Change unscannable attachment AV behavior for specific mail servers
My default Mail Policies for Anti-Virus are set to quarantine attachments that are unscannable, which is acceptable for 99% of the senders I receive mail from. However, I have a few vendors who will randomly send me unscannable attachments (PDF) due to different employees using different products to generate the PDF, where sometimes they can be scanned and other times they cannot.
I'd like to change the behavior of unscannable attachments for these senders. I know I can do this with a new Mail Policy set to target the senders' email addresses/domain and the associated AV actions set to deliver unscannable items. However, this is susceptible to spoofing of the email address and could allow unscannable attachments to be delivered from an untrusted source. So, I would like to add another layer of checking: the mail server IP. The vendors in question run their own dedicated mail servers and are not on a shared mail service.
So I was thinking I can still create a new Mail Policy to target the sender email addresses/domains, but set the unscannable action to add a custom header (i.e. X-AV-UNSCANNABLE). Create an Incoming Content Filter that looks for the X-AV-UNSCANNABLE custom header AND checks that "Remote IP/Hostname" is NOT one of the IPs I want to allow unscannable attachments from. Set the action to drop attachments and quarantine. Apply this Incoming Content Filter to the Mail Policy that targets these specific email addresses/domains.
This combination would thus drop/quarantine attachments if someone is spoofing a trusted vendor email address/domain and sends an unscannable attachment. Since these content filters would only ever apply in the first place if the envelope sender is a trusted vendor, it should minimize processing load.
The one quirk in this idea that I've found so far is that "Remote IP/Hostname" cannot take a dictionary list and only accepts 1 entry. This would require me to create 1 content filter per remote mail server IP/hostname and stack those content filters on the associated mail policy. Right now this only impacts 2 vendors, so only 2 content filters, but there is the possibility for this to grow over time.
Does this sound like it will do what I want it to do? Any concerns with additional load from this? (I use Cisco Hosted Email Security, not on-prem appliances). Other concerns? Better ways to do this? Am I being too paranoid?
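As an added illustration, and not part of the original post or of any Cisco ESA/CES configuration, the Python below models the decision that the proposed mail policy plus content filter combination makes for a message: the vendor policy tags an unscannable attachment with the custom header instead of quarantining it, and the content filter then quarantines only when that header is present and the connecting server is not one of the vendor's own. Vendor domains, IP ranges (RFC 5737 documentation addresses) and all sample messages are constructed here and are assumptions. The model goes slightly beyond the stacked per-IP filters in the post in one respect: the allowed servers are keyed per vendor domain, so vendor A's server cannot deliver an unscannable attachment under vendor B's domain, and a single allowlist can hold several hosts or a CIDR block per vendor.

```python
"""
Model of the layered check for unscannable attachments:
deliver only when the envelope-sender domain is a trusted vendor AND the
connecting MTA's IP is one of that vendor's own servers; quarantine otherwise.
This is illustrative logic, not ESA/CES configuration syntax.
"""
import ipaddress
from dataclasses import dataclass, field

UNSCANNABLE_HEADER = "X-AV-UNSCANNABLE"  # custom header the AV action adds

# Hypothetical allowlist: vendor sender domain -> networks its MTAs send from.
# Several hosts or a CIDR block per vendor; the GUI condition takes one entry.
TRUSTED_VENDORS = {
    "vendor-a.example": [ipaddress.ip_network("203.0.113.10/32"),
                         ipaddress.ip_network("203.0.113.11/32")],
    "vendor-b.example": [ipaddress.ip_network("198.51.100.0/28")],
}


@dataclass
class Message:
    mail_from: str                # envelope sender (MAIL FROM)
    remote_ip: str                # IP of the connecting MTA
    unscannable: bool = False     # AV engine verdict for the attachment
    headers: dict = field(default_factory=dict)


def sender_domain(mail_from: str) -> str:
    """Envelope-sender domain, lower-cased; empty for a null sender."""
    return mail_from.rpartition("@")[2].lower()


def content_filter(msg: Message) -> str:
    """
    Incoming content filter attached to the vendor mail policy.
    Fires only when the custom header is present AND the remote IP is NOT
    one of the vendor's own servers. Returns "deliver" or "quarantine".
    """
    if UNSCANNABLE_HEADER not in msg.headers:
        return "deliver"                      # scanned: nothing to do
    ip = ipaddress.ip_address(msg.remote_ip)
    allowed = TRUSTED_VENDORS.get(sender_domain(msg.mail_from), [])
    if any(ip in net for net in allowed):
        return "deliver"                      # vendor's own MTA: accept
    return "quarantine"                       # trusted address, wrong source


def dispose(msg: Message) -> str:
    """Run one message through the default policy or the vendor policy."""
    # The header must mean exactly "our AV engine could not scan this", so
    # drop any copy the sender supplied; it cannot create a bypass either
    # way, but it should not be able to trigger a false quarantine.
    msg.headers.pop(UNSCANNABLE_HEADER, None)
    if sender_domain(msg.mail_from) not in TRUSTED_VENDORS:
        # Default mail policy: unscannable attachments are quarantined.
        return "quarantine" if msg.unscannable else "deliver"
    # Vendor mail policy: AV action is "add custom header", not quarantine.
    if msg.unscannable:
        msg.headers[UNSCANNABLE_HEADER] = "yes"
    return content_filter(msg)


if __name__ == "__main__":
    samples = [  # constructed messages
        Message("ap@vendor-a.example", "203.0.113.10", unscannable=True),
        Message("ap@vendor-a.example", "192.0.2.5", unscannable=True),
        Message("ap@vendor-a.example", "198.51.100.3", unscannable=True),
        Message("ap@vendor-b.example", "198.51.100.3", unscannable=True),
        Message("ap@vendor-a.example", "192.0.2.5", unscannable=False,
                headers={UNSCANNABLE_HEADER: "yes"}),
        Message("x@other.example", "192.0.2.9", unscannable=True),
    ]
    for m in samples:
        print(f"{m.mail_from:24} {m.remote_ip:14} -> {dispose(m)}")
```

Each vendor's servers live in one allowlist entry, so adding a third vendor is one more dictionary line rather than another stacked filter; whether the hosted service exposes an equivalent multi-entry condition is something to confirm with Cisco, and the model makes no claim about that.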