Change unscannable attachment AV behavior for specific mail servers
My default Mail Policies for Anti-Virus are set to quarantine attachments that are unscannable, which is acceptable for 99% of the senders I receive mail from. However, I have a few vendors who will randomly send me unscannable attachments (PDF) due to different employees using different products to generate the PDF, where sometimes they can be scanned and other times they cannot.
I'd like to change the behavior of unscannable attachments for these senders. I know I can do this with a new Mail Policy set to target the senders' email addresses/domain and the associated AV actions set to deliver unscannable items. However, this is susceptible to spoofing of the email address and could allow unscannable attachments to be delivered from an untrusted source. So, I would like to add another layer of checking, the mail server IP. The vendors in question run their own dedicated mail servers and are not on a shared mail service.
So I was thinking I can still create a new Mail Policy to target the sender email addresses/domains, but set the unscannable action to add a custom header (i.e. X-AV-UNSCANNABLE). Create an Incoming Content Filter that looks for the X-AV-UNSCANNABLE custom header AND checks that "Remote IP/Hostname" is NOT one of the IPs I want to allow unscannable attachments from. Set the action to drop attachments and quarantine. Apply this Incoming Content Filter to the Mail Policy that targets these specific email addresses/domain.
This combination would thus drop/quarantine attachments if someone is spoofing a trusted vendor email address/domain and sends an unscannable attachment. Since this content filter would only ever apply in the first place if the envelope sender is a trusted vendor, it should minimize processing load.
The one quirk in this idea that I've found so far is that "Remote IP/Hostname" cannot take a dictionary list and only accepts 1 entry. This would require me to create 1 content filter per remote mail server IP/hostname and stack those content filters on the associated mail policy. Right now this only impacts 2 vendors so only 2 content filters, but there is possibility for this to grow over time.
Does this sound like it will do what I want it to do? Any concerns with additional load from this? (I use Cisco Hosted Email Security, not on-prem appliances). Other concerns? Better ways to do this? Am I being too paranoid?
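The decision logic the post describes (vendor mail policy matched on envelope sender, AV stage that tags instead of quarantines, content filter that quarantines when the tag is present and the connecting server is not on the vendor's allowlist) is easier to reason about when written out as a small evaluator. The following is an added example, not Cisco ESA configuration or any Cisco code; the vendor domains, the RFC 5737 documentation addresses, and the action names are constructed for illustration. It models the allowlist as a set of networks per vendor domain, which is the intended semantics of the plan; how that set is expressed in the product's single-entry "Remote IP/Hostname" condition is a separate question, and note that stacking one "NOT server-1" filter and one "NOT server-2" filter would not reproduce this set logic, since a message from server 2 still matches the "NOT server-1" filter. The evaluator is fail-safe for a pre-injected X-AV-UNSCANNABLE header: a spoofed message that already carries the tag from a non-allowlisted address is still quarantined.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed vendor table for this example (hypothetical domains, RFC 5737 addresses):
# envelope-sender domain -> networks of that vendor's own dedicated mail servers.
TRUSTED_VENDORS = {
    "vendor-a.example": [ipaddress.ip_network("203.0.113.10/32")],
    "vendor-b.example": [ipaddress.ip_network("198.51.100.0/29")],
}
UNSCANNABLE_HEADER = "X-AV-UNSCANNABLE"


@dataclass
class Message:
    envelope_sender: str
    remote_ip: str            # connecting MTA address as seen by the mail gateway
    unscannable: bool         # AV engine could not scan at least one attachment
    headers: dict = field(default_factory=dict)


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def select_policy(msg: Message) -> str:
    """Mail policy selection: the vendor policy matches on envelope sender domain only,
    which is the spoofable first layer the post is worried about."""
    return "vendor" if sender_domain(msg.envelope_sender) in TRUSTED_VENDORS else "default"


def av_action(msg: Message, policy: str) -> str:
    """AV stage. The default policy quarantines unscannable mail outright; the vendor
    policy only adds the custom header so the content filter can decide afterwards."""
    if not msg.unscannable:
        return "continue"
    if policy == "default":
        return "quarantine"
    msg.headers[UNSCANNABLE_HEADER] = "true"
    return "continue"


def from_trusted_server(msg: Message) -> bool:
    """Second layer: the remote IP must belong to the claimed sender domain's own servers."""
    networks = TRUSTED_VENDORS.get(sender_domain(msg.envelope_sender), [])
    ip = ipaddress.ip_address(msg.remote_ip)
    return any(ip in net for net in networks)


def content_filter(msg: Message) -> str:
    """Incoming content filter attached to the vendor policy: tag present AND remote IP
    not on that vendor's allowlist -> drop attachments and quarantine."""
    if UNSCANNABLE_HEADER in msg.headers and not from_trusted_server(msg):
        return "drop_attachments_and_quarantine"
    return "deliver"


def evaluate(msg: Message) -> str:
    """Run one message through policy selection, AV action and the content filter."""
    policy = select_policy(msg)
    result = av_action(msg, policy)
    if result != "continue":
        return result
    return content_filter(msg) if policy == "vendor" else "deliver"


if __name__ == "__main__":
    # Constructed sample traffic: genuine vendor, spoofed vendor, and an unrelated sender.
    samples = [
        Message("ap@vendor-a.example", "203.0.113.10", unscannable=True),
        Message("ap@vendor-a.example", "192.0.2.77", unscannable=True),
        Message("ap@vendor-a.example", "192.0.2.77", unscannable=False),
        Message("ap@vendor-a.example", "192.0.2.77", unscannable=False,
                headers={UNSCANNABLE_HEADER: "true"}),   # tag injected by the sender
        Message("someone@other.example", "192.0.2.77", unscannable=True),
    ]
    for m in samples:
        print(f"{m.envelope_sender:28} {m.remote_ip:14} unscannable={m.unscannable!s:5} -> {evaluate(m)}")
```

Because the header is only ever a trigger for a stricter action, an attacker who injects it gains nothing; the case worth watching is the reverse one, a scannable-looking message that the engine later treats differently, which this model does not cover.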