ESA AMP UNSCANNABLE issue

uzair.infotech
Level 1

Hi All,

I have newly installed ESA in my environment. In my ESA, when an incoming email arrives with an Excel or PDF attachment, AMP gives the verdict UNSCANNABLE. Could you please help me with how to scan document files with ESA AMP?

Wed Jul  5 11:25:11 2017 Info: MID 9 matched all recipients for per-recipient policy Users-Policy in the inbound table
Wed Jul  5 11:25:11 2017 Info: ICID 10 close
Wed Jul  5 11:25:11 2017 Info: MID 9 interim verdict using engine: CASE spam negative
Wed Jul  5 11:25:11 2017 Info: MID 9 using engine: CASE spam negative
Wed Jul  5 11:25:11 2017 Info: MID 9 interim AV verdict using Sophos CLEAN
Wed Jul  5 11:25:11 2017 Info: MID 9 antivirus negative
Wed Jul  5 11:25:11 2017 Info: MID 9 AMP file reputation verdict : UNSCANNABLE
Wed Jul  5 11:25:11 2017 Info: MID 9 Outbreak Filters: verdict negative
Wed Jul  5 11:25:12 2017 Info: MID 9 queued for delivery
Wed Jul  5 11:25:12 2017 Info: New SMTP DCID 67 interface 172.17.98.6 address 10.0.9.123 port 25
Wed Jul  5 11:25:12 2017 Info: SDS_CLIENT: URL scanner enabled=0
Wed Jul  5 11:25:13 2017 Info: Delivery start DCID 67 MID 9 to RID [0]
Wed Jul  5 11:25:13 2017 Info: Message done DCID 67 MID 9 to RID [0]
Wed Jul  5 11:25:13 2017 Info: MID 9 RID [0] Response 'Message accepted for delivery'
Wed Jul  5 11:25:13 2017 Info: Message finished MID 9 done
Wed Jul  5 11:25:18 2017 Info: DCID 67 close

Regards

Uzair Hussain

6 Replies

Libin Varghese
Cisco Employee

Hi,

The AMP verdict of unscannable could show up if there is no connectivity to the cloud server or if there are network issues.

To verify connectivity, you should be able to telnet to the cloud servers from the appliance using the commands below.

telnet cloud-sa.amp.sourcefire.com 443
telnet panacea.threatgrid.com 443

File reputation would use port 32137 unless configured to use SSL, as per the article below.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118785-technote-esa-00.html

Once connectivity has been confirmed, you can review the logs named "amp" on the appliance to confirm it is working as expected.

Thank You!

Libin Varghese

marc.luescherFRE

Hi there,

Unscannable can also apply to the following other cases we have seen:

-encrypted zip exe file
-password protected MS or PDF file
-corrupt file
-winzip 7s file type (there is a known bug with that)

Is there an attachment size limit that would make the file unscannable by AMP?


@marc.luescherFRE wrote:

Hi there,

unscannable can also apply to the following other cases we have seen:

-encrypted zip exe file
-password protected MS or PDF file
-corrupt file
-winzip 7s file type (there is a known bug with that)

There is a size limit for attachments to be uploaded for analysis.

File size can be 0 bytes (i.e., empty), and no greater than 100MB in size.

However, file size issues would log specific errors in the amp logs.

File reputation should not come up as unscannable as a result of this.

- Libin V

Thanks for the quick reply.
This is what I'm seeing (timestamps removed):
Message 1653736 size 22430156 exceeds max size 2097152 for Anti-Spam scanning by CASE
Message 1653736 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
Message 1653736 scanned by Anti-Virus engine. Final verdict: Negative
Message 1653736 scanned by Advanced Malware Protection engine. Final verdict: UNSCANNABLE
Message 1653736 contains attachment 'FCR SLA - 2017-10-27-10-00-18.xlsx' (SHA256 066be09818941512e34e0349976bb02ca8176e9e02d29649054adc8e1fe116f7).
Message 1653736 attachment 'FCR SLA - 2017-10-27-10-00-18.xlsx' archive contents unpacked for processing.
Message 1653736 attachment 'FCR SLA - 2017-10-27-10-00-18.xlsx' scanned by Advanced Malware Protection engine. File Disposition: Unscannable
Message 1653736 attachment 'sheet1.xml' scanned by Advanced Malware Protection engine. File Disposition: Unknown
Message 1653736 contains attachment 'FCR SLA - 2017-10-27-10-00-18.xlsx'.
Message 1653736 encountered message scanning error: Size Limit Exceeded
The message is well below 100MB, but they are consistently flagged as unscannable by AMP.

I would recommend looking at the amp logs for this email to see if there was a specific reason logged.

This particular unscannable message would not be due to the attachment size.

- Libin V
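The advice in this thread comes down to one habit: for every message that got an AMP verdict of UNSCANNABLE, look at the other lines logged for the same message identifier (a scanning error, an attachment-level disposition, a size note) before blaming cloud connectivity. Below is an added example of that correlation, written for this thread rather than taken from Cisco or from the appliance itself. It parses the two line formats quoted above (mail_logs lines keyed by "MID <n>" and message-tracking lines keyed by "Message <n>"); the sample log is constructed from those formats, with a made-up attachment name, and the regular expressions are my own assumptions about the line layout, so adjust them if your appliance's log format differs.

```python
import re

# Constructed sample log, modelled on the two formats quoted in the thread
# (mail_logs "MID n ..." lines and message-tracking "Message n ..." lines).
SAMPLE_LOG = """\
Wed Jul  5 11:25:11 2017 Info: MID 9 interim AV verdict using Sophos CLEAN
Wed Jul  5 11:25:11 2017 Info: MID 9 antivirus negative
Wed Jul  5 11:25:11 2017 Info: MID 9 AMP file reputation verdict : UNSCANNABLE
Wed Jul  5 11:25:12 2017 Info: MID 9 queued for delivery
Wed Jul  5 11:30:02 2017 Info: MID 12 AMP file reputation verdict : CLEAN
Message 1653736 size 22430156 exceeds max size 2097152 for Anti-Spam scanning by CASE
Message 1653736 scanned by Advanced Malware Protection engine. Final verdict: UNSCANNABLE
Message 1653736 attachment 'report.xlsx' scanned by Advanced Malware Protection engine. File Disposition: Unscannable
Message 1653736 attachment 'sheet1.xml' scanned by Advanced Malware Protection engine. File Disposition: Unknown
Message 1653736 encountered message scanning error: Size Limit Exceeded
Message 1653737 scanned by Advanced Malware Protection engine. Final verdict: CLEAN
"""

# Assumed line layouts, derived from the lines quoted in the thread.
MID_VERDICT = re.compile(r"MID (\d+) AMP file reputation verdict : (\w+)")
MSG_VERDICT = re.compile(
    r"Message (\d+) scanned by Advanced Malware Protection engine\. Final verdict: (\w+)")
MSG_ATTACH = re.compile(
    r"Message (\d+) attachment '([^']+)' scanned by Advanced Malware Protection engine\. "
    r"File Disposition: (\w+)")
MSG_ERROR = re.compile(r"Message (\d+) encountered message scanning error: (.+)")
MSG_SIZE = re.compile(r"Message (\d+) size (\d+) exceeds max size (\d+) for (.+)")


def _record(events, key):
    """Return the per-message record for key, creating it on first sight."""
    return events.setdefault(
        key, {"verdict": None, "attachments": [], "errors": [], "size_notes": []})


def parse_amp_events(text):
    """Group the AMP-relevant facts of each message under ("MID"|"Message", id)."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if m := MID_VERDICT.search(line):
            _record(events, ("MID", m.group(1)))["verdict"] = m.group(2).upper()
        elif m := MSG_VERDICT.search(line):
            _record(events, ("Message", m.group(1)))["verdict"] = m.group(2).upper()
        elif m := MSG_ATTACH.search(line):
            _record(events, ("Message", m.group(1)))["attachments"].append(
                (m.group(2), m.group(3)))
        elif m := MSG_ERROR.search(line):
            _record(events, ("Message", m.group(1)))["errors"].append(m.group(2).strip())
        elif m := MSG_SIZE.search(line):
            _record(events, ("Message", m.group(1)))["size_notes"].append(
                f"{m.group(2)} bytes exceeds {m.group(3)} for {m.group(4).strip()}")
    return events


def probable_cause(rec):
    """Explain an UNSCANNABLE verdict from what the log itself recorded for that message."""
    if rec["errors"]:
        return "scanning error: " + "; ".join(rec["errors"])
    bad = [name for name, disp in rec["attachments"] if disp.lower() == "unscannable"]
    if bad:
        return "attachment(s) reported Unscannable: " + ", ".join(bad)
    # Nothing message-specific was logged: this is the case where the thread's
    # connectivity check (TCP 443, or 32137 without SSL) and the amp logs come in.
    return "no error logged; check amp logs and cloud connectivity (TCP 443, or 32137 without SSL)"


def unscannable_report(events):
    """List every message whose AMP verdict was UNSCANNABLE with its probable cause."""
    return [{"id": key, "cause": probable_cause(rec), "size_notes": rec["size_notes"]}
            for key, rec in events.items() if rec["verdict"] == "UNSCANNABLE"]


if __name__ == "__main__":
    for entry in unscannable_report(parse_amp_events(SAMPLE_LOG)):
        print(f"{entry['id'][0]} {entry['id'][1]}: {entry['cause']}")
        for note in entry["size_notes"]:
            print(f"    size note: {note}")
```

Run against the sample, MID 9 (the original poster's case) comes out with no message-specific reason, which is exactly when the connectivity check applies, while message 1653736 is pinned to the "Size Limit Exceeded" scanning error that the second poster's tracking output already contained. Feed it a real mail_logs or tracking export instead of SAMPLE_LOG to triage a batch of UNSCANNABLE verdicts at once.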