
Message filter (or other way?) to send a copy of a viral email to another address

slicciardola

Hi all,

Is there a way to achieve this?

1 email with viral attachment ---> send copy to specific email address and then process the usual pipeline, maybe with MF or any other way?

Thanks in advance

Bye


Message filters happen too early; no AV has happened yet. You'll have to set the AV policy to deliver, and maybe add a header, but then catch it with a content filter keyed off that header. There may already be a header you can use, added by the AV process, but adding one yourself makes it a known quantity....

Hey slicciardola,

Ken's method is the right way to do it.
Message filters happen at the start of the pipeline, so you'll need to configure your AV policy (per mail policy) to 'deliver' and prepend a custom X-header.

After that, you will need to create a content filter against the X-Header, and then you can take action accordingly to send a copy to an alternative mail address, then drop/quarantine the original email so the end user does not receive a virus-infected email.

Alternatively, inside your antivirus settings per mail policy, at the bottom when you set to deliver, if you want to redirect -ALL- emails which are viral to a specific mailbox completely (the original viral email), then you can simply configure that inside the antivirus settings, as there's an option for "Modify Message Recipient:" which allows you to redirect the email. This means the original email which is marked as virus will go to that recipient and nothing is kept on the ESA/dropped.

Regards,
Mathew

marc.luescherFRE

There is a workaround you could try:

In your mail policy, select the Outbreak Filters section.

Enable the following two settings:

Include the X-IronPort-Outbreak-Status headers: Enable for all messages

Include the X-IronPort-Outbreak-Description header: Enable

Set Message Modification Threat Level: to 1 or at least 3

Create a message filter and check for the existence of the X-header above and send a copy of the message to an alternate host for processing.

I hope that helps

-Marc

Surely I will try, thanks!