After activating Office 365 Mail or Gmail, Avanan performs several calibration processes for the Anti-Phishing engine.
The processes include:
- Scanning 13 months of email metadata (sender, recipient, subject, time) in users’ mailboxes to determine the communication patterns.
- Automatic identification of MTAs placed before Microsoft or Google. It could affect SPF checks and other aspects of detection.
While these processes are running, Avanan Portal will be in Learning Mode. You can see a banner at the top of the dashboard. Also, you can see the progress of the Learning Mode in the Dashboard tab.
Note – To complete these processes, it takes a couple of minutes to 48 hours, depending on the number of protected mailboxes and the volume of their emails.
In Learning Mode, no email will be flagged as phishing or spam. All Anti-Phishing scans return Phishing Status as Clean and the Detection Reason as Learning Mode.
All other security engines work as usual in the Learning Mode and flag the malware, DLP, Shadow IT, and anomalies. Avanan automatically exits Learning Mode after the calibration processes are complete.
Note - If a Prevent (Inline) policy rule is added, Learning Mode automatically stops.
While in Learning Mode, and at times for a while after it is completed, Anti-Phishing engine automatically adjusts these parameters to fine-tune the detection accuracy:
- Upstream MTAs - In Learning Mode, Avanan automatically detects and adds MTAs to the list. It does not delete MTAs added manually by administrators. See Upstream Message Transfer Agents.
- Phishing Confidence Level (Threshold)
Note - If administrators configured the phishing confidence level to a value different from the default value, Avanan does not change this value.
After activating the SaaS application, Avanan performs backward scanning of its content in parallel to live scanning.
The backward scanning period for SaaS applications is as follows:
|SaaS Application||Scanning Period|
|Office 365 Email||
|Office 365 OneDrive||No backward scanning|
|Google Drive||14 days|
|Slack||No backward scanning|
|Microsoft Teams||No backward scanning|
|Office 365 SharePoint||No backward scanning|
|Citrix ShareFile||14 days|
Note - If you need backward scanning for your accounts or to extend the backward scanning period, contact Avanan Support.
After activating the SaaS application, Avanan starts scanning all the files and emails for any threats in real-time.
The Dashboard (Security Overview) page shows the security events found if any. At the bottom of the overview screen, you can see the status of active scans of your SaaS applications. Depending on the amount of data, this stage may take time.
Note - The number of active users may exceed the number of licensed users in the SaaS and does not necessarily reflect the number of Avanan licenses required.
Click Active users to review the list of users. This opens a query in the Custom Queries under Analytics & Reports tab.
For example, in Office 365, Shared Mailboxes do not require a separate license in Avanan but are counted as active users.
Note - By default, after activating a SaaS application, policies get created for threats (phishing and malware). For DLP, there is no default policy.