Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
398
Views
0
Helpful
1
Replies

Outbreak Filters Quarantine and Release behaviour

REJR77
Level 1
Level 1

‎01-24-2024 01:50 AM

Hi,

In an ESA / SMA deployment, I have a Incoming Mail Policy where I have 1 content filter applied and also Outbreak Filter enabled (with default retention of 1h)

Can you confirm the behaviour when the VOF detects an email, quarantine it and releae it ?

I had one case, where the email was detected/quarantined by the VOF, and then released, but the content filter was not applied.

Regards

Labels:
0 Helpful
1 Reply 1

betliu
Cisco Employee
Cisco Employee

‎03-21-2024 05:14 AM - edited ‎03-21-2024 05:31 AM

Hi,

the message will be sent to the Outbreak Quarantine if the threat level for a message equals or exceeds the threshold you configured in below Step1, (1=lowest threat, 5=highest threat)

>Step1: configure retention that the messages stay in the Outbreak Quarantine

path: Mail Policies>Incoming Mail Policies>edit  'Outbreak Filter' in one of policy

Here, you can specify the 'Quarantine Threat Level' and the maximum amount of time that messages stay in the Outbreak Quarantine. You can specify different retention times for messages that may contain viral attachments and messages that may contain other threats, like phishing or malware links.

betliu_2-1711024215452.png

 

>Step2:configure what action performed on messages in outbreak quarantine

path: Monitor>Policy, Virus and Outbreak Quarantines>Outbreak

1. There are two primary default actions:

  • Delete—The message is deleted.
  • Release—The message is released for delivery (When a message is released from all queues in which is has been quarantined rescanning occurs, Messages released from the Outbreak quarantine are rescanned by the anti-spam, AMP, and anti-virus engines.)

2. Messages are automatically removed from the quarantine under the following circumstances,When a message is automatically removed from a quarantine, the default action is performed on that message:

  • Normal Expiration—the configured retention time is met for a message in the quarantine
  • Early Expiration—messages are forced from quarantines before the configured retention time is reached. This can happen when:
    The size limit for all quarantines
  • You delete a quarantine that still holds messages.

betliu_1-1711021640377.png

 

 

 

0 Helpful
Customers Also Viewed These Support Documents