

    All of this information is available in the Help of SEMS if you press F1 and search for "Regular Expressions".

    Below are copy and paste examples:

     

    Data                                  Example                  Regular Expression
    Phone number                          (555)555-4567            \(?[2-9][0-9]{2}[\)-.][2-9][0-9]{2}[-.][0-9]{4}
    Email address                         joe@example.com          [a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}
    Credit card number                    1234 1234 1234 1234      [1-9][0-9]{3} ?[0-9]{4} ?[0-9]{4} ?[0-9]{4}
    Social Security Number                123-45-6789              [0-9]{3}-[0-9]{2}-[0-9]{4}
    City, state abbreviation              Palo Alto, CA            .*, [A-Z][A-Z]
    2-character state abbreviation        CA                       [A-Z][A-Z]
    Zip code                              12345                    [0-9]{5}(-[0-9]{4})?
    Dollar amounts, with leading $ symbol $3.95                    \$[0-9]+.[0-9][0-9]
    Date, numeric                         2003-08-06               [0-9]{4}-[0-9]{2}-[0-9]{2}
    Date, alpha-numeric                   Jan 3, 2003              (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\.? (3[0-1]|[1-2][0-9]|0?[0-9]), [0-9]{4}
    HTTP URL                              http://www.example.com   https?://(([012][0-9]{0,2}\.){3}[012][0-9]{0,2}|([a-zA-Z0-9]+\.)+[a-zA-Z0-9]{2,6})(/.*)?
    IP address                            123.123.123.123          ([012][0-9]{0,2}\.){3}[012][0-9]{0,2}
    A blank line                          (empty line)             ^$
     
    HTH



  • 6.  RE: email encryption PGP Desktop managed client

    Posted Sep 01, 2014 06:53 AM

    Thumbs up.  This is a very handy reference.

    Needs to be thoroughly tested and different rules added for different formatting.

    I could write a date of birth dozens of different ways.  The same with credit card numbers.  I might put 2 spaces, or a tab between the number blocks, or I might not put any spaces in at all, or I might use dashes, or slashes.  Then you will need rules to trigger encryption on expiry dates and SCC digits etc.



  • 7.  RE: email encryption PGP Desktop managed client

    Posted Sep 01, 2014 07:58 AM

    Hi Adam,

    If I set it as #1, then what would happen to the one that is already at #1? It will be moved down to #2. So when moved down, would it work?



  • 8.  RE: email encryption PGP Desktop managed client

    Posted Sep 01, 2014 08:26 AM

    It would move into the 2nd chain if nothing in chain 1 is triggered.  So you need to configure the policy for such.

    It looks like you want to trigger encryption from something that's already matching in chain 1, so move this new rule into #1 with the AND rule to say AND it needs to contain x y z.



  • 9.  RE: email encryption PGP Desktop managed client

    Posted Sep 07, 2014 07:21 AM

    Hi Alex,

    application/vnd.ms-powerpoint  - ppt
    application/vnd.ms-excel       - xls
    application/msword             - doc

    These 3 don't encrypt Office 2010 files, as they have .docx .pptx .xlsx

    Tried:

    application/vnd.openxmlformats-officedocument.wordprocessingml.document 

    &  application/vnd.openxmlformats-officedocument.spreadsheetml.sheet

    Still no luck

     

    application/pdf & application/jpeg -works fine.

    What do I enter for Office 2010 with extn .docx .pptx .xlsx?



  • 10.  RE: email encryption PGP Desktop managed client

    Posted Sep 07, 2014 07:24 AM

    Hi Alex,

    The regex for credit card on SEM help is: [1-9][0-9]{3} ?[0-9]{4} ?[0-9]{4} ?[0-9]{4}

    Would this match for all credit cards (Visa, Master, Diners, Amex..)?

    Please advise.

     

     



  • 11.  RE: email encryption PGP Desktop managed client

    Posted Sep 08, 2014 01:55 AM

    Hi Alex,

    MIME types for docx, pptx & xlsx do not encrypt the email:

    Rule:

    Message has an attachment whose type is

    application/vnd.openxmlformats-officedocument.presentationml.presentation  - pptx

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    - docx

    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          - xlsx

     



  • 12.  RE: email encryption PGP Desktop managed client

    Posted Sep 08, 2014 04:03 AM

    That will only work if it's in the format of this: 1111 2222 3333 4444

    Anything other than that exact format and it won't work. If I do it like 1111222233334444 it won't trigger, for example.
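    The formatting problem raised in the two posts above, shown in code. This is an added example and not code from the thread or from Symantec: it runs the credit card regex from the SEMS help table against constructed message bodies next to a separator-tolerant variant (my own assumption, not a pattern from the product help) that also drops candidates failing the Luhn checksum, which cuts false positives on arbitrary 16-digit strings.

```python
import re

# Card pattern copied from the SEMS help table quoted in the thread:
# a single optional space between blocks, no boundary check on either end.
HELP_CC_RE = re.compile(r"[1-9][0-9]{3} ?[0-9]{4} ?[0-9]{4} ?[0-9]{4}")

# Separator-tolerant variant (my assumption, not from the SEMS help):
# any number of spaces, tabs or dashes between blocks, and digit boundaries
# on both ends so it does not fire inside a longer run of digits.
FLEX_CC_RE = re.compile(r"(?<![0-9])[1-9][0-9]{3}(?:[ \t-]*[0-9]{4}){3}(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) checksum; issued card numbers satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(body: str, pattern=FLEX_CC_RE, require_luhn=True):
    """Return candidate card numbers (digits only) that the pattern finds
    in a message body, optionally dropping those that fail the Luhn check."""
    hits = []
    for m in pattern.finditer(body):
        digits = re.sub(r"[^0-9]", "", m.group(0))
        if require_luhn and not luhn_ok(digits):
            continue
        hits.append(digits)
    return hits


# Constructed message bodies covering the formats discussed in the thread.
SAMPLES = {
    "spaced":   "Card: 1111 2222 3333 4444, exp 12/16",
    "nospace":  "Card: 1111222233334444",
    "dashes":   "Card: 1111-2222-3333-4444",
    "doublesp": "Card: 1111  2222  3333  4444",
    "notluhn":  "Ref 1234 1234 1234 1234 (the help table's own example)",
    "orderno":  "Order 12345678901234567890 shipped",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9} help={find_cards(body, HELP_CC_RE, False)} "
              f"flex={find_cards(body)}")
```

    The help regex misses dashed and double-spaced numbers but fires inside the 20-digit order number; the flexible variant does the opposite, and the Luhn filter rejects the help table's own 1234 1234 1234 1234 example.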



  • 13.  RE: email encryption PGP Desktop managed client

    Posted Sep 08, 2014 04:27 AM

    Do you have "If all of the following are true" set or "If any of the following are true"?



  • 14.  RE: email encryption PGP Desktop managed client

    Posted Sep 08, 2014 04:40 AM

    Hi Alex,

    I've set as "If any of the following are true"

    updated policy on client, logged off&on, Re-enrolled.. still doesn't work!



  • 15.  RE: email encryption PGP Desktop managed client

    Posted Sep 14, 2014 07:29 AM

    I've defined a dictionary for Senders & Recipients.

    If all of the following are true:

       Sender address is in dictionary test-group

        Recipient address is in dictionary test-group

     And any of the following are true:

      Message body matches pattern \b4008[ -]*61\d{2}[ -]*\d{4}[ -]*

    And Action as:

    Send (encrypted/signed)    Finishes processing  

    Action:  Send (encrypted/signed)

    Send the message with the following options:

       Encrypt to:      Recipient's Key

      Require verified key   Require end-to-end key

    When a suitable recipient key cannot be found: Bounce

     

    Now the email is sent encrypted to the recipient in the dictionary & sent unencrypted to anyone who is not in the dictionary.

    What I want to achieve is: send encrypted to the user in the dictionary & block the same email to the user who is not in the dictionary or whose key is not found.



  • 16.  RE: email encryption PGP Desktop managed client

    Posted Sep 14, 2014 07:49 AM

    Contd....

    The email should be blocked to any user whose key is not found.



  • 17.  RE: email encryption PGP Desktop managed client

    Posted Sep 15, 2014 06:35 AM

    I suggest creating a rule above this in the chain that will automatically move users who meet the criteria but are NOT in the dictionary to go to an outbound mail chain that blocks the email.



  • 18.  RE: email encryption PGP Desktop managed client

    Posted Sep 15, 2014 08:19 AM

    Alex,

    If the sender is in the Dictionary.

    & If any recipient is not in the dictionary, the email is blocked to all the recipients, including those in the dictionary.

    & But when all the recipients are in the dictionary the email is sent encrypted.

     

    Rule one:

    If all are true: Sender in the dictionary TEST

    If none are true: Recipient in the dictionary TEST

    If Message body matches pattern

    send to Chain that Bounces.

    Rule Two:

    If all are true: Sender in the dictionary TEST

    If Message body matches pattern

    Send Encrypted

     

    (Still not met the objective: send encrypted to the user in the dictionary & block the same email to the user who is not in the dictionary.)

     



  • 19.  RE: email encryption PGP Desktop managed client

    Posted Sep 15, 2014 10:36 AM

    I would create a rule thus:

    Rule 1:

    If all are true: Sender not in dictionary TEST

    If message body matches pattern

    Go to chain that bounces

    Rule 2

    If all are true: Recipient not in the dictionary TEST

    If message body matches pattern

    Go to chain that bounces

    Rule 3

    If All are true, Sender is in dictionary TEST

    If recipient is in dictionary TEST

    If message body matches pattern

    Send encrypted

     

    Remember, the email will work top down going through rules to see if it matches.  In the above scenario, if the email matches the pattern, it will only be sent if ALL recipients and the sender are in that dictionary.  Otherwise, it will bounce.  This will also bounce if there is just 1 recipient who is not in the dictionary, because it will match rule 2, and bounce.
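    The top-down chain evaluation described in this post, as an added example that is not code from the thread or from Symantec: the three rules above are modelled as (name, condition, action) tuples over a constructed TEST dictionary, together with the looser sender-only "Rule Two" from an earlier post, so that the effect of a rule's position in the chain can be checked on constructed messages.

```python
import re

# Pattern from the SEMS help table quoted earlier in the thread.
CARD_RE = re.compile(r"[1-9][0-9]{3} ?[0-9]{4} ?[0-9]{4} ?[0-9]{4}")

# Constructed stand-in for the thread's "TEST" dictionary (assumption).
TEST = {"alice@bank.example", "bob@bank.example"}


def body_matches(m):
    return CARD_RE.search(m["body"]) is not None


# A rule is (name, condition, action). Conditions are "If all are true";
# the first rule whose condition holds decides the action.
RULE1 = ("rule1_sender_not_in_dict",
         lambda m: m["sender"] not in TEST and body_matches(m), "bounce")
RULE2 = ("rule2_any_recipient_not_in_dict",
         lambda m: (any(r not in TEST for r in m["recipients"])
                    and body_matches(m)), "bounce")
RULE3 = ("rule3_all_in_dict",
         lambda m: (m["sender"] in TEST
                    and all(r in TEST for r in m["recipients"])
                    and body_matches(m)), "encrypt")
# The earlier post's looser "Rule Two" (sender in dictionary only), kept to
# show why its position in the chain matters.
RULE_SENDER_ONLY = ("rule_sender_only",
                    lambda m: m["sender"] in TEST and body_matches(m), "encrypt")

CHAIN = [RULE1, RULE2, RULE3]


def evaluate(chain, m):
    """Walk the chain top-down and return (rule name, action) of the first
    hit, or (None, "send-clear") when no rule matches."""
    for name, cond, action in chain:
        if cond(m):
            return name, action
    return None, "send-clear"


def msg(sender, recipients, body="Card 1111 2222 3333 4444"):
    """Build a constructed outbound message."""
    return {"sender": sender, "recipients": list(recipients), "body": body}
```

    With RULE_SENDER_ONLY placed above the recipient check, a message with one external recipient is encrypted; below it, the same message bounces.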

     



  • 20.  RE: email encryption PGP Desktop managed client

    Posted Sep 16, 2014 01:26 AM

    Hi Alex,

    Did exactly as you described. And the message is going encrypted to the recipient in the dictionary & unencrypted to the ones who are not in the dictionary.

     

    Is my chain that bounces correct?

    Chain that bounces:

    Rule: If any of the following are true:
    Message body matches pattern.

    Action: Bounce message



  • 21.  RE: email encryption PGP Desktop managed client

    Posted Sep 16, 2014 03:35 AM

    You don't even need to set any rules for the bounce one.  Just bounce message.  Then retest.  The method I described should work.  If you look in the mail logs, you can see which rules it hits and where it goes; let me know which rules it's getting through.



  • 22.  RE: email encryption PGP Desktop managed client

    Posted Sep 16, 2014 04:45 AM

    The mail log on the client says that the mail is encrypted to the user in the dictionary & sent unsecured to others. The logs do not show which rule the mail hits.



  • 23.  RE: email encryption PGP Desktop managed client

    Posted Sep 16, 2014 05:52 AM

    It should do, change the logging to Verbose.  All email going out states which rules it hits.