Send original email with stripped attachment

slicciardola · ‎10-15-2019

Hi all,

i am on ESA 600V, need this:

* receive a message with virus

* strip virus (with notification "the attachment was stripped due virus...") but SEND the entire original email to the user

How can this be achieved? I suppose cannot do this via incoming mail policy.

Thanks

marc.luescherFRE · ‎10-15-2019

A few steps:

go into mail policies, possibly default

select Anti-Virus settings

scroll down to section Virus infected Messages

go to Advanced section and set your required delivery options

slicciardola · ‎10-15-2019

Hi,

the only options are:

Deliver as is; no help as you can imagine

Deliver as attachment; no help since you cannot strip virus

Quarantine; no help since it goes to quarantine queue

Drop; no help since it is completely dropped

What i need is to completely remove the viral attachment but give the user the original "eml" email file.

Thanks

marc.luescherFRE · ‎10-15-2019

You want to do two things to make this work

a) on top of the AV section select the box : Drop infected attachments if a virus is found - valid for all cases

b) select deliver as RFC822 to new message, as the virus was already removed in the previous step

Mathew Huynh · ‎10-15-2019

Hey Slicciardola,

echoing the other contributors.
You can also change your antivirus setting per mail policy at the top to 'scan for viruses only" then under it click the check-box "Drop infected attachments if a virus is found"

What this option does is open the top menu of "Repaired messages" where you can strip the email of the virus attachment, it replaces the attachment removed with a text file which shows the attachment which was stripped and due to what reason and delivers the original email to the end user.

You can also add the prepend or append on subject line as you desire as well.

Regards,
Mathew

slicciardola · ‎10-16-2019

Hi all,

thanks, this solution seems to work!

Would it be possible even to defang a url into body of email, in addition?

So to recap:

* Virus found

* Attachment stripped but original email sent as attachment

* Defang of malicious urls into body

Thanks!!!

Ken Stieers · ‎10-16-2019

Defang of url in the attachment isn't possible.

You could use the "safe print" feature to convert any documents that have executable code in them to something than won't execute, or to make the link unclickable...

It's in version 13.0

Mathew Huynh · ‎10-16-2019

Hey Slicciardola,

As per Ken, if you're looking to defang URLs inside attachments - you would need to consider the version 13 feature. Bearing in mind at the moment version 13 is on a limited deployment early code release - so there may still be some hiccups being looked into but should be safe for production.

Otherwise, it is possible to defang malicious URLs in the email body (body only) through the use of URL filtering.
GUI > Security Services > URL Filtering -> Enable

GUI > Incoming Content Filters > Add a new content filter
Condition -> You could use any condition if you want a customized rule or leave it blank for an 'always on' filter, depending on you.
Action -> URL Reputation -> Select Malicious URLs -> Set to Defang the URL
Submit this content filter and deploy it into your incoming mail policies per policy basis.

The action here would ONLY trigger if conditions are met then it will defang malicious URLs accordingly by removing the a href and adding [BLOCKED] on the url body itself.

Regards,
Mathew