AMP File Reputation: Move malicious mails to quarantine

cryptochrome
Level 1

Hi,

today we started evaluating the ESA AMP File Reputation service. I was really surprised to find that the only options available to deal with malicious emails are "drop" and "deliver as is". No quarantine. Why, Cisco. Why? :-/

Surprises aside, there is an advanced option there that would allow me to send emails with verdict "malicious" to an alternate destination host. Could I simply send the message back to the ESA itself (127.0.0.1 or IP of a listener) and then use a content filter that acts on the X-Amp-Result header to move those emails to a policy quarantine?

2 Replies

ppreenja
Cisco Employee

Hello,

For your requirement, you create a content filter with a condition set to check for header "X-Amp-Result" with a value of "MALICIOUS" i.e. X-Amp-Result = MALICIOUS.

Then take the action of quarantine in the same filter and submit and apply to the concerned incoming policy.

In AMP settings for the same incoming policy, you can set the option for "Message with Malware Attachments" of "Action Applied to Message" to be set as "Deliver As Is".

This will allow emails with malware content detected to be quarantined.

Cheers,

Pratham
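As an added illustration (not part of this thread, and not Cisco's own configuration), the same rule in AsyncOS message-filter syntax, which is the CLI counterpart of the content filter described in the reply above: match the `X-Amp-Result` header stamped by AMP, and hold the message instead of delivering it. The filter name `amp_malicious_to_quarantine` and the target quarantine name `Policy` are assumed; substitute the quarantine configured on your appliance.

```text
amp_malicious_to_quarantine:
if (header("X-Amp-Result") == "MALICIOUS")
{
    quarantine("Policy");
}
```

This only has an effect if the AMP action for the incoming policy is "Deliver As Is", as the reply notes; with "Drop" the message never reaches the filter stage. Whichever form you use, confirm it in Message Tracking on a test message rather than assuming the header value, since the filter matches the header text literally.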

Thanks Pratham. I should have thought about that myself. It was obvious :)