Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3920
Views
5
Helpful
3
Replies

Bypass ESA AMP for Sender

Go to solution
Greg Hopp
Level 1
Level 1

‎12-04-2017 12:52 PM - edited ‎03-08-2019 07:29 PM

I have a phishing training vendor who wants to send us email with file attachments.  The attachments contain VB code that makes my Ironport's AMP service think they are malicious.  The attachments get uploaded to a sandbox for analysis, test positive for malware, and the Ironport dutifully deletes them from the AMP quarantine.

 

Is there  a way to whitelist a particular sender so file attachments are not uploaded to Talos for AMP inspection?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee

‎12-04-2017 03:47 PM

To bypass amp scanning for a particular sender you could either add a message filter from the CLI with action skip-ampcheck() ; or create a separate incoming mail policy from the WebUI with the sender as a member and turn off amp scanning for that particular incoming mail policy.

 

Regards 

Libin Varghese 

View solution in original post

Go to solution
Greg Hopp
Level 1
Level 1
In response to Libin Varghese

‎12-12-2017 04:41 AM

Libin,

That did the trick, thanks.  I was focused on Content Filters and sorta forgot about creating a new policy.  My solution was to create a policy that skips ALL scans: anti-Spam, anti-Virus, AMP, Graymail, Content & Outbreak filters in order to allow the email with the attachment through.

That's not exactly a desirable policy to apply to everyone, so I narrowed the policy down to just the sender domains the phishing email would be coming from by clicking "Following Senders" and entering in the domains separated by commas.  That seems to work great.  Our phish tests for employees have resumed!

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee

‎12-04-2017 03:47 PM

To bypass amp scanning for a particular sender you could either add a message filter from the CLI with action skip-ampcheck() ; or create a separate incoming mail policy from the WebUI with the sender as a member and turn off amp scanning for that particular incoming mail policy.

 

Regards 

Libin Varghese 

Go to solution
Greg Hopp
Level 1
Level 1
In response to Libin Varghese

‎12-12-2017 04:41 AM

Libin,

That did the trick, thanks.  I was focused on Content Filters and sorta forgot about creating a new policy.  My solution was to create a policy that skips ALL scans: anti-Spam, anti-Virus, AMP, Graymail, Content & Outbreak filters in order to allow the email with the attachment through.

That's not exactly a desirable policy to apply to everyone, so I narrowed the policy down to just the sender domains the phishing email would be coming from by clicking "Following Senders" and entering in the domains separated by commas.  That seems to work great.  Our phish tests for employees have resumed!

0 Helpful

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee
In response to Greg Hopp

‎12-12-2017 04:42 AM

Glad to hear its working as per your requirement.

 

- Libin V

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents