quarantine unscannable messages

Default0815
Level 1

Hi,

Do the settings under "Scan Behavior" take precedence over the settings under "Mail Policies: Anti-Virus"?


If we select No Actions under:
Actions for Unscannable Messages due to decoding errors found during URL Filtering Actions
Actions for Unscannable Messages due to Extraction Failures
Actions for Unscannable Messages due to RFC Violations

but we select "quarantine" under "Mail Policies -> Anti-Virus -> unscannable Messages".


Will a Mail with "Unscannable Messages due to Extraction Failures" be quarantined due to the Antivirus settings in the Mail Policy?



3 Replies

UdupiKrishna
Cisco Employee

For Antivirus, "unscannable message" basically means that the AV engine reached its scanning timeout, and it's not the same as "extraction failure" under scan behaviour.

What's similar is AMP's "Unscannable : Message error" option, and yes, if the action under AMP is set to quarantine, it will take precedence over the scan behaviour settings.

Thanks,
How can I isolate "Unscannable" mails and send the user a notification?
Does the scan behavior take place before or after the content filters?

I'm sure there is a doc somewhere, but I believe the flow is what the incoming mail policies show: spam->virus->malware->graymail->content filters.

But I can't verify, as I have seen stuff pending a file analysis get quarantined, but still go through content filters. This may be due to the flow pending analysis.

If you want to redirect, but do it with a content filter, then have the message continue and set some type of header flag you can check in a content filter, such as set X-AV-unscannable=true, and then use a content filter. The downside is I don't think you can quarantine with a content filter. We redirect to a mailbox we have access to and notify the recipient.

The only way to quarantine and do content filters that I can think of is you would have to do the x-tag and have a content filter redirect it to a separate listener on the device. You would probably have to change the recipient to an unused address you could key in on in the mail flow policies to cause a different flow so you could set those AV parameters to quarantine. Not an easy setup.