cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3804
Views
5
Helpful
3
Replies

Bypass ESA AMP for Sender

Greg Hopp
Beginner
Beginner

I have a phishing training vendor who wants to send us email with file attachments.  The attachments contain VB code that makes my Ironport's AMP service think they are malicious.  The attachments get uploaded to a sandbox for analysis, test positive for malware, and the Ironport dutifully deletes them from the AMP quarantine.

 

Is there  a way to whitelist a particular sender so file attachments are not uploaded to Talos for AMP inspection?

2 Accepted Solutions

Accepted Solutions

Libin Varghese
Cisco Employee
Cisco Employee

To bypass amp scanning for a particular sender you could either add a message filter from the CLI with action skip-ampcheck() ; or create a separate incoming mail policy from the WebUI with the sender as a member and turn off amp scanning for that particular incoming mail policy.

 

Regards 

Libin Varghese 

View solution in original post

Libin,

That did the trick, thanks.  I was focused on Content Filters and sorta forgot about creating a new policy.  My solution was to create a policy that skips ALL scans: anti-Spam, anti-Virus, AMP, Graymail, Content & Outbreak filters in order to allow the email with the attachment through.

That's not exactly a desirable policy to apply to everyone, so I narrowed the policy down to just the sender domains the phishing email would be coming from by clicking "Following Senders" and entering in the domains separated by commas.  That seems to work great.  Our phish tests for employees have resumed!

View solution in original post

3 Replies 3

Libin Varghese
Cisco Employee
Cisco Employee

To bypass amp scanning for a particular sender you could either add a message filter from the CLI with action skip-ampcheck() ; or create a separate incoming mail policy from the WebUI with the sender as a member and turn off amp scanning for that particular incoming mail policy.

 

Regards 

Libin Varghese 

Libin,

That did the trick, thanks.  I was focused on Content Filters and sorta forgot about creating a new policy.  My solution was to create a policy that skips ALL scans: anti-Spam, anti-Virus, AMP, Graymail, Content & Outbreak filters in order to allow the email with the attachment through.

That's not exactly a desirable policy to apply to everyone, so I narrowed the policy down to just the sender domains the phishing email would be coming from by clicking "Following Senders" and entering in the domains separated by commas.  That seems to work great.  Our phish tests for employees have resumed!

Glad to hear its working as per your requirement.

 

- Libin V

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: