
Cisco Ironport ESA - Security Services / Scan Behavior - Impact on AV- & Spam-Scanning?

Linuxy
Level 1

Hi,

 

the administration guide for the ESA (v. 11.1) states:

 

"You can control the behavior of body and attachment scanning, such as the attachment types to be skipped during a scan by configuring the scanning parameters. Use the Scan Behavior page or ... Scan behavior settings are global settings, meaning that they affect the behavior of all the scans."

 

So I am wondering if these settings only apply to the attachment scanning of content filters, or also to the AV and spam engines?

 

Thanks and best regards

 

 

Accepted Solutions

ppreenja
Cisco Employee
Hi Linuxy,

The scanconfig command controls body and attachment scanning in filters only.

The scanconfig command controls the behavior of body and attachment scanning, including specifying the encodings to use when scanning attachments and which attachment types should be skipped when scanning.

The scanconfig command sets these parameters:
1) MIME types of video/*, audio/*, image/* or anything that appears to be a PDF file are skipped (not scanned for content).
2) Nested (recursive) archive attachments up to 50 levels are scanned. (The default is 5 levels.)
3) The maximum size for attachments to be scanned is 25 MB; anything larger will be skipped. (The default is 5 MB, and the value must be an integer from 0 to 26214400.)
4) Attachments that were not scanned are assumed to not match the search pattern. (This is the default behavior.)

Reference article: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118119-qanda-esa-00.html

For AV and AS engines, you can have the scan settings configured separately as below:

Antivirus
Login to GUI of ESA and follow the below path:
Security Services-->Anti-Virus-->SOPHOS/McAfee--> Edit Global Settings

Antispam
Login to GUI of ESA and follow the below path:
Security Services-->Anti-SPAM-->Ironport Anti-spam/IMS--> Edit Global Settings

I hope this helps.

Cheers,
Pratham
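
Point 4 of the answer means anything skipped under points 1 to 3 is treated as a non-match by filters. As an added example (not code from the thread or from Cisco), the Python below lists which attachments of a message would fall outside filter scanning under those settings; the function names, the zip-only nesting check and the `%PDF-` test are assumptions of the example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SKIP_PREFIXES = ("video/", "audio/", "image/", "application/pdf")  # from the answer

def zip_depth(data, limit):
    """Count nested zip levels, giving up one level past `limit`."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return 0
    if limit == 0:
        return 1
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return 1 + max((zip_depth(zf.read(n), limit - 1) for n in zf.namelist()), default=0)

def unscanned_attachments(raw, max_size=5 * 1024 * 1024, max_depth=5):
    """Model of the thread's settings, not ESA code: (filename, reason) per skipped file."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Assumption: "appears to be a PDF" is modelled as the %PDF- magic bytes.
        if data.startswith(b"%PDF-") or part.get_content_type().startswith(SKIP_PREFIXES):
            reason = "skipped type"
        elif len(data) > max_size:
            reason = "larger than maximum scan size"
        elif zip_depth(data, max_depth) > max_depth:
            reason = "archive nested deeper than scan limit"
        else:
            continue
        findings.append((part.get_filename(), reason))
    return findings

def build_sample():
    """Constructed message: a text file, an image, and a 6-level nested zip."""
    msg = EmailMessage()
    msg.set_content("body")
    msg.add_attachment("pattern", filename="note.txt")
    msg.add_attachment(b"\x89PNG constructed", maintype="image", subtype="png", filename="logo.png")
    blob = b"pattern"
    for level in range(6):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(f"level{level}", blob)
        blob = buf.getvalue()
    msg.add_attachment(blob, maintype="application", subtype="zip", filename="nested.zip")
    return msg.as_bytes()
```

With the defaults quoted in the answer, `unscanned_attachments(build_sample())` reports `logo.png` and `nested.zip`; both would count as not matching any filter pattern, so any size or type control has to come from a separate filter condition or from the AV and AS engines.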


pchakra2
Cisco Employee

The scanconfig related settings apply to only Filters (Content or Message).

 

The AS and AV engines have their defined thresholds to be configured under the respective security services.

Hi @pchakra2 

 

OK, thanks, and what does this setting apply to then?

 

Best regards 

 

 

 

Hello,

 

If I understood you correctly, you asked where the scanconfig thresholds apply.

 

The scanconfig related threshold applies to Filters (Content and Message).

 

Best Regards,


@ppreenja wrote:

For AV and AS engines, you can have the scan settings configured separately as below:

Antivirus
Login to GUI of ESA and follow the below path:
Security Services-->Anti-Virus-->SOPHOS/McAfee--> Edit Global Settings

Antispam
Login to GUI of ESA and follow the below path:
Security Services-->Anti-SPAM-->Ironport Anti-spam/IMS--> Edit Global Settings

I hope this helps.

Cheers,
Pratham

Hi, sorry for bringing this old topic back to life, but I just wanted to increase the file size limit for the antivirus scanner. We are on AsyncOS 12.5 and the global settings for the AV scanner don't contain any options for file size. Where exactly do I set this in 12.5?

 

Thanks

 

Hi,

Currently, all attachments are scanned by the AV engines irrespective of their size, and there is no option available to configure the scan size for AV. There is already an enhancement request in place for the same, as below:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv03680

Please add yourself to the notifications once any fix is in place.

Cheers,
Pratham

Hi @ppreenja,

 

thanks. If all attachments get scanned, regardless of size, why do we get alerts from our ESA that files could not be scanned due to large file size? I looked at the bug that was posted earlier in this thread, but that bug does not seem to apply to AsyncOS 12.5+. 

Thanks

Sascha

 

Hi Sascha,

The alert you get from the ESA that a file could not be scanned due to large file size might be for the antispam engine, as we usually see the same error there.

For your query on the enhancement not mentioning your AsyncOS version: enhancements usually mention the AsyncOS version for which they were reported and usually cover all AsyncOS versions later than the one mentioned, until we have the new feature in a newer version.

I hope the above answers your query.

Cheers,
Pratham

Yes, that explains it, thank you.

 

 
