
Quarantine Notification - Sent AFTER message is released

ppdnetman
Level 1

Our C350 correctly sends an automated notification to the email recipient when an encrypted mail has been detected and quarantined.

However when mail is manually released from the quarantine, the user receives the released mail message, but in addition to this, another (2nd) notification is sent to the email recipient with a prepended [WARNING : MESSAGE ENCRYPTED] subject.

I would like to STOP this 2nd notification being sent by IronPort as it is proving to be confusing to the end user (when they receive their released mail + another notification).

Can you guide me in configuring this?

Many thanks.

15 Replies

kluu_ironport
Level 2

Would it be possible if you can provide two things:


1. In the content filter that quarantines if it detects an encrypted message, can you provide what the actions are for the content filter? Just copy and paste it here. Thanks.


2. Also, using either "findevent" or "grep" on the command line or message tracking on the GUI, can you see if you can locate in the mail_logs the details of the message when it was released. This may shed some light on what is occurring.

Below is a snippet of what it will look like when it's released from "Policy" quarantine.

Thu Sep  4 15:18:48 2008 Info: MID 48 released from quarantine "Policy" (manual) t=117
Thu Sep 4 15:18:48 2008 Info: MID 48 released from all quarantines
Thu Sep 4 15:18:48 2008 Info: MID 48 matched all recipients for per-recipient policy DEFAULT in the outbound table
Thu Sep 4 15:18:48 2008 Info: MID 48 queued for delivery
Thu Sep 4 15:18:48 2008 Info: New SMTP DCID 54 interface 74.201.91.95 address 209.85.133.114 port 25
Thu Sep 4 15:18:48 2008 Info: Delivery start DCID 54 MID 48 to RID [0]
Thu Sep 4 15:18:50 2008 Info: Message done DCID 54 MID 48 to RID [0]
Thu Sep 4 15:18:50 2008 Info: MID 48 RID [0] Response '2.0.0 OK 1220541530 b3si19088679ana.7'
Thu Sep 4 15:18:50 2008 Info: Message finished MID 48 done

stevenhands
Level 1

Hi,

I had the same problem when configuring our C350s. This seems to be a bug in the release process where the second AV scan on release also fires off a notification. Since the email is being released, this second notification should be suppressed.

To get around this I had to do the following:

1. Instead of using the AV policy to quarantine, choose Deliver As Is, but add a custom header (such as X-AV-Encrypted = TRUE).

2. Create a content filter to look for the custom header and quarantine/notify if the header exists.

Steve.

ppdnetman
Level 1

Steve,

thanks for your reply - sounds like a good, logical workaround.

HOWEVER, I think IronPort should be looking to fix this bug; we have paid a lot of money for our IronPort C350 appliances and we should not need to implement a workaround to fix their code.

ppdnetman
Level 1

The Default Anti Virus Policy is configured as follows:


Mail Policies: Anti-Virus

Encrypted Messages:

Action Applied to Message: Quarantine

Modify Message Subject: Prepend [WARNING : MESSAGE ENCRYPTED]

Advanced

Other Notification: Recipients: Notification: Encrypted (Text Resource)


*************************************************

Thu Sep 4 12:47:02 2008 Info: MID 1157339 released from quarantine "Virus" (manual) t=1796
Thu Sep 4 12:47:02 2008 Info: MID 1157339 released from all quarantines
Thu Sep 4 12:47:02 2008 Info: MID 1157339 matched all recipients for per-recipient policy Authorised_Recieve_PPD in the inbound table
Thu Sep 4 12:47:03 2008 Info: MID 1157339 interim AV verdict using Sophos ENCRYPTED
Thu Sep 4 12:47:03 2008 Info: MID 1157339 antivirus encrypted
Thu Sep 4 12:47:03 2008 Info: Start MID 1157667 ICID 0
Thu Sep 4 12:47:03 2008 Info: MID 1157667 was generated based on MID 1157339 by antivirus
Thu Sep 4 12:47:03 2008 Info: MID 1157667 ICID 0 From:
Thu Sep 4 12:47:03 2008 Info: MID 1157667 ICID 0 RID 0 To:
Thu Sep 4 12:47:03 2008 Info: MID 1157667 queued for delivery
Thu Sep 4 12:47:03 2008 Info: MID 1157339 queued for delivery
Thu Sep 4 12:47:03 2008 Info: Delivery start DCID 690245 MID 1157667 to RID [0]
Thu Sep 4 12:47:03 2008 Info: Message done DCID 690245 MID 1157667 to RID [0]
Thu Sep 4 12:47:03 2008 Info: MID 1157667 RID [0] Response 'Ok'
Thu Sep 4 12:47:03 2008 Info: Message finished MID 1157667 done

*************************************************

Thanks for your help in this matter!!
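An added example, not part of any post in this thread: a Python script for the mail_logs check suggested above, flagging each quarantine release that is followed by an antivirus-generated message (the second notification). The sample lines are taken from the two log excerpts posted in the thread; the function name is hypothetical.

```python
import re

# Sample input assembled from the two mail_logs excerpts posted in this thread.
SAMPLE_LOG = """\
Thu Sep 4 15:18:48 2008 Info: MID 48 released from quarantine "Policy" (manual) t=117
Thu Sep 4 15:18:48 2008 Info: MID 48 released from all quarantines
Thu Sep 4 15:18:48 2008 Info: MID 48 queued for delivery
Thu Sep 4 12:47:02 2008 Info: MID 1157339 released from quarantine "Virus" (manual) t=1796
Thu Sep 4 12:47:02 2008 Info: MID 1157339 released from all quarantines
Thu Sep 4 12:47:03 2008 Info: MID 1157339 interim AV verdict using Sophos ENCRYPTED
Thu Sep 4 12:47:03 2008 Info: MID 1157339 antivirus encrypted
Thu Sep 4 12:47:03 2008 Info: Start MID 1157667 ICID 0
Thu Sep 4 12:47:03 2008 Info: MID 1157667 was generated based on MID 1157339 by antivirus
Thu Sep 4 12:47:03 2008 Info: MID 1157667 queued for delivery
Thu Sep 4 12:47:03 2008 Info: MID 1157339 queued for delivery
"""

RELEASED = re.compile(r'Info: MID (\d+) released from quarantine "([^"]+)" \((\w+)\)')
AV_VERDICT = re.compile(r'Info: MID (\d+) antivirus (\w+)')
GENERATED = re.compile(r'Info: MID (\d+) was generated based on MID (\d+) by antivirus')


def find_post_release_notifications(log_text):
    """Return one record per AV-generated message whose parent MID
    had already been released from a quarantine earlier in the log."""
    released = {}  # parent MID -> (quarantine name, release type)
    verdict = {}   # parent MID -> AV verdict logged after the release
    findings = []
    for line in log_text.splitlines():
        if m := RELEASED.search(line):
            released[m.group(1)] = (m.group(2), m.group(3))
        elif (m := AV_VERDICT.search(line)) and m.group(1) in released:
            verdict[m.group(1)] = m.group(2)
        elif (m := GENERATED.search(line)) and m.group(2) in released:
            child, parent = m.groups()
            quarantine, how = released[parent]
            findings.append({
                "released_mid": parent,
                "quarantine": quarantine,
                "release_type": how,
                "av_verdict": verdict.get(parent),
                "notification_mid": child,
            })
    return findings


if __name__ == "__main__":
    for f in find_post_release_notifications(SAMPLE_LOG):
        print(f)
```

MID 48, released from the "Policy" quarantine, produces no finding because no antivirus-generated message follows its release.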

kluu_ironport
Level 2

Jason, Steve,

If you think that the AsyncOS is not behaving as you expected it to, you should open a ticket with IronPort customer support and they can file a bug on your behalf.


Steve,

thanks for your reply - sounds like a good, logical workaround.

HOWEVER, I think IronPort should be looking to fix this bug; we have paid a lot of money for our IronPort C350 appliances and we should not need to implement a workaround to fix their code.

jweck_ironport
Level 1

Hi Jason & Steve,

Did you receive advice from IronPort Support regarding a fix for this behaviour? We're seeing the exact problem when releasing quarantined mails. The recipient will receive a second notification.

Best regards,

jweck

jasongurtz
Level 1

We experience this too and it is annoying. However, it's not annoying enough to go through the bother of opening a ticket, spending time on the phone, etc...

Hopefully Ironport will care enough to fix these simple and obvious things w/o a ticket.

ppdnetman
Level 1

No, this [fairly major] bug has still not been fixed by IronPort.

The only 'workaround' is that which is mentioned above by: sjhands (steve) which will work, but as I have previously mentioned, IronPort should really fix the bug - we should not have to use a workaround to fix bad code, given the purchase cost of a C350 + annual support.

Jason

kyerramr
Level 1

Our apologies, if this has caused any inconvenience. This is being tracked as bug # 48976

jweck_ironport
Level 1

Our apologies, if this has caused any inconvenience. This is being tracked as bug # 48976


Cheers Kyerramr, that's highly appreciated. Is there any way for us to track this specific bug? Is there some sort of customer-accessible URL that we could enquire?

Thank you in advance for your response.

Best regards,

jweck

kyerramr
Level 1

Unfortunately there is no database for bug and bug fixes that can be viewed by the customers at this time. However, any critical bug which is fixed gets listed in the release notes of new AsyncOS versions.

In regard to this particular bug, I will make a note to post an update as we get a milestone for a fix.

What are the affected AsyncOS versions?

I don't see anyone mention the AsyncOS version whenever they post problems. Usually, different AsyncOS versions may have different outcomes, so it is always good practice to mention it.

ppdnetman
Level 1

That's a good point - it is often useful to state the deployed version of AsyncOS relating to where the problem is being experienced.

However, it is a given in this case that we are talking about the latest release of AsyncOS - because the bug is still outstanding and has not been fixed, but rather has been given a bugfix tracking number [#48976].

If the bug was only found in earlier releases, and had been fixed by a later release of the software, then this would have been offered as a solution - i.e. it would have been suggested to upgrade software to AsyncOS version XXX to fix the bug.

Since this has not been suggested, it is a fair assumption that it is the latest release of AsyncOS that is being discussed.

I hope that this clarifies.

Kind regards,

Jason

Hi Jason,

Thanks for the clarification. Looks like my environment is also subjected to this bug... since we just upgraded to 6.5.1-005.
