Cisco Secure Email Support Community

cryptochrome
Beginner

AMP File Reputation: Move malicious mails to quarantine

Hi,

Today we started evaluating the ESA AMP File Reputation service. I was really surprised to find that the only options available to deal with malicious emails are "drop" and "deliver as is". No quarantine. Why, Cisco. Why? :-/

Surprises aside, there is an advanced option there that would allow me to send emails with verdict "malicious" to an alternate destination host. Could I simply send the message back to the ESA itself (127.0.0.1 or IP of a listener) and then use a content filter that acts on the X-Amp-Result header to move those emails to a policy quarantine?

2 REPLIES
ppreenja
Cisco Employee

Hello,

For your requirement, you create a content filter with a condition set to check for header "X-Amp-Result" with a value of "MALICIOUS" i.e. X-Amp-Result = MALICIOUS.

Then take the action of quarantine in the same filter and submit and apply to the concerned incoming policy.

In AMP settings for the same incoming policy, you can set the option for "Message with Malware Attachments" of "Action Applied to Message" to be set as "Deliver As Is".

This will allow emails with malware content detected to be quarantined.

Cheers,

Pratham

Thanks Pratham. I should have thought about that myself. It was obvious :)  
