Cisco Community
English
Register
New community login process starting July 13 - LEARN MORE HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Secure Email Support Community
Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.0.0-698
Cloud Gateway Email Status Portal Support & Downloads docs.ces.cisco.com
Email and Web Manager: 14.0.0-404
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in: 1.1.0.136
Encryption Bug Search
Encryption Plug-in: 1.2.1.167
Cloud Mailbox Notification Service
Outlook Add-in(s): More info
1191
Views
5
Helpful
7
Replies
slicciardola
Beginner
Beginner
‎10-15-2019 02:32 AM
‎10-15-2019 02:32 AM

Send original email with stripped attachment

Hi all,

i am on ESA 600V, need this:

* receive a message with virus

* strip virus (with notification "the attachment was stripped due virus...") but SEND the entire original email to the user

 

How can this be achieved? I suppose cannot do this via incoming mail policy.

Thanks

Labels:
0 Helpful
7 REPLIES 7
marc.luescherFRE
Enthusiast
Enthusiast
‎10-15-2019 05:51 AM
‎10-15-2019 05:51 AM

A few steps:

 

go into mail policies, possibly default

select Anti-Virus settings

scroll down to section Virus infected Messages

go to Advanced section and set your required delivery options

0 Helpful
slicciardola
Beginner
Beginner
In response to marc.luescherFRE
‎10-15-2019 06:01 AM
‎10-15-2019 06:01 AM

Hi,

the only options are:

 

Deliver as is; no help as you can imagine

Deliver as attachment; no help since you cannot strip virus

Quarantine; no help since it goes to quarantine queue

Drop; no help since it is completely dropped

 

What i need is to completely remove the viral attachment but give the user the original "eml" email file.

Thanks

0 Helpful
marc.luescherFRE
Enthusiast
Enthusiast
In response to slicciardola
‎10-15-2019 07:41 AM
‎10-15-2019 07:41 AM

You want to do two things to make this work

 

a) on top of the AV section select the box : Drop infected attachments if a virus is found - valid for all cases

b) select deliver as RFC822 to new message, as the virus was already removed in the previous step 

0 Helpful
Mathew Huynh
Cisco Employee
Cisco Employee
‎10-15-2019 02:25 PM
‎10-15-2019 02:25 PM

Hey Slicciardola,

echoing the other contributors.
You can also change your antivirus setting per mail policy at the top to 'scan for viruses only" then under it click the check-box "Drop infected attachments if a virus is found"

What this option does is open the top menu of "Repaired messages" where you can strip the email of the virus attachment, it replaces the attachment removed with a text file which shows the attachment which was stripped and due to what reason and delivers the original email to the end user.

You can also add the prepend or append on subject line as you desire as well.

Regards,
Mathew
0 Helpful
slicciardola
Beginner
Beginner
In response to Mathew Huynh
‎10-16-2019 07:24 AM
‎10-16-2019 07:24 AM

Hi all,

thanks, this solution seems to work!

Would it be possible even to defang a url into body of email, in addition?

So to recap:

* Virus found

* Attachment stripped but original email sent as attachment

* Defang of malicious urls into body

 

 

Thanks!!!

0 Helpful
Ken Stieers
Engager
Engager
In response to slicciardola
‎10-16-2019 08:06 AM
‎10-16-2019 08:06 AM

Defang of url in the attachment isn't possible.



You could use the "safe print" feature to convert any documents that have executable code in them to something than won't execute, or to make the link unclickable...

It's in version 13.0






Mathew Huynh
Cisco Employee
Cisco Employee
In response to slicciardola
‎10-16-2019 02:12 PM
‎10-16-2019 02:12 PM

Hey Slicciardola,

As per Ken, if you're looking to defang URLs inside attachments - you would need to consider the version 13 feature. Bearing in mind at the moment version 13 is on a limited deployment early code release - so there may still be some hiccups being looked into but should be safe for production.

Otherwise, it is possible to defang malicious URLs in the email body (body only) through the use of URL filtering.
GUI > Security Services > URL Filtering -> Enable

GUI > Incoming Content Filters > Add a new content filter
Condition -> You could use any condition if you want a customized rule or leave it blank for an 'always on' filter, depending on you.
Action -> URL Reputation -> Select Malicious URLs -> Set to Defang the URL
Submit this content filter and deploy it into your incoming mail policies per policy basis.

The action here would ONLY trigger if conditions are met then it will defang malicious URLs accordingly by removing the a href and adding [BLOCKED] on the url body itself.

Regards,
Mathew
0 Helpful
Latest Contents
#CiscoChat Live - Cisco Secure Email + SecureX: Extending em...
Created by greghami on 07-22-2021 09:45 AM
3
0
3
0
Join us for a detailed discussion of the integrations between Cisco Secure Email and SecureX. We’ll share the various ways that SecureX provides greater visibility across the Cisco Security landscape and demonstrate how Secure Email is the ... view more
Mobile number field placeholder customization
Created by sivsivar on 07-19-2021 06:57 AM
0
0
0
0
    ISE 2.7 FCS   To display default country code and Place holder customization please follow the below steps.   Upload the attached js file in Custom Portal Files. Go to portal and add the below script in the Registration Form pag... view more
Orbital Query Corner - Two Views of PrintNightmare
Created by brmcmaho on 07-16-2021 02:43 PM
0
10
0
10
Part 1: The Basics Hard-copy printing may feel very “old school” now, but a recent flurry of activity related to the print spooler service on Windows operating systems has brought one of the oldest IT applications back into the spotlight again.  Our... view more
Python on Secure Email Vulnerability Concerns [July 2021]
Created by Robert Sherwin on 07-14-2021 06:12 AM
0
0
0
0
Python on Cisco Secure Email The Python package used in our appliances is not a standard deployment --- just like AsyncOS is not your typical FreeBSD (a free and open-source Unix-like operating system descended from the Berkeley Software Distributio... view more
Cisco ISE, WLC and Umbrella Tripartite Pact
Created by meddane on 07-12-2021 06:56 AM
0
0
0
0
 Wireless Controller WLC integration with Cisco ISE for access control through 802.1X is one of the most popular deployment in the network security field. Now is the employee PC safe after the authentication and authorization?even after the posture o... view more
Content for Community-Ad