Virus Quarantine - 2 hour delay after manual release

3CoreAV
Level 1

Version: 10.0.2-020


When releasing emails containing ENCRYPTED-flagged documents from the VIRUS quarantine, the log indicates the message is released; however, it then takes up to an extra 2 hours before, according to the logs, it clears all quarantines for re-scan and onward delivery. The logs indicate it was only ever in the ONE quarantine and was released already. So what is the source of the delay? Is the virus quarantine holding on to it? There is no definable delay option in the config, and these actions are Immediate releases, not Delay releases.


Any ideas? I've seen nothing in changelogs/known bugs.


07 Nov 2018 12:43:56 (GMT +00:00) Message 42183218 (52994 bytes) from USER@DOMAIN.COM ready.
07 Nov 2018 12:43:56 (GMT +00:00) Message 42183218 matched per-recipient policy OURPOLICYNAME (multiple domains) for inbound mail policies.
07 Nov 2018 12:43:56 (GMT +00:00) Incoming connection (ICID 52089597) lost.
07 Nov 2018 12:43:56 (GMT +00:00) Message 42183218 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
07 Nov 2018 12:43:56 (GMT +00:00) Message 42183218 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative.
07 Nov 2018 12:43:56 (GMT +00:00) Message 42183218 scanned by Anti-Spam engine: CASE. Final verdict: Negative
07 Nov 2018 12:43:56 (GMT +00:00) Message 42183218 scanned by Anti-Virus engine Sophos. Interim verdict: ENCRYPTED
07 Nov 2018 12:43:56 (GMT +00:00) Message 42183218 scanned by Anti-Virus engine. Found encrypted
07 Nov 2018 12:43:56 (GMT +00:00) Message 42183218 scanned by Outbreak Filters. Verdict: Negative
07 Nov 2018 12:43:56 (GMT +00:00) Message 42183218 quarantined to Virus. Anti-Virus verdict ENCRYPTED.
07 Nov 2018 12:45:21 (GMT +00:00) Message 42183218 released from quarantine Virus after 85 seconds. Reason: manually released.
07 Nov 2018 14:39:29 (GMT +00:00) Message 42183218 released from all quarantines.
07 Nov 2018 14:39:29 (GMT +00:00) Message 42183218 matched per-recipient policy OURPOLICYNAME (multiple domains) for inbound mail policies.
07 Nov 2018 14:39:29 (GMT +00:00) Message 42183218 scanned by Anti-Virus engine Sophos. Interim verdict: ENCRYPTED
07 Nov 2018 14:39:29 (GMT +00:00) Message 42183218 scanned by Anti-Virus engine. Found encrypted
07 Nov 2018 14:39:29 (GMT +00:00) Message 42183218 queued for delivery.
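
As an added example (not part of the original thread, and not a Cisco or AsyncOS tool), the script below reads mail-log lines in the format quoted above, groups them by message ID, and compares the dwell time the engine itself reports for each named quarantine ("released from quarantine Virus after N seconds") with the wall-clock interval from the first "quarantined to" event to "released from all quarantines". The difference is the time that no named quarantine accounts for, which is the interval the poster is trying to locate. The sample log is constructed: the lines for messages 42183218 and 42597003 are trimmed copies of the excerpts in this thread, message 99000001 is a made-up control case where delivery follows the manual release at once, and the 60-second reporting threshold is an arbitrary choice.

```python
import re
from datetime import datetime

# Constructed sample log. 42183218 and 42597003 are trimmed from the excerpts
# quoted in this thread; 99000001 is a made-up control case with no extra delay.
SAMPLE_LOG = """\
07 Nov 2018 12:43:56 (GMT +00:00) Message 42183218 (52994 bytes) from USER@DOMAIN.COM ready.
07 Nov 2018 12:43:56 (GMT +00:00) Incoming connection (ICID 52089597) lost.
07 Nov 2018 12:43:56 (GMT +00:00) Message 42183218 quarantined to Virus. Anti-Virus verdict ENCRYPTED.
07 Nov 2018 12:45:21 (GMT +00:00) Message 42183218 released from quarantine Virus after 85 seconds. Reason: manually released.
07 Nov 2018 14:39:29 (GMT +00:00) Message 42183218 released from all quarantines.
07 Nov 2018 14:39:29 (GMT +00:00) Message 42183218 queued for delivery.
07 Nov 2018 13:00:00 (GMT +00:00) Message 99000001 quarantined to Virus. Anti-Virus verdict ENCRYPTED.
07 Nov 2018 13:02:00 (GMT +00:00) Message 99000001 released from quarantine Virus after 120 seconds. Reason: manually released.
07 Nov 2018 13:02:00 (GMT +00:00) Message 99000001 released from all quarantines.
07 Nov 2018 13:02:01 (GMT +00:00) Message 99000001 queued for delivery.
21 Nov 2018 10:40:41 (GMT +00:00) Message 42597003 quarantined to Virus. Anti-Virus verdict ENCRYPTED.
21 Nov 2018 13:00:53 (GMT +00:00) Message 42597003 released from quarantine Virus after 8412 seconds. Reason: manually released.
"""

# One log line: timestamp, fixed GMT offset, message ID, then the event text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) \(GMT [+-]\d{2}:\d{2}\) "
    r"Message (?P<mid>\d+) (?P<event>.*)$"
)
QUAR_IN_RE = re.compile(r"^quarantined to (?P<q>\w+)\.")
QUAR_OUT_RE = re.compile(
    r"^released from quarantine (?P<q>\w+) after (?P<secs>\d+) seconds\. "
    r"Reason: (?P<reason>.*)$"
)


def _ts(text):
    # Every line in the sample carries the same GMT offset, so it is ignored.
    return datetime.strptime(text, "%d %b %Y %H:%M:%S")


def parse_events(log_text):
    """Group (timestamp, event text) pairs by message ID, preserving log order.
    Lines without a 'Message <id>' prefix (connection lost, etc.) are skipped."""
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.setdefault(m["mid"], []).append((_ts(m["ts"]), m["event"]))
    return events


def quarantine_summary(log_text):
    """Per message: the dwell time the engine reports for each named quarantine,
    the wall-clock time from first quarantine to 'released from all quarantines',
    and the difference, i.e. time attributed to no named quarantine."""
    out = {}
    for mid, evs in parse_events(log_text).items():
        first_in = None
        accounted = 0
        stays = []
        all_released = queued = None
        for ts, ev in evs:
            if QUAR_IN_RE.match(ev):
                first_in = first_in or ts
            elif (m := QUAR_OUT_RE.match(ev)):
                accounted += int(m["secs"])
                stays.append((m["q"], int(m["secs"]), m["reason"]))
            elif ev == "released from all quarantines.":
                all_released = ts
            elif ev == "queued for delivery.":
                queued = ts
        if first_in is None:
            continue  # never quarantined; nothing to account for
        total = int((all_released - first_in).total_seconds()) if all_released else None
        out[mid] = {
            "stays": stays,
            "accounted_secs": accounted,
            "total_secs": total,  # None while the message has not cleared all quarantines
            "unaccounted_secs": (total - accounted) if total is not None else None,
            "queued": queued is not None,
        }
    return out


def suspicious(log_text, threshold_secs=60):
    """Message IDs whose unattributed hold time exceeds the threshold (arbitrary default)."""
    return sorted(
        mid for mid, s in quarantine_summary(log_text).items()
        if s["unaccounted_secs"] is not None and s["unaccounted_secs"] > threshold_secs
    )


if __name__ == "__main__":
    for mid, s in quarantine_summary(SAMPLE_LOG).items():
        print(mid, s)
    print("suspicious:", suspicious(SAMPLE_LOG))
```

On the sample, message 42183218 is accounted for by the Virus quarantine for 85 seconds but took 6933 seconds to reach "released from all quarantines", leaving 6848 seconds that no named quarantine explains; the control message shows 0; and 42597003 has no total yet because the "released from all quarantines" line has not appeared. Running the same script over a full mail log makes it easy to see whether the gap correlates with a fixed interval, a particular quarantine name, or a verdict such as ENCRYPTED.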


3 Replies

Check the time limit on the outbreak quarantine. Based on the tracking, that's where it sat.

Hi, thanks for the response.


Outbreak Filter Settings: Maximum Quarantine Retention: 1 Day.


However, based on the logs and monitoring, nothing has been in the Outbreak Quarantine since November 1st. I am watching the logs now for 6 released emails since 13:00 GMT (56 minutes).


If I "search across quarantines" in Monitor: Policy, Virus and Outbreak Quarantines for the emails just released from VIRUS quarantine, they aren't found.


They will magically re-appear in about an hour from now. I've been through the CLI showconfig and quarantineconfig etc line by line. I'm stumped.


Recent example:

21 Nov 2018 10:40:40 (GMT +00:00) Message 42597003 size 649574 exceeds max size 262144 for Anti-Spam scanning by Outbreak Filters
21 Nov 2018 10:40:41 (GMT +00:00) Message 42597003 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
21 Nov 2018 10:40:41 (GMT +00:00) Message 42597003 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative.
21 Nov 2018 10:40:41 (GMT +00:00) Message 42597003 scanned by Anti-Spam engine: CASE. Final verdict: Negative
21 Nov 2018 10:40:41 (GMT +00:00) Message 42597003 scanned by Anti-Virus engine Sophos. Interim verdict: ENCRYPTED
21 Nov 2018 10:40:41 (GMT +00:00) Message 42597003 scanned by Anti-Virus engine. Found encrypted
21 Nov 2018 10:40:41 (GMT +00:00) Message 42597003 quarantined to Virus. Anti-Virus verdict ENCRYPTED.
21 Nov 2018 13:00:53 (GMT +00:00) Message 42597003 released from quarantine Virus after 8412 seconds. Reason: manually released.

That is weird.

I'd open a TAC case.