I can't be the only person making a last-minute jump from v6.7.2 to v7.x. I decided to implement v7.6. I want to share what I learned as I was setting up my dictionaries. Please feel free to share your experiences or recommendations on how to improve on my processes.
So, where are the dictionaries?...
6.7.2 - Compliance > Content Analysis > Dictionaries
7.6 - Email > DLP and Dictionaries > Compliance Dictionaries
In v6.7.2, the default behavior is a weighted or "score" based dictionary. In v7.6, this is no longer the default. If you request that McAfee support convert your old dictionaries for you, don't be surprised when you import the dictionary(s) in 7.6 and all the weights you associated with your dictionary entries are gone. Be aware that the dictionaries you import will not be applied or visible in the system until after the change is saved.
Restoring the dictionary entries' weight values is a manual process (as far as I can determine). I used a utility to monitor the https traffic between my browser and the MEG and the process for dictionary changes appears to be that the local browser pulls down the XML dictionary content for local processing. This means that dictionary changes are submitted back to the MEG all at once--not one at a time. It would probably not be possible (or at least not very easy) to update dictionary weights or add entries using a third-party fuzz utility.
Also, you cannot change a dictionary to being score based if it is already in use in an email policy. The dictionary will first need to be removed from use in any policies. The dictionary list does tell you if a dictionary happens to be in use by a policy--but not by which policy. After a dictionary is no longer in use by any policies, you can change it to being score based. (You can only rename a dictionary when it is not being used by any policies too.)
To use a score based dictionary, double click on the name of the dictionary and check the box for "Score based". You will be prompted to provide a score to assign to all dictionary entries. (The default value is 10.) Be aware that when you change a dictionary's configuration to "score based", you will lose the ability to take advantage of some of the more advanced dictionary term features, like conditional logic.
Now, where to I setup the policies?...
6.7.2 - Compliance > Content Analysis > Manage Rules / Apply Rules
7.6 - Email > Email Policies
On 7.6, there is a default policy for inbound mail or you can create your own. However, if you create a new policy, you are going to have to provide rule criteria. For filtering ALL inbound messages based upon custom dictionaries, it makes sense to me to just set it up in the default policy. In the default policy, click on the "Compliance: [Disabled]" link under the Compliance heading. There is a wizard that guides you through the setup process at this point. This is also where you will be able to provide a value for the dictionary threshold.
I'm still feeling my way through this new interface so please forgive me if any of the above information is incorrect. I'm learning as I go. Again, please share any information on easier ways to do this if you know of a better way. I hope this helps someone else. Thanks!
on 4/4/14 10:55:36 AM EDT