User Tools

Site Tools


LUCY MANUAL Applies to LUCY versions above 4.7


Start using Screener

Now, when the setup is done. It is time to start using the tool.
If it is not set up yet, please refer to these articles:
Install Screener in Linux
Setup Tutorial for VMware
Setup Tutorial for Virtualbox

Step 1: Domain and SSL certificate

As the first step it is highly recommended to setup Domain and SSL. However, it is not necessary. MSI plugin is able to work with no SSL over IPv4.
This step is a must to make O365 plugin operational, it can not operate via IP address.

Also, with the domain name configured you can create an MX record for the owned domain name to receive reports over SMTP protocol.

At this stage, if an MX record is configured, the Screener is already able to accept the reports. Simply forward a suspicious email as an attachment to the

Step 2: Configure the Plugin

Configure the plugin in Settings → Plugins.
it is necessary to define, which version is going to be used, O365 or MSI.

Step 3: Configure Automatic analyze rules

Configure or leave by default Yara Dictionaries.
Configure or leave by default Yara Rules.
Configure or leave by default Custom Rules.
Configure or leave by default Analyzer Score.

Step 4: Users

Configure additional users if necessary.
Each user has equal permissions, but it is possible to configure different timezones per user.

Step 5: Deploy the plugin

Download and deploy the O365 or MSI plugin.

Step 6: Report an incident

As soon as installed, a button should appear in the Outlook interface.
Simply select a suspicious email in the list and click the button.
The suspicious email is reported and now should appear in the Screener Incidents section.
Or, it can appear in the "Simulations" sections in case if a LUCY email message was reported.

The screener always listens to port 25, so in case if you are planning to report incidents over SMTP, it is enough to create an MX record of the screener domain.

For example:
There is a domain name pointing to the instance. Simply use and the Screener will accept the report.

Step 7: Review the incident

It is possible to review the incoming incidents.
The system will do an automatic analysis of an incident as soon as it is received.
The automatic scan will happen according to the Analyze rules. It will receive some spam score.
The amount of the spam score is unlimited, however, it'll be cut of to 10 since it is a maximum value for an incident.

Step 8: Define the threat

Change the workflow status from Open to In Progress.
Define what should be done with the incident.
Should a user send an abuse?
Should a user rescan the incidents?
As soon as the incident is reviewed by a user, it is possible to define the Resolution for the incident.
It can be Dangerous or Dismissed. As soon as the Resolution is defined, the workflow status for the incident will be automatically set to "Closed".

start_using_screener.txt · Last modified: 2021/04/27 19:08 by lucy