Report of Outgoing Messages NOT Scanned

TriZzz · ‎11-08-2018

Hey All,

I was wondering if there's a way to run a report of all outgoing messages that were NOT scanned by either anti-virus or DLP or anything. We had a major DLP incident and it was not caught because the file size was too large and it skipped the scan.

Looking for a way to find these messages so we can go back and look into those to see if there were any other incidents.

Environment: Cisco M300V running version 11.1.0-131

Thank you so much!

Tom Foucha · ‎11-15-2018

There is no report but if you are syslogging the mail_logs off box you could run something to look for the Message to Large indicators and create a report. Other than that you'd have to grep the logs that are being stored off-box for the same.

TriZzz · ‎11-15-2018

Thanks Tom,

Would that be the same if we wanted a report of all attachments over 5MB? Since that's the limit, maybe a work-a-round would be to search by message/file size? I appreciate the input!

Tom Foucha · ‎11-15-2018

Since you can’t specifically set a Content Filter on attachment size but you can on message size which includes body + attachment I would suggest add a content filter as a condition and then the action is add Log Entry and then you can search for the log entry.

The other alternative is a Message Filter which does support attachment-size rule. Refer to the User Guide for Message Filter processing. Keep in mind Message Filters happen before spam scanning so you could end up with some log entries that get dropped due to spam scanning and other engines.

TriZzz · ‎11-15-2018

Thank you for your help, Tom! It's much appreciated. I'll go back to our security team and let them know!