AMP [Warning: Attachment Unscanned

Paul Cardelli
Level 1

So it has been about a month or 2 since I finally got my AMP license installed. Today a few of my users are starting to get [Warning: Attachment Unscanned] on the Subjects of their incoming e-mails. I have a feeling there is something misconfigured on the cloud side of the house, as nothing has changed, and everything is updating fine. Just curious if someone else is having the same issue before I open a ticket?

I wish there was a way to make these notices a little cleaner, or have the option to turn them off without shutting down AMP. Seems like when AMP is shut down it no longer can retroactively track files that got through without scanning.

neb-ITOps
Level 1

We have our AMP policy for unscannable as 'deliver as is' and have a content filter to quarantine malicious and unscannable attachments with a notification to IT Ops.

In answer to your question - I saw a few 'unscannable' attachments today (granted I haven't had AMP enabled for that long because of licensing issues) for .png and .html attachments... unsure why.

I'm going to leave it for a few days and see what happens... I'm happy to manually release them from quarantine for now.

Mathew Huynh
Cisco Employee

Hello Paul,

Unscannable can be due to different reasons.

One could be the SHA key does not match the type of file that it is meant to be, or the file could be damaged or corrupted in its formatting in some one

Another would be the scanning couldn't be completed within the time-out period or so

Your AMP logs would assist a bit more by grepping the MID which you saw this unscannable into the AMP logs and see why it was registered as unscannable.

If you would like, you can change the action of the AMP engine for unscannables rather than prepend the subject as you saw, to stop the prepends for unscannables if it's too frequent.

Additionally maybe this setup change may also help:

> ampconfig

File Reputation: Enabled
File Analysis: Enabled

Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- CLEARCACHE - Clears the local File Reputation cache.
[]> advanced

Enter cloud query timeout?
[2]> 5

Regards,

Matthew