I am fairly new to the IronPort email security appliances and was hoping someone could provide some guidance on how to accomplish the following. I need to configure exporting, or providing access to our security team so they can directly export messages from the virus/malware quarantine for offline analysis. Can this be accomplished, and if so, how? Is there a way to zip or encrypt messages in the quarantine and have them released to a specific mailbox account which our security team owns?
There are a couple of methods by which you can achieve a copy of messages; however, there is no way to zip or encrypt messages. You can open a TAC case and log a feature request for zipping or encrypting messages in quarantine.
To do this you would first need to modify your "anti spam policy" to add a custom header and deliver the message (instead of setting the action to quarantine):

1) Go under "Mail Policies" > click the desired policy. Under "Positively-Identified Spam Settings" - "Apply This Action to Message", set the action to Deliver.
Now click on "Advanced" and locate "Add Custom Header". Enter X-Ironport-Quarantine in the text field located on the right side of "Header:".

2) Next navigate to "Mail Policies" > "Incoming Content Filters". Click on "Add Filter ..." and create a filter with Conditions - "Other Header" - "Header Name" X-Ironport-Quarantine - "Header exists", Action - "Send Copy (BCC)", and enter the BCC address.
Note: For the virus quarantine, a copy of a message can also be achieved by keeping the header the same or different. In the case of different headers, please add a second condition in the above content filter.

++ If you would like to copy all types of messages (positive, suspected), then the add-headers option needs to be enabled under all actions in Anti-Spam and Anti-Virus in the incoming/outgoing mail policy.
How to have a copy of all released messages from the IPAS quarantine? (only if you choose to release messages)

The quarantine has no option to add an email address for a BCC copy of the released message. The workaround is to save the configuration file on a local computer in order to open and edit it. In the configuration file, look for this tag under the Euq configuration:

The email address firstname.lastname@example.org, which is behind the quarantine option "Notify IronPort Upon Message Release", should be replaced. This email address can be replaced with any email address to which a copy of released messages should be sent. After saving the configuration and loading it back to the appliance, also make sure "Notify IronPort Upon Message Release" is enabled in the spam quarantine's configuration on the GUI.

* The procedure described here should be used by customers who need to keep track of what is leaving their company, in terms of email messages.
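The header-and-BCC rule in the answer above can be checked before touching the production policy. The following is an added example, not Cisco code or anything from the appliance: it replays the content-filter logic (condition "Header exists" on the custom header, action "Send Copy (BCC)") over raw message text, and shows the receiving-side step of bundling the delivered copies into a zip for offline analysis, since the appliance itself cannot zip or encrypt. The second header name, the security mailbox address and the sample messages are constructed assumptions.

```python
"""Added example (not Cisco's code): replay the incoming content-filter rule
from the answer above over raw message text, and bundle flagged copies
on the receiving side for offline analysis."""
import io
import zipfile
from email import message_from_string
from email.policy import default

# Header the mail policy stamps on positively-identified spam (from the answer).
# The second name is hypothetical, standing in for a different anti-virus
# header, which is the "add a second condition" case in the note.
QUARANTINE_HEADERS = ("X-Ironport-Quarantine", "X-Ironport-Virus-Quarantine")
# Assumed mailbox owned by the security team (the BCC target of the filter).
SECURITY_TEAM_BCC = "secteam@example.org"


def header_exists(msg, names=QUARANTINE_HEADERS):
    """Condition 'Other Header' / 'Header exists': presence only, value ignored."""
    # Message.__contains__ compares header names case-insensitively.
    return any(name in msg for name in names)


def apply_content_filter(raw_message, bcc=SECURITY_TEAM_BCC):
    """Return the actions the incoming content filter takes for one message.

    The policy action is already 'Deliver', so the original recipient always
    gets the message; the filter only adds a BCC copy when a marker is present.
    """
    msg = message_from_string(raw_message, policy=default)
    actions = [("deliver", str(msg["To"]))]
    if header_exists(msg):
        actions.append(("bcc", bcc))
    return actions


def bundle_for_analysis(raw_messages):
    """Receiving-side step: pack the flagged copies into one zip of .eml files.

    Only messages carrying a quarantine marker are kept, so ordinary mail that
    reached the same mailbox is not handed to the analysts. Returns zip bytes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, raw in enumerate(raw_messages):
            msg = message_from_string(raw, policy=default)
            if not header_exists(msg):
                continue
            zf.writestr(f"sample_{i:03d}.eml", raw)
    return buf.getvalue()


def archive_names(archive_bytes):
    """List the member files of an archive produced by bundle_for_analysis."""
    return zipfile.ZipFile(io.BytesIO(archive_bytes)).namelist()


# Constructed sample traffic (not real mail).
SPAM_SAMPLE = (
    "From: sender@example.net\r\n"
    "To: user@example.org\r\n"
    "Subject: flagged by anti-spam\r\n"
    "X-Ironport-Quarantine: yes\r\n"
    "\r\n"
    "body\r\n"
)
CLEAN_SAMPLE = (
    "From: colleague@example.org\r\n"
    "To: user@example.org\r\n"
    "Subject: lunch\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    for label, raw in (("spam", SPAM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, apply_content_filter(raw))
    print(archive_names(bundle_for_analysis([SPAM_SAMPLE, CLEAN_SAMPLE])))
```

The filter never changes the original delivery; it only decides whether a second copy goes to the security mailbox, which is what the appliance does once the policy action is Deliver rather than Quarantine.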
A way to allow your security team to access the virus quarantine is to define a custom user role (System Administration / User Roles) where you can define a role that only allows access to specified quarantines, and then specify just the virus quarantine. Then you can define a new admin user (System Administration / Users) that only has that custom role. All that user can then do is manage the virus quarantine. From there the user can search and view the message content, and download any attachments for offline analysis.