Cisco Secure Email Support Community


How can I see WHY a message was encrypted?

On our Postx box, I used to be able to see specifically what caused a message to become encrypted (for example a social security number). It would report what keyword(s) triggered the encryption.

We just replaced the Postx with an IronPort C150 (love it!) and I would like to be able to get the same info. I see that I can go to Monitor -> Content Filters to see which users had encrypted mail, then I can use Message tracking to see details including that the message WAS encrypted, however I would like to see the details of WHAT triggered the content filter.

Thank you.

2 REPLIES
kyerramr
Beginner

A way to see what triggered the filter (in your case, the encryption filter) is to set up one of the actions of your filter to duplicate quarantine. This would send a copy of the message to system quarantine and follow the rest of the path (other actions). This way a copy of the message is sent to the system quarantine, and viewing the message in system quarantine would show what content of the message was matched by the filter.

Hope this helps!

-Kishore

steven_geerts
Beginner

I have no experience with the IronPort encryption solutions at all, but a possible solution might be to add a second action to your policy that writes the required info into an X- header.
If you enable logging for this header you will see the results in your log files.

I can imagine you do not want the information in the X-header to be public (which is the nature of X- headers).
There are two possible solutions for that.
1) Use numeric codes for the data in the X-header. Only you have the matching table to see what code points to what message filter or filter action.

2) Play around with policies and message filters. They are always executed in the same order (which I do not recall at the moment). If you make sure the first of the two does the detection and adds the header, you can use the second to strip the header out of the message.

Quite complex but possible for sure!

Good luck
Steven
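
An offline model of the two-stage approach described in the reply above (tag with numeric codes, log the reason, strip the header before delivery), added here as an example; it is not part of the original thread and is not the appliance's filter syntax. The header name `X-Filter-Reason`, the codes, the detection rules and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string

HEADER = "X-Filter-Reason"  # hypothetical header name
# Private lookup table: only the administrator knows what each code means.
CODES = {"101": "SSN pattern in body", "102": "keyword 'confidential' in subject"}
# Constructed detection rules, keyed by the same codes.
RULES = {
    "101": lambda m: re.search(r"\b\d{3}-\d{2}-\d{4}\b", m.get_payload()),
    "102": lambda m: re.search(r"confidential", m.get("Subject", ""), re.I),
}

def tag(msg):
    """Stage 1: record which rules matched as opaque numeric codes."""
    hits = [code for code, rule in sorted(RULES.items()) if rule(msg)]
    del msg[HEADER]  # drop any sender-supplied copy so the value cannot be spoofed
    if hits:
        msg[HEADER] = ",".join(hits)
    return msg

def log_and_strip(msg, log):
    """Stage 2: log the decoded reason internally, then strip the header."""
    raw = msg.get(HEADER)
    if raw:
        reasons = [CODES.get(c, "unknown code " + c) for c in raw.split(",")]
        log.append((msg.get("Message-ID"), raw, reasons))
    del msg[HEADER]  # the recipient never sees the header
    return msg

def process(raw_message):
    """Run both stages in order and return (outgoing message, internal log)."""
    log = []
    msg = log_and_strip(tag(message_from_string(raw_message)), log)
    return msg, log

# Constructed sample message; it arrives carrying a forged copy of the header.
SAMPLE = (
    "From: alice@example.com\n"
    "To: bob@example.org\n"
    "Subject: Confidential payroll update\n"
    "Message-ID: <constructed-1@example.com>\n"
    "X-Filter-Reason: 999\n"
    "\n"
    "Employee SSN is 123-45-6789.\n"
)

if __name__ == "__main__":
    outgoing, log = process(SAMPLE)
    print(log)
    print(HEADER in outgoing)
```

The order matters: if the stripping stage ran before the logging stage, the reason would be lost, which is why the reply stresses knowing the execution order of policies and message filters.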
