Document Properties Content Groups
Document Properties groups are intended to control access to files based on file properties such as file name, size, etc. They can also be used to control access to password-protected documents and archives, and to images containing text.
 
Note: AND logic is applied to all file properties specified within a Document Properties group. For example, to control access to files larger than 5 MB and, separately, to password-protected documents and archives, create two Document Properties groups: one for files larger than 5 MB and another for password-protected documents and archives. If both properties are specified within the same Document Properties group and a Content-Aware Rule is then created based on that group, the rule will only control password-protected documents and archives that are also larger than 5 MB.
There are no predefined (built-in) Document Properties content groups to use. The following procedure describes how to create custom Document Properties groups.
To create a Document Properties group
1. If using the DeviceLock Management Console, do the following:
a) Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
b) In the console tree, expand DeviceLock Service.
If using the DeviceLock Service Settings Editor, do the following:
a) Open DeviceLock Service Settings Editor.
b) In the console tree, expand DeviceLock Service.
If using the DeviceLock Group Policy Manager, do the following:
a) Open Group Policy Object Editor.
b) In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand either the Devices or Protocols node.
3. Under the Devices or Protocols node, do one of the following:
Right-click Content-Aware Rules, and then click Manage.
- OR -
Select Content-Aware Rules, and then click Manage on the toolbar.
This will display a dialog box similar to the following.
4. In the upper pane of the dialog box that appears, under Content Database, click the drop-down arrow next to Add Group, and then click Document Properties.
This will display the Add Document Properties Group dialog box.
5. In the Add Document Properties Group dialog box, do the following:
Name - Specify the name of the group.
Description - Specify a description for the group.
File name - Specify the file names. Wildcards, such as * and ?, can be used. An asterisk (*) matches any series of characters or no characters; for example, *.txt matches any file name with the extension txt. A question mark (?) matches any single character; for example, ????.* matches any file name composed of 4 characters and any extension. Multiple file names must be separated by a semicolon (;), for example, *.doc; *.docx.
Modified - Specify the last modification date/time of the file. To do so, in the Modified list, click any of the following options:
Not specified - The last modification date/time is disregarded during content analysis. This option is selected by default.
Before than - The last modification date/time must be earlier than the specified date/time.
After than - The last modification date/time must be later than the specified date/time.
Between - The last modification date/time must fall within the specified date/time range.
Not older than - The last modification date/time must not be older than the specified number of seconds, minutes, hours, days, weeks, months, or years.
Older than - The last modification date/time must be older than the specified number of seconds, minutes, hours, days, weeks, months, or years.
 
Note: The Modified options do not apply to files transmitted over the network. In this case, the last modification date/time is disregarded during content analysis.
File size - Specify the file size in bytes, kilobytes, megabytes, gigabytes or terabytes. To do so, in the File size list, click any of the following options:
Not specified - The file’s size is disregarded during content analysis. This option is selected by default.
Equal to - The file’s size must be equal to the value specified.
Less than - The file’s size must be less than the value specified.
More than - The file’s size must be more than the value specified.
Between - The file’s size must fall within the specified range of values.
Password protected - Enables the group to detect and control password-protected archives, PDF files, Microsoft Office documents (.doc, .xls, .ppt, .vsd, .docx, .xlsx, .pptx, .vsdx), and AutoCAD 2012 documents (.dwg files).
When a group has the Password protected check box selected, rules based on that group detect and control archives and other supported file types where a password is used to restrict access to the file and/or the file’s contents. For a list of the supported archive types, see the Inspection of files within archives feature description.
With Content-Aware Rules, a file is considered password-protected only in the following cases:
A password is required to open the given file.
A password is required to access some attachments within the given file.
The given file includes other password-protected files.
In the latter two cases, the Archives content inspection on read or Archives content inspection on write setting must be enabled. Otherwise, in those cases DeviceLock will not consider the given file to be password-protected.
The rules based on the group that has the Password protected check box cleared do not account for password-protection of files being inspected.
 
Note: An “allow” rule based on a group that has the Password protected check box selected takes precedence over “deny” rules (if any) and will allow the transfer of any matching content. An “allow” rule based on a Complex group takes precedence in the same way when the logically connected chain of groups that allows the given content includes a group with the Password protected check box selected. Because such an “allow” rule overrides every “deny” rule for the content it matches, and password-protected content cannot be inspected, keep its scope narrow: combine the Password protected group in a Complex group with other conditions (for example, File Type Detection or Accessed by process) rather than allowing all password-protected files outright.
Text extraction not supported - Control access to files in unsupported formats. If this check box is selected for a Document Properties group and a Content-Aware Rule is then created based on that group, the rule will control access to all files in an unsupported format. All supported file formats are listed in the ContentLock and NetworkLock section (see Expansive coverage of multiple file formats and data types).
This parameter can be used to allow the transfer of split (multi-volume) .cab or .rar archives, which by default cannot be unpacked and analyzed when active Content-Aware Rules are combined with the Archives content inspection on read or Archives content inspection on write option enabled in Service options. “Allow” Content-Aware Rules based on a Document Properties group with the Text extraction not supported flag enabled take precedence over “deny” rules and allow the transfer of any matching content, including split (multi-volume) archives. As with the Password protected flag, this is an unconditional allow for content that cannot be inspected, so scope such a group as narrowly as possible.
Contains text - Detect and control access to images based on whether or not they contain text. If the Contains text check box for a Document Properties group is selected, and then a complex Content-Aware Rule is created based on this content group and the Images, CAD & Drawing built-in content group (File Type Detection) combined by AND logic, this rule will check whether supported image files contain text and control access to text images. Clear the Contains text check box if it is not desired to detect and control access to text images. For information on the supported image file types, see the Text in picture detection feature description.
Having selected the Contains text check box, specify the amount of text that images must contain. The amount of text is expressed as a percentage of the total image area. For example, if text occupies half of the image, the amount of text is 50%; if an image contains only text, the amount of text is 100%.
 
Note: The Contains text parameter also applies to other supported file formats (see Expansive coverage of multiple file formats and data types). For those formats, the percentage is the ratio of the extracted text size in characters to the file size in bytes.
Accessed by process - Specify the name of the process accessing the document’s file. Wildcards, such as asterisks (*) and question marks (?), can be used. Multiple process names must be separated by a semicolon (;), for example, explorer.exe; notepad.exe.
Additional Parameters - Configure the group to recognize various properties of inspected documents, such as built-in and custom properties of Microsoft Office documents and other document types, senders and recipients of instant messages and emails, and classification labels applied by third-party products like Boldon James Classifier.
When using additional parameters, consider the following:
Different parameters are combined by AND logic, that is, the group recognizes a document if it matches each of the parameters configured. Thus, for a document to be recognized by a group that has the Title and Subject parameter values specified, both the Title and Subject properties of the document must have the respective values. If it is required to combine parameters by OR logic, one could configure a Complex group by adding to it a separate Document Properties group for each parameter.
It is possible to specify multiple values for the same parameter by separating them with a semicolon. In this case, the values are combined by OR logic, so that the group recognizes a document if it matches any of the values specified. Thus, if Report; Account is specified in the Title parameter, then the group recognizes documents that have the Title property value of Report or Account.
The following additional parameters are available:
Title, Subject, Tags, Company, Manager, Comments, Authors, Categories, Last saved by - These fields take values matching frequently used properties of the documents subjected to control. Properties of MS Office documents (.docx, .xlsx, .pptx, .vsdx), .pdf files, and compound documents are supported. The title of each field corresponds to the property name shown in document management applications such as MS Office Word or Adobe Acrobat.
Each field allows wildcards: an asterisk (*) denotes any group of characters or no characters; a question mark (?) denotes a single arbitrary character. In a field, multiple values can be entered by separating them with a semicolon (;). Example of entering two values with wildcards: *Report*; *Account*.
Values entered in different fields are combined by AND logic. If multiple values are entered in the same field, they are combined by OR logic.
Custom & classification fields - This field takes values matching built-in or custom properties of the documents subjected to control. Properties of MS Office documents (.docx, .xlsx, .pptx), .pdf files, and compound documents are supported.
To enter a single value for some property, use the following syntax: <property name>=<property value>. Thus, Division=Sales represents the value of Sales for the Division property. To enter multiple values for the same property, separate them with a comma. In this case, values are combined by OR logic. Thus, Division=Sales,Finance represents the value of Sales OR Finance for the Division property.
To enter values for multiple properties, separate property entries by a semicolon, such as <name1>=<value11>,<value12>; <name2>=<value21>. Values of different properties are combined by AND logic while different values of the same property are combined by OR logic. Thus, Division=Sales,Finance; Office=Head Office represents the value of Sales OR Finance for the Division property AND the value of Head Office for the Office property.
By using the Custom & classification fields box, the group can also be configured to recognize classification labels of third-party products like Boldon James Classifier that save their label values in document properties. If the label is the exact value of some property, then, to recognize it, one can use the syntax described above: <property name>=<property value>. The value of whichever property of the document serves for the designation of the label is determined by the settings of the third-party product.
To set up the group to recognize Boldon James Classifier’s SISL labels, a syntax is used that indicates the ID of the uid element of the desired label: uid=<ID value>. The ID value can be found from the XML data of the SISL label stamped on a document classified. For further details, see Recognizing Boldon James Classifier Labels.
In the Custom & classification fields box, a semicolon (;) can be used as a separator to enter more than one entry designating document properties and/or classification labels. All semicolon-separated entries are combined by AND logic.
 
Note: To assist with configuring the group, the Custom & classification fields box stores previous entries and provides them for selection from the drop-down list supplementing this box.
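The AND/OR semantics described in the note at the top of this page (all properties in one group are ANDed; use separate groups for OR) and in the Additional Parameters entries above (semicolon-separated values in one field are ORed, different fields are ANDed, and Custom & classification fields use the form <name>=<v1>,<v2>; <name2>=<v3>) can be modelled in a few lines. The Python evaluator below is an added example and is not DeviceLock's code: the DocPropertiesGroup and Document classes, the property dictionary, case-insensitive wildcard matching and exact comparison of custom property values are assumptions made for the example, and the sample documents are constructed.

```python
# Added example (not DeviceLock's own code): models the matching rules this page
# describes for a Document Properties group. Names, the property dictionary and
# case-insensitive wildcard matching are assumptions made for the example.
import re
from dataclasses import dataclass, field
from typing import Optional


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Compile a * / ? wildcard into an anchored, case-insensitive regex."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches_any(field_value: str, actual: str) -> bool:
    """Semicolon-separated wildcard list, ORed; an empty field means 'Not specified'."""
    patterns = [p.strip() for p in field_value.split(";") if p.strip()]
    return not patterns or any(wildcard_to_regex(p).match(actual) for p in patterns)


def parse_custom_fields(spec: str) -> dict:
    """'Division=Sales,Finance; Office=Head Office' ->
    {'Division': ['Sales', 'Finance'], 'Office': ['Head Office']}.
    A Boldon James SISL entry written as 'uid=<ID>' parses the same way."""
    parsed = {}
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"expected <name>=<value>, got {entry!r}")
        name, values = entry.split("=", 1)
        parsed[name.strip()] = [v.strip() for v in values.split(",") if v.strip()]
    return parsed


@dataclass
class DocPropertiesGroup:
    file_name: str = ""                   # e.g. "*.doc; *.docx"
    size_more_than: Optional[int] = None  # bytes; None = "Not specified"
    size_less_than: Optional[int] = None  # set both bounds for "Between"
    password_protected: bool = False
    title: str = ""                       # wildcards allowed, e.g. "*Report*; *Account*"
    custom_fields: str = ""               # "<name>=<v1>,<v2>; <name2>=<v3>"


@dataclass
class Document:
    name: str
    size: int
    password_protected: bool = False
    properties: dict = field(default_factory=dict)


def group_matches(group: DocPropertiesGroup, doc: Document) -> bool:
    """True only if every property configured in the group holds (AND logic)."""
    if not matches_any(group.file_name, doc.name):
        return False
    if group.size_more_than is not None and not doc.size > group.size_more_than:
        return False
    if group.size_less_than is not None and not doc.size < group.size_less_than:
        return False
    if group.password_protected and not doc.password_protected:
        return False
    if not matches_any(group.title, doc.properties.get("Title", "")):
        return False
    for prop, wanted in parse_custom_fields(group.custom_fields).items():
        # Values of one property are ORed; different properties are ANDed. Exact comparison
        # is an assumption: the page does not say whether custom values accept wildcards.
        if doc.properties.get(prop) not in wanted:
            return False
    return True


def any_group_matches(groups, doc: Document) -> bool:
    """Separate groups, each backing its own rule, behave as OR."""
    return any(group_matches(g, doc) for g in groups)


MB = 1024 * 1024

# Constructed sample documents (not real files).
big_encrypted = Document("q4-forecast.docx", 6 * MB, password_protected=True,
                         properties={"Title": "Q4 Report", "Division": "Finance"})
big_plain = Document("q4-forecast.docx", 6 * MB, properties={"Title": "Q4 Report"})
small_encrypted = Document("notes.xlsx", 20 * 1024, password_protected=True)

# One group carrying both properties matches only files that are large AND protected...
combined = DocPropertiesGroup(file_name="*.docx; *.xlsx", size_more_than=5 * MB,
                              password_protected=True)
# ...while two single-property groups catch either condition.
large_only = DocPropertiesGroup(size_more_than=5 * MB)
protected_only = DocPropertiesGroup(password_protected=True)

if __name__ == "__main__":
    for doc in (big_encrypted, big_plain, small_encrypted):
        print(f"{doc.name}: combined={group_matches(combined, doc)} "
              f"separate={any_group_matches([large_only, protected_only], doc)}")
```

Running the block prints, for each constructed document, whether the combined group matches and whether either of the two single-property groups does. Only the file that is both larger than 5 MB and password-protected satisfies the combined group, which is the pitfall the note at the top of the page warns about; the separate groups catch the large plain file and the small protected file as well.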
Local sender ID(s), Remote recipient ID(s) - These fields are used to enter identifiers of local users sending and/or identifiers of remote users receiving instant messages subjected to control. Separate identifiers with a comma (,) or semicolon (;). Use wildcards (* and ?) as may be required.
 
Note: Local sender ID(s) and Remote recipient ID(s) apply only to protocols. In content-aware rules for devices these parameters have no effect.
User identifiers can be specified for the following protocols: ICQ Messenger, Jabber, Mail.ru Agent, Skype, Telegram, Viber, WhatsApp, Zoom.
ICQ Messenger users are identified by UIN number (such as 23232323).
Jabber users are identified by Jabber ID in the following format: <user>@<domain>.
Mail.ru Agent users are identified by email address in the following format: <user>@mail.ru.
Skype, Telegram, Viber, WhatsApp, and Zoom users are identified by user ID.
Local sender E-mail(s), Remote recipient E-mail(s) - These fields are used to enter addresses of local users sending and/or addresses of remote users receiving emails subjected to control. Separate addresses with a comma (,) or semicolon (;). Use wildcards (* and ?) as may be required.
 
Note: Local sender E-mail(s) and Remote recipient E-mail(s) apply only to protocols. In content-aware rules for devices these parameters have no effect.
Email addresses can be specified for the following protocols: MAPI, SMTP, IBM Notes, Web Mail.
Use the following format for an email address: <user>@<domain> (or <user>/<domain> for IBM Notes). An asterisk (*) can be used to specify a group of addresses. For example, *@domain.com (or */domain for IBM Notes) identifies all email addresses in the specified domain.
When using these parameters in the case of Web Mail, take into account the following:
Because the sender and recipient cannot be checked while attachments are being uploaded to the Web server, using these parameters in content security policies for Web Mail users is not recommended. For security reasons, DeviceLock does not allow uploading attachments to the Web server if the rule that allows sending attachments via Web Mail employs Local sender E-mail(s) or Remote recipient E-mail(s).
Rules that control sending emails via Web Mail still allow saving draft messages that do not yet name a restricted sender or recipient, so a draft saved this way can carry the content you want to protect to where unauthorized persons may access it. For this reason, using such a rule is not advisable.
When using parameters to designate senders or recipients, consider the following:
To allow or deny the transfer of particular content between specific persons, we recommend the use of Complex content groups where a Document Properties group that specifies the desired senders and/or recipients is combined by AND logic with other content groups (File Type Detection, Keywords, etc.).
6. Click OK to close the Add Document Properties Group dialog box.
The new content group created is added to the existing list of content groups under Content Database in the upper pane of the dialog box for managing content-aware rules.