06-09-2016 02:05 AM
Quick question: Can the ESA be configured to virusscan E-mails which are released from the spam quarantine?
08-17-2016 11:06 AM
Hi,
From the Async OS User guide
Released messages from the spam quarantine proceed directly to the destination queue, skipping any further work queue processing in the email pipeline.
Also mentioned in the below article
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118286-technote-csa-00.html
Although this should not be required, as an email destined for the spam quarantine is scanned by the anti-virus engine. The released email hence is not scanned again.
For positively identified spam, the email is tagged to be delivered to the spam quarantine; however, the email continues the rest of the work queue processing (anti-virus, content filters, etc.) and is delivered to the spam quarantine only at the end of the work queue.
Hope the above information helps.
Regards
Libin
06-09-2016 09:26 AM
Per the help docs, that is done by default.
Go to help, in the ToC, go to Understanding the Email Pipeline -> Work Queue / Routing -> Quarantines
You'll find this:
You can filter incoming or outgoing messages and place them into quarantines. Quarantines are special queues or repositories used to hold and process messages. Messages in quarantines can be delivered or deleted, based on how you configure the quarantine.
The following Work Queue features can send messages to quarantines:
• File Analysis (Advanced Malware Protection)
Messages delivered from quarantines are re-scanned for threats.
06-10-2016 02:11 AM
03-03-2020 08:18 AM
I think this is a *massive* security concern. Let's say a spam arrives that contains some kind of zero-day or not yet known virus. The mail is sent to the spam quarantine, undetected by the AV scanner. Now the mail sits in the Quarantine for a couple of days and in the meantime AV vendors release an update to their patterns that would detect the virus contained in the quarantined spam. User releases spam mail after a couple of days, and it's not scanned for viruses again?
What, really? Cisco, that must be some kind of bad attempt at satire, I hope?
Please register this as a serious bug.
03-03-2020 09:53 AM
Hi,
You understood it wrong, there is no security flaw, and it worked like this when the product was Ironport, not Cisco; if the e-mail is positively identified as SPAM, before it is quarantined it goes through the virus check as well. Look at the work queue:
Regards,
Cristian Matei.
03-03-2020 10:26 AM
@Cristian Matei wrote:
Hi,
You understood it wrong, there is no security flaw, and it worked like this when the product was Ironport, not Cisco; if the e-mail is positively identified as SPAM, before it is quarantined it goes through the virus check as well. Look at the work queue:
No, I did not understand it wrong. You did not understand what I said. Please read again.
The concern is that when a mail contains a virus that is NOT YET known by Sophos / McAfee and is quarantined to Spam, then when it's released it is not scanned again, even though Sophos or McAfee might have updated their signatures in the meantime.
- Mail contains virus
- AV scanner does not know the virus yet
- mail gets quarantined to spam
- one day later, AV scanner knows the virus
- 6 days later, user releases mail from quarantine
- mail is not re-scanned, even though AV knows the virus now
- user gets infected
- big fat security flaw, end of story.
This needs to be addressed ASAP.
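The timeline in the post above, replayed as an added example that is not Cisco's or the ESA's own code: a small Python model of the work queue ordering the thread describes (anti-spam verdict, then anti-virus, then quarantine or delivery), with a signature database that is updated while the message sits in quarantine. It runs the same release under two policies, the "straight to the destination queue" behaviour quoted from the user guide and a hypothetical rescan-on-release, and returns the final verdict for each. The `rescan_on_release` flag, the spam threshold, the message IDs and the attachment hashes are constructed assumptions; the appliance's configurable anti-virus actions are not modelled.

```python
"""Toy model of a spam-quarantine work queue, used to show why re-scanning a
released message matters when signatures change while it is held.
Constructed example, not ESA code; all message data below is made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: str
    attachment_hash: str  # constructed stand-in for whatever the AV engine keys on
    spam_score: float     # constructed anti-spam score; higher means more spammy


class SignatureDB:
    """Anti-virus signature set that grows as the vendor ships updates."""

    def __init__(self, known_bad):
        self.version = 1
        self.known_bad = set(known_bad)

    def update(self, new_hashes):
        self.version += 1
        self.known_bad |= set(new_hashes)

    def is_malicious(self, msg):
        return msg.attachment_hash in self.known_bad


class WorkQueue:
    """Ordering follows the thread: anti-spam, then anti-virus, then quarantine
    or delivery. `rescan_on_release` is the policy the thread argues about."""

    SPAM_THRESHOLD = 90.0  # constructed "positively identified spam" cut-off

    def __init__(self, sigdb, rescan_on_release):
        self.sigdb = sigdb
        self.rescan_on_release = rescan_on_release
        self.quarantine = {}
        self.delivered = []
        self.dropped = []
        self.log = []

    def receive(self, msg):
        """Inbound path: AV runs before the quarantine decision, as stated above."""
        if self.sigdb.is_malicious(msg):
            self.dropped.append(msg.msg_id)
            self.log.append(f"{msg.msg_id}: AV hit on arrival (sig v{self.sigdb.version}), dropped")
            return "dropped"
        if msg.spam_score >= self.SPAM_THRESHOLD:
            self.quarantine[msg.msg_id] = msg
            self.log.append(f"{msg.msg_id}: spam, AV clean at sig v{self.sigdb.version}, quarantined")
            return "quarantined"
        self.delivered.append(msg.msg_id)
        self.log.append(f"{msg.msg_id}: clean, delivered")
        return "delivered"

    def release(self, msg_id):
        """Release path: with rescan_on_release=False the message goes straight to
        the destination queue, which is the behaviour quoted from the user guide."""
        msg = self.quarantine.pop(msg_id)
        if self.rescan_on_release and self.sigdb.is_malicious(msg):
            self.dropped.append(msg_id)
            self.log.append(f"{msg_id}: AV hit on release (sig v{self.sigdb.version}), dropped")
            return "dropped"
        self.delivered.append(msg_id)
        self.log.append(f"{msg_id}: released, delivered")
        return "delivered"


def simulate(rescan_on_release):
    """Replay the post's timeline: unknown sample quarantined on day 0, signature
    update on day 1, user release on day 6. Returns the final verdict."""
    sigdb = SignatureDB(known_bad={"hash-of-old-known-malware"})  # constructed
    wq = WorkQueue(sigdb, rescan_on_release)
    spam = Message("msg-42", attachment_hash="hash-of-new-sample", spam_score=97.5)  # constructed
    if wq.receive(spam) != "quarantined":         # day 0: AV does not know the sample yet
        raise RuntimeError("expected the message to be quarantined")
    sigdb.update({"hash-of-new-sample"})          # day 1: vendor signature update
    return wq.release("msg-42")                   # day 6: user releases from quarantine


if __name__ == "__main__":
    for policy in (False, True):
        print(f"rescan_on_release={policy}: {simulate(policy)}")
```

Running it prints `delivered` for the skip-rescan policy and `dropped` for rescan-on-release, which is exactly the gap the post describes: the arrival-time scan (which the model does perform before quarantining, as Cristian says) is only as good as the signatures at that moment, so the detection question is what happens at release time, not whether AV ran on the way in.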
03-04-2020 01:17 AM
03-04-2020 02:52 AM
Thanks Prathman. Could you please raise the severity of this bug? It's currently classified as enhancement, which is not enough. This should be treated as a serious flaw in the design that needs to be resolved ASAP.
03-04-2020 03:01 AM
05-19-2020 04:00 AM
Hi @ppreenja - any updates on this? We consider this a bug and a security issue.