Hello,

We had opened a bug (link below) with Cisco regarding an issue with the scanning engine. We had discovered that any file attachments in the newer Microsoft Office formats (XLSX|DOCX|XLSM|DOCM|PPTX|PPTM)  that are greater than 7MB will not be scanned by the Ironport DLP system. The scanning engine simply fails and does not provide any indication of the scanning failure, stops processing further rules, and then sends the email along regardless of the attachments content. This has been confirmed by Cisco in the bug below and we are currently waiting on a fix.

We are concerned that there may be other people allowing attachments that are larger than 7MB to be sent who are currently unaware of this issue. This means if you were to have a sender email a file from within your organization with a large amount of data in office formats, it would be sent through without being blocked, encrypted, or warning no matter what rules you have in place. 

We've had to force Microsoft Office newer file formats (ie, do attachments larger than 7MB to work around this issue. We had expected a fix to come forward very quickly. In the mean time, the community should be made aware of this issue as anyone running Ironport may not be aware that files are being sent unscanned. 

Link to bug: https://tools.cisco.com/quickview/bug/CSCus61684

Example of a filter/work around you could create to force encryption on the below file types 7mb or larger below:

Encrypt7MBandLarger: if (sendergroup == "Your Outgoing Sender Group Name ") AND ((attachment-size >=
7340032) AND (attachment-filename ==
"(?i)\\.(XLSX|DOCX|XLSM|DOCM|PPTX|PPTM)$")) {
                         encrypt ("Your encryption profile name", 0);