About
As a Virtru administrator, you have the ability to create your own custom Security Rules (formerly DLP) in addition to the stock Security Rules provided by Virtru. Security Rules are supported by all of our email products, except our mobile apps (iOS, Android).
This article will break down the configuration options available and show you how to put together custom rules in your Control Center.
Jump To:
Search Fields
Search Operators
Rule Actions
Creating Your Rules
Refreshing the Rules
Search Fields
Rules can be configured to scan the following parts of an outbound email:
- Email Sender: The user composing the email.
- Email TO: Email address(es) in the email's TO: field.
- Email CC: Email address(es) in the email's CC: field.
- Email BCC: Email address(es) in the email's BCC: field.
- Recipient: Email address(es) in any or all of the TO:, CC:, or BCC: fields.
- Message Body: The body text of the email, including any signatures or legal disclaimers.
- Subject Line*: The subject line of the email.
- Attachments: The presence of attachments (yes/no), file type, and count of the message's attachment(s).
- Attachment Content: The contents of an attached file. For Chrome extension users, only searchable PDF and plain text (.txt, .csv, .html, etc.) file types are currently supported. For more information, visit Can Security Rules scan for Attachment Content?
- SMTP Header*: The headers of an email.
*Not supported by all platforms. Please see Security Rule Compatibility Matrix
Search Operators
Depending on the field you've specified for your scan, different search operators will be available to you. These operators are defined below.
Is In:
Available for Email Sender only and only when your organization has installed Virtru for your G Suite Domain. Allows you to specify that this rule should only apply to senders within specific OUs or Groups.
Is:
Available for Email Sender, TO, CC, BCC, Recipient, and Attachment Content. Matches the full content exactly.
Is Not:
Available for Email Sender, TO, CC, BCC, Recipient, and Attachment Content. Fires only when the search term is not a perfect match for the full content of the specified field.
Contains:
Available for Email Sender, TO, CC, BCC, Recipient, Email Subject and Body, and Attachment Content. Fires when the search term is found within the specified field. The Email Sender, TO, CC, BCC, and Recipient fields, can be used to qualify by email domain name (e.g. "Contains Gmail.com"). When used with Subject, Body, or Attachment Content, acts as a keyword search.
Caution
It's common practice with other encryption solutions to use a subject line keyword such as #secure# to trigger an automatic encryption event. Using "contains", this is not compatible with all Virtru products. Special characters such as # , $ , or [ ], are not supported by our "Contains" rule when using the Gmail Browser Plugin. Setting a rule to "Contains: Secure", however, will trigger on #secure# in the subject line. If you'd like to flag only on #secure# - or another keyword containing special characters - use "Matches Pattern" instead (see below).
Does Not Contain:
Available for Email Sender, TO, CC, BCC, Recipient, Email Subject and Body, and Attachment Content. Will only fire if the search term is not present in the designated field.
Matches Pattern:
Available for Email Body, Subject, and Attachment Content. Uses Regular Expressions (RegEx) to match consistently formatted number and text patterns such as Social Security Numbers or email addresses. There are several resources online to help generate RegEx to suit your needs, including RegExLib.com and Regular Expressions 101 (make sure to select the ECMAScript (JavaScript) Flavor on the left).
Do Exist / Do Not Exist / Exist of Type / Count More Than / Count Less Than:
These options are available only for the Attachments search field and will trigger based on the existence, type, or count of attachments included in an email. When configuring rules by type, be sure to use the filename extension without a period (e.g., "pdf", not ".pdf" (without the quotes)) and to use separate lines to search different file types.
Rule Actions
Virtru's Security Rules can trigger several different actions when matching content is detected in an email. These actions are defined below.
Log Only:
A Log Only rule will take no noticeable action on an outgoing email. If the email is being sent unencrypted, the rule will have no effect at all. If the email is sent encrypted, however, any Log Only rules triggered by that email will be logged in that email's Validation Report in the Virtru Control Center.
Note
Log Only rules cannot be used to override or create exceptions to other rules; they simply do not take an action. For example, a rule set to "Log Only" the Social Security number 123-45-6789 will not prevent that sequence from being flagged by another SSN rule.
Warn*:
A rule set to Warn will trigger an alert for client-side plugin users when they click "Send". The warning dialog will show the offending content, pointing out the rule(s) that triggered the content to be flagged. The end user has the option to either send the message encrypted ("Protect & Send"), or disregard the warning and send unencrypted ("Send Anyway").
Encrypt Email:
An Encrypt rule will encrypt the email automatically as soon as the user hits Send. They'll see the Virtru encryption animation without any option to have the email go out unencrypted.
Block*:
For compatible platforms, a Block rule will stop an email from going out altogether. Plugin users will receive an alert providing details on the block and instructions to remove the sensitive content. Gateway users will receive a bounce message.
Add TO recipient(s)*:
An email address or addresses you designate will be added automatically to the email's TO: field when the user clicks Send. Though this addition is quick, the end-user can see that the address is added if they're looking at the TO: field. It can also be seen in the TO: field if the end user views their sent messages; recipients will also see this address in the TO: field.
Add CC recipient(s)*:
An email address or addresses you designate will be added automatically to the email's CC: field when the user clicks Send. As above, end users may be aware of this addition, as will recipients.
Add BCC recipient(s)*:
An email address or addresses you designate will be added automatically to the email's BCC: field when the user clicks Send. As above, end users may be aware of this addition. Non-BCC'd recipients will not be aware of the addition.
Add Content*:
The content you've specified will be added to the end of the email.
Strip Attachments*:
Any and all attachments on that outgoing email will be removed before the email is sent. This will happen automatically after the end user hits Send.
Expire*:
An Expire rule will automatically set an access expiration for the email after a given period of time (in minutes, hours, days, or months).
Disable Forwarding*:
The email will be accessible by the recipient(s) but not any user to whom a recipient may forward that email.
Watermarking*:
Applicable attachments within the email will be watermarked with the reader's email address when they open the file in the Secure Reader. Downloading of applicable files will be blocked. Learn more about Watermarking.
Persistent Protection*:
Applicable attachments within the email will become tdf.html files that are only accessible in the Secure Reader. Downloading of applicable files will be blocked. Learn more about Persistent Protection.
One-Click Auth*:
This allows the recipients to access a secure message without authentication. Learn more about Require Authentication.
*Not supported by all platforms. Please see Security Rule Compatibility Matrix
Creating Your Rules
Once you've decided on the field to scan, how you'd like that search performed, and the action to take when the rule is triggered, it's time to create your rule via the Virtru Control Center.
1. Access the rule builder: Log into the Virtru Control Center with a Virtru administrator account. Open the Email Rules page from the Admin section on the left, and select the Custom Rule Builder option at the top of the page
2. Name the rule: Click the pencil icons to enter a title and description for your new rule
3. Scope the rule: If your organization has synced a Workspace or Entra ID (formerly Azure AD) with Virtru, you have the option to scope your rule
5. Set the rule condition(s): In the If statement, select a field to search and your search operator. Then, enter the content to look for
- To add an alternate condition, select + or
- To add an additional required condition, select + and
6. Set the rule action(s): In the "Then" section, add the action you'd like this rule to take when triggered
- To add an additional action, select + and
8. Click Save & Exit to save your changes. Your rule is complete!
Refreshing the Rules
Security Rule changes are not immediately pulled in on every platform but will automatically update on regular intervals. The automatic intervals and how to manually refresh per platform can be found below:
Platform |
Manual Refresh |
Automatic Refresh Rate |
Virtru for Gmail | Refresh Browser Page | up to 3 hours |
Virtru for Outlook Desktop Extension | Restart Outlook | up to 3 hours |
Virtru for Outlook 365 Add-In |
Open the Add-in Menu and Select Refresh User Settings |
up to 12 hours |
Virtru-Hosted Gateway | n/a | seconds |
Customer-Hosted Gateway | Restart the applicable containers | up to 3 hours |