Using the Keyword & Expression List Parent topic

Keywords are special words or phrases. Add related keywords to a keyword list to identify specific types of data. For example, "prognosis", "blood type", "vaccination", and "physician" are keywords that may appear in a medical certificate. To prevent the transmission of medical certificate files, configure IMSVA to block files containing these keywords.
Expressions are data that have a certain structure. For example, credit card numbers typically have 16 digits and appear in the format "nnnn-nnnn-nnnn-nnnn", making them suitable for expression-based detections.
IMSVA can take action on an email message based on its subject, body, header or attachment. To filter email messages by content, combine keywords or regular expressions in keyword expression lists.

Selecting Scanning Conditions for Content Parent topic

Procedure

  1. Create or modify an "Other" (not an Antivirus) policy.
  2. Under Content, on the Scanning Conditions screen, select the check boxes next to the parts of a message to which you want the content conditions to apply.
  3. Click the link that specifies the part of the message to which you want to configure content conditions.
    The Keyword Expressions screen appears with two columns:
    • Available: Expressions available for use, but not currently in use.
    • Selected: Expressions currently in use.
  4. If configuring expressions for the header, select the check boxes next to the header items where the expression applies.
  5. Click Add.
    The screen for managing keyword expressions appears.
  6. Configure the expressions.
  7. In the Available list, click the expression list to enable.
  8. Click >>.
    The expressions appear in the Selected list.
    To keep an expression list available but temporarily prevent IMSVA from using it, click the expression in the selected list, and then click <<.
  9. Click Save to continue to the scanning conditions selection screen.

Configuring an Expression Parent topic

Configure keywords and regular expressions to enable IMSVA to scan message content. Create keywords or expressions on the Keywords & Expressions screen or during policy creation.
Tip
Tip
Although keywords or expressions can be created during policy creation, Trend Micro recommends creating keywords or expressions before you begin creating policies.
When creating expressions:
  • Start with simple expressions. Modify the expressions if they are causing false alarms or fine tune them to improve detections.
  • Specify criteria when creating expressions. An expression must meet specified criteria before IMSVA subjects it to a policy.

Creating Keywords or Expressions Parent topic

Procedure

  1. Go to PolicyKeywords & Expressions.
    The Keywords & Expressions screen appears.
  2. Click Add.
    The Add Keyword Expression screen appears.
  3. Next to List name, specify a descriptive name.
  4. Next to Match, select one of the following that specifies when IMSVA takes action:
    • Any specified: Message content matches any of the keywords or expressions in the list.
    • All specified: Message content matches all keywords or expressions in the list.
    • Not the specified: Message content does not match any of the keywords or expressions in the list.
    • Only when combined score exceeds threshold: Message content contains one or more keywords or expressions in the list. If only one keyword or expression was detected, its score must be higher than the threshold. If several keywords or expressions are detected, their combined score must be higher than the threshold.
      Next to Total message score to trigger action, specify a number that represents the maximum score for allowed keyword expressions. When you add an expression, you can set a value for the Score.
  5. To create a new keyword expression, do the following:
    1. Click Add.
      The Add Keyword Expression list appears.
    2. Specify the keywords. For a partial match, specify the keyword. To specify an exact match, use \b before and after the keyword.
      For example:
      • keyword matches "keywords", "akeyword"
      • \bkeyword\b matches "keyword" only
    3. Specify a description for the added keyword expression to make it easier to understand.
    4. Click Save.
  6. For IMSVA to consider the capitalization of message content when it uses the filter, select the check box under Case sensitive.
  7. If you selected Only when combined score exceeds threshold:
    1. Specify a threshold in the Total message score to trigger action field.
    2. Select a value from the Score drop-down box.
  8. Click Save.
    The Keywords & Expressions screen appears with the new keyword or expression appearing in the table.

Adding/Editing a Keyword or Expression during Policy Creation/Modification Parent topic

Procedure

  1. Create or modify an "Other" (not an Antivirus) policy.
  2. Under Content on the Scanning Conditions screen, click the link that specifies the part of the message to which you want to configure content conditions.
    The Keyword Expressions screen appears with two columns.
  3. Click Add or Edit from the Keyword Expressions screen.
    The configuration screen for keyword expression lists appears.
  4. Next to List name, specify a descriptive name.
  5. Next to Match, select one of the following that specifies when IMSVA takes action:
    • Any specified: Message content can match any of the expressions in the list.
    • All specified: Message content must match all the expressions in the list.
    • Not the specified: Message content must not match any of the expressions in the list.
    • Only when combined score exceeds threshold: Next to Total message score to trigger action, specify a number that represents the maximum score for allowed keyword expressions. When you add an expression, you can set a value for the Score.
  6. To create an expression, click Add.
    The Add Keyword Expression list appears.
  7. Specify the keywords. For a partial match, specify the keyword. To specify an exact match, use \b before and after the keyword.
    For example:
    • keyword matches "keywords", "akeyword"
    • \bkeyword\b matches "keyword" only
  8. Specify a description for the keywords.
  9. If you selected Only when combined score exceeds threshold:
    1. Specify a threshold in the Total message score to trigger action field.
    2. Select a value from the Score drop-down box.
  10. Click Save.
  11. For IMSVA to consider the capitalization of message content when it uses the filter, select the check box under Case sensitive.
  12. Click Save to continue modifying or creating the policy.

About Regular Expressions Parent topic

IMSVA treats all keyword expressions as regular expressions. IMSVA supports the following regular expressions.
Tip
Tip
Although keywords or expressions can be created during policy creation, Trend Micro recommends creating keywords or expressions before you begin creating policies.

Characters Parent topic

Regular Expression
Description
. (dot)
Any character (byte) except newline
x
The character 'x'
\\
The character '\'
\a
The alert (bell) character (ASCII 0x07)
\b
  1. If this meta-symbol is within square brackets [] or by itself, it will be treated as the backspace character (ASCII 0x08). For example, [\b] or \b
  2. If this meta-symbol is at the beginning (or end) of a regular expression, it means any matched string of the regular expression must check whether the left (or right) side of the matched string is a boundary. For example:
    • \bluck > left side must be the boundary
    • luck\b > right side must be the boundary
    • \bluck\b > both sides must be the boundary
  3. If this meta-symbol appears in the middle of a regular expression, it will cause a syntax error.
\f
The form-feed character (ASCII 0x0C)
\n
The newline (line feed) character (ASCII 0x0A)
\r
The carriage-return character (ASCII 0x0D)
\t
The normal (horizontal) tab character (ASCII 0x09)
\v
The vertical tab character (ASCII 0x0B)
\n
The character with octal value 0n (0 <= n <= 7)
\nn
The character with octal value 0nn (0 <= n <= 7)
\mnn
The character with octal value 0mnn (0 <= m <= 3, 0 <= n <= 7)
\xhh
The character with a hexadecimal value 0xhh, for example, \x20 means the space character

Bracket Expression and Character Classes Parent topic

Bracket expressions are a list of characters and/or character classes enclosed in brackets []. Use bracket expressions to match single characters in a list, or a range of characters in a list. If the first character of the list is the carat ^ then it matches characters that are not in the list.
For example:
Expression Matches
[abc] a, b, or c
[a-z] a through z
[^abc] Any character except a, b, or c
[[:alpha:]] Any alphabetic character (see below)
Each character class designates a set of characters equivalent to the corresponding standard C isXXX function. For example, [:alpha:] designates those characters for which isalpha() returns true (example: any alphabetic character). Character classes must be within bracket expression.
Character class Description
[:alpha:] Alphabetic characters
[:digit:] Digits
[:alnum:] Alphabetic characters and numeric characters
[:cntrl:] Control character
[:blank:] Space and tab
[:space:] All white space characters
[:graph:] Non-blank (not spaces, control characters, or the like)
[:print:] Like [:graph:], but includes the space character
[:punct:] Punctuation characters
[:lower:] Lowercase alphabetic
[:upper:] Uppercase alphabetic
[:xdigit:] Digits allowed in a hexadecimal number (0-9a-fA-F)
For a case-insensitive expression, [:lower:] and [:upper:] are equivalent to [:alpha:].

Boundary Matches Parent topic

Expression Description
^ Beginning of line
$ End of line

Greedy Quantifiers Parent topic

Expression Description
R? Matches R, once or not at all
R* Matches R, zero or more times
R+ Matches R, one or more times
R{n} Matches R, exactly n times
R{n,} Matches R, at least n times
R{n,m} Matches R, at least n but no more than m times
R is a regular expression.
Trend Micro does not recommend using ".*" in a regular expression. ".*" matches any length of letters and the large number of matches may increase memory usage and affect performance.
For example:
If the content is 123456abc, the regular expression ".*abc" match results are:
  • 12345abc
  • 23455abc
  • 3456abc
  • 456abc
  • 56abc
  • 6abc
  • abc
In this example, replace ".*abc" with "abc" to prevent excessive use of resources.

Logical Operators Parent topic

Expression Description
RS R followed by S (concatenation)
R|S Either R or S
R/S An R but only if it is followed by S
(R) Grouping R
R and S are regular expressions

Shorthand and meta-symbol Parent topic

eManager provides the following shorthand for writing complicated regular expressions. eManager will pre-process expressions and translate the shorthand into regular expressions.
For example, {D}+ would be translated to [0-9]+. If a shorthand expression is enclosed in brackets (example: {}) or double-quotes, then IMSVA will not translate that shorthand expression to a regular expression.
Shorthand Description
{D} [0-9]
{L} [A-Za-z]
{SP} [(),;\.\\<>@\[\]:]
{NUMBER} [0-9]+
{WORD} [A-Za-z]+
{CR} \r
{LF} \n
{LWSP} [ \t]
{CRLF} (\r\n)
{WSP} [ \t\f]+
{ALLC} .
eManager also provides the following meta-symbols. The difference between shorthand and meta-symbols is that meta-symbols can be within a bracket expression.
Meta-symbol Description
\s [[:space:]]
\S [^[:space:]]
\d [[:digit:]]
\D [^[:digit:]]
\w [_[:alnum:]]
\W [^_[:alnum:]]

Literal string and escape character of regular expressions Parent topic

To match a character that has a special meaning in regular expressions (example: +), you need to use the backslash \ escape character. For example, to match string C/C++, use the expression C\/C\+\+.
Sometimes, you have to add many escape characters to your expression (example: C\/C\+\+). In this situation, enclose the string C/C++ in double-quotes (example: .REG "C/C++") then the new expression is equivalent to the old one. Characters (except \ which is an escape character) within double-quotes are literal. The following are some examples:
Expression Description
"C/C++" Match string C/C++ (does not include double-quotes)
"Regular\x20Expression" Match string Regular Expression (does not include double-quotes), where \x20 means the space character.
"[xyz]\"foo" Match the literal string: [xyz]"foo
Change the adjacent <space> to "\x20" for the following in a regular expression:
  • .AND.
  • .OR.
  • .NOT.
  • .WILD.

Searching for Policies Using an Expression Keyword Parent topic

Procedure

  1. Select the Policy Search tab.
  2. Next to Keyword, specify an expression keyword to search for policies.
  3. Click Query.
    A list of policies whose expressions contain the specified keyword appear. The associated expression list and expressions are also provided in the list.