
Release action on File Analysis timeout

Gonsauro
Level 1

When a suspicious file uploaded to the AMP reputation server did not have a verdict after the 1-hour default timer, it was released from the "File Analysis" quarantine and delivered to the end user.

Is there any option to move it from the temporary File Analysis quarantine to a more persistent policy one after the timeout?

The docs talk about adding a header in case an early release was done on the file. Does it apply to a timed-out one without a verdict? In that case, it seems that it cannot match a content filter looking for the "early release" header, because it was already processed by the CF, and the file analysis pending just holds the file at the end of the processing flow and delivers it or does the action on a malicious verdict (as the mail policy sets), but does not process it against the content filters when a timeout release was done.

2 Replies

SriramV
Cisco Employee

You can keep the email in quarantine until File Analysis is complete.

Mail Policies > Incoming Mail Policies > Policy Name > Advanced Malware Protection > Messages with File Analysis Pending

UdupiKrishna
Cisco Employee

This is an expected design. When an email is sent to policy quarantine and released, it will not be processed/scanned either by message or content filters.

Upon release it will be rescanned by engines like AS, AV, AMP etc. (depending on the quarantine) but not the filters.