<index_int>

Enter the index number of the profile.

If the profile does not currently exist, it will be created.

<profile_name>

Enter the name of the profile.

To view a list of existing entries, enter a question mark ( ? ).

action-cdr <content-action-profile_name>

If you want to override action-default <content-action-profile_name> for CDR features such as html-content-action {convert-to-text | modify-content}, select an action profile. See profile content-action.

action-default <content-action-profile_name>

Select a content action profile. See profile content-action.

This default setting applies only to sub-scans that do not have their own individually configured action, such as action-cdr <content-action-profile_name>.

action-image-classification <content-action-profile_name>

If you want to override action-default <content-action-profile_name> for image classification, select an action profile. See profile content-action.

action-max-size <content-action-profile_name>

If you want to override action-default <content-action-profile_name> for max-size <KB_int>, select an action profile. See profile content-action.

action-policy-match <content-action-profile_name>

If you want to override action-default <content-action-profile_name> for a sender policy match, select an action profile. See profile content-action.

action <content-action-profile_name>

If you want to override action-default <content-action-profile_name> for patterns {<file-type_name> ...}, select an action profile. See profile content-action.

action <content-action-profile_name>

If you want to override action-default <content-action-profile_name> for dict-score <threshold_int>, select an action profile. See profile content-action.

archive-max-recursive-level <threshold_int>

Enter the maximum compression nesting depth. Valid range is 1-36. action-default <content-action-profile_name> will be applied if the file has too many layers of compression.

This setting applies only if block-recursive is selected in archive-scan-option {detect-password-protected block-on-failure-to-decompress block-recursive}.

archive-scan-option {detect-password-protected
block-on-failure-to-decompress
block-recursive}

Select whether to:

• detect-password-protected: Detect when files are encrypted with a password. Also configure detect-password-archive-option {detect-only | attempt-to-decrypt }.

• block-on-failure-to-decompress: Apply action-default <content-action-profile_name> when an archive cannot be decompressed if the compression algorithm is unknown (such as a bad magic byte), or if the decompress-max-ratio <ratio_int> or decompress-max-size <size_int> are exceeded, and therefore the file cannot be scanned. (This does not include decompression failure due to exceeding archive-max-recursive-level <threshold_int>, which is configured separately.)

• block-recursive: Detect archives with nested compression, such as when a ZIP file is inside another ZIP file. Also configure archive-max-recursive-level <threshold_int>. Deselect to skip files that have too many levels of compression.

This setting applies only if detect-archive-status {enable | disable} is enable.

cdr-file-type-option {office pdf}

Select which file type(s) to apply content disarming and reconstruction (CDR) to:

• office: Microsoft Office attachments, including embedded files inside of them(nested compression is not supported).
• pdf: PDF attachments, including documents inside of archives (nested compression is not supported).

See also file content-disarm-reconstruct.

cdr-office-metadata-action {keep | remove}

Select whether to keep or remove potentially sensitive document property metadata. Also configure metadata-type-option {...}.

Currently DOCX, PPTX, and XLSX files are supported.

comment "<comment_str>"

Enter a description or comment.

decrypt-password-auto-option {built-in-password-list
user-defined-password-list
words-in-email-content}

Select which kinds of password to try to automatically decrypt files:

• built-in-password-list: Predefined list of common passwords as passwords for the attachment file. Predefined passwords are built-in and may be updated when the FortiMail software is updated

• user-defined-password-list: Passwords that administrators configure for attachment files. To configure the passwords, see file decryption password.

• words-in-email-content: Search for the word "password" in the email and try words around it as passwords for the attachment file. The password may be separated by a space character or:

  -,.:

  If the word "password" does not exist, then FortiMail tries words in the email body.

  Multiple languages are supported for the word "password". "Password" translations are built-in and may be updated when the FortiMail software is updated.

  For example, if the email has a sentence such as:

  To open the document, please use password: 123456. If you cannot open it, please contact us.”

  and if decrypt-password-num-of-words <words_int> is 2, then FortiMail tries these words in sequential order:

  1. please

  2. use

  3. 123456

  4. If

This setting applies only if auto-decrypt is selected in decrypt-password-method {auto-decrypt prompt-user-input}.

decrypt-password-method {auto-decrypt prompt-user-input}

Select which methods to try if an attachment file is password-protected:

• auto-decrypt: Try to automatically decrypt the document or archive in order to scan its contents. To select which passwords to try, also configure decrypt-password-auto-option {built-in-password-list user-defined-password-list words-in-email-content}.

• prompt-user-input: Temporarily quarantine the email while FortiMail emails the sender, prompting them to provide the attachment file passwords so that the files can be scanned. Quarantine retention time limits apply (retention-period <days_int>). Once the attachment is decrypted, any remaining scans and delivery are resumed. Also configure:

  • decrypt-password-quarantine-type {system-quarantine | domain-quarantine}

  • decrypt-password-quarantine-folder <folder_name>

  • decrypt-password-notification-disclaimer <notification_name>

This setting applies only if attempt-to-decrypt is selected in either or both:

• detect-password-archive-option {detect-only | attempt-to-decrypt }

• detect-password-office-option {detect-only | attempt-to-decrypt }

decrypt-password-notification-disclaimer <notification_name>

Select which notification template to use for the file password prompt.

This setting applies only if decrypt-password-method {auto-decrypt prompt-user-input} is prompt-user-input.

decrypt-password-num-of-words <words_int>

Enter how many nearby words to try as the attachment file's password.

This setting applies only if you select words-in-email-content in decrypt-password-auto-option {built-in-password-list user-defined-password-list words-in-email-content}.

decrypt-password-quarantine-folder <folder_name>

Select which folder will be used to temporarily store email until the sender responds to the password prompt. To configure a quarantine folder, see <folder_name>.

This setting applies only if decrypt-password-method {auto-decrypt prompt-user-input} is prompt-user-input.

decrypt-password-quarantine-type {system-quarantine | domain-quarantine}

Select whether to use the system-level or domain-level quarantine to temporarily store email while FortiMail waits for the sender to respond to the file password prompt.

This setting applies only if decrypt-password-method {auto-decrypt prompt-user-input} is prompt-user-input.

defersize <KB_int>

Enter the attachment size threshold in kilobytes for deferred delivery. See also defer-delivery-starttime <time_str> and defer-delivery {enable | disable}.

To disable the limit, enter 0.

Alternatively, configure max-size <KB_int>.

detect-archive-status {enable | disable}

Enable to scan archives such as ZIP files according to archive-scan-option {detect-password-protected block-on-failure-to-decompress block-recursive}.

Disable to skip those scans.

Note: This setting does not enable or disable other archive settings in the content profile such as the content monitor setting scan-archive {enable | disable}.

detect-office-status {enable | disable}

Enable to scan Microsoft Office, Open Office, and Adobe PDF files according to office-scan-option {detect-password-protected detect-embedded-component}.

Disable to skip those scans.

Note: This setting does not enable or disable other Office or PDF settings in the content profile, such as the CDR setting cdr-file-type-option {office pdf} and the content monitor settingsscan-office {enable | disable} and scan-pdf {enable | disable}.

detect-password-archive-option {detect-only | attempt-to-decrypt }

Select either:

• detect-Only: Apply action-default <content-action-profile_name>.

• attempt-to-decrypt: Try to decrypt the files using passwords in decrypt-password-method {auto-decrypt prompt-user-input} in order to continue scanning the file's contents. If the file cannot be decrypted and therefore the file cannot be scanned, apply action-default <content-action-profile_name>.

This setting applies only if detect-archive-status {enable | disable} is enable.

detect-password-office-option {detect-only | attempt-to-decrypt }

Select either:

• detect-Only: Apply action-default <content-action-profile_name>.

• attempt-to-decrypt: Try to decrypt the files using passwords in decrypt-password-method {auto-decrypt prompt-user-input} in order to continue scanning the file's contents. If the file cannot be decrypted and therefore the file cannot be scanned, apply action-default <content-action-profile_name>.

This setting applies only if detect-office-status {enable | disable} is enable.

dict-score <threshold_int>

Enter the number of times that an email must match the dictionary profile before it will receive the action configured in action <content-action-profile_name>.

Note: The score is based on matches in each individual dictionary profile, not the total in dictionary-group <dictionary-group_name>.

dictionary-group <dictionary-group_name>

Select which dictionary profile group the content monitor profile will use to find matching text. See profile dictionary-group.

See also information on dictionary profiles.

dictionary-profile <dictionary-profile_name>

Select which dictionary profile the content monitor profile will use to find matching text.

See also information on dictionary profiles.

dictionary-type {group | profile}

Select which will be used to find matching text, either:

• profile: Dictionary profile. Also configure dictionary-profile <dictionary-profile_name>.

• group: Group of dictionary profiles. Also configure dictionary-group <dictionary-group_name>.

Also configure dict-score <threshold_int>.

html-active-content-action {keep | remove}

Select to either keep or remove scripts such as JavaScript.

This setting applies only if html-content-action {convert-to-text | modify-content} is modify-content.

html-content-action {convert-to-text | modify-content}

Select either:

• convert-to-text: Convert HTML email to plain text.

  Note: Hidden text is removed. For details, see html-hidden-content-action {keep | remove}.

• modify-content: Modify the URLs and JavaScript in <script> or <embed> tags in HTML content, using the settings:

  • html-active-content-action {keep | remove}

  • html-content-url-action {click-protection | click-protection-isolator | isolator | keep | neutralize | remove}

  • html-content-url-selection {tag-attribute tag-content}

  FortiMail will also add:

  X-FEAS-ATTACHMENT-FILTER: Contains HTML tags.

  to the message headers.

This setting applies only if check-html-content is selected in scan-option {block-fragmented-email bypass-on-smtp-auth check-html-content check-max-num-of-attachment check-text-content policy-match}.

html-content-url-action {click-protection | click-protection-isolator | isolator | keep | neutralize | remove}

If html-content-action {convert-to-text | modify-content} is modify-content, select how FortiMail will modify the HTML:

• keep: Keep the URL. Do not remove or modify it.

• remove: Delete the URL.

• click-protection: Rewrite the URL to point to FortiMail instead. If the recipient goes to the URL, perform the scans and actions in the global click handling settings ( see system fortiguard url-protection).

• click-protection-isolator: Similar to click-protection, except that if the URL is not blocked, then FortiMail redirects the recipient to continue browsing indirectly, through FortiIsolator.

• isolator: Redirect the recipient to continue browsing indirectly, through FortiIsolator (see isolator-url-base <FortiIsolator_url>).

• neutralize: Modify the URL to make it inactive when clicked, but still easy to determine what the original URL was. For example, a link to:

  https://www.example.com

  is changed to:

  hxxps:\\www[.]example[.]com

This setting applies only if check-html-content is selected in scan-option {block-fragmented-email bypass-on-smtp-auth check-html-content check-max-num-of-attachment check-text-content policy-match}.

html-content-url-selection {tag-attribute tag-content}

Select where CDR modifications should apply:

• tag-attribute: Link URLs in attributes, such as the href attribute in:

  <a href="https://example.com/?tracker=...">

  <a href="file:///\\10.0.0.1\path\doc.rtf!command...">

  (The second URL could be an Office COM moniker exploit via SMB.)

• tag-content: Link text such as Unsubscribe. Phishers and spammers may use link text to trick recipients into clicking the link, but it actually does something else, such as detecting that the user monitors this mailbox.

  Note: Link tags can contain other HTML tags nested inside, such as:

  <a href="https://example.com">Link text

  <span>Span text</span>

  </a>

  Only link text directly inside the <a> tag is modified. Nested tags' text such as inside <span> will not be modified, unless due to html-hidden-content-action {keep | remove}.

This setting applies only if html-content-action {convert-to-text | modify-content} is modify-content.

html-hidden-content-action {keep | remove}

Select to either keep or remove text and images that look hidden or transparent to email users, but could be used for prompt injections of AI LLM such as Microsoft Copilot, or for surveillance, tracking, or marketing that uses personally identifiable information (PII) without permission (also called spy pixels, which could be used instead of cookies). Examples include:

• images with a src URL on a remote server and inline style attributes such as:

  • visibility: hidden;

  • display: none;

  • width: 1px; height: 1px;

• text and any nested HTML tags with:

  • visibility: hidden;

  • display: none;

  • color: transparent;

  • font-size: 0;

• comment tags, except for comments by Microsoft Outlook

image-analysis-scan {enable | disable}

Enable to scan images for content that you may want to block. Also configure image-classification-status {enable |disable}, etc.

This setting is available only with a valid feature license, and if status {enable | disable} (global setting) is enabled.

image-classification-profile <image-classification-profile_name>

Select which image analysis profile to use to define which categories to scan for, such as weapons, personal identification, or QR codes. Also configure score-threshold-weapon <score_int> etc.

This setting is available only with a valid feature license, and if image-classification-status {enable |disable} is enabled.

image-classification-status {enable |disable}

Enable to classify images by their subject. Also configure image-classification-profile <image-classification-profile_name>.

This setting is available only with a valid feature license, and if image-analysis-scan {enable | disable} is enabled.

max-num-of-attachment <limit_int>

Enter how many attachments are allowed in one email message. Valid range is from 1 to 100.

This setting applies only if check-max-num-of-attachment is selected in scan-option {block-fragmented-email bypass-on-smtp-auth check-html-content check-max-num-of-attachment check-text-content policy-match}.

max-size-option {message | attachment}

Select whether to apply max-size <KB_int> to either the body of the email message or attached files.

max-size-status {enable | disable}

Enable to apply max-size <KB_int>.

max-size <KB_int>

Enter the maximum size threshold in kilobytes (KB). Also configure max-size-option {message | attachment}. Then if you want to override action-default <content-action-profile_name> for this scan, also configure action-max-size <content-action-profile_name>.

To disable deferred delivery, enter 0.

This setting applies only if max-size-status {enable | disable} is enable.

office-detect-embedded-option {check-msoffice
check-msoffice-vba
check-msvisio
check-openoffice
check-pdf}

Similar to an archive, documents can sometimes contain scripts, video, graphics, sounds, and other files that are used by the document. By wrapping files within a document instead of linking to the file on a separate, external location, a document becomes more portable. However, it also means that documents with other files nested inside can be used to hide infected files.

Enable to detect other files embedded within the attachment file, and then select which embedded files to scan. Rules from config attachment-scan also apply to embedded files.

Disable to skip scanning of embedded files.

This setting applies only if you select detect-embedded-component in office-scan-option {detect-password-protected detect-embedded-component}.

office-scan-option {detect-password-protected
detect-embedded-component}

Select whether to:

• detect-password-protected: Detect when files are encrypted with a password. Also configure detect-password-office-option {detect-only | attempt-to-decrypt }.

• detect-embedded-component: Detect other files embedded within the attachment file. Also configure office-detect-embedded-option {check-msoffice check-msoffice-vba check-msvisio check-openofficecheck-pdf}.

This setting applies only if detect-office-status {enable | disable} is enable.

operator {is | is-not}

Select either:

• Is: Perform action <content-action-profile_name> if the file type matches patterns {<file-type_name> ...}.

• Is Not: Perform action <content-action-profile_name> if the file type does not match.

For example, if you want to reject all attachments that are executable software for Microsoft Windows platforms, you would configure:

• status {enable | disable}: enable

• patterns {<file-type_name> ...}: executable_windows

• operator {is | is-not}: is

• action <content-action-profile_name>: reject

Other file types would not match this rule and could trigger a different action in later rules or scans.

patterns {<file-type_name> ...}

Select which file types of attachments will be scanned or omitted from the scan, depending on your configuration of operator {is | is-not}.

For multiple file types, separate each entry with a space. To configure more file types, see file filter.

This setting applies only if status {enable | disable} is enable.

scan-archive {enable | disable}

Enable to use the content monitor profile to scan archives such as ZIP files for specified words or phrases.

scan-office {enable | disable}

Enable to use the content monitor profile to scan Microsoft Word and Open Office documents for specified words or phrases.

scan-option {block-fragmented-email
bypass-on-smtp-auth
check-html-content
check-max-num-of-attachment
check-text-content
policy-match}

Select which option(s) to use:

• block-fragmented-email: Detect and block fragmented email. Some mail user agents, such as Microsoft Outlook, can fragment big emails into multiple sub-message to bypass limits on email size, but this can also be used to bypass scanning.

• bypass-on-smtp-auth: Omit content profile scanning if the SMTP session is authenticated.

• check-html-content: Detect hypertext markup language (HTML) email and perform content disarming and reconstruction (CDR). Also configure action-cdr <content-action-profile_name> and html-content-action {convert-to-text | modify-content}.

• check-max-num-of-attachment: Limit how many attachments are allowed in each email message. Also configure max-num-of-attachment <limit_int>.

• check-text-content: Detect URLs and perform content disarming and reconstruction (CDR) in plain text email. Also configure action-cdr <content-action-profile_name> and text-content-action {click-protection | click-protection-isolator | isolator | neutralize | remove-url}.

• policy-match: Defer mail delivery from specific senders configured in the policy. Also configure action-policy-match <content-action-profile_name>.

  By sending low-priority, bandwidth-consuming email such as newsletter digest or marketing campaigns at scheduled times, you can conserve bandwidth at peak time so that high priority email can be sent more quickly. See also mailsetting preference.

Separate multiple options with a space.

scan-pdf {enable | disable}

Enable to use the content monitor profile to scan Adobe PDF documents for specified words or phrases.

status {enable | disable}

Enable or disable the profile.

status {enable | disable}

Enable or disable the rule.