amp / threat grid timeout on mail attachment analysis

cos_nantes
Level 1

Hello,

I have a question about Cisco AMP and Threat Grid. Is it possible to block a mail when the file attachment analysis takes too long, and then send a mail to alert about this analysis?

Regards

5 Replies

marc.luescherFRE
Spotlight

You can extend the File Analysis release time from 30 Minutes to 120 Minutes.

We never had a single message taking more than 52 min. That way emails would only get released once AMP checks are completed.

Thanks for your reply.

And can I ask you where this option is? I searched in Threat Grid and in the File Reputation and Analysis settings in the Email Security Appliance, but I can't find any option about this time.

Regards

If you have an SMA, connect to your SMA and go into the Policy, Virus and Outbreak Quarantine view.

If you have only an ESA, then go into the same option on your ESA (under Security Services?).

Look for a quarantine called File Analysis.

Click on the File Analysis quarantine name.

This should open the definition of the PVO, and one option will be called Retention Period. Increase the retention period to the maximum value you want, like 120 min. Submit and Commit and you should be all set.

From now on AMP will only release messages to end users when 120 min have expired and the AMP verdict has still not been received. We have never seen such long wait times in production, so you should be all set. It is more likely that you will get a corrupt document.

I hope that helps.

-Marc

I don't understand, the PVO Quarantines option isn't activated on our ESA or SMA. But we have File Analysis activated under the AMP option on the ESA, which is linked with our Threat Grid server. So is the PVO option required to set the timeout option?

Thanks for your time.

Regards

Let me try to explain how AMP and File Analysis are tied together.

AMP puts every email message in an internal PVO queue called "File Analysis" when a file which is classified by AMP preclassification as "needing to be uploaded" is being processed.

The file and the corresponding email will remain in this queue until one of the following happens:

a) the verdict from ThreatGrid/AMP came back and the message can be released from File Analysis

b) the retention timeout period of the File Analysis queue (default 30 min) has expired and there was no verdict yet from ThreatGrid/AMP, so the email is released

c) a retrospective alert, should MAR be enabled, would at a later time still pull any bad messages from O365, should a malicious verdict come back after 30 min.

I just checked our test system. Should you have centralized quarantines enabled, the queue will be on your SMA; otherwise it will be on your ESA under Monitor / Policy, Virus and Outbreak Quarantines.

I hope this helps further.

-Marc
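As an added illustration (not from this thread and not Cisco product code), here is a small Python model of the three outcomes described for the File Analysis queue: release on verdict, release on retention timeout with no verdict, and a later malicious verdict that only a retrospective mechanism (MAR) can act on. The message timings are constructed; the point is to see how raising the retention period from 30 to 120 min changes which messages leave the appliance without a verdict, which is the set the original poster wanted to alert on.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Submission:
    msg_id: str
    submitted_at: int          # minute the attachment was sent for analysis (constructed)
    verdict_at: Optional[int]  # minute the ThreatGrid/AMP verdict came back, None if never
    verdict: Optional[str]     # "clean" or "malicious", None if no verdict was ever produced

def resolve(sub: Submission, retention_min: int) -> dict:
    """Decide how one message leaves the File Analysis queue (simplified model)."""
    deadline = sub.submitted_at + retention_min
    if sub.verdict_at is not None and sub.verdict_at <= deadline:
        # (a) verdict arrived before the retention period ran out: act on the verdict
        return {"msg_id": sub.msg_id, "outcome": "verdict", "verdict": sub.verdict,
                "released_at": sub.verdict_at, "needs_retrospective": False}
    # (b) retention period expired with no verdict: message is released without one
    # (c) if a malicious verdict still arrives later, only a retrospective action can catch it
    return {"msg_id": sub.msg_id, "outcome": "timeout", "verdict": None,
            "released_at": deadline, "needs_retrospective": sub.verdict == "malicious"}

def summarize(subs, retention_min: int) -> dict:
    """Aggregate outcomes for one retention setting; 'timed_out' is the alert-worthy set."""
    results = [resolve(s, retention_min) for s in subs]
    return {
        "released_on_verdict": sum(r["outcome"] == "verdict" for r in results),
        "timed_out": [r["msg_id"] for r in results if r["outcome"] == "timeout"],
        "retrospective_needed": [r["msg_id"] for r in results if r["needs_retrospective"]],
    }

# Constructed sample: all submitted at minute 0, verdict latencies chosen to
# bracket the 52-minute worst case mentioned in the thread.
SAMPLE = [
    Submission("m1", 0, 12, "clean"),
    Submission("m2", 0, 52, "malicious"),  # slow malicious verdict
    Submission("m3", 0, 45, "clean"),
    Submission("m4", 0, None, None),       # analysis never completes (e.g. corrupt document)
]

if __name__ == "__main__":
    for retention in (30, 120):
        print(retention, summarize(SAMPLE, retention))
```

With the default 30 min, m2 is released before its malicious verdict arrives and would depend on MAR; with 120 min only the message that never gets a verdict (m4) is released on timeout, and that is the one worth alerting on.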