Bypass AMP

jtsai8585
Level 1

How would I configure IronPort to bypass File Analysis for specific domains that send us email continuously with attachments? File Analysis is configured to Quarantine and I see files get backed up in the quarantine pending File Analysis. I would like these specific documents to flow through quickly.

Accepted Solution

Hello,

The easiest method has already been mentioned, where you would need to either set up a new mail policy and disable AMP on that policy and/or disable AMP for any mail policies that include senders you wish to exclude from AMP scanning.

Another option would be to set up a message filter similar to the one below:

+++

SKIP-AMP:
if (mail-from == "(?i)@cisco\\.com")
{
log-entry("*** SKIP AMP-CHECK ***");
skip-ampcheck();
}
.

+++

or

+++

SKIP-AMP-DICTIONARY:
if (mail-from-dictionary-match ('SKIP-AMP-DOMAINS'))
{
log-entry("*** SKIP AMP-CHECK-DICTIONARY ***");
skip-ampcheck();
}
.

+++

Thanks!

-Dennis M.

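Added example (not from the thread or from Cisco): a Python emulation of how the two posted filter conditions decide on constructed sample envelope senders. It assumes `mail-from ==` is an unanchored regex match, as in the posted filter (`\\.` in the filter string is a single escaped dot in the regex), and emulates the dictionary condition as an exact-domain comparison. It shows that the unanchored pattern also fires for a sender whose domain merely starts with cisco.com, which an end anchor prevents.

```python
import re

# Constructed sample envelope senders (MAIL FROM); not taken from the thread.
SAMPLE_SENDERS = [
    "alice@cisco.com",
    "Bob@CISCO.COM",
    "mailer@cisco.com.example.net",  # trusted domain is only a prefix of the real domain
    "eve@notcisco.com",
    "partner@example.org",
]

# Pattern as posted in the thread: case-insensitive, no anchors.
POSTED_PATTERN = r"(?i)@cisco\.com"
# Same pattern with an end anchor, so only the exact domain can match.
ANCHORED_PATTERN = r"(?i)@cisco\.com$"

# Stand-in for the SKIP-AMP-DOMAINS dictionary (assumed to hold plain domain names).
SKIP_AMP_DOMAINS = {"cisco.com"}


def skip_amp_regex(sender, pattern):
    """Emulate mail-from == "<regex>": fires if the regex matches anywhere in the sender."""
    return re.search(pattern, sender) is not None


def skip_amp_dictionary(sender, domains):
    """Emulate mail-from-dictionary-match as an exact, case-insensitive domain comparison."""
    _, sep, domain = sender.rpartition("@")
    return bool(sep) and domain.lower() in {d.lower() for d in domains}


def evaluate(senders, pattern, domains):
    """Return {sender: (regex rule fires, dictionary rule fires)} for each sample sender."""
    return {s: (skip_amp_regex(s, pattern), skip_amp_dictionary(s, domains)) for s in senders}


if __name__ == "__main__":
    for sender, (by_regex, by_dict) in evaluate(SAMPLE_SENDERS, POSTED_PATTERN, SKIP_AMP_DOMAINS).items():
        print(f"{sender:32} regex={by_regex!s:5} dictionary={by_dict}")
```

Run it to see that only the look-alike sender differs between the two rules; adding the `$` anchor (ANCHORED_PATTERN) brings the regex rule in line with the dictionary result.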

7 Replies

Create a new incoming mail policy, give it a name, and set it to be inserted before your other policies. Click on "Add user", set the domain you want to skip as a sender, and click OK.

Then in the grid, click on "(use default)" under "Advanced Malware Protection" and select "No".

You are suggesting creating duplicate policy for every policy I have where above each one, there is one to skip AMP?  Sounds really inefficient and I'll need to create a lot of bypass policies....

No, I said create "a new incoming policy", i.e. ONE, before your other policies.

If you were to put one between policies, you'd only ever hit the top one, as the policy engine works top down, and only fires on one policy...

Each policy I have is capturing various domain names and email addresses with different settings for Content Filters. If I set just 1 policy above all, it will affect AMP, yes, but it will also affect all of my other policies where the domain / email exist. So this is not doable unless I create a duplicate policy for every existing one. That would be difficult to manage.

You can certainly modify the AMP configuration for your existing incoming mail policies without creating duplicates.

If you have a mail policy specific for domain1.com for example, you could modify the AMP configuration for that domain. You do not need to add another mail policy for domain1.com.

However, if you have domain2.com for which there are no existing incoming mail policies then we would need to create a new one as Ken suggested.

As the objective is to prevent File Analysis from quarantining emails, you could just modify the action for AMP from quarantine to deliver instead of turning it off completely, if you still wish for them to be scanned.

- Libin V

I don't think this can be done cleanly in the mail policy. The policy may contain domain1, but it also contains domain2 through 50. If I modify the AMP policy on this layer, it affects all domains on the policy, not just domain1, unless I create a duplicate policy and move domain1 out of it.

I am setting File Analysis for deliver instead of quarantine now because of the delay but this defeats the whole purpose of stopping zero day office docs which are unable to be scanned effectively by AV & Malware.

Any way to monitor infected files that were NOT caught by AV? (monitor mail_logs? built-in alerting?) As 90%+ of files flagged by AMP are already flagged by AV as well.
