Showing results for 
Search instead for 
Did you mean: 
Cisco Secure Email Support Community

Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.0.0-698
Cloud Gateway Email Status Portal Support & Downloads
Email and Web Manager: 14.0.0-404
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in:
Encryption Bug Search
Encryption Plug-in:
Cloud Mailbox Notification Service
Outlook Add-in(s): More info


Send original email with stripped attachment

Hi all,

i am on ESA 600V, need this:

* receive a message with virus

* strip virus (with notification "the attachment was stripped due virus...") but SEND the entire original email to the user


How can this be achieved? I suppose cannot do this via incoming mail policy.



A few steps:


go into mail policies, possibly default

select Anti-Virus settings

scroll down to section Virus infected Messages

go to Advanced section and set your required delivery options


the only options are:


Deliver as is; no help as you can imagine

Deliver as attachment; no help since you cannot strip virus

Quarantine; no help since it goes to quarantine queue

Drop; no help since it is completely dropped


What i need is to completely remove the viral attachment but give the user the original "eml" email file.


You want to do two things to make this work


a) on top of the AV section select the box : Drop infected attachments if a virus is found - valid for all cases

b) select deliver as RFC822 to new message, as the virus was already removed in the previous step 

Mathew Huynh
Cisco Employee

Hey Slicciardola,

echoing the other contributors.
You can also change your antivirus setting per mail policy at the top to 'scan for viruses only" then under it click the check-box "Drop infected attachments if a virus is found"

What this option does is open the top menu of "Repaired messages" where you can strip the email of the virus attachment, it replaces the attachment removed with a text file which shows the attachment which was stripped and due to what reason and delivers the original email to the end user.

You can also add the prepend or append on subject line as you desire as well.


Hi all,

thanks, this solution seems to work!

Would it be possible even to defang a url into body of email, in addition?

So to recap:

* Virus found

* Attachment stripped but original email sent as attachment

* Defang of malicious urls into body




Defang of url in the attachment isn't possible.

You could use the "safe print" feature to convert any documents that have executable code in them to something than won't execute, or to make the link unclickable...

It's in version 13.0

Hey Slicciardola,

As per Ken, if you're looking to defang URLs inside attachments - you would need to consider the version 13 feature. Bearing in mind at the moment version 13 is on a limited deployment early code release - so there may still be some hiccups being looked into but should be safe for production.

Otherwise, it is possible to defang malicious URLs in the email body (body only) through the use of URL filtering.
GUI > Security Services > URL Filtering -> Enable

GUI > Incoming Content Filters > Add a new content filter
Condition -> You could use any condition if you want a customized rule or leave it blank for an 'always on' filter, depending on you.
Action -> URL Reputation -> Select Malicious URLs -> Set to Defang the URL
Submit this content filter and deploy it into your incoming mail policies per policy basis.

The action here would ONLY trigger if conditions are met then it will defang malicious URLs accordingly by removing the a href and adding [BLOCKED] on the url body itself.

Content for Community-Ad