Positive and negative content filtering rule condition examples
You can create more effective policies when you understand how positive rule conditions and negative rule conditions are evaluated.
Positive rules are rules in which a condition must be present to trigger a verdict. An example of a positive rule is:
If any part of the message contains 2 or more words from dictionary "Financial Keywords."
If the message contains two or more words from the Financial Keywords dictionary, a verdict is triggered.Negative rules are rules in which a condition must not be present to trigger a verdict. An example of a negative rule is:
does not contain Subject
.Positive and negative rule match verbs and examples lists conditions that have positive and negative rules, and gives examples of when messages trigger verdicts and when they do not.
Condition | Example 1: The message has no attachments. Only content within the body matches the condition. No other parts of the message match the conditions. | Example 2: The message has one attachment. No other parts of the message match the conditions. | Example 3: The message has multiple attachments. Only one attachment matches the conditions. No other parts of the message match the conditions. |
|---|---|---|---|
Text in the subject, body or attachments: Contains n or more words from dictionary | Triggers a verdict | Does not trigger a verdict | Triggers a verdict |
Text in the subject, body or attachments: Does not contain n or more words from dictionary | Triggers a verdict | Does not trigger a verdict | Triggers a verdict |
Text in the subject, body or attachments: Matches regular expression | Triggers a verdict | Does not trigger a verdict | Triggers a verdict |
Text in the subject, body or attachments: Does not match regular expression | Triggers a verdict | Does not trigger a verdict | Triggers a verdict |
Text in the subject, body or attachments: Matches pattern | Triggers a verdict | Does not trigger a verdict | Triggers a verdict |
Text in the subject, body or attachments: Does not match pattern | Triggers a verdict | Does not trigger a verdict | Triggers a verdict |
Attachment or body part: Is in the attachment list | Triggers a verdict | Does not trigger a verdict | Triggers a verdict |
Attachment or body part: Is not in the attachment list | Triggers a verdict | Does not trigger a verdict | Triggers a verdict |
Attachment or body part: Has a file name which contains | Triggers a verdict if the message has an embedded file with a matching name If not, does not trigger a verdict | Does not trigger a verdict | Triggers a verdict |
Attachment or body part: Has a file name which does not contain | Triggers a verdict if the message has an embedded file with a matching name If not, does not trigger a verdict | Does not trigger a verdict | Triggers a verdict |
Attachment or body part: Has a MIME type which is | Triggers a verdict if the message has an embedded file with a matching name If not, does not trigger a verdict | Does not trigger a verdict | Triggers a verdict |
Attachment or body part: Has a MIME type which is not | Triggers a verdict if the message has an embedded file with a matching name If not, does not trigger a verdict | Does not trigger a verdict | Triggers a verdict |
Attachment or body part: Has a file name from dictionary | Triggers a verdict if the message has an embedded file with a matching name If not, does not trigger a verdict | Does not trigger a verdict | Triggers a verdict |
Attachment or body part: Has a file name not from dictionary | Triggers a verdict if the message has an embedded file with a matching name If not, does not trigger a verdict | Does not trigger a verdict | Triggers a verdict |
Attachment or body part: Has a file extension from dictionary | Triggers a verdict if the message has an embedded file with a matching name If not, does not trigger a verdict | Does not trigger a verdict | Triggers a verdict |
Attachment or body part: Has a file extension not from dictionary | Triggers a verdict if the message has an embedded file with a matching name If not, does not trigger a verdict | Does not trigger a verdict | Triggers a verdict |
For the condition
Attachment or body part: Is in attachment list
, SMG evaluates attachments and any objects that are embedded in message bodies for true file type, true file class, file name, file extension, and MIME. For the condition
Attachment or body part: Is not in attachment list
, SMG evaluates attachments and the objects that are embedded in message bodies for true file type and true file class. SMG does not test for file name, extension, or MIME type for this condition.