Beginner

Bypass ESA AMP for Sender

I have a phishing training vendor who wants to send us email with file attachments. The attachments contain VB code that makes my Ironport's AMP service think they are malicious. The attachments get uploaded to a sandbox for analysis, test positive for malware, and the Ironport dutifully deletes them from the AMP quarantine.

 

Is there a way to whitelist a particular sender so file attachments are not uploaded to Talos for AMP inspection?

Accepted Solutions
Cisco Employee

Re: Bypass ESA AMP for Sender

To bypass AMP scanning for a particular sender you could either add a message filter from the CLI with the action skip-ampcheck(); or create a separate incoming mail policy from the WebUI with the sender as a member and turn off AMP scanning for that particular incoming mail policy.

 

Regards 

Libin Varghese 

Beginner

Re: Bypass ESA AMP for Sender

Libin,

That did the trick, thanks. I was focused on Content Filters and sorta forgot about creating a new policy. My solution was to create a policy that skips ALL scans: anti-Spam, anti-Virus, AMP, Graymail, Content & Outbreak filters in order to allow the email with the attachment through.

That's not exactly a desirable policy to apply to everyone, so I narrowed the policy down to just the sender domains the phishing email would be coming from by clicking "Following Senders" and entering in the domains separated by commas. That seems to work great. Our phish tests for employees have resumed!
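The CLI message-filter route from the accepted answer, written out as an added example (this is not from the thread, and the vendor domain is a constructed placeholder). Unlike the follow-up post's policy, which turned off every engine for the vendor's domains, this filter skips only AMP, so anti-spam, anti-virus, graymail, content and outbreak scanning still run on that mail. Because mail-from matches the envelope sender, which can be forged, keep the pattern limited to the vendor's actual sending domains.

```text
skip_amp_phish_vendor:
if (mail-from == "@phish-vendor\\.example$")
{
    log-entry("Skipping AMP for phishing-training vendor $EnvelopeFrom");
    skip-ampcheck();
}
```

Add it with the `filters` CLI command (`new`), then `commit`; the log-entry action records every bypass in the mail logs so the exception stays auditable.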

3 REPLIES
Cisco Employee

Re: Bypass ESA AMP for Sender

Glad to hear it's working as per your requirement.

 

- Libin V