Content Filter acts before antivirus module

ismailov9991
Level 1

Hi, I have a content filter on IronPort that copies incoming messages to several mailboxes.

A message with a virus came to one mailbox. At first IronPort copied this message to the other mailboxes and then put the message in quarantine. (Screenshot attached)

Users received this message with the virus.

Why didn't IronPort put it in quarantine first? Why did it copy the message before the antivirus module?


Mathew Huynh
Cisco Employee

Hello Ismail,

The reason for this is that the quarantine action on the AV engine flags the email for quarantining but still pushes the email through the rest of the queue and services.

As such the email will be going through the content filters, and here it will trigger against that BCC filter before going to the quarantine, so the copy will be sent, and once it finishes all content filters it will be quarantined.

So to stop this behaviour I would advise editing your anti-virus setting: where a virus is found on the email (as you have set it to quarantine), click on the Advanced tab and add a custom header with a value such as X-Virus and True.

Then add a new content filter.

Condition -> Other Header -> X-Virus -> Value : True

Action -> Skip remaining content filters

And order this above your BCC filter.

This way if it is required to go to the quarantine, it will not trigger on other filters and go right to the quarantine.

Regards,

Matthew

If I change the action to Drop Message with Virus, will it help to drop the message before the content filter works?

Hello Ismail,

Yep, that will drop immediately.

All drop actions on the services and filters are immediate actions, so it will not go through any other services or filters.

I hope this helps.

Thanks!

Matthew
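A small Python model, added here as an illustration and not code from this thread or from Cisco/AsyncOS, of the ordering Matthew describes in both replies: an AV quarantine verdict flags the message but lets it continue through the content filters (so the BCC copy goes out unless an X-Virus header filter that skips the remaining filters is ordered above the BCC filter), while a drop action stops processing immediately. The filter names, mailbox addresses and sample messages are constructed.

```python
# Added toy model of the ordering described in this thread; not AsyncOS code.
# AV verdict "quarantine" flags the message but lets it continue through the
# content filters; "drop" stops processing immediately.
def run_pipeline(msg, av_action, content_filters):
    """Return (copies_sent, final_disposition) for one inbound message.
    msg: dict with 'headers' and 'has_virus' (constructed sample input).
    av_action: 'quarantine' or 'drop', the anti-virus setting for infected mail.
    content_filters: ordered (name, condition_fn, action) tuples; action is
        ('bcc', [mailboxes]) or ('skip_remaining',).
    """
    headers = dict(msg["headers"])
    copies = []
    disposition = "deliver"
    if msg["has_virus"]:
        if av_action == "drop":
            return copies, "dropped"      # drop is immediate: nothing else runs
        disposition = "quarantine"        # flagged, but processing continues
        headers["X-Virus"] = "True"       # custom header set in AV advanced settings
    for _name, condition, action in content_filters:
        if not condition(headers):
            continue
        if action[0] == "bcc":
            copies.extend(action[1])      # the copy is sent at this point
        elif action[0] == "skip_remaining":
            break                         # later content filters never run
    return copies, disposition

# Filters as the thread describes them (names and mailboxes are constructed).
MAILBOXES = ["archive@example.com", "audit@example.com"]
BCC_FILTER = ("bcc_copies", lambda h: True, ("bcc", MAILBOXES))
SKIP_IF_VIRUS = ("skip_if_virus", lambda h: h.get("X-Virus") == "True", ("skip_remaining",))

INFECTED = {"headers": {"From": "sender@example.net"}, "has_virus": True}
CLEAN = {"headers": {"From": "sender@example.net"}, "has_virus": False}

def before_fix():     # only the BCC filter: copies go out, then quarantine
    return run_pipeline(INFECTED, "quarantine", [BCC_FILTER])

def after_fix():      # skip filter ordered above BCC: no copies, quarantine
    return run_pipeline(INFECTED, "quarantine", [SKIP_IF_VIRUS, BCC_FILTER])

def wrong_order():    # skip filter below BCC: copies still go out
    return run_pipeline(INFECTED, "quarantine", [BCC_FILTER, SKIP_IF_VIRUS])

def drop_setting():   # AV action Drop: immediate, no filter runs
    return run_pipeline(INFECTED, "drop", [BCC_FILTER])

def clean_mail():     # legitimate mail is still copied after the fix
    return run_pipeline(CLEAN, "quarantine", [SKIP_IF_VIRUS, BCC_FILTER])
```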

I can drop a virus message or skip the BCC filter if the message has a header.

But what can I do if the message is spam? Sometimes good messages are marked as spam, and I can't drop it or skip the BCC filter if the message has a header.

I can't look at all spam messages with the header in quarantine, because there are a lot of spam messages. I can look at all virus messages with the header in quarantine; there are few.

Hello Alibek,

For your question, if you believe the spam engine is marking an email as positive spam when it should not be, what I would suggest is:

Create a separate mail policy and add the Envelope Sender of the email that has been triggered as a false positive.

On the policy, set spam scanning to deliver positive spam as is or quarantine it to the spam quarantine.

Set your Spam quarantine options to 'notify Cisco on release'.

Once done, when emails from this sender are falsely marked as spam and go into the quarantine, and you release them, it will send a copy to the Cisco Spam database to show that this email should be marked as legitimate.

Then if the automated system does not correct it and you see it recur, please contact Cisco TAC and let us know of the emails in question (sender, recipient, subject) that were being marked this way so we can investigate it for you in your TAC case.

Regards,

Matthew