04-22-2020 04:35 AM
Hi,
today we started evaluating the ESA AMP File Reputation service. I was really surprised to find that the only options available to deal with malicious emails are "drop" and "deliver as is". No quarantine. Why, Cisco. Why? :-/
Surprises aside, there is an advanced option there that would allow me to send emails with verdict "malicious" to an alternate destination host. Could I simply send the message back to the ESA itself (127.0.0.1 or IP of a listener) and then use a content filter that acts on the X-Amp-Result header to move those emails to a policy quarantine?
04-23-2020 07:46 PM
Hello,
For your requirement, you create a content filter with a condition set to check for header "X-Amp-Result" with a value of "MALICIOUS" i.e. X-Amp-Result = MALICIOUS.
Then take the action of quarantine in the same filter and submit and apply to the concerned incoming policy.
In AMP settings for the same incoming policy, set the "Action Applied to Message" option for "Message with Malware Attachments" to "Deliver As Is".
This will allow emails with malware content detected to be quarantined.
Cheers,
Pratham
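The flow Pratham describes depends on ordering: AMP acts on the message first, and the content filter only ever sees it if AMP was set to "Deliver As Is" rather than "Drop". The following is an added simulation of that pipeline (example code written for this thread, not Cisco's or the ESA's own logic). It assumes the appliance stamps the verdict into an `X-Amp-Result` header before content filters run, and the sample messages below are constructed; the case-insensitive comparison is a defensive choice of the example, not something the thread states about the ESA's matching.

```python
"""Simulated ESA work-queue ordering: AMP verdict -> AMP action -> content filter.

Added example for this thread; not Cisco code. Header names and values are
assumptions based on the thread (X-Amp-Result: MALICIOUS / CLEAN).
"""
from email import message_from_string
from email.message import Message

# Constructed sample messages standing in for what the appliance would see
# after scanning. A real scan would add the X-Amp-Result header itself.
MALICIOUS_MSG = """\
From: sender@example.test
To: user@example.test
Subject: Invoice
X-Amp-Result: MALICIOUS

see attachment
"""

CLEAN_MSG = """\
From: sender@example.test
To: user@example.test
Subject: Hello
X-Amp-Result: CLEAN

hi
"""

NO_VERDICT_MSG = """\
From: sender@example.test
To: user@example.test
Subject: Not scanned

hi
"""


def is_malicious(msg: Message) -> bool:
    """True when the verdict header reads MALICIOUS.

    Missing header -> False (no verdict is not a malware verdict).
    Comparison is whitespace- and case-insensitive by choice of this example.
    """
    verdict = msg.get("X-Amp-Result", "")
    return verdict.strip().upper() == "MALICIOUS"


def content_filter(msg: Message) -> str:
    """Mirrors the filter from the thread:
    condition  header X-Amp-Result = MALICIOUS
    action     quarantine (policy quarantine)
    Anything else falls through and is delivered.
    """
    return "quarantine" if is_malicious(msg) else "deliver"


def process(raw: str, amp_action: str) -> str:
    """Run one message through the simulated pipeline.

    amp_action is the AMP "Action Applied to Message" setting for
    "Message with Malware Attachments": "drop" or "deliver_as_is".
    Returns the final disposition: "dropped", "quarantine" or "deliver".
    """
    if amp_action not in ("drop", "deliver_as_is"):
        raise ValueError("amp_action must be 'drop' or 'deliver_as_is'")
    msg = message_from_string(raw)
    # AMP runs before content filters in the work queue, so with "drop" the
    # message is gone before the quarantine filter gets a chance to act.
    if amp_action == "drop" and is_malicious(msg):
        return "dropped"
    return content_filter(msg)


if __name__ == "__main__":
    for name, raw in (("malicious", MALICIOUS_MSG),
                      ("clean", CLEAN_MSG),
                      ("no verdict", NO_VERDICT_MSG)):
        for action in ("drop", "deliver_as_is"):
            print(f"{name:10s} AMP={action:13s} -> {process(raw, action)}")
```

Running it shows the point of the answer: with AMP set to `drop`, the malicious message is dropped and the content filter never runs, while with `deliver_as_is` the same message reaches the filter and lands in quarantine; clean and unscanned messages are delivered either way.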
04-24-2020 02:47 AM
Thanks Pratham. I should have thought about that myself. It was obvious :)