Attachment Quarantine

Hi Okrobpr

The appliance uses true file type detection and does not care what they are called or what content is contained within them.

there are a few different type of files you can create rules for.

Unscannable - some portion of the file is not scannable or corrupted in some way.
Encrypted - some portion of the file contains information that is encrypted
Suspect - Files that do not match their final extension name (or that have more then one extension/period)

Examples:
a file with a corrupted byte may be un-scannable
a password protected zip is encrypted
a .txt file that is renamed to a .doc file is suspect

These rules apply to all files contained within the actual file as well. Here are a couple of samples.

pmx_load.txt:
extensions:
.txt
filetypes:
Plain text/ASCII/UTF-8

This file contains a single text file with nothing out of the ordinary.

script.sh:
extensions:
.exe
.txt
filetypes:
Executable/ELF
Plain text/ASCII/UTF-8
mime types:
application/octet-stream
application/x-elf

In this case this script file contains binary executable information, so it is seen as both a .exe file as well as .txt file.

pmx-qdir-20150316T155046.tar.gz:
extensions:
.eml
.gz
.tar
.tgz
.txt
filetypes:
Archive/GZIP
Archive/TAR
Mail/MIME email message
Plain text/ASCII/UTF-8
mime types:
application/x-gzip
application/x-tar

This is a compressed gzip.tar file that contains an email . so it shows up as several files as well as text and an .eml or email file.

There are many other examples of files I could list, however when you create a rule based on one particular type you must also consider that the document may have other file types you may not wish to block.

For example:

A pdf file may contain pictures and text and other elements, so if you have a rule to quarantine all .jpg files its possible this file type may trigger.

Unfortunately sometimes troubleshooting attachment issues can be tough, as good rule of thumb use the search tool to locate the email and check what "hits" or rules triggered on the email. You may find the best solution is to exclude the recipient from that particular rule or that perhaps the rule is triggering on rules like the Suspect attachments (for example an automated PDF machine may automatically name files like test.pdf.from.shipping.pdf this is will automaticity trigger that rule.

In regards to drop file and continue, this option will discard the file and send the email to the user, where as quarantine file and continue will do the same but hold the file in the quarantine for up to 30 days.

There is only a maximum time things are kept in quarantine, not a minimum. So when the quarantine runs out of space it will delete the oldest messages first, including attachments. If you wish to keep files or quarantine longer you will need to configure the backup options to export the quarantine.

Hi Okrobpr

The appliance uses true file type detection and does not care what they are called or what content is contained within them.

there are a few different type of files you can create rules for.

Unscannable - some portion of the file is not scannable or corrupted in some way.
Encrypted - some portion of the file contains information that is encrypted
Suspect - Files that do not match their final extension name (or that have more then one extension/period)

Examples:
a file with a corrupted byte may be un-scannable
a password protected zip is encrypted
a .txt file that is renamed to a .doc file is suspect

These rules apply to all files contained within the actual file as well. Here are a couple of samples.

pmx_load.txt:
extensions:
.txt
filetypes:
Plain text/ASCII/UTF-8

This file contains a single text file with nothing out of the ordinary.

script.sh:
extensions:
.exe
.txt
filetypes:
Executable/ELF
Plain text/ASCII/UTF-8
mime types:
application/octet-stream
application/x-elf

In this case this script file contains binary executable information, so it is seen as both a .exe file as well as .txt file.

pmx-qdir-20150316T155046.tar.gz:
extensions:
.eml
.gz
.tar
.tgz
.txt
filetypes:
Archive/GZIP
Archive/TAR
Mail/MIME email message
Plain text/ASCII/UTF-8
mime types:
application/x-gzip
application/x-tar

This is a compressed gzip.tar file that contains an email . so it shows up as several files as well as text and an .eml or email file.

There are many other examples of files I could list, however when you create a rule based on one particular type you must also consider that the document may have other file types you may not wish to block.

For example:

A pdf file may contain pictures and text and other elements, so if you have a rule to quarantine all .jpg files its possible this file type may trigger.

Unfortunately sometimes troubleshooting attachment issues can be tough, as good rule of thumb use the search tool to locate the email and check what "hits" or rules triggered on the email. You may find the best solution is to exclude the recipient from that particular rule or that perhaps the rule is triggering on rules like the Suspect attachments (for example an automated PDF machine may automatically name files like test.pdf.from.shipping.pdf this is will automaticity trigger that rule.

In regards to drop file and continue, this option will discard the file and send the email to the user, where as quarantine file and continue will do the same but hold the file in the quarantine for up to 30 days.

There is only a maximum time things are kept in quarantine, not a minimum. So when the quarantine runs out of space it will delete the oldest messages first, including attachments. If you wish to keep files or quarantine longer you will need to configure the backup options to export the quarantine.