Virus scan message upon release from spam quarantine?

WHindriks
Level 1

Quick question: Can the ESA be configured to virus-scan e-mails which are released from the spam quarantine?

1 Accepted Solution


Hi,

From the Async OS User guide

Released messages from the spam quarantine proceed directly to the destination queue, skipping any further work queue processing in the email pipeline.

Also mentioned in the below article

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118286-technote-csa-00.html

Although this should not be required, as an email destined for the spam quarantine is scanned by the anti-virus engine. The released email hence is not scanned again.

For a positively identified spam, the email is tagged to be delivered to the spam quarantine; however, the email would continue the rest of the work queue processing (anti-virus, content filters, etc.) and the email is delivered to the spam quarantine only at the end of the work queue.

Hope the above information helps.

Regards

Libin


10 Replies

Per the help docs, that is done by default.

Go to help, in the ToC, go to Understanding the Email Pipeline -> Work Queue / Routing -> Quarantines

You'll find this:

Quarantines

You can filter incoming or outgoing messages and place them into quarantines. Quarantines are special queues or repositories used to hold and process messages. Messages in quarantines can be delivered or deleted, based on how you configure the quarantine.

The following Work Queue features can send messages to quarantines:

 • Spam filters

 • Message Filters

 • Anti-Virus

 • Outbreak Filters

 • Content Filters

 • File Analysis (Advanced Malware Protection)

Messages delivered from quarantines are re-scanned for threats.

If the mail is scanned by antivirus upon release from the spam quarantine, shouldn't that show in the logs?


I think this is a *massive* security concern. Let's say a spam arrives that contains some kind of zero-day or not yet known virus. The mail is sent to the spam quarantine, undetected by the AV scanner. Now the mail sits in the Quarantine for a couple of days and in the meantime AV vendors release an update to their patterns that would detect the virus contained in the quarantined spam. User releases spam mail after a couple of days, and it's not scanned for viruses again?

 

What, really? Cisco, that must be some kind of bad attempt at satire, I hope?

 

Please register this as a serious bug. 

Hi,

 

You understood it wrong, there is no security flaw, and it worked like this when the product was IronPort, not Cisco; if the e-mail is positively identified as SPAM, before it is quarantined it goes through the virus check as well. Look at the work queue:

 

https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-0/user_guide/b_ESA_Admin_Guide_13-0/b_ESA_Admin_Guide_12_1_chapter_011.html

 

Regards,

Cristian Matei.


@Cristian Matei wrote:

Hi,

 

You understood it wrong, there is no security flaw, and it worked like this when the product was IronPort, not Cisco; if the e-mail is positively identified as SPAM, before it is quarantined it goes through the virus check as well. Look at the work queue:


No, I did not understand it wrong. You did not understand what I said. Please read again.

 

The concern is that when a mail contains a virus that is NOT YET known by Sophos / McAfee and is quarantined to Spam, then when it's released it is not scanned again, even though Sophos or McAfee might have updated their signatures in the meantime. 

 

- Mail contains virus

- AV scanner does not know the virus yet

- mail gets quarantined to spam

- one day later, AV scanner knows the virus

- 6 days later, user releases mail from quarantine

- mail is not re-scanned, even though AV knows the virus now

- user gets infected

- big fat security flaw, end of story. 

 

This needs to be addressed ASAP. 
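As an added illustration of the timeline above (this is a constructed model written for this thread, not Cisco ESA code, and the signature sets, message and days are made up), the following Python contrasts the documented release behaviour with a rescan-on-release policy that would close the window the poster describes:

```python
from dataclasses import dataclass


@dataclass
class AvEngine:
    """Toy anti-virus engine: a set of known substrings plus a version counter."""
    signatures: frozenset = frozenset()
    version: int = 0

    def update(self, new_sigs):
        # Vendor pattern update: more signatures, bumped version.
        self.signatures = self.signatures | frozenset(new_sigs)
        self.version += 1

    def scan(self, body):
        return any(sig in body for sig in self.signatures)


@dataclass
class QuarantinedMessage:
    msg_id: str
    body: str
    scanned_version: int  # engine version in force when the message was scanned


def quarantine(msg_id, body, engine):
    """A spam-positive message still traverses anti-virus before it is quarantined."""
    if engine.scan(body):
        raise ValueError("caught at quarantine time; would not reach the spam quarantine")
    return QuarantinedMessage(msg_id, body, scanned_version=engine.version)


def release_as_documented(msg, engine):
    """Documented behaviour: release goes straight to the destination queue, no rescan."""
    return {"delivered": True, "rescanned": False, "now_detectable": engine.scan(msg.body)}


def release_with_rescan(msg, engine):
    """Mitigating policy: rescan on release if signatures changed since the first scan."""
    if engine.version == msg.scanned_version:
        return {"delivered": True, "rescanned": False, "now_detectable": False}
    infected = engine.scan(msg.body)
    return {"delivered": not infected, "rescanned": True, "now_detectable": infected}


def simulate():
    engine = AvEngine()
    engine.update({"KNOWN-BAD-PATTERN-1"})  # day 0: constructed signature set
    msg = quarantine("m1", "Subject: invoice\nNOVEL-PAYLOAD", engine)  # not yet detected
    engine.update({"NOVEL-PAYLOAD"})  # day 1: vendor ships a signature for it
    return release_as_documented(msg, engine), release_with_rescan(msg, engine)
```

`simulate()` returns the outcome of a day-6 release under each policy: the documented path delivers a message the engine could now detect, while the rescan path blocks it.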

 

Hi,

The enhancement request below must be able to address your query:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf90623

I hope it answers your requirement.

Cheers,
Pratham

Thanks Pratham. Could you please raise the severity of this bug? It's currently classified as an enhancement, which is not enough. This should be treated as a serious flaw in the design that needs to be resolved ASAP.

Hi,

I'll try to get in touch with the backend teams and see if the severity can be increased to have a solution at the earliest.

Cheers,
Pratham

Hi @ppreenja - any updates on this? We consider this a bug and a security issue. 
