06-26-2017 04:52 PM
How would I configure Ironport to bypass File Analysis for specific domains that send us email continuously with attachments? File Analysis is configured to Quarantine and I see files getting backed up in the quarantine pending File Analysis. I would like these specific documents to flow through quickly.
06-28-2017 10:17 AM
Hello,
The easiest method has already been mentioned, where you would need to either set up a new mail policy and disable AMP on that policy and/or disable AMP for any mail policies that include senders you wish to exclude from AMP scanning.
Another option would be to set up a message filter similar to the one below:
+++
SKIP-AMP:
if (mail-from == "(?i)@cisco\\.com")
{
log-entry("*** SKIP AMP-CHECK ***");
skip-ampcheck();
}
.
+++
or
+++
SKIP-AMP-DICTIONARY:
if (mail-from-dictionary-match ('SKIP-AMP-DOMAINS'))
{
log-entry("*** SKIP AMP-CHECK-DICTIONARY ***");
skip-ampcheck();
}
.
+++
Thanks!
-Dennis M.
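Building on the dictionary filter above, here is an added example (not from the original thread) that narrows the bypass to messages whose sender domain is in the dictionary, whose SPF check passed, and whose attachment name matches common document extensions, and that tags each bypassed message with a header so they can be found later in message tracking. The header name X-AMP-Bypass, the SPF and extension conditions, and the filter name are my assumptions; 'SKIP-AMP-DOMAINS' must already exist as a dictionary on the appliance.

```text
SKIP-AMP-TRUSTED-DOCS:
if (mail-from-dictionary-match('SKIP-AMP-DOMAINS') AND
    (spf-status == "Pass") AND
    (attachment-filename == "(?i)\\.(docx?|xlsx?|pptx?|pdf)$"))
{
    log-entry("*** SKIP AMP-CHECK for $EnvelopeFrom (SPF pass, document attachment) ***");
    insert-header("X-AMP-Bypass", "trusted-sender-dictionary");
    skip-ampcheck();
}
.
```

Requiring an SPF pass keeps a forged envelope sender from triggering the bypass, and the inserted header lets you search tracking for everything that skipped AMP.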
06-26-2017 06:45 PM
Create a new incoming mail policy, give it a name, set it to be inserted before your other policies. Click on "Add user" and then set the domain you want to skip as a sender, click ok.
Then in the grid, click on "(use default)" under "Advanced Malware Protection", and select "No".
06-27-2017 09:32 AM
You are suggesting creating duplicate policy for every policy I have where above each one, there is one to skip AMP? Sounds really inefficient and I'll need to create a lot of bypass policies....
06-27-2017 09:40 AM
No, I said create "a new incoming policy" ie. ONE, before your other policies.
If you were to put one between policies, you'd only ever hit the top one, as the policy engine works top down, and only fires on one policy...
06-27-2017 10:01 AM
Each policy I have is capturing various domain names and email addresses with different settings for Content Filters. If I set just 1 policy above all, it will affect AMP yes but it will affect all of my other policies where the domain / email exist. So this is not doable unless I create a duplicate policy for every existing one. That would be difficult to manage.
06-28-2017 05:33 AM
You can certainly modify the AMP configuration for your existing incoming mail policies without creating duplicates.
If you have a mail policy specific for domain1.com for example, you could modify the AMP configuration for that domain. You do not need to add another mail policy for domain1.com.
However, if you have domain2.com for which there are no existing incoming mail policies then we would need to create a new one as Ken suggested.
As the objective is to prevent File Analysis from quarantining emails, you could just modify the action for AMP from quarantine to deliver instead of turning it off completely if you still wish for them to be scanned.
- Libin V
06-28-2017 09:01 AM
I don't think this can be done cleanly in the mail policy. The policy may contain domain1 but it also contains domain2 through 50. If I modify the AMP policy on this layer, it affects all domains on the policy, not just domain1, unless I create a duplicate policy and move domain1 out of it.
I am setting File Analysis to deliver instead of quarantine now because of the delay, but this defeats the whole purpose of stopping zero-day Office docs, which are unable to be scanned effectively by AV & Malware.
Any way to monitor infected files that were NOT caught by AV? (monitor mail_log? built-in alerting?) As 90%+ of files flagged by AMP are already flagged by AV also.