cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2468
Views
0
Helpful
2
Replies

Quarantine and Send a DLP Encrypted Message?

Mike Kwilosz
Level 1
Level 1

So I'm trying to do something that from what I can see doesn't appear to be capable by the Ironport Appliance.  I would like to be able to setup a way so when someone sends an email out the Ironport Appliance scans it with its DLP capabilities if it catches that there is a reason to trigger the DLP service it will encrypt the message and send it on its way out but also keep a copy in a quarantine so I can have a team go back and review these at a later date.

From what I can tell so far it appears I have to decide on one or the other.  Either I set it up to allow the message to be encrypted and sent or I configure the DLP Policy to quarantine the message and then through the Quarantine I can release it and encrypt.

I think due to the flow process on the Ironport I wouldn't be able to apply a Message Filter to accomplish this either but maybe thats the solution to this.

Just as a side note I already have this in place in a Content Filter format for email messages that get manually encrypted per a keyword in the subject line.  When the message is sent it is caught by the content filter that notices the message should be encrypted.  At that point it encrypts the message and allows it to continue through but at the same time it saves a copy of the message in a quarantine.  I'm looking to accomplish the same thing just instead of manual encryption I would like the DLP policy to catch that a message needs encryption.

Anyone have any ideas on this?

Thanks,

Mike

1 Accepted Solution

Accepted Solutions

Andreas Mueller
Level 4
Level 4

Hello Mike,

one possible solution would be to flag encryption on a DLP policy, and also aktivate the action "Send Copy (Bcc)"  in the advanced options to send that message to a specific mailbox on your internal mailserver.  If you rather want the message to be stored on the quarantines on the IronPort appliance, another possible approach would be to use an internal fake domain (quarantine@local), and an smtp route that injects the message again, where you set up a filter that all messages coming from the internal interface of the IronPort are going to a quarantine. You could even set up a dedicated listener for that.

Just a quick thought on the topic,

Andreas

View solution in original post

2 Replies 2

Andreas Mueller
Level 4
Level 4

Hello Mike,

one possible solution would be to flag encryption on a DLP policy, and also aktivate the action "Send Copy (Bcc)"  in the advanced options to send that message to a specific mailbox on your internal mailserver.  If you rather want the message to be stored on the quarantines on the IronPort appliance, another possible approach would be to use an internal fake domain (quarantine@local), and an smtp route that injects the message again, where you set up a filter that all messages coming from the internal interface of the IronPort are going to a quarantine. You could even set up a dedicated listener for that.

Just a quick thought on the topic,

Andreas

Thank you for the response.  I could see how this would work but I was hoping there might be just a little bit cleaner way to do the email to quarantine portion.  No doubt though this would definitely work.

Thanks,

Mike