ESA AMP - malicious emails delivered, even positively verdicted

starol4711
Level 1

Hello,
sometimes we see that, even though AMP has identified an attachment as "malicious", the mail is delivered to the user's inbox from the AMP quarantine on SMA. There is no indication of this behavior in the logs (the per-day limit is also not reached at this time).

Did anybody see the same behavior? I already discussed this with our consultant, without any result. 

Would it be an approach to apply a message filter again on the released email from SMA? Would a message filter be applied at this point of time?

Thank you,
R.


9 Replies

msaalim
Cisco Employee

Hello,

It's possible that the email in question was released from the PVO of SMA upon reaching the end of its designated retention period. I recommend checking the PVO settings to confirm the retention duration for file analysis. If necessary, adjust these settings to ensure that files are retained for the appropriate length of time, as the default action after the retention period expires is to release the emails.

starol4711
Level 1

Hi,
thanks for your reply! I do not believe this has anything to do with the PVO settings, since it does not affect all emails. The email in question remained about 7 minutes in the "File Analysis" PVO.

What is also striking is the fact that this obviously only affects mails with unknown attachments, which have to be sent to the sandbox for analysis. Based on my research, emails with known malicious files are never delivered to the user's inbox and are blocked as expected.

Since the emails are released from the SMA PVO ("File Analysis") to Exchange, we hit a relay policy which seems to be configured automatically and hidden when centralized quarantine is used.
We currently do not have enabled AMP on outgoing mail policies. Is it recommended to enable AMP also on an outgoing email policy? Since we also write the AMP result into the mail headers, would it be an approach to configure an outgoing content filter which matches emails with this AMP result in the headers? Or are content filters not applied when the email is released from centralized quarantine?

Thank you,
R.

starol4711
Level 1

Hi,
I suspect I have found the reason for this behavior:
AMP only supports "deliver as is" or "drop" for positively detected mails/attachments. Since we have decreased the threshold value for AMP scoring, and this also results in false positive detections, we do not drop the emails but deliver them.
I thought, creating a content filter which matches the X-AMP-Result header and moving the mail into a central quarantine gives us the ability to manually release false positives if needed. But it seems this only works for known hashes, since the result for a known malware hash is immediately available.
On the other hand, the X-AMP-Result header is only written when the mail leaves the file analysis quarantine. However, because no further content or message filters are applied after the release, this email is not moved to the quarantine. Instead, it is delivered directly to the recipient's inbox.
Any approach to handle this behavior? Writing a custom header as the action for malware attachments also seems not to work, because of the missing processing of further content filters when the mail leaves the file analysis quarantine.
Thank you!
R.

saliyev
Cisco Employee

The FA cloud service assigns a threat score to the attachment after scanning it. It then provides this info to the AMP server, which in turn gives this info to the ESA. A message released from SMA File Analysis should again proceed through the ESA's queue processing (mail policy, scanning by engines, as well as AMP). AMP will identify it as malicious if the assigned threat score is equal to or higher than the configured AMP FA score threshold.

You can also share a Message Tracking sample to check.

starol4711
Level 1

Hi,
this is wrong. Released emails from SMA do not go through any filters (no message filter, no content filter, ...), since these filters do not exist on the SMA. The mails are relayed directly from SMA to Exchange.

Salam,
if you are talking about release from the File Analysis quarantine, it shouldn't normally be this way. It should be returned to where it came from.
I recommend tracing the mail from A to Z via mail_logs on ESA and SMA (message injected to ESA -> quarantined to SMA -> in SMA mail_logs find out where the message was delivered ... etc.) to troubleshoot it.
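One way to automate the trace suggested above is to correlate ESA and SMA log lines by MID and flag messages that carried a MALICIOUS AMP verdict yet were delivered anyway. This is an added example, not code from the thread or from Cisco; the sample lines are constructed for the example and their "host: Info: MID n ..." layout is an assumption, not real AsyncOS mail_logs output.

```python
import re
from collections import defaultdict

# Constructed sample lines for this example only: they imitate the "MID <n> ..."
# style of AsyncOS mail_logs but are NOT real ESA/SMA output (an assumption here).
# MID 101 is the thread's case: sent to File Analysis, released by the SMA, verdict
# MALICIOUS, yet delivered. MID 102 is dropped by AMP, MID 103 is clean.
SAMPLE_LOGS = """\
esa: Info: MID 101 ICID 5 From: <sender@example.test>
esa: Info: MID 101 attachment 'invoice.pdf' sent for File Analysis
esa: Info: MID 101 quarantined to "File Analysis" (SMA)
sma: Info: MID 101 released from quarantine "File Analysis"
esa: Info: MID 101 AMP file analysis verdict: MALICIOUS (score 95)
sma: Info: MID 101 delivered to [exchange.example.test]
esa: Info: MID 102 ICID 6 From: <other@example.test>
esa: Info: MID 102 AMP file reputation verdict: MALICIOUS
esa: Info: MID 102 dropped by AMP
esa: Info: MID 103 ICID 7 From: <clean@example.test>
esa: Info: MID 103 AMP file reputation verdict: CLEAN
esa: Info: MID 103 delivered to [exchange.example.test]
"""

LINE_RE = re.compile(r"^(?P<host>\w+): Info: MID (?P<mid>\d+) (?P<msg>.*)$")

def parse_mail_logs(text):
    """Group log lines by MID, keeping (host, message) tuples in the order seen."""
    events = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # lines without a MID are not part of this trace
            events[int(m["mid"])].append((m["host"], m["msg"]))
    return events

def released_from_sma(evs):
    """True if the SMA released the message from the File Analysis quarantine."""
    return any(h == "sma" and "released from quarantine" in msg for h, msg in evs)

def find_malicious_but_delivered(events):
    """Return {MID: events} for messages with a MALICIOUS AMP verdict that were
    delivered anyway and never dropped, i.e. the gap described in this thread."""
    findings = {}
    for mid, evs in events.items():
        malicious = any("verdict: MALICIOUS" in msg for _, msg in evs)
        delivered = any(msg.startswith("delivered to") for _, msg in evs)
        dropped = any(msg.startswith("dropped") for _, msg in evs)
        if malicious and delivered and not dropped:
            findings[mid] = evs
    return findings
```

Run `find_malicious_but_delivered(parse_mail_logs(SAMPLE_LOGS))` and, for each hit, `released_from_sma()` tells you whether the delivery came via the SMA release path; against real logs the regex and the matched phrases must be adapted to the actual mail_logs wording.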

starol4711
Level 1

I am sorry to disagree, but this is still wrong. To prove this I have created the following message filter:

Detect_AMP_after_analysis:
if (remote-ip == "<IP_of_SMA>") AND ((header('X-AMP-Result') == 'MALICIOUS') OR (header('X-AMP-CustomResult') == 'MALICIOUS'))
{log-entry("AMP filter triggered");}

I have additionally added the header "X-AMP-CustomResult" in the AMP settings, in the section for what should happen with malicious attachments. But this filter is not triggered, even though AMP-detected emails are relayed from SMA to Exchange.


Salam @starol4711 ,

No no. I understand you. I meant that if you are facing the scenario you described, it needs to be troubleshot and fixed, because this is not expected behavior. For troubleshooting, the first and effective method I would suggest is mail tracing.

starol4711
Level 1

Salam!
How can I troubleshoot this?