As a Virtru administrator, you have the ability to create your own custom Data Loss Prevention (DLP) rules in addition to the stock DLP rules provided by Virtru. This article will break down the configuration options available and show you how to put together custom rules in your Control Center.
Rules can be configured to scan the following parts of an outbound email:
- Email Sender: The user composing the email.
- Email TO: Email address(es) in the email's TO: field.
- Email CC: Email address(es) in the email's CC: field.
- Email BCC: Email address(es) in the email's BCC: field.
- Recipient: Email address(es) in any or all of the TO:, CC:, or BCC: fields.
- Email Body: The body text of the email, including any signatures or legal disclaimers.
- Email Subject: The subject line of the email.
- Attachments: The presence of attachments (yes/no), file type, and count of the message's attachment(s).
- Attachment Content: The contents of an attached file. For Chrome extension users, only searchable PDF and plain text (.txt, .csv, .html, etc.) file types are currently supported. For more information, see "Can DLP rules scan for Attachment Content?"
Depending on the field you've specified for your scan, different search operators will be available to you. These operators are defined below.
Available for Email Sender only and only when your organization has installed Virtru for your G Suite Domain. Allows you to specify that this rule should only apply to senders within specific OUs or Groups.
Available for Email Sender, TO, CC, BCC, Recipient, and Attachment Content. Matches the full content exactly.
Available for Email Sender, TO, CC, BCC, Recipient, and Attachment Content. Fires only when the search term is not a perfect match for the full content of the specified field.
Available for Email Sender, TO, CC, BCC, Recipient, Email Subject and Body, and Attachment Content. Fires when the search term is found within the specified field. The Email Sender, TO, CC, BCC, and Recipient fields can be qualified by email domain name (e.g. "Contains Gmail.com"). When used with Subject, Body, or Attachment Content, it acts as a keyword search.
It's common practice with other encryption solutions to use a subject line keyword such as #secure# to trigger an automatic encryption event. With "Contains", this approach is not compatible with all Virtru products: special characters such as # or $ are not supported by our "Contains" rule when using the Gmail Browser Plugin. Setting a rule to "Contains: Secure", however, will trigger on #secure# in the subject line. If you'd like to flag only on #secure# - or another keyword containing special characters - use "Matches Pattern" instead (see below).
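An added example, not part of the original article and not Virtru's code: a small Python model for checking, against constructed subject lines, where a keyword rule such as "Contains: Secure" fires compared with a rule that matches only the exact #secure# tag. It assumes "Contains" is a case-insensitive substring search and that "Matches Pattern" accepts a regular expression; the function names are hypothetical.

```python
import re

# Constructed sample subject lines (not from the original article).
SUBJECTS = [
    "#secure# Q3 payroll export",
    "Reminder: secure your laptop when travelling",
    "Re: insecure password found in wiki",
    "Lunch on Friday?",
    "#SECURE# contract draft",
]

def contains(term, text):
    """Keyword search modelled on the article's 'Contains' operator.
    Case-insensitive substring matching is an assumption, inferred from
    'Contains: Secure' triggering on '#secure#'."""
    return term.lower() in text.lower()

def matches_pattern(pattern, text):
    """Stand-in for 'Matches Pattern', assumed here to be a regular
    expression search; the article does not define the pattern syntax."""
    return re.search(pattern, text, re.IGNORECASE) is not None

def compare(subjects, keyword, pattern):
    """Return (subject, contains_fired, pattern_fired) for each subject."""
    return [(s, contains(keyword, s), matches_pattern(pattern, s))
            for s in subjects]

def over_triggers(subjects, keyword, pattern):
    """Subjects where the keyword rule fires although the exact tag is absent."""
    return [s for s, c, p in compare(subjects, keyword, pattern) if c and not p]

# re.escape keeps '#' (and characters such as '$') literal in the pattern.
TAG_PATTERN = re.escape("#secure#")

if __name__ == "__main__":
    for subject, c, p in compare(SUBJECTS, "Secure", TAG_PATTERN):
        print(f"contains={c!s:5} pattern={p!s:5} {subject}")
    print("Keyword-only hits:", over_triggers(SUBJECTS, "Secure", TAG_PATTERN))
```

Running a draft rule's keyword against a sample of real subject lines in this way shows how often an Encrypt or Warn action would fire on ordinary mail before the rule is saved.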
Does Not Contain:
Available for Email Sender, TO, CC, BCC, Recipient, Email Subject and Body, and Attachment Content. Will only fire if the search term is not present in the designated field.
Do Exist / Do Not Exist / Exist of Type / Count More Than / Count Less Than:
These options are available only for the Attachments search field and will trigger based on the existence, type, or count of attachments included in an email. When configuring rules by type, enter the filename extension without a period and without quotes (e.g., pdf, not .pdf), and use separate lines to search different file types.
Virtru's DLP rules can trigger several different actions when matching content is detected in an email. These actions are defined below.
A Log Only rule will take no noticeable action on an outgoing email. If the email is being sent unencrypted, the rule will have no effect at all. If the email is sent encrypted, however, any Log Only rules triggered by that email will be logged in that email's Validation Report in the Virtru Control Center.
Log Only rules cannot be used to override or create exceptions to other rules; they simply do not take an action. For example, a rule set to "Log Only" the Social Security number 123-45-6789 will not prevent that sequence from being flagged by another SSN rule.
A rule set to Warn will trigger an alert to the end user when they click "Send". The warning dialog will show the offending content, pointing out the rule(s) that triggered the content to be flagged. The end user has the option to either send the message encrypted ("Protect & Send"), or disregard the warning and send unencrypted ("Send Anyway").
An Encrypt rule will encrypt the email automatically as soon as the user hits Send. They'll see the Virtru encryption animation without any option to have the email go out unencrypted.
Add TO recipient(s):
An email address or addresses you designate will be added automatically to the email's TO: field when the user clicks Send. Though this addition is quick, the end-user can see that the address is added if they're looking at the TO: field. It can also be seen in the TO: field if the end user views their sent messages; recipients will also see this address in the TO: field.
Add CC recipient(s):
An email address or addresses you designate will be added automatically to the email's CC: field when the user clicks Send. As above, end users may be aware of this addition, as will recipients.
Add BCC recipient(s):
An email address or addresses you designate will be added automatically to the email's BCC: field when the user clicks Send. As above, end users may be aware of this addition. Non-BCC'd recipients will not be aware of the addition.
The content you've specified will be added to the end of the email.
Any and all attachments on that outgoing email will be removed before the email is sent. This will happen automatically after the end user hits Send.
An Expire rule will automatically set an access expiration for the email after a given period of time (in minutes, hours, days, or months).
The email will be accessible by the recipient(s) but not any user to whom a recipient may forward that email.
Applicable attachments within the email will be watermarked with the reader's email address when they open the file in the Secure Reader. Downloading of applicable files will be blocked. Learn more about Watermarking.
Applicable attachments within the email will become tdf.html files that are only accessible in the Secure Reader. Downloading of applicable files will be blocked. Learn more about Persistent Protection.
Creating Your Rules
Once you've decided on the field to scan, how you'd like that search performed, and the action to take when the rule is triggered, it's time to create your rule via the Virtru Control Center.
1. Log into the Virtru Control Center with your Virtru administrator account.
2. Select Email Rules from the options on the left.
3. Scroll to the bottom of the page and click the + under Custom Rules to create a new rule.
4. Enter a title and description for your new rule.
5. In the If statement, select a field to search and your search operator. Then enter the content to look for. Click the check mark to save this piece of your rule.
Once you've saved this piece of your rule, you'll have the option to add an "OR" statement in addition to the already visible "AND".
6. In the Then section, add the action(s) you'd like this rule to take when triggered.
7. Click Save & Exit to save your changes. Your rule is complete!
Rules will be automatically updated for users the next time the Virtru extension polls the server for updates (performed every three hours). Refreshing their mailbox will pull in rule updates immediately. Outlook (desktop) users can also pull in new updates under Virtru > Options > Data Loss Prevention Rules > Refresh. To immediately refresh the rules in an On-Prem Gateway, restart the applicable Docker containers.