Attachment Quarantine

Question

I have a question about how the appliance handles attachments and haven't been able to get a good answer from the documentation.

I had a user ask recently about an email that was quarantined with an attachment. I released the message, but the attachment was not there. I checked the quarantine again and it's gone now.

I am using the default rule, 'SophosLabs Suspect Attachments' for dealing with attachments, I have it set to 'Quarantine and Continue'. Did the device just drop the attachment when it was quarantined? If so, is there a way to change this behavior so the attachment can be recovered? If it is still there, how do I get it to the user?

Thank you for your help.

This thread was automatically locked due to age.

Red_Warrior · Accepted Answer

Hi Okrobpr 
 
The appliance uses true file type detection and does not care what they are called or what content is contained within them. 
 
there are a few different type of files you can create rules for. 
 
Unscannable - some portion of the file is not scannable or corrupted in some way. 
Encrypted - some portion of the file contains information that is encrypted 
Suspect - Files that do not match their final extension name (or that have more then one extension/period) 
 
Examples: 
a file with a corrupted byte may be un-scannable 
a password protected zip is encrypted 
a .txt file that is renamed to a .doc file is suspect 
 
These rules apply to all files contained within the actual file as well. Here are a couple of samples. 
 
pmx_load.txt: 
	extensions: 
 .txt 
	filetypes: 
 Plain text/ASCII/UTF-8 
 
This file contains a single text file with nothing out of the ordinary. 
 
script.sh: 
	extensions: 
 .exe 
 .txt 
	filetypes: 
 Executable/ELF 
 Plain text/ASCII/UTF-8 
	mime types: 
 application/octet-stream 
 application/x-elf 
 
In this case this script file contains binary executable information, so it is seen as both a .exe file as well as .txt file. 
 
pmx-qdir-20150316T155046.tar.gz: 
	extensions: 
 .eml 
 .gz 
 .tar 
 .tgz 
 .txt 
	filetypes: 
 Archive/GZIP 
 Archive/TAR 
 Mail/MIME email message 
 Plain text/ASCII/UTF-8 
	mime types: 
 application/x-gzip 
 application/x-tar 
 
This is a compressed gzip.tar file that contains an email . so it shows up as several files as well as text and an .eml or email file. 
 
There are many other examples of files I could list, however when you create a rule based on one particular type you must also consider that the document may have other file types you may not wish to block. 
 
For example: 
 
A pdf file may contain pictures and text and other elements, so if you have a rule to quarantine all .jpg files its possible this file type may trigger. 
 
Unfortunately sometimes troubleshooting attachment issues can be tough, as good rule of thumb use the search tool to locate the email and check what "hits" or rules triggered on the email. You may find the best solution is to exclude the recipient from that particular rule or that perhaps the rule is triggering on rules like the Suspect attachments (for example an automated PDF machine may automatically name files like test.pdf.from.shipping.pdf this is will automaticity trigger that rule. 
 
In regards to drop file and continue, this option will discard the file and send the email to the user, where as quarantine file and continue will do the same but hold the file in the quarantine for up to 30 days. 
 
There is only a maximum time things are kept in quarantine, not a minimum. So when the quarantine runs out of space it will delete the oldest messages first, including attachments. If you wish to keep files or quarantine longer you will need to configure the backup options to export the quarantine.