06-01-2016 08:16 AM
Hello,
Can we have a filter to decide an action on mail attachment during the AV scan?
For example:
1. Only strip and quarantine password-protected attachments and deliver the other attachments to recipients?
2. Strip and quarantine the unscannable files and release the rest of the mail to the recipient as part of the AV scan?
Thanks,
Rajeev
06-01-2016 12:43 PM
Hi Rajeev,
Give the following a try:
Q1)
You can create a content filter with the condition attachment-protected (which will look for passworded/encrypted attachments) and set two actions: the first one is drop_attachments("") and the second is quarantine("Policy"). Or, if you want to send it to the virus quarantine, replace the second action with insert header X-IronPort-AV with value Yes.
Q2)
You can set the action for unscannable files in the anti-virus engine to deliver and, from the advanced settings, add a header. Then create a filter that has a condition to see if that header exists and set two actions, drop_attachments("") and insert header X-IronPort-AV with value Yes, so that it will be sent to the virus quarantine.
Regards
Raed
06-01-2016 12:50 PM
Hi Raed,
Thanks for your suggestions.
I have tried a similar content filter without any luck. The problem is that if the mail has multiple attachments, normal files and a password-protected file, then the action is applied to both.
How do we overcome this?
Thanks,
Rajeev
06-01-2016 01:32 PM
True, for multiple attachments the action will be implemented on both. Check this: ESA Content Filters for Email Messages with Multiple Attachments (the example in the article might be different, but the point is that it confirms the actions for multiple attachments will be taken on all if one matches), since this is the way the filters act by design.