I was wondering if there's a way to run a report of all outgoing messages that were NOT scanned by either anti-virus or DLP or anything. We had a major DLP incident and it was not caught because the file size was too large and it skipped the scan.
Looking for a way to find these messages so we can go back and look into those to see if there were any other incidents.
Environment: Cisco M300V running version 11.1.0-131
There is no report, but if you are syslogging the mail_logs off-box, you could run something to look for the Message too Large indicators and create a report. Other than that, you'd have to grep the logs that are being stored off-box for the same.
Since you can’t specifically set a Content Filter on attachment size, but you can on message size (which includes body + attachment), I would suggest adding a content filter as a condition, and then the action is Add Log Entry, and then you can search for the log entry.
The other alternative is a Message Filter, which does support an attachment-size rule. Refer to the User Guide for Message Filter processing. Keep in mind that Message Filters happen before spam scanning, so you could end up with some log entries that get dropped due to spam scanning and other engines.
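A sketch of the off-box report the replies describe, added here as an example and not taken from the thread or from Cisco: it groups mail_logs lines by MID and lists sender, recipients and subject for every message carrying a marker written by a filter's log-entry action. The marker text, the sample lines and the exact line layout (including the "Custom Log Entry:" prefix) are assumptions; adjust the patterns to what your appliance actually writes.

```python
import re
from collections import defaultdict

# Assumption: the text you configured in the filter's log-entry action.
MARKER = "DLP-REVIEW-LARGE-MSG"

# Constructed sample lines in the assumed shape of mail_logs (not real data).
SAMPLE_LOG = """\
Mon Mar  4 10:15:01 2019 Info: MID 1001 ICID 501 From: <alice@example.com>
Mon Mar  4 10:15:01 2019 Info: MID 1001 ICID 501 RID 0 To: <partner@example.net>
Mon Mar  4 10:15:02 2019 Info: MID 1001 Subject 'Q1 figures'
Mon Mar  4 10:15:02 2019 Info: MID 1001 Custom Log Entry: DLP-REVIEW-LARGE-MSG
Mon Mar  4 10:16:10 2019 Info: MID 1002 ICID 502 From: <bob@example.com>
Mon Mar  4 10:16:10 2019 Info: MID 1002 ICID 502 RID 0 To: <carol@example.org>
Mon Mar  4 10:16:11 2019 Info: MID 1002 Subject 'lunch'
Mon Mar  4 10:17:30 2019 Info: MID 1003 ICID 503 From: <dave@example.com>
Mon Mar  4 10:17:30 2019 Info: MID 1003 ICID 503 RID 0 To: <x@example.net>
Mon Mar  4 10:17:30 2019 Info: MID 1003 ICID 503 RID 1 To: <y@example.net>
Mon Mar  4 10:17:31 2019 Info: MID 1003 Custom Log Entry: DLP-REVIEW-LARGE-MSG
"""

# timestamp, log level, then "MID <n>" followed by the rest of the line
LINE = re.compile(r"^(?P<ts>.+? \d{4}) \w+: MID (?P<mid>\d+) (?P<rest>.*)$")


def flagged_messages(lines, marker=MARKER):
    """Return {mid: record} for every message that has a marker line."""
    msgs = defaultdict(lambda: {"time": None, "from": None, "to": [],
                                "subject": None, "flagged": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        rec, rest = msgs[m["mid"]], m["rest"]
        rec["time"] = rec["time"] or m["ts"]      # first line seen for this MID
        if (f := re.search(r"\bFrom: <([^>]*)>", rest)):
            rec["from"] = f[1]
        elif (t := re.search(r"\bTo: <([^>]*)>", rest)):
            rec["to"].append(t[1])                # one line per recipient
        elif (s := re.match(r"Subject '(.*)'$", rest)):
            rec["subject"] = s[1]                 # a subject quoting the marker is not a hit
        elif marker in rest:
            rec["flagged"] = True
    return {mid: rec for mid, rec in msgs.items() if rec["flagged"]}


if __name__ == "__main__":
    for mid, r in flagged_messages(SAMPLE_LOG.splitlines()).items():
        print(mid, r["time"], r["from"], ",".join(r["to"]), r["subject"], sep="\t")
```

To run it over archived logs, pass the lines of the stored file to `flagged_messages` instead of `SAMPLE_LOG`.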