This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Attachment Quarantine

I have a question about how the appliance handles attachments and haven't been able to get a good answer from the documentation.

I had a user ask recently about an email that was quarantined with an attachment. I released the message, but the attachment was not there. I checked the quarantine again and it's gone now.

I am using the default rule, 'SophosLabs Suspect Attachments' for dealing with attachments, I have it set to 'Quarantine and Continue'. Did the device just drop the attachment when it was quarantined? If so, is there a way to change this behavior so the attachment can be recovered? If it is still there, how do I get it to the user?

Thank you for your help.

:57168


This thread was automatically locked due to age.
  • Hi Okrobpr

    The appliance uses true file type detection and does not care what they are called or what content is contained within them.

    there are a few different type of files you can create rules for.

    Unscannable - some portion of the file is not scannable or corrupted in some way.
    Encrypted - some portion of the file contains information that is encrypted
    Suspect - Files that do not match their final extension name (or that have more then one extension/period)

    Examples:
    a file with a corrupted byte may be un-scannable
    a password protected zip is encrypted
    a .txt file that is renamed to a .doc file is suspect

    These rules apply to all files contained within the actual file as well. Here are a couple of samples.

    pmx_load.txt:
    extensions:
    .txt
    filetypes:
    Plain text/ASCII/UTF-8

    This file contains a single text file with nothing out of the ordinary.

    script.sh:
    extensions:
    .exe
    .txt
    filetypes:
    Executable/ELF
    Plain text/ASCII/UTF-8
    mime types:
    application/octet-stream
    application/x-elf

    In this case this script file contains binary executable information, so it is seen as both a .exe file as well as .txt file.

    pmx-qdir-20150316T155046.tar.gz:
    extensions:
    .eml
    .gz
    .tar
    .tgz
    .txt
    filetypes:
    Archive/GZIP
    Archive/TAR
    Mail/MIME email message
    Plain text/ASCII/UTF-8
    mime types:
    application/x-gzip
    application/x-tar

    This is a compressed gzip.tar file that contains an email . so it shows up as several files as well as text and an .eml or email file.

    There are many other examples of files I could list, however when you create a rule based on one particular type you must also consider that the document may have other file types you may not wish to block.

    For example:

    A pdf file may contain pictures and text and other elements, so if you have a rule to quarantine all .jpg files its possible this file type may trigger.

    Unfortunately sometimes troubleshooting attachment issues can be tough, as good rule of thumb use the search tool to locate the email and check what "hits" or rules triggered on the email. You may find the best solution is to exclude the recipient from that particular rule or that perhaps the rule is triggering on rules like the Suspect attachments (for example an automated PDF machine may automatically name files like test.pdf.from.shipping.pdf this is will automaticity trigger that rule.

    In regards to drop file and continue, this option will discard the file and send the email to the user, where as quarantine file and continue will do the same but hold the file in the quarantine for up to 30 days.

    There is only a maximum time things are kept in quarantine, not a minimum. So when the quarantine runs out of space it will delete the oldest messages first, including attachments. If you wish to keep files or quarantine longer you will need to configure the backup options to export the quarantine.