I am fairly new to the IronPort email security appliances and was hoping someone could provide some guidance on how to accomplish the following. I need to configure exporting, or provide access so that our security team can directly export, messages from the virus/malware quarantine for offline analysis. Can this be accomplished, and if so, how? Is there a way to zip or encrypt messages in the quarantine and have them released to a specific mailbox account which our security team owns?
There are a couple of methods by which you can get a copy of messages; however, there is no way to zip or encrypt a message. You can open a TAC case and log a feature request for zipping or encrypting messages in quarantine.
To do this you would first need to modify your "anti spam policy" to add a custom header and deliver the message (instead of setting the action to quarantine).
1) Go under "Mail Policies" > Click the desired policy.
   Under "Positively-Identified Spam Settings" - "Apply This Action to Message", set the action to Deliver.
   Now click on "Advanced" and locate "Add Custom Header". Enter X-Ironport-Quarantine in the text field located on the right side of "Header:".
2) Next navigate to "Mail Policies" > "Incoming Content Filters". Click on "Add Filter ..." and create a filter with:
   Conditions - "Other Header" - "Header Name" X-Ironport-Quarantine - "Header exists"
   Action - "Send Copy (BCC)", enter the bcc address
Note: For the virus quarantine, a copy of a message can also be achieved by keeping the header the same or using a different one. In case of different headers, please add a second condition in the above content filter.
++ If you would like to copy all types of messages (positive, suspected), then the add headers option needs to be enabled under all Actions in AntiSpam and Antivirus in the incoming/outgoing mail policy.
How to have a copy of all released messages from IPAS quarantine? (only if you choose to release messages)
The quarantine has no option to add an email address for a bcc copy of the released message. The workaround is to save the configuration file on a local computer in order to open and edit it. In the configuration file, look for this tag under the Euq configuration:
The email address firstname.lastname@example.org, which is behind the quarantine option "Notify IronPort Upon Message Release", should be replaced. This email address can be replaced with any email address to which a copy of released messages should be sent. After saving the configuration and loading it back to the appliance, also make sure that "Notify IronPort Upon Message Release" is enabled in the spam quarantine's configuration in the GUI.
* The procedure described here should be used by customers who need to keep track of what is leaving their company, in terms of email messages.
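For the mailbox that receives the BCC copies, here is an added example (not part of the original posts and not Cisco code) of how an analyst could inventory attachments from the tagged messages without opening them. The second header name, the sample message and the function names are assumptions made for illustration.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

QUARANTINE_HEADER = "X-Ironport-Quarantine"      # header name from the steps above
VIRUS_HEADER = "X-Ironport-Virus-Quarantine"     # hypothetical second header (see the Note)


def triage(raw_messages, headers=(QUARANTINE_HEADER, VIRUS_HEADER)):
    """Return one record per attachment of every message carrying a tag header."""
    records = []
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        # "Header exists" semantics: an empty value still counts as tagged.
        tag = next((h for h in headers if msg[h] is not None), None)
        if tag is None:
            continue
        for part in msg.iter_attachments():
            # Bytes are only hashed and measured, never written out or executed.
            payload = part.get_payload(decode=True) or b""
            records.append({
                "tag": tag,
                "message_id": str(msg["Message-ID"]),
                "sender": str(msg["From"]),
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
    return records


def build_sample(tagged):
    """Constructed test message; not a real quarantined mail."""
    m = EmailMessage()
    m["From"] = "sender@example.net"
    m["To"] = "user@example.org"
    m["Message-ID"] = "<constructed-1@example.net>"
    if tagged:
        m[QUARANTINE_HEADER] = "true"
    m.set_content("constructed body")
    m.add_attachment(b"constructed sample bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.bin")
    return m.as_bytes()


if __name__ == "__main__":
    for rec in triage([build_sample(True), build_sample(False)]):
        print(rec)
```
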
A way to allow your security team to access the virus quarantine is to define a custom user role (system admin / user roles) where you can define a role that only allows access to specified quarantines, and then specify just the virus quarantine. Then you can define a new admin user (system admin / users) that only has that custom role. All that user can then do is manage the virus quarantine. From there the user can search and view the message content, and download any attachments for offline analysis.