Positive and negative content filtering rule condition examples

You can create more effective policies when you understand how positive rule conditions and negative rule conditions are evaluated.
Positive rules are rules in which a condition must be present to trigger a verdict. An example of a positive rule is:
If any part of the message contains 2 or more words from dictionary "Financial Keywords."
If the message contains two or more words from the Financial Keywords dictionary, a verdict is triggered.
Negative rules are rules in which a condition must not be present to trigger a verdict. An example of a negative rule is:
does not contain Subject
.
Positive and negative rule match verbs and examples lists conditions that have positive and negative rules, and gives examples of when messages trigger verdicts and when they do not.
Positive and negative rule match verbs and examples
Condition
Example 1:
The message has no attachments. Only content within the body matches the condition. No other parts of the message match the conditions.
Example 2:
The message has one attachment. No other parts of the message match the conditions.
Example 3:
The message has multiple attachments. Only one attachment matches the conditions. No other parts of the message match the conditions.
Text in the subject, body or attachments:
Contains
n
or more words from dictionary
Triggers a verdict
Does not trigger a verdict
Triggers a verdict
Text in the subject, body or attachments:
Does not contain
n
or more words from dictionary
Triggers a verdict
Does not trigger a verdict
Triggers a verdict
Text in the subject, body or attachments:
Matches regular expression
Triggers a verdict
Does not trigger a verdict
Triggers a verdict
Text in the subject, body or attachments:
Does not match regular expression
Triggers a verdict
Does not trigger a verdict
Triggers a verdict
Text in the subject, body or attachments:
Matches pattern
Triggers a verdict
Does not trigger a verdict
Triggers a verdict
Text in the subject, body or attachments:
Does not match pattern
Triggers a verdict
Does not trigger a verdict
Triggers a verdict
Attachment or body part:
Is in the attachment list
Triggers a verdict
Does not trigger a verdict
Triggers a verdict
Attachment or body part:
Is not in the attachment list
Triggers a verdict
Does not trigger a verdict
Triggers a verdict
Attachment or body part:
Has a file name which contains
Triggers a verdict if the message has an embedded file with a matching name
If not, does not trigger a verdict
Does not trigger a verdict
Triggers a verdict
Attachment or body part:
Has a file name which does not contain
Triggers a verdict if the message has an embedded file with a matching name
If not, does not trigger a verdict
Does not trigger a verdict
Triggers a verdict
Attachment or body part:
Has a MIME type which is
Triggers a verdict if the message has an embedded file with a matching name
If not, does not trigger a verdict
Does not trigger a verdict
Triggers a verdict
Attachment or body part:
Has a MIME type which is not
Triggers a verdict if the message has an embedded file with a matching name
If not, does not trigger a verdict
Does not trigger a verdict
Triggers a verdict
Attachment or body part:
Has a file name from dictionary
Triggers a verdict if the message has an embedded file with a matching name
If not, does not trigger a verdict
Does not trigger a verdict
Triggers a verdict
Attachment or body part:
Has a file name not from dictionary
Triggers a verdict if the message has an embedded file with a matching name
If not, does not trigger a verdict
Does not trigger a verdict
Triggers a verdict
Attachment or body part:
Has a file extension from dictionary
Triggers a verdict if the message has an embedded file with a matching name
If not, does not trigger a verdict
Does not trigger a verdict
Triggers a verdict
Attachment or body part:
Has a file extension not from dictionary
Triggers a verdict if the message has an embedded file with a matching name
If not, does not trigger a verdict
Does not trigger a verdict
Triggers a verdict
For the condition
Attachment or body part: Is in attachment list
, SMG evaluates attachments and any objects that are embedded in message bodies for true file type, true file class, file name, file extension, and MIME.
For the condition
Attachment or body part: Is not in attachment list
, SMG evaluates attachments and the objects that are embedded in message bodies for true file type and true file class. SMG does not test for file name, extension, or MIME type for this condition.