Preview Tool

Cisco Bug: CSCvs24630 - Add different conditions/actions in content filter when McAfee/Sophos AV results are different

Last Modified

Dec 13, 2019

Products (1)

  • Cisco Email Security Appliance

Known Affected Releases


Description (partial)

Email containing "Ownerprotection" PDF coming in, McAfee is marking the file as encrypted and Sophos marking as clean. 

At AntiVirus Scan only one MessageHeader can be added, but with two A/V Scanners (McAfee&Sophos) there are sometimes two different results! But only one header to add...
Specially at write-protected PDF-files McAfee often mark the attachment as encrypted but it?s only write-protected not encrypted! --> Sophos scan the file because reading is allowed. So the result is clean.
The problem: Many different partner/customer are sending write-protected PDF, without encryption, but they are getting handled as encrypted and moved to quarantine. --> Every mail in quarantine have to be verified in detail by security team, where efforts are growing just due to write-protected files...

Currently content filter is having option that deal with "attachment protection" and gives condition either to identify a message contains a password protected file or not.

When there is the possibility to add a message header value depending on A/V Scanner (e.g. two different headers) There is the possibility to change the handling at content filters if the attachment is PDF and A/V result didn?t match, e.g. when a PDF is marked as Encrypted AND Clean -> Clean, then handle as Clean.
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.