内容过滤表达式设置代码

技术支持

企业产品

Kaspersky Secure Mail Gateway

附录

审核事件记录中的规则设置代码

内容过滤表达式设置代码

2024年12月12日

ID 287432

如果在事件日志设置中启用了审核事件和修改设置的日志记录，则当“内容过滤”模块的表达被编辑时，有关更改的详细信息会记录在审核日志事件中。

下表显示了“内容过滤”模块表达的设置在审核日志记录中如何被编码。

“主要”选项卡上，审核事件记录中的表达设置代码

“内容过滤”模块中的表达设置	审核事件记录中的代码	示例
“表达式”表中的“状态”拨动开关	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.enable` 可能的值： `true`，如果表达被启用。 `false`，如果表达被禁用。当条件创建时，切换开关会自动启用，并记录相应的审核事件。	使用表达创建的规则，或在现有规则中创建的新表达： `scanSettings.cfScanSettings.expressions{1, Some expression name}.name[][Some expression name]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.Index[][1]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.actions.action[][Skip]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.actions.backup[][true]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.actions.mark[][MARK_FOR_EXPRESSION]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditionsJoiningOperation[][AllTrue]` 修改的表达： `scanSettings.cfScanSettings.expressions{1, Some expression name}.name[Some expression name][New expression name]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.Index[1][2]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.actions.action[Skip][Reject]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.actions.backup[true][false]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.actions.mark[MARK_FOR_EXPRESSION][NEW_MARK_FOR_EXPRESSION]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditionsJoiningOperation[AllTrue][AnyTrue]` 改变一个表达的位置会改变该规则的所有其他表达的位置。因此，有关其他表达位置变化的行也被记录下来。 `scanSettings.cfScanSettings.expressions{2, Some expression 2 name}.Index[2][3]` `scanSettings.cfScanSettings.expressions{3, Some expression 3 name}.Index[3][4] etc` 删除了表达的规则或删除的表达： `scanSettings.cfScanSettings.expressions{1, New expression name}.enable[false][]` `scanSettings.cfScanSettings.expressions{1, New expression name}.name[New expression name][]` `scanSettings.cfScanSettings.expressions{1, New expression name}.actions.action[Reject][]` `scanSettings.cfScanSettings.expressions{1, New expression name}.actions.backup[false][]` `scanSettings.cfScanSettings.expressions{1, New expression name}.actions.mark[NEW_MARK_FOR_EXPRESSION][]` `scanSettings.cfScanSettings.expressions{1, New expression name}.conditionsJoiningOperation[AnyTrue][]`
表达式名称	`scanSettings.cfScanSettings.expressions` `{Number, Name}.name`
位置	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, AttachmentFormat}.attachmentFormat.` `dictionaries` 该记录将包含已连接或已断开连接的词典的 ID。
表达式匹配时的操作	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `actions.action` 可能的值： `Skip`，如果选择了“跳过”。 `DeleteAttachment`，如果选择了“删除附件”。 `Reject`，如果选择了“拒绝”。 `DeleteMessage`，如果选择了“删除邮件”。
将原始邮件放入备份	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `actions.backup`
要添加到邮件主题的文本	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `actions.mark`
逻辑连接类型	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditionsJoiningOperation` 可能的值： `AllTrue`，如果选择了“仅当所有条件匹配时”。 `AnyTrue`，如果选择了“如果一个或多个条件匹配”。

“对标头的操作”选项卡上，审核事件记录中的表达设置代码

“内容过滤”模块中的表达设置	审核事件记录中的代码	示例
删除标头 – 文本	`scanSettings.cfScanSettings.expressions` `{<表达式编号>, <表达式名称>}.` `headersToChange.headersToDelete.textList`	使用表达创建的规则，或在现有规则中创建的新表达： `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.textList.Added[X-MS-Exchange-Abc X-MS-Exchange-Def]` 修改的表达： `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.textList.Added[X-MS-Exchange-Ghi X-MS-Exchange-Xyz]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.textList.Removed[X-MS-Exchange-Def]` 删除了表达的规则或删除的表达： `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.textList.Removed[X-MS-Exchange-Abc X-MS-Exchange-Ghi X-MS-Exchange-Xyz]`
删除标头 – 通配符	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToDelete.wildcardList`	使用表达创建的规则，或在现有规则中创建的新表达： `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.wildcardList.Added[X-MS-Exchange-%2A]` 修改的表达： `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.wildcardList.Added[X-MS-Exchange-%2Aabc]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.wildcardList.Removed[X-MS-Exchange-%2A]` 删除了表达的规则或删除的表达： `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.wildcardList.Removed[X-MS-Exchange-%2Aabc]`
删除标头 – 正则表达式	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToDelete.regexList`	使用表达创建的规则，或在现有规则中创建的新表达： `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.actions.headersToChange.` `headersToDelete.regexList.Added[X-KSMG.+]` 修改的表达： `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.actions.headersToChange.` `headersToDelete.regexList.Added[X-MS.+]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.actions.headersToChange.` `headersToDelete.regexList.Removed-KSMG.+]` 删除了表达的规则或删除的表达： `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.actions.headersToChange.` `headersToDelete.regexList.regexList.Removed[X-MS.+]`
修改标头	`scanSettings.cfScanSettings.expressions` {`<expression number>, <expression number>}.` `headersToChange.headersToModify` 列表中的值表示为记录对：一个表示标头名称，另一个表示值。如果添加或删除了标头，则此类事件由两个记录表示： 1. 添加或删除标头的记录，形式如下： `scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToModify{N}.<header name>` 2. 添加或删除标头的值的记录，其形式如下： `scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToModify{N}.<header value>` 如果只更改了一对的标头，则该对的修改将由以下形式的单个记录表示： `scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToModify{N}.<header name>` 如果只更改了一对的标头值，则该对的修改将由以下形式的单个记录表示： `scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToModify{N}.<header value>` 其中 N 是该对在对列表中的序列号。如果某个对的序列号发生变化，则该对的修改将由以下形式的单个记录表示： `scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToModify{N}.<serial number>`	使用表达创建的规则，或在现有规则中创建的新表达： `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{1}.name[][X-MS-Exchange-Abc]` `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{1}.value[][123]` `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{2}.name[][X-MS-Exchange-Def]` `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{2}.value[][456]` `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{3}.name[][X-MS-Exchange-Ghi]` `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{3}.value[][789]` 修改的表达： `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{1}.name[X-MS-Exchange-Abc][]` `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{1}.value[123][]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{2}.value[456][444]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{2}.Index[2][1]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{3}.name[X-MS-Exchange-Ghi][X-PT-Ghi]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{3}.Index[3][2]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{3}.name[][X-MS-Exchange-Xyz]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{3}.value[][111]` 删除了表达的规则或删除的表达： `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{1}.name[X-MS-Exchange-Def][]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{1}.value[444][]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{2}.name[X-PT-Ghi][]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{2}.value[789][]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{3}.name[X-MS-Exchange-Xyz][]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{1}.value[111][]`

Kaspersky Endpoint Security for Business Advanced: Adaptive security of your company

Web and device controls. Data encryption. Centralized and convenient management from a single console.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

您觉得这篇文章有帮助吗？

我们可以做什么更好？

感谢您的反馈！你正在帮助我们进步。