What happens when two negative conditions are used in the same compliance policy on a Symantec Messaging Gateway appliance
Last Updated April 05, 2012
This article describes what happens when two negative conditions are used in the same compliance policy to create a Quarantine Incident in the "Quarantine Incidents" folder on a Symantec Messaging Gateway appliance, with either the "all" or the "any" setting specified in "Which of the following conditions must be met". In this policy the "Approved Action" is to deliver the message normally and the "Reject Action" is to delete the message.
The following explanations are taken from the online help and the Administration Guide for version 9.5.3. However, it is not clear from them that the dictionary based on the "filenames" condition needs to have both the filename AND an extension (i.e. "bob.log" and not just "bob"), even if it is used in the "filenames" condition. So, an enhancement request to change the wording inside the online help and the Administration Guide to reflect the actual current behavior has been filed for a future version of the SMG appliance.
The following explanation is from the online help for SMG:
(X & Y) - Groups conditions.
All of the conditions in the group appear indented under the first condition, except the first one. Grouping conditions in this way links them by the AND operator. All of the conditions in the checked groups must be met before the policy is violated. When you select Any from Which of the following conditions must be met, you can link multiple groups by the OR operator. A message must fulfill all of the conditions of one group, all the conditions of another group, or a single condition before the policy is violated.
(X), (Y) - Ungroups the conditions.
This option only applies to conditions that are indented. When you ungroup conditions, the policy is triggered when Symantec Messaging Gateway detects a match of X condition or Y condition.
The following explanation is from the Administration Guide for SMG:
About negative conditions and negative rules
You can create more effective policies when you understand how negative conditions and negative rules are evaluated. Negative conditions and negative rules are the conditions and rules that consist of any of the following match verbs:
Does not match regular expression
Does not match pattern
Does not contain
Does not start with
Does not end with
Does not match exactly
You can apply these match verbs to any of the following message parts:
A negative rule is triggered when the message part is present and contains at least one of the match verbs that you specify in the policy.
The policy is not violated when either of the following events occur:
The message part is not present
The message part is present, but the contents do not contain at least one of the match verbs that you specify in the policy
For example, assume that you create a content filtering policy. In this policy, the action is to create an incident if the file metadata does not contain an extension from Dictionary A.
The policy is violated when both of the following events occur:
The message has an attachment
The attachment name does not have an extension from Dictionary A
The policy is not violated if either of the following events occur:
The message does not have an attachment
The message does have an attachment, but the attachment's name has an extension from Dictionary A
The current behavior of the SMG version 9.5.3:
The “does not contain” clause is essentially “is not” for this compliance policy, so “filename does not contain words from dictionary” is the same as “filename is not in the dictionary”.
The “&” inside “(X & Y)” overrides the “All” setting for “Which of the following conditions must be met”. This means that “If the filename does not contain words from Dictionary1” & “If the extension does not contain words from Dictionary2” with “All” stays exactly the same, so using both the “&” and “All” is redundant when there are only two conditions. The condition is therefore still: if the filename does not contain words from Dictionary1 & if the extension does not contain words from Dictionary2.
How does it work for an attachment with the filename “bob.log”?
Evaluating the first condition separately: For the Dictionary1 condition, ‘bob.log’ is not inside “Dictionary1”, which produces “FALSE”. That result is negated, which is now TRUE.
Evaluating the second condition separately: For our Dictionary2 condition, “log” is inside “Dictionary2”, which produces “TRUE”. That result is negated, which is now FALSE.
Combining both results with the “&”: TRUE & FALSE => FALSE
Because the result was “FALSE” when the policy wants “TRUE” to fire the condition, this policy should not be applied, so the message should be delivered without triggering the policy.
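The evaluation walked through above can be modelled in a few lines of Python. This is an added example, not Symantec code: the dictionary contents are constructed (only the facts that "bob.log" is absent from Dictionary1 and "log" is present in Dictionary2 come from this article), ungrouped conditions are modelled as OR as the quoted online help describes, and treating a name without a dot as having no extension part is an assumption of the model.

```python
import os

# Constructed sample dictionaries; real contents are site-specific.
DICTIONARY1 = {"alice.txt", "report.pdf"}  # file names WITH extension, one per entry
DICTIONARY2 = {"log", "txt"}               # extensions only


def negative_match(part, dictionary):
    """Model of a "does not contain words from dictionary" condition.

    Per the Administration Guide text, a negative condition is met only
    when the message part is present AND is not found in the dictionary.
    """
    if part is None:  # message part absent -> condition is not met
        return False
    return part not in dictionary


def evaluate(attachment, grouped):
    """Return True when the modelled policy is violated.

    attachment: attachment file name, or None when the message has none.
    grouped:    True for "(X & Y)" (AND), False for "(X), (Y)" (OR).
    """
    if attachment is None:
        name = ext = None
    else:
        name = attachment
        # Assumption of this model: a name without a dot has no extension part.
        ext = os.path.splitext(attachment)[1].lstrip(".") or None
    x = negative_match(name, DICTIONARY1)  # file name not in Dictionary1
    y = negative_match(ext, DICTIONARY2)   # extension not in Dictionary2
    return (x and y) if grouped else (x or y)


def truth_table(samples):
    """Map each sample to (grouped result, ungrouped result)."""
    return {s: (evaluate(s, True), evaluate(s, False)) for s in samples}


if __name__ == "__main__":
    for sample, result in truth_table(["bob.log", "bob.exe", "alice.txt", None]).items():
        print(f"{sample!r:12} grouped={result[0]!s:5} ungrouped={result[1]}")
```

In this model "bob.log" violates the policy only when the conditions are ungrouped, and a message with no attachment never violates it.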
The setup details:
Dictionary1 = contains file names and their extensions, one per line. Note: this is the correct usage of the "filename" dictionary condition.
Dictionary2 = contains file extensions only, without file names, one per line.
The compliance policy setup:
Policy name: Two-negatives-do-not-make-a-positive
"Track violations of this policy in the dashboard and reports" setting: checked
"Apply to" setting: Inbound and outbound messages
"Which of the following conditions must be met" setting: "All"
If the file name does not contain words from dictionary "Dictionary1" &
If the file extension does not contain words from dictionary "Dictionary2"
Note: Joining (also known as "grouping") is when both conditions are linked with "&" by using the "(X & Y)" button. Keeping these two conditions separate (also known as "ungrouping") is done with the "(X),(Y)" button.
Create quarantine incident in "Quarantine Incidents"