
Report of Outgoing Messages NOT Scanned

TriZzz
Level 1

Hey All,

 

I was wondering if there's a way to run a report of all outgoing messages that were NOT scanned by either anti-virus or DLP or anything. We had a major DLP incident and it was not caught because the file size was too large and it skipped the scan.

 

Looking for a way to find these messages so we can go back and look into those to see if there were any other incidents.

 

Environment: Cisco M300V running version 11.1.0-131

 

Thank you so much!

4 Replies

Tom Foucha
Cisco Employee

There is no report, but if you are syslogging the mail_logs off-box you could run something to look for the Message too Large indicators and create a report. Other than that, you'd have to grep the logs that are being stored off-box for the same.

Thanks Tom,

 

Would that be the same if we wanted a report of all attachments over 5MB? Since that's the limit, maybe a workaround would be to search by message/file size? I appreciate the input!

Since you can’t specifically set a Content Filter on attachment size, but you can on message size, which includes body + attachment, I would suggest adding a content filter as a condition, and then the action is Add Log Entry, and then you can search for the log entry.

The other alternative is a Message Filter, which does support the attachment-size rule. Refer to the User Guide for Message Filter processing. Keep in mind Message Filters happen before spam scanning, so you could end up with some log entries that get dropped due to spam scanning and other engines.

Thank you for your help, Tom! It's much appreciated. I'll go back to our security team and let them know!
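
An added example, not part of the thread and not Cisco tooling: one way to build the report discussed above from mail_logs stored off-box, combining a scan-skipped indicator with a message-size check against the 5MB limit. The log line shapes, the "too big/large" phrase and the sample lines are constructed assumptions; match the two patterns to what your appliance actually writes.

```python
import re
from collections import defaultdict

SIZE_LIMIT = 5 * 1024 * 1024  # the 5MB scan limit mentioned in the thread

# Assumed line shapes (not taken from the thread); adjust to your own logs.
READY = re.compile(r"MID (\d+) ready (\d+) bytes from <([^>]*)>")
SKIPPED = re.compile(r"MID (\d+) .*too (?:big|large)", re.IGNORECASE)

# Constructed sample lines, for illustration only.
SAMPLE = """\
Tue Mar  6 10:01:03 2018 Info: MID 101 ready 20480 bytes from <alice@example.com>
Tue Mar  6 10:02:10 2018 Info: MID 102 ready 7340032 bytes from <bob@example.com>
Tue Mar  6 10:02:11 2018 Info: MID 102 was too big (7340032/5242880) for scanning
Tue Mar  6 10:03:00 2018 Info: MID 103 ready 6291456 bytes from <carol@example.com>
Tue Mar  6 10:04:00 2018 Info: MID 104 was too big (900000/524288) for scanning
""".splitlines()


def unscanned_report(lines, size_limit=SIZE_LIMIT):
    """Return {mid: record} for messages that should be reviewed by hand.

    A message is flagged when a scan-skipped indicator names its MID, or
    when its total size (body + attachments) exceeds size_limit. The size
    test over-reports on purpose: it also catches messages whose indicator
    line is missing from the retained logs.
    """
    seen = defaultdict(lambda: {"bytes": None, "sender": None, "reasons": set()})
    for line in lines:
        m = READY.search(line)
        if m:
            rec = seen[m.group(1)]
            rec["bytes"], rec["sender"] = int(m.group(2)), m.group(3)
            if rec["bytes"] > size_limit:
                rec["reasons"].add("over-size-limit")
            continue
        m = SKIPPED.search(line)
        if m:
            # Indicator may appear without a size line (e.g. rotated logs).
            seen[m.group(1)]["reasons"].add("scan-skipped-indicator")
    return {mid: rec for mid, rec in seen.items() if rec["reasons"]}


if __name__ == "__main__":
    for mid, rec in sorted(unscanned_report(SAMPLE).items(), key=lambda kv: int(kv[0])):
        print(mid, rec["sender"], rec["bytes"], ",".join(sorted(rec["reasons"])))
```

Messages flagged only by size were not necessarily skipped by a scanner; treat them as candidates and confirm against the indicator line or message tracking.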