Cisco Secure Email Support Community
Greg Hopp
Beginner

Bypass ESA AMP for Sender

I have a phishing training vendor who wants to send us email with file attachments. The attachments contain VB code that makes my Ironport's AMP service think they are malicious. The attachments get uploaded to a sandbox for analysis, test positive for malware, and the Ironport dutifully deletes them from the AMP quarantine.

Is there a way to whitelist a particular sender so file attachments are not uploaded to Talos for AMP inspection?

Libin Varghese
Cisco Employee

To bypass AMP scanning for a particular sender you could either add a message filter from the CLI with the action skip-ampcheck(); or create a separate incoming mail policy from the WebUI with the sender as a member and turn off AMP scanning for that particular incoming mail policy.

Regards

Libin Varghese

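A concrete message filter for the first option, added here as an illustration; it is not code from the thread or from Cisco's documentation. The vendor domain and address range are placeholders (assumed), and the filter deliberately requires both the envelope-sender domain and the connecting IP range to match: mail-from alone is trivially forged, and a bypass keyed only on the sender address would let anyone impersonating the vendor deliver attachments that never reach AMP.

```text
bypass_amp_phish_vendor:
if ((mail-from == "@phishvendor\\.example$") AND (remote-ip == "192.0.2.0/24"))
{
    log-entry("AMP bypass: phishing-simulation vendor");
    skip-ampcheck();
}
```

Enter the script from the CLI with `filters` > `new`, end it with a line containing only `.`, then `commit`. The `log-entry()` action writes a line into `mail_logs` for each message that took the bypass, which is the easiest way to confirm the filter matched only the vendor's mail and nothing else. Note that `skip-ampcheck()` exempts a message from AMP only; anti-virus, anti-spam and content filters still run, so if the VB macros are also flagged by the anti-virus engine the same filter would need `skip-viruscheck()` as well, and that widening should be written down and reviewed rather than applied silently. The same spoofing caveat applies to the incoming-mail-policy route: policy membership is matched on sender addresses, so pair it with a HAT sender group or a filter condition on the connecting IP.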
Libin,

That did the trick, thanks. I was focused on Content Filters and sorta forgot about creating a new policy. My solution was to create a policy that skips ALL scans: anti-Spam, anti-Virus, AMP, Graymail, Content & Outbreak filters in order to allow the email with the attachment through.

That's not exactly a desirable policy to apply to everyone, so I narrowed the policy down to just the sender domains the phishing email would be coming from by clicking "Following Senders" and entering in the domains separated by commas. That seems to work great. Our phish tests for employees have resumed!


Glad to hear it's working as per your requirement.

- Libin V