SMTP attachment analysis on Firepower

HQuest
Level 1

I have set up a lab with a fully licensed ASA+FP device in front of a TLS-enabled SMTP server. I created a rule to decrypt SSL traffic using the server's own certificate+key, for a set of TCP ports on this SMTP server's IP address. I also turned on file detection and SSL decryption on the ACL policies applied to the device. IPS/NAP policies are the default Balanced ones.

However, when I email the EICAR file to an account on this server, I have no records on FMC that this file went through. Since FMC records a malware entry when I download the EICAR file from a web server, I was expecting an entry to be recorded for the SMTP session as well.

Could anyone provide me with more info on this?

Last but not least, I fully understand the performance limitations and impact of such a scenario.

I'd appreciate any hints/guidance.

23 Replies

Marvin Rhoads
Hall of Fame

Are you seeing a connection event at all? If not, make sure the routing is via the ASA and that the ASA class-map / policy-map redirects the traffic to the module.

If so, then what does it show?

I do see all the connection events being logged whenever the remote server talks to my internal SMTP server, so routing does not seem to be an issue.

I can see on the connection events basically a confirmation that all my rules are applied and matched, however the mail client still receives the eicar file.

[Edit] attached a picture instead of a clunky table - easier on the eyes.

[Edit 2] It seems I forgot a few keywords in my OP. The file inspection does record a malware entry found during the HTTP transfer of the EICAR file, but not from an SMTP attachment. This makes a world of difference to my original question. I'm updating it accordingly to be clear should anyone else browse it.

I see the logic and would think it should all do as you originally intended.

This is a good question and I have sometimes wondered about the distinction myself - i.e., "If I have AMP for Networks on the FirePOWER device or module then why do I also need AMP licensing on an ESA?".

I'm moving this thread into the FirePOWER forum in hopes that one of the Cisco TAC staff who monitor that forum will chime in with an answer.

Hi Alexandre,

I've no idea why your sensor is not intercepting the malware, but if I were you I'd try to make things simple: have you tried to send the same attachment from a non-SSL-enabled mail server, in order to exclude decryption from the equation?

Hello Massimo.

Yes, I did. It does not change anything. See below for a plain SMTP session (no STARTTLS) output. And yet, FMC has the packets listed in the Connection Events, but no malware has been recorded by the Files dashboard.

3 10:36:30.00 INFO: Opening connection to (mx.example.com) port (25)
3 10:36:30.00 <-- 220 *****************************************************
3 10:36:30.00 --> ehlo me.com 
3 10:36:30.00 <-- 250-mx.example.com Hello netwin.netwinsite.com [198.1.73.205], pleased to meet you
3 10:36:30.00 <-- 250-ENHANCEDSTATUSCODES
3 10:36:30.00 <-- 250-PIPELINING
3 10:36:30.00 <-- 250-8BITMIME
3 10:36:30.00 <-- 250-SIZE
3 10:36:30.00 <-- 250-DSN
3 10:36:30.00 <-- 250-ETRN
3 10:36:30.00 <-- 250-AUTH DIGEST-MD5 CRAM-MD5
3 10:36:30.00 <-- 250-STARTTLS
3 10:36:30.00 <-- 250-XXXXXXXXA
3 10:36:30.00 <-- 250 XXXB
3 10:36:30.00 --> mail from:<hquest@example.com> 
3 10:36:30.00 <-- 250 2.1.0 <hquest@example.com>... Sender ok
3 10:36:30.00 --> rcpt to:<hquest@example.com> 
3 10:36:31.00 <-- 250 2.1.5 <hquest@example.com>... Recipient ok
3 10:36:31.00 --> DATA 
3 10:36:31.00 <-- 354 Enter mail, end with "." on a line by itself
3 10:36:31.00 --> From: hquest@example.com
3 10:36:31.00 --> To: hquest@example.com
3 10:36:31.00 --> x-test-header: Test message from http://reputation-email.com 
3 10:36:31.00 --> Mime-Version: 1.0 
3 10:36:31.00 --> Content-Type: application/octet-stream; 
3 10:36:31.00 --> Content-Disposition: attachment; filename="eicar.com"; 
3 10:36:31.00 --> Subject: Test message from reputation-email.com - EICAR test virus attached 
3 10:36:31.00 --> 
3 10:36:31.00 --> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* 
3 10:36:31.00 --> . 
3 10:36:31.00 <-- 250 2.0.0 v63FaU5D098202 Message accepted for delivery
3 10:36:31.00 --> quit 
3 10:36:31.00 <-- 221 2.0.0 mx.example.com closing connection
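As an added check on the mail-server side (example code written here, not from the thread or from Cisco), the Python below pulls the message out of an SMTP transcript in the log format posted above, undoes SMTP dot-stuffing, and flags any attachment part that carries the EICAR test string. That lets you confirm exactly what was transferred while the Firepower file events stay empty. The transcript is a constructed copy of the posted session; the function names are my own.

```python
import hashlib
import re
from email import message_from_string

# The 68-byte EICAR test string; the file on disk may carry trailing whitespace.
EICAR_SIGNATURE = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CLIENT_LINE = re.compile(r"^\S+ \S+ --> ?(.*)$")  # "<n> <time> --> <client line>"

# Constructed transcript, modelled on the session posted above (same log format).
SAMPLE_TRANSCRIPT = """\
3 10:36:31.00 --> DATA
3 10:36:31.00 <-- 354 Enter mail, end with "." on a line by itself
3 10:36:31.00 --> Content-Type: application/octet-stream;
3 10:36:31.00 --> Content-Disposition: attachment; filename="eicar.com";
3 10:36:31.00 -->
3 10:36:31.00 --> X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
3 10:36:31.00 --> .
"""

def extract_data_section(transcript: str) -> str:
    """Return the message the client sent between DATA and the lone '.' terminator."""
    lines, in_data = [], False
    for raw in transcript.splitlines():
        m = CLIENT_LINE.match(raw)
        if not m:                      # server replies and unrelated log lines
            continue
        line = m.group(1)
        if not in_data:
            in_data = line.strip().upper() == "DATA"
            continue
        if line.rstrip() == ".":
            break
        if line.startswith("."):       # undo SMTP dot-stuffing (RFC 5321 4.5.2)
            line = line[1:]
        lines.append(line)
    else:
        raise ValueError("no terminated DATA section in transcript")
    return "\n".join(lines) + "\n"

def scan_attachments(raw_message: str) -> list:
    """Hash every attachment part and flag those that carry the EICAR string."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""   # bytes as transferred
        findings.append({"filename": part.get_filename(),
                         "sha256": hashlib.sha256(payload).hexdigest(),
                         "is_eicar": payload.rstrip(b" \t\r\n") == EICAR_SIGNATURE})
    return findings
```

Run it as `scan_attachments(extract_data_section(SAMPLE_TRANSCRIPT))`; a hit means the EICAR file reached the server in the clear, so the gap is on the inspection side, not in the test message.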

Can you see the file transfer logged in Analysis/files/file events/table view?

Nope. I have a .jar file but not the SMTP attachments.

Sorry if I ask, but are you sure that the SMTP protocol is enabled in your file policy for the right direction?

I think so - see the Inspection policy and file inspection screen capture attachments. More specifically, SMTP is listed under the detailed rule.

That's the access policy; can you check the file policy also?

Sorry, I missed file policy in your previous post.

If the file policy is the same as the one applied to HTTP traffic, afaik it should work. Have you considered opening a TAC case?

What about rule 2?

That rule seems to match any kind of traffic; that way rules 3 and 4 should never be matched.

Have you tried disabling it?

Rule #2 is a monitor; it logs all traffic and moves down for the next rules to be processed. Rule #3 is HTTP/HTTPS traffic only, so SMTP moves down to the next rule. Earlier I posted another screen capture showing both the monitor and mail inspection rules being matched, so I'm pretty certain the rules are being parsed and processed; however, the attachment is not being detected/understood.

I will have a TAC case submitted and will update later with the outcome. Thanks anyway for your suggestions.

Well, so far good news and bad news.

The good news is, my rules are spot on for what I need.

The bad news is, TAC needs to research why FP is not finding the malware on SMTP traffic. And IMAP traffic. And POP3. Encrypted or not...

More to come.

Thanks again for all the suggestions.
