Release specific messages from quarantine

soccerfan811
Level 1

Hello All,

I am fairly new to the IronPort email security appliances and was hoping someone could provide some guidance on how to accomplish the following. I need to configure exporting or providing access to our security team to directly export messages from the virus/malware quarantine for offline analysis. Can this be accomplished, and if so, how? Is there a way to zip or encrypt messages in the quarantine and have them released to a specific mailbox account which our security team owns?

Thanks for the help in advance. 

2 Replies

Nasir Abbas
Cisco Employee

Hi,

There are a couple of methods by which you can get a copy of messages; however, there is no way to zip or encrypt messages. You can open a TAC case and log a feature request for zipping or encrypting messages in quarantine.

Option 1:

To do this you would first need to modify your "anti spam policy" to add a custom header and deliver the message (instead of setting the action to quarantine).

Steps:

1) Go under
"Mail Policies" > Click the desired policy
Under "Positively-Identified Spam Settings" - "Apply This Action to Message" set action to Deliver

Now click on "Advanced" and locate "Add Custom Header".
Enter X-Ironport-Quarantine in the text field located on the right side of "Header:"

Submit changes

2) Next navigate to
"Mail Policies" > "Incoming Content Filters"
Click on "Add Filter ..." and create a filter with
Conditions - "Other Header" - "Header Name" X-Ironport-Quarantine - "Header exists"
Action - "Send Copy (BCC)" enter the bcc address

Note: For the virus quarantine, a copy of a message can also be achieved by keeping the header the same or using a different one. In the case of different headers, please add a second condition to the above content filter.

++ If you would like to copy all types of messages (positive, suspected), then the add headers option needs to be enabled under all actions in Anti-Spam and Anti-Virus in the incoming/outgoing mail policy.

Option 2

How to have a copy of all released messages from the IPAS quarantine? (only if you choose to release messages)

The quarantine has no option to add an email address for a bcc copy of the released message. The workaround is to save the configuration file on a local computer in order to open and edit it. In the configuration file, look for this tag under the Euq configuration:

    <euq_to_corpus_addr>isq_released_ham@access.ironport.com</euq_to_corpus_addr>

This email address, which is behind the quarantine option "Notify IronPort Upon Message Release", can be replaced with any email address to which a copy of released messages should be sent. After saving the configuration and loading it back to the appliance, also make sure "Notify IronPort Upon Message Release" is enabled in the spam quarantine's configuration on the GUI.

* The procedure described here should be used by customers who need to keep track of what is leaving their company, in terms of email messages.

Hope that information helps.


Thanks

Nasir
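The manual edit in Option 2 (save the configuration, change the address inside `<euq_to_corpus_addr>`, load it back) is easy to get wrong in a large XML file. The script below is an added example, not from this thread or from Cisco: it parses the exported configuration, insists on finding exactly one `euq_to_corpus_addr` element, checks that the replacement is a single well-formed mailbox, and writes the updated document. Only the tag name and the original `isq_released_ham@access.ironport.com` value come from the thread; the surrounding `<config>`/`<euq>` elements in the sample are constructed for the demo and are not the real configuration layout.

```python
"""Retarget the release-copy address in an exported ESA configuration.

Added example (not the thread's or Cisco's own code). Assumption: the
exported configuration is XML containing exactly one <euq_to_corpus_addr>
element, as the thread describes. Everything else about the layout is
constructed here for demonstration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample config: only the tag name and its default value are
# taken from the thread; the wrapper elements are made up for this demo.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
  <euq>
    <euq_enabled>1</euq_enabled>
    <euq_to_corpus_addr>isq_released_ham@access.ironport.com</euq_to_corpus_addr>
  </euq>
</config>
"""

TAG = "euq_to_corpus_addr"
DEFAULT_ADDR = "isq_released_ham@access.ironport.com"
# Deliberately strict: one bare mailbox, no display name, no comma lists,
# so a typo cannot silently route release copies somewhere unexpected.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def find_corpus_addr(root: ET.Element) -> ET.Element:
    """Return the single <euq_to_corpus_addr> element, or raise if it is
    missing or appears more than once (we never guess which one to edit)."""
    hits = root.findall(f".//{TAG}")
    if len(hits) != 1:
        raise ValueError(f"expected exactly one <{TAG}> element, found {len(hits)}")
    return hits[0]


def current_release_copy_addr(config_xml: str) -> str:
    """Read back the address currently configured for release copies."""
    root = ET.fromstring(config_xml)
    return (find_corpus_addr(root).text or "").strip()


def retarget_release_copy(config_xml: str, new_addr: str) -> str:
    """Return the configuration with release copies sent to new_addr."""
    if not ADDR_RE.match(new_addr):
        raise ValueError(f"refusing to write malformed address: {new_addr!r}")
    root = ET.fromstring(config_xml)
    elem = find_corpus_addr(root)
    current = (elem.text or "").strip()
    if current != DEFAULT_ADDR:
        # Someone already changed it; say so rather than clobber silently.
        print(f"note: current value is {current!r}, not the default")
    elem.text = new_addr
    # ElementTree drops the XML declaration on serialisation; put it back so
    # the file still starts the way the appliance exported it.
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Hypothetical security-team mailbox; replace with your own.
    print(retarget_release_copy(SAMPLE_CONFIG, "quarantine-copies@example.com"))
```

Run it against a saved copy of the real configuration rather than the sample, diff the output against the original before loading it back (ElementTree does not preserve XML comments or attribute order), and remember that the copy is only sent when "Notify IronPort Upon Message Release" is enabled, as the reply above notes.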

David Miller
Level 1

A way to allow your security team to access the virus quarantine is to define a custom user role (System Administration / User Roles) where you can define a role that only allows access to specified quarantines, and then specify just the virus quarantine. Then you can define a new admin user (System Administration / Users) that only has that custom role. All that user can then do is manage the virus quarantine. From there the user can search and view the message content, and download any attachments for offline analysis.