Release specific messages from quarantine
03-06-2014 10:25 AM
Hello All,
I am fairly new to the IronPort email security appliances and was hoping someone could provide some guidance on how to accomplish the following. I need to configure exporting, or provide access to our security team to directly export messages from the virus/malware quarantine for offline analysis. Can this be accomplished, and if so, how? Is there a way to zip or encrypt messages in the quarantine and have them released to a specific mailbox account which our security team owns?
Thanks for the help in advance.
Labels: Email Security

03-08-2014 06:28 PM
Hi,
There are a couple of methods by which you can get a copy of messages; however, there is no way to zip or encrypt messages. You can open a TAC case and log a feature request for zipping or encrypting messages in quarantine.
Option 1:
To do this you would first need to modify your "anti spam policy" to add a custom header and deliver the message (instead of setting the action to quarantine).
Steps:
1) Go under "Mail Policies" > Click the desired policy
Under "Positively-Identified Spam Settings" - "Apply This Action to Message" set action to Deliver
Now click on "Advanced" and locate "Add Custom Header".
Enter X-Ironport-Quarantine in the text field located on the right side of "Header:"
Submit changes
2) Next navigate to "Mail Policies" > "Incoming Content Filters"
Click on "Add Filter ..." and create a filter with
Conditions - "Other Header" - "Header Name" X-Ironport-Quarantine - "Header exists"
Action - "Send Copy (BCC)" enter the bcc address
Note: For the virus quarantine, a copy of a message can also be achieved by keeping the header the same or different. In case of different headers, please add a second condition in the above content filter.
++ If you would like to copy all types of messages (positive, suspected), then the add headers option needs to be enabled under all Actions in Anti-Spam and Antivirus in the incoming/outgoing mail policy.
Option 2:
How to have a copy of all released messages from IPAS quarantine? (only if you choose to release messages)
The quarantine has no option to add an email address for a bcc copy of the released message. The workaround is to save the configuration file on a local computer in order to open and edit it. In the configuration file, look for this tag under the Euq configuration:
<euq_to_corpus_addr>isq_released_ham@access.ironport.com</euq_to_corpus_addr>
The email address ham@access.ironport.com, which is behind the quarantine option "Notify IronPort Upon Message Release", should be replaced. This email address can be replaced with any email address where a copy of released messages should be sent. After saving the configuration and loading it back to the appliance, also make sure "Notify IronPort Upon Message Release" is enabled in the spam quarantine's configuration in the GUI.
* The procedure described here should be used by customers who need to keep track of what is leaving their company, in terms of email messages.
Hope that information helps.
Thanks
Nasir
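The configuration edit from Option 2 in the reply above, as an added example that is not part of the original post and not Cisco tooling: it swaps the address inside the `euq_to_corpus_addr` tag of a saved configuration file and refuses to proceed unless exactly one line changes. Only the tag name and its default value come from the post; the sample file layout, the function name and the replacement mailbox are assumptions.

```python
import difflib
import re

# Tag name and default address are from the post; the rest of SAMPLE_CONFIG
# is constructed for illustration and is not a real appliance export.
TAG_RE = re.compile(r"(<euq_to_corpus_addr>)([^<]*)(</euq_to_corpus_addr>)")
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

SAMPLE_CONFIG = """<config>
  <euq>
    <constructed_other_setting>1</constructed_other_setting>
    <euq_to_corpus_addr>isq_released_ham@access.ironport.com</euq_to_corpus_addr>
  </euq>
</config>
"""


def set_release_copy_address(config_text, new_addr):
    """Return (new_text, old_addr, diff_lines) with only the tag value changed."""
    if not ADDR_RE.match(new_addr):
        raise ValueError(f"not a plain mailbox address: {new_addr!r}")
    matches = TAG_RE.findall(config_text)
    if len(matches) != 1:
        # Refuse to guess: zero means wrong file, several means ambiguous.
        raise ValueError(
            f"expected exactly one euq_to_corpus_addr tag, found {len(matches)}")
    old_addr = matches[0][1].strip()
    # Text substitution keeps every other byte of the export untouched,
    # which re-serialising through an XML library would not guarantee.
    new_text = TAG_RE.sub(lambda m: m.group(1) + new_addr + m.group(3), config_text)
    diff = [
        line for line in difflib.unified_diff(
            config_text.splitlines(), new_text.splitlines(), lineterm="", n=0)
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]
    # A correct edit touches one line: one removal and one addition.
    if old_addr != new_addr and len(diff) != 2:
        raise RuntimeError("edit changed more than the one expected line")
    return new_text, old_addr, diff


if __name__ == "__main__":
    text, old, diff = set_release_copy_address(
        SAMPLE_CONFIG, "quarantine-review@example.com")
    print("previous address:", old)
    print("\n".join(diff))
```

Reviewing the returned diff before loading the file back gives a record of exactly what was changed in the configuration.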
03-10-2014 01:35 AM
