Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
777
Views
0
Helpful
1
Replies

AMP - possible to rescan UNSCANNABLES through File Analysis quarantine?

donald dobbins
Level 1
Level 1

‎07-26-2016 10:21 AM

When AMP sends a file off for analysis and is configured to quarantine, it will rescan on release.  So in the event of a malicious verdict, that message we will have dropped.  My question is if something returns as unscannable (cloud service is down) - I want to quarantine this to the File Analysis quarantine using an X-Header and have that rescan on release. Will this work?

Labels:
0 Helpful
1 Reply 1

Mathew Huynh
Cisco Employee
Cisco Employee

‎08-02-2016 10:31 PM

Hello Donald,

I did a test and sent an email through my test lab device.

It got scanned by AMP (albeit unknown result not unscannable), I sent it straight to my policy quarantine instead, released it and it  got rescanned by Anti virus, and AMP again.


Wed Aug 3 15:21:20 2016 Info: MID 1287 matched all recipients for per-recipient policy Matt_test in the inbound table
Wed Aug 3 15:21:20 2016 Info: ICID 911 close
Wed Aug 3 15:21:21 2016 Info: MID 1287 interim verdict using engine: CASE spam negative
Wed Aug 3 15:21:21 2016 Info: MID 1287 using engine: CASE spam negative
Wed Aug 3 15:21:21 2016 Info: MID 1287 interim AV verdict using Sophos CLEAN
Wed Aug 3 15:21:21 2016 Info: MID 1287 antivirus negative
Wed Aug 3 15:21:22 2016 Info: MID 1287 AMP file reputation verdict : UNKNOWN
Wed Aug 3 15:21:22 2016 Info: MID 1287 using engine: GRAYMAIL negative
Wed Aug 3 15:21:22 2016 Info: MID 1287 Outbreak Filters: verdict negative
Wed Aug 3 15:21:22 2016 Info: MID 1287 quarantined to "Policy" (message filter:filter_matt_test)
Wed Aug 3 15:21:22 2016 Info: Message finished MID 1287 done

Wed Aug 3 15:22:16 2016 Info: MID 1287 released from quarantine "Policy" (manual) t=54
Wed Aug 3 15:22:16 2016 Info: MID 1287 released from all quarantines
Wed Aug 3 15:22:16 2016 Info: MID 1287 matched all recipients for per-recipient policy Matt_test in the inbound table
Wed Aug 3 15:22:16 2016 Info: MID 1287 interim AV verdict using Sophos CLEAN
Wed Aug 3 15:22:16 2016 Info: MID 1287 antivirus negative
Wed Aug 3 15:22:16 2016 Info: MID 1287 AMP file reputation verdict : UNKNOWN
Wed Aug 3 15:22:16 2016 Info: MID 1287 using engine: GRAYMAIL negative
Wed Aug 3 15:22:16 2016 Info: MID 1287 queued for delivery

Regards,

Matthew

0 Helpful
Customers Also Viewed These Support Documents