07-05-2017 12:42 AM
Hi All,
I have newly installed ESA in my environment. In my ESA, when an incoming email arrives with an Excel or PDF attachment, AMP gives the verdict UNSCANNABLE. Could you please help me with how to scan document files with ESA AMP?
Wed Jul 5 11:25:11 2017 Info: MID 9 matched all recipients for per-recipient policy Users-Policy in the inbound table
Wed Jul 5 11:25:11 2017 Info: ICID 10 close
Wed Jul 5 11:25:11 2017 Info: MID 9 interim verdict using engine: CASE spam negative
Wed Jul 5 11:25:11 2017 Info: MID 9 using engine: CASE spam negative
Wed Jul 5 11:25:11 2017 Info: MID 9 interim AV verdict using Sophos CLEAN
Wed Jul 5 11:25:11 2017 Info: MID 9 antivirus negative
Wed Jul 5 11:25:11 2017 Info: MID 9 AMP file reputation verdict : UNSCANNABLE
Wed Jul 5 11:25:11 2017 Info: MID 9 Outbreak Filters: verdict negative
Wed Jul 5 11:25:12 2017 Info: MID 9 queued for delivery
Wed Jul 5 11:25:12 2017 Info: New SMTP DCID 67 interface 172.17.98.6 address 10.0.9.123 port 25
Wed Jul 5 11:25:12 2017 Info: SDS_CLIENT: URL scanner enabled=0
Wed Jul 5 11:25:13 2017 Info: Delivery start DCID 67 MID 9 to RID [0]
Wed Jul 5 11:25:13 2017 Info: Message done DCID 67 MID 9 to RID [0]
Wed Jul 5 11:25:13 2017 Info: MID 9 RID [0] Response 'Message accepted for delivery'
Wed Jul 5 11:25:13 2017 Info: Message finished MID 9 done
Wed Jul 5 11:25:18 2017 Info: DCID 67 close
Regards
Uzair Hussain
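A small parser for mail_logs lines of the shape shown in the post above, added here as an example (not part of the original post or of any Cisco tooling). It correlates the per-MID AMP file reputation verdict with the "queued for delivery" event, so you can list the messages that went out with an UNSCANNABLE verdict and count verdicts over a period to spot a cloud-connectivity outage. The sample log text is constructed for the example; only the line format is taken from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the mail_logs excerpt in the post above; not a real capture.
SAMPLE_MAIL_LOG = """\
Wed Jul 5 11:25:11 2017 Info: MID 9 interim AV verdict using Sophos CLEAN
Wed Jul 5 11:25:11 2017 Info: MID 9 antivirus negative
Wed Jul 5 11:25:11 2017 Info: MID 9 AMP file reputation verdict : UNSCANNABLE
Wed Jul 5 11:25:11 2017 Info: MID 9 Outbreak Filters: verdict negative
Wed Jul 5 11:25:12 2017 Info: MID 9 queued for delivery
Wed Jul 5 11:25:13 2017 Info: Message finished MID 9 done
Wed Jul 5 11:30:02 2017 Info: MID 12 AMP file reputation verdict : CLEAN
Wed Jul 5 11:30:03 2017 Info: MID 12 queued for delivery
Wed Jul 5 11:31:44 2017 Info: MID 15 AMP file reputation verdict : UNSCANNABLE
"""

# One per-MID event line: timestamp, "Info: MID <n>", then the event text.
MID_EVENT = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) Info: MID (?P<mid>\d+) (?P<event>.+)$"
)
AMP_VERDICT = re.compile(r"^AMP file reputation verdict : (?P<verdict>\S+)")

def summarize_mids(log_text):
    """Build {mid: {"ts", "amp", "delivered"}} from mail_logs text.

    Only 'MID <n> ...' lines are used; DCID/RID delivery lines are ignored because
    'queued for delivery' already marks the hand-off to the delivery queue."""
    mids = defaultdict(lambda: {"ts": None, "amp": None, "delivered": False})
    for line in log_text.splitlines():
        m = MID_EVENT.match(line)
        if not m:
            continue
        rec = mids[int(m["mid"])]
        rec["ts"] = rec["ts"] or m["ts"]          # first time the MID was seen
        v = AMP_VERDICT.match(m["event"])
        if v:
            rec["amp"] = v["verdict"]             # CLEAN / MALICIOUS / UNSCANNABLE ...
        elif m["event"] == "queued for delivery":
            rec["delivered"] = True
    return dict(mids)

def unscannable_delivered(log_text):
    """MIDs that were queued for delivery although file reputation returned UNSCANNABLE;
    these are the ones to look up in the amp logs for the specific reason."""
    return sorted(mid for mid, r in summarize_mids(log_text).items()
                  if r["amp"] == "UNSCANNABLE" and r["delivered"])

def verdict_counts(log_text):
    """Counter of AMP verdicts across all MIDs; a sudden all-UNSCANNABLE run points at connectivity."""
    return Counter(r["amp"] for r in summarize_mids(log_text).values() if r["amp"])

if __name__ == "__main__":
    print("delivered despite UNSCANNABLE:", unscannable_delivered(SAMPLE_MAIL_LOG))
    print("verdict counts:", dict(verdict_counts(SAMPLE_MAIL_LOG)))
```

Feed it the output of `grep "MID" mail_logs` (or `tail mail_logs` from the CLI) for a real appliance; MIDs with an UNSCANNABLE verdict but no "queued for delivery" line were held or dropped by the configured unscannable action.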
07-05-2017 02:37 AM
Hi,
The AMP verdict of unscannable could show up if there is no connectivity to the cloud server or network issues.
To verify connectivity you should be able to telnet to cloud servers from the appliance using the below commands.
telnet cloud-sa.amp.sourcefire.com 443
telnet panacea.threatgrid.com 443
File reputation would use port 32137 unless configured to use SSL as per the below article.
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118785-technote-esa-00.html
Once connectivity has been confirmed, you can review the logs named "amp" on the appliance to confirm it is working as expected.
Thank You!
Libin Varghese
07-05-2017 08:31 AM
Hi there,
Unscannable can also apply to the following other cases we have seen:
- encrypted zip exe file
- password protected MS or PDF file
- corrupt file
- winzip 7s file type (there is a known bug with that)
10-31-2017 07:55 AM
Is there an attachment size limit that would make the file unscannable by AMP?
@marc.luescherFRE wrote:
Hi there,
Unscannable can also apply to the following other cases we have seen:
- encrypted zip exe file
- password protected MS or PDF file
- corrupt file
- winzip 7s file type (there is a known bug with that)
10-31-2017 08:22 AM
There is a size limit for attachments to be uploaded for analysis.
The file size can be 0 bytes (i.e., empty) and no greater than 100MB.
However, file size issues would log specific errors in the amp logs.
File reputation should not come up as unscannable as a result of this.
- Libin V
10-31-2017 08:30 AM
10-31-2017 06:16 PM
I would recommend looking at the amp logs for this email to see if there was a specific reason logged.
This particular unscannable message would not be due to the attachment size.
- Libin V