Skip to main content
Welcome to Virtru's support portal. As we work to make this page more accessible to screen readers, please contact us at support@virtru.com for technical support.

Creating Custom DLP Rules

Trevor Foskett
  • Updated

About

As a Virtru administrator, you have the ability to create your own custom Data Loss Prevention (DLP) rules in addition to the stock DLP rules provided by Virtru. DLP rules are supported by all of our email products, except our mobile apps (iOS, Android). 

This article will break down the configuration options available and show you how to put together custom rules in your Control Center.

Jump To:

Search Fields
Search Operators
DLP Actions
Creating Your Rules
Refreshing the Rules

 

Search Fields

Rules can be configured to scan the following parts of an outbound email:

  • Email Sender: The user composing the email.
  • Email TO: Email address(es) in the email's TO: field.
  • Email CC: Email address(es) in the email's CC: field.
  • Email BCC: Email address(es) in the email's BCC: field.
  • Recipient: Email address(es) in any or all of the TO:, CC:, or BCC: fields.
  • Email Body: The body text of the email, including any signatures or legal disclaimers.
  • Email Subject: The subject line of the email.
  • Attachments: The presence of attachments (yes/no), file type, and count of the message's attachment(s).
  • Attachment Content: The contents of an attached file. For Chrome extension users, only searchable PDF and plain text (.txt, .csv, .html, etc.) file types are currently supported. For more information, visit Can DLP rules scan for Attachment Content? 

 

Search Operators

Depending on the field you've specified for your scan, different search operators will be available to you.  These operators are defined below.

Is In:

Available for Email Sender only and only when your organization has installed Virtru for your G Suite Domain.  Allows you to specify that this rule should only apply to senders within specific OUs or Groups.

Is:

Available for Email Sender, TO, CC, BCC, Recipient, and Attachment Content.  Matches the full content exactly.

Is Not:

Available for Email Sender, TO, CC, BCC, Recipient, and Attachment Content.  Fires only when the search term is not a perfect match for the full content of the specified field.

Contains:

Available for Email Sender, TO, CC, BCC, Recipient, Email Subject and Body, and Attachment Content. Fires when the search term is found within the specified field. The Email Sender, TO, CC, BCC, and Recipient fields, can be used to qualify by email domain name (e.g. "Contains Gmail.com").  When used with Subject, Body, or Attachment Content, acts as a keyword search.

Caution

It's common practice with other encryption solutions to use a subject line keyword such as #secure# to trigger an automatic encryption event. Using "contains", this is not compatible with all Virtru products. Special characters such as # , $ , or [ ], are not supported by our "Contains" rule when using the Gmail Browser Plugin. Setting a rule to "Contains: Secure", however, will trigger on #secure# in the subject line. If you'd like to flag only on #secure# - or another keyword containing special characters - use "Matches Pattern" instead (see below).

Does Not Contain:

Available for Email Sender, TO, CC, BCC, Recipient, Email Subject and Body, and Attachment Content. Will only fire if the search term is not present in the designated field.

Matches Pattern:

Available for Email Body, Subject, and Attachment Content. Uses Regular Expressions (RegEx) to match consistently formatted number and text patterns such as Social Security Numbers or email addresses.  There are several resources online to help generate RegEx to suit your needs, including RegExLib.com and Regular Expressions 101 (make sure to select the ECMAScript (JavaScript) Flavor on the left).

Do Exist / Do Not Exist / Exist of Type / Count More Than / Count Less Than:

These options are available only for the Attachments search field and will trigger based on the existence, type, or count of attachments included in an email. When configuring rules by type, be sure to use the filename extension without a period (e.g., "pdf", not ".pdf" (without the quotes)) and to use separate lines to search different file types.

 

DLP Actions

Virtru's DLP rules can trigger several different actions when matching content is detected in an email.  These actions are defined below.

Log Only:

Log Only rule will take no noticeable action on an outgoing email. If the email is being sent unencrypted, the rule will have no effect at all. If the email is sent encrypted, however, any Log Only rules triggered by that email will be logged in that email's Validation Report in the Virtru Control Center.

Note

Log Only rules cannot be used to override or create exceptions to other rules; they simply do not take an action. For example, a rule set to "Log Only" the Social Security number 123-45-6789 will not prevent that sequence from being flagged by another SSN rule.

Warn:

A rule set to Warn will trigger an alert to the end user when they click "Send".  The warning dialog will show the offending content, pointing out the rule(s) that triggered the content to be flagged.  The end user has the option to either send the message encrypted ("Protect & Send"), or disregard the warning and send unencrypted ("Send Anyway").

Example Warning prompt

Encrypt Email:

An Encrypt rule will encrypt the email automatically as soon as the user hits Send.  They'll see the Virtru encryption animation without any option to have the email go out unencrypted.

Block:

For compatible platforms, a Block rule will stop an email from going out altogether. Gmail users will receive an alert providing details on the block and instructions to remove the sensitive content. Customer-Hosted Gateway users will receive a bounce message.

This function is only available for Gmail and Customer-Hosted Gateway users. In order to configure this setting, admins must be using the "New Control Center."

Add TO recipient(s)*:

An email address or addresses you designate will be added automatically to the email's TO: field when the user clicks Send.  Though this addition is quick, the end-user can see that the address is added if they're looking at the TO: field.  It can also be seen in the TO: field if the end user views their sent messages; recipients will also see this address in the TO: field.

Add CC recipient(s)*:

An email address or addresses you designate will be added automatically to the email's CC: field when the user clicks Send.  As above, end users may be aware of this addition, as will recipients.

Add BCC recipient(s)*:

An email address or addresses you designate will be added automatically to the email's BCC: field when the user clicks Send.  As above, end users may be aware of this addition.  Non-BCC'd recipients will not be aware of the addition.

Add Content*:

The content you've specified will be added to the end of the email.

Strip Attachments*:

Any and all attachments on that outgoing email will be removed before the email is sent.  This will happen automatically after the end user hits Send.

Expire*:

An Expire rule will automatically set an access expiration for the email after a given period of time (in minutes, hours, days, or months).

Disable Forwarding*:

The email will be accessible by the recipient(s) but not any user to whom a recipient may forward that email.

Watermarking*:

Applicable attachments within the email will be watermarked with the reader's email address when they open the file in the Secure Reader. Downloading of applicable files will be blocked. Learn more about Watermarking.

Persistent Protection*:

Applicable attachments within the email will become tdf.html files that are only accessible in the Secure Reader. Downloading of applicable files will be blocked. Learn more about Persistent Protection.

One-Click Auth*:

This allows the recipients to access a secure message without authentication. Learn more about Require Authentication.

*These DLP actions are not compatible with the Outlook 365 add-in.

Creating Your Rules

Once you've decided on the field to scan, how you'd like that search performed, and the action to take when the rule is triggered, it's time to create your rule via the Virtru Control Center.

1. Log into the Virtru Control Center with your Virtru administrator account.

Virtru Dashboard login screen

2. Select Email Rules from the options on the left.

Control Center Email Rules page

3. Scroll to the bottom of the page and click the + under Custom Rules to create a new rule.

New Custom Rule button

4. Enter a title and description for your new rule. 

Rule editor

5. In the If statement, select a field to search and your search operator. Then enter the content to look for.  Click the check mark to save this piece of your rule.

Example If statement field

Pro Tip

Once you've saved this piece of your rule, you'll have the option to add an "OR" statement in addition to the already visible "AND":

If statement field with or option

6. In the Then section, add the action(s) you'd like this rule to take when triggered.

Example Then field

7. Click Save & Exit to save your changes. Your rule is complete!

Cancel and Save & Exit buttons

 

Refreshing the Rules

DLP rule changes are not immediately pulled in on every platform but will automatically update on regular intervals. The automatic intervals and how to manually refresh per platform can be found below:

Platform

Manual Refresh

Automatic Refresh Rate
Virtru for Gmail Refresh Browser Page up to 3 hours
Virtru for Outlook Desktop Extension Restart Outlook up to 3 hours
Virtru for Outlook 365 Add-In

Open the Add-in Menu and Select Refresh User Settings

Outlook 365 Menu

 up to 12 hours
Virtru-Hosted Gateway n/a seconds
Customer-Hosted Gateway Restart the applicable containers up to 3 hours

 

Related articles