AMP and message pipeline

mark fitzgerald
Level 1

I have AMP configured to drop malicious attachments, add an x-malware=1 header, and deliver. I then have a content filter that looks for that header and, if it exists, quarantines the message. The issue I'm having is that some of these messages are not being quarantined, but are instead being delivered "empty", as in with no attachment OR body content. I've spoken with support and they said that the reason for this behavior was that the message was quarantined in the file analysis quarantine because the attachment was sent to Sourcefire for analysis. It was then returned as "malicious", which meant the attachment was dropped. They are saying that it's skipping my content filter because "we don't process through the content filters a second time on release from the quarantine."

I was under the impression from reading the docs and from info Cisco published on-line that "In the mail pipeline AMP comes after Anti-Spam and Anti-Virus engines and before Content Filters and Outbreak Filters. You will be able to do Content Filter inspections and actions based on AMP results."

This to me indicates that upon release, it would actually be the message's first trip through the content filters. I know it's a shot in the dark, but has anyone else experienced this? Is what I'd like to happen not possible?

8 Replies

Mathew Huynh
Cisco Employee

Hey Mark,

The AMP engine is indeed behind the content filters, but it looks like if the attachment is sent for sandboxing, and the verdict from AMP sees it as malicious, it will remove the attachment (which is what I believe the support team has provided in their response).

Just out of curiosity, what are your settings for "Unscannable" and "File Analysis Pending" on the AMP configuration per policy?

Regards

Matthew

So that information about AMP being in front of the content filters is incorrect?

Unscannable is set to Deliver As Is, because we've had issues with "unscannable" meaning "the scanning engine is down or can't be reached" rather than "this file is unscannable because it's encrypted or corrupted" -- which apparently amounts to the same thing, and resulted in good messages being dropped. Right now, I have file analysis pending set to quarantine, with a header "x-quarantined-for-analysis=1" added.

It would be nice if there was a way to send header-added quarantined messages through the content filters again, so you could evaluate any added custom headers. 

I've changed Messages with Malware Attachments to Dropped, since I can't evaluate the headers and quarantine. The quarantine request came from our security guys, as they wanted to have some of these messages sent to a sandbox system for analysis.

It is correct, my wording may not have been the best.

Spam > Virus > AMP > Content filter > Outbreak

is the workflow.

As for sandboxing, the ESA has a setting to quarantine while pending sandbox analysis; otherwise you can set it to deliver and add a header.

Regards,

Matthew

Right, that's apparently the issue.  We are quarantining while pending analysis, but when it's released from the quarantine, the added header doesn't matter because it doesn't go through the content filters again. 

Hey Mark,

Ah right, thanks for the clarification.

I believe if the "Add a custom header" action is set, it'll go through the rest of the workqueue (so it should also go through content filters) and be sent into the file analysis quarantine, after which it'll have action taken accordingly based on results.

However if it was also flagged for another quarantine (due to header) as well as the AMP quarantine flag in place, it should be released from the AMP quarantine and go into the next flagged quarantine.

Regards,

Matthew

Hi Matthew,

I think that brings us back to my original question! :) Support told me "we don't process through the content filters a second time on release from the quarantine."

So that was what I was trying to get a verification on, because behaviorally, that seems to be the case, but the documentation says I can apply a header to messages that are being held in quarantine pending file analysis and then that header should be readable by a content filter.

Hey Mark,

If AMP flags it for quarantine, it'll finish the workqueue and go to the quarantine last.

However, if there is a content filter which is set to action the email in any form, it should take action before the email goes to the AMP quarantine. If you set a final drop such as "if X-Header -> True (which was added by AMP settings), Drop", it will drop the entire email.

But it will not get reinjected into the workqueue again once it leaves the AMP quarantine, as this is not the design.

The only service that re-injects into the workqueue (for AS/AV engine scanning) is Outbreak filters.

Regards,

Matthew

That makes sense. What I assumed I could do was the same thing that I can do if the file attachment is known malicious -- I was applying a header, then quarantining based on that header, rather than dropping the mail outright. But I guess if it goes off to Cisco to be analyzed, and sits in the quarantine while that happens, when it's released it won't go through the content filters again, so it's just delivered, regardless of whether my x-malwaredetected=1 is there or not.
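To make the workqueue behaviour Matthew describes (and the "empty" deliveries Mark saw) concrete, here is an added toy model of the pipeline order stated in this thread. It is not Cisco code: it assumes Spam > Virus > AMP > Content filter > Outbreak, that a message flagged for the file analysis quarantine finishes the workqueue first, and that release from that quarantine applies the sandbox verdict and any quarantine a content filter already flagged, but never re-runs the content filters. Header names follow the thread; the rule format and functions are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Message:
    attachment: Optional[str]                 # None once AMP strips it
    headers: dict = field(default_factory=dict)
    final_action: Optional[str] = None        # set by a content filter on the first pass
    pending_file_analysis: bool = False       # flagged for the file analysis quarantine

def amp_stage(msg, verdict, pending_action="quarantine"):
    """AMP runs after AS/AV. verdict: 'clean', 'malicious' (known), or 'pending'."""
    if msg.attachment is None:
        return
    if verdict == "malicious":                 # known bad: strip and tag, as Mark configured
        msg.attachment = None
        msg.headers["x-malware"] = "1"
    elif verdict == "pending":                 # sent to the sandbox: tag, maybe hold
        msg.pending_file_analysis = (pending_action == "quarantine")
        msg.headers["x-quarantined-for-analysis"] = "1"

def content_filters(msg, rules):
    """rules: list of (header_name, action); first matching rule wins."""
    for header, action in rules:
        if msg.headers.get(header) == "1" and msg.final_action is None:
            msg.final_action = action

def run_workqueue(msg, verdict, rules, pending_action="quarantine"):
    """One pass through the workqueue; returns where the message ends up."""
    amp_stage(msg, verdict, pending_action)
    content_filters(msg, rules)                # sees only headers added so far
    if msg.final_action == "drop":
        return "dropped"                       # a final drop beats the AMP quarantine
    if msg.pending_file_analysis:
        return "file-analysis-quarantine"      # held last, after the whole workqueue
    return msg.final_action or "deliver"

def release_from_file_analysis(msg, sandbox_verdict):
    """Release path: verdict applied, but no second trip through content filters."""
    if sandbox_verdict == "malicious":
        msg.attachment = None
        msg.headers["x-malware"] = "1"         # present, but no filter will read it now
    return msg.final_action or "deliver"       # only a quarantine flagged earlier still applies
```

Running the three cases from the thread: a known-malicious attachment is caught by the x-malware filter on the first pass; a sandboxed attachment with only an x-malware rule is released as an attachment-less "deliver"; a rule on x-quarantined-for-analysis instead flags the policy quarantine on the first pass, which is where the message lands on release.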