01-23-2017 12:51 AM
Hello,
Is there some way to define an action to delay messages for a certain time period and reprocess them again?
For example: I set a condition as I like, to forward the message to a special quarantine; that quarantine has a specific time range set in which the message gets scanned again.
Basically something like "I am unsure if this message is malicious, so I will hold it back until a new ruleset of whatever engine (CASE, Outbreak, etc.) arrives", OR basically a message filter command to put a message into the Outbreak Filter pipeline.
Any ideas?
Much appreciated.
Thank you.
Best regards,
Daniel
01-23-2017 05:49 AM
Hi Daniel,
I would recommend enabling the AMP (File Analysis and File Reputation) feature to temporarily quarantine emails with attachments of unknown reputation. The emails are held in the file analysis quarantine for up to 1 hour (can be configured) while the attachment is analysed by the Cisco cloud server.
Please refer to Chapter 17 of the end user guide for information on the working of AMP.
http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-7/ESA_9-7_User_Guide.pdf
I currently do not see an option to redirect emails to the outbreak quarantine; however, the file analysis quarantine is designed to perform the task you are looking to accomplish.
Also, do note that an email released from quarantine is not processed through the entire workqueue again.
• Messages released from Policy and Virus quarantines are rescanned by the anti-virus engine.
• Messages released from the Outbreak quarantine are rescanned by the anti-spam and anti-virus engines.
• Messages released from the File Analysis quarantine are rescanned for threats.
• Messages with attachments are rescanned by the file reputation service upon release from Policy, Virus, and Outbreak quarantines.
Thanks
Libin Varghese