06-15-2017 06:16 AM
Good Morning,
We recently upgraded our ESA to version 10.0.0-203 from 9.6.0-041 in preparation for migration to Email Cloud Security. Since the upgrade, we have noticed a tremendous upswing in the number of emails that have been marked "Encrypted". Before the upgrade, we were averaging 4 - 5 per week, with no "False Positives". Since the upgrade, we are averaging 4 - 5 per day plus numerous "False Positives". The tracking history shows "Encrypted", but once released to the Email Admins, there is no encryption/passwords associated to the file. It is starting to impact our business because senders are becoming confused. Emails that were received previously are now being "flagged" as encrypted.
We have opened a TAC (682480982) but wanted to see if anyone else has experienced the same issue. We are using the McAfee AV for scanning on this appliance.
Any help or ideas are appreciated.
Thanks,
Doug
06-17-2017 10:24 AM
Hi Doug,
The McAfee engine was updated a few months back; however, the engine would have updated even while you were on the previous AsyncOS 9.6 release.
Haven't seen this being reported on AsyncOS 10 as such.
Hopefully, the TAC engineer can test this out using the sample files being seen as encrypted and provide further evaluation.
Thank You!
Libin Varghese
06-26-2017 05:58 AM
Update on this issue:
Discovered that the updated McAfee scanning engine is doing a better job of "catching" encrypted attachments than the previous version.
http://www.cisco.com/c/en/us/support/docs/field-notices/642/fn64277.html
We will need to decide on what to do now.
06-26-2017 08:40 PM
Thank you for the update, Doug.