Block Emails or Files including archives or Social Posts using Keywords

From Secure Web Gateway


When your organization holds confidential information and an internal user leaks it, intentionally or unintentionally, what happens? Huge productivity loss.

Data can leak through various channels. Users can upload important documents to the internet. Even if your content filtering software does not allow users to upload Microsoft Word and Microsoft Excel files, a user can work around this by creating an archive from those files and uploading the archived files instead. You cannot simply block archives in your organization, because other people use archives legitimately to transfer large log files.

Other users simply copy information out of Microsoft Word and Microsoft Excel and send it by email to a third party.

Today, these kinds of data leaks have become a challenge for organizations. Organizations are looking for content filtering software that can deeply inspect archive files and identify whether an archive or an email contains certain keyword matches.

This is also a significant challenge for security experts, because the format of the POST data for an upload differs between Gmail, Google Drive, MediaFire, Dropbox and so on. This wide range of POST data formats has made it difficult for security experts to derive a concrete solution.

SafeSquid has come up with an Advanced DLP solution embedded into SafeSquid SWG. It analyzes POST data, deeply inspects archives using file decomposition methods, and identifies whether archives, emails or social media posts contain certain keyword matches. Based on the match you can take effective actions, such as blocking the upload for a particular user or blocking it for a particular destination website.

The Advanced DLP solution is managed from the SafeSquid Self Service portal, where you can create various keyword expression matches. SafeSquid SWG downloads those keyword expressions and loads them into memory. When an archive is uploaded or an email is written, SafeSquid SWG analyzes the POST data and transmits it to the ClamAV daemon for signature verification. If a keyword expression matches, the ClamAV daemon responds with a match, and SafeSquid takes the respective action based on that match.
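The following is an added illustration of why file decomposition matters for keyword matching; it is not SafeSquid or ClamAV code. The keyword list, limits, file names and function names are assumptions, and the sample upload is constructed in memory.

```python
import io
import zipfile

MAX_DEPTH = 5                    # assumed cap on nested-archive recursion
MAX_MEMBER_BYTES = 10 * 2**20    # assumed cap on a member's declared size


def find_keywords(data, keywords, name="upload", depth=0):
    """Return sorted (path, keyword) hits in data and in any nested ZIP member."""
    hits = set()
    lowered = data.lower()
    for kw in keywords:
        if kw.lower().encode() in lowered:   # case-insensitive byte match
            hits.add((name, kw))
    # .docx/.xlsx are ZIP containers, so they decompose like any archive.
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue             # skip directories and oversized members
                hits.update(find_keywords(zf.read(info), keywords,
                                          f"{name}/{info.filename}", depth + 1))
    return sorted(hits)


def make_zip(members):
    """Build an in-memory ZIP from {filename: content} (sample data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed sample: a keyword inside a .docx-style container inside an archive.
KEYWORDS = ["Project Falcon"]    # hypothetical keyword list
DOCX = make_zip({"word/document.xml": "<w:t>Budget for project falcon</w:t>"})
ARCHIVE = make_zip({"logs/app.log": "service started", "report.docx": DOCX})

if __name__ == "__main__":
    print("flat match on raw upload:", b"project falcon" in ARCHIVE.lower())
    for path, kw in find_keywords(ARCHIVE, KEYWORDS, "upload.zip"):
        print(f"BLOCK {path}: matched {kw!r}")
```

A flat search over the uploaded bytes misses the keyword because the member data is compressed; the match only appears once the archive and the document inside it are both unpacked.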


Manage Keyword Signatures using Self Service portal

Configure SafeSquid SWG for using Custom Signatures

Open the SafeSquid interface and go to the ClamAV section under Real Time Content Security.


Click on Global and enable the ClamAV section.


You will see the following.


Enable the policy in the subsection for signature detection.


You will see the following.


Save the settings.


Note: Once you have configured the policy as shown above, go to Support and click the Refresh button to refresh the subscription details.

Testing Signature detection

Test using office documents

Set the proxy settings in the client browser and open Gmail. You must see that SafeSquid has inspected your mail traffic; otherwise blocking is not going to happen.

Create a Microsoft Office file containing your set of keywords, and also prepare an archive.


Now try to attach the file. SafeSquid should block the attachment.

That's it. The signatures you created are in action and your data is safe.



Test using archive files

Attach your archive; you should see that the archive is blocked by SafeSquid.



Test using emails

Create an email draft using the set of keywords for which you have created signatures.

SafeSquid will identify the keywords and block the draft. You can see "Save Failed" in the Gmail compose box.


When you click Send, the mail stays in Sending mode. It does not leave the user's desktop, and your data is safe.

Test using social media posts

Open Facebook and log in using your credentials.

Then try to post a status update. When you click Submit, you will not see your post on Facebook.

Even if you try to post from your timeline, you will not be able to go ahead and post a status containing the specified keywords.

You are not even allowed to post comments containing the specified keywords.

You can perform the same tests on any website by posting data containing the specified keywords. You will not be allowed to post such important information.


Check SafeSquid logs

If things are not working as explained, you can view the SafeSquid logs for troubleshooting.


Check ClamAV daemon Status

Check whether the ClamAV daemon is running.


If you find that the ClamAV daemon is not running, restart it using the following command.

/etc/init.d/clamav-daemon restart

Check Signatures File

If the ClamAV service is running, check whether the signatures database file is present on disk using the locate command.

root@sab:~# updatedb && locate safesquid.ldb

Check ANTIVIRUS profiles applicability.


If you still have any problems, you can send us mail at