Guest

Preview Tool

Cisco Bug: CSCvs24630 - Add different conditions/actions in content filter when McAfee/Sophos AV results are different

Last Modified

Dec 13, 2019

Products (1)

  • Cisco Email Security Appliance

Known Affected Releases

12.1-000

Description (partial)

Symptom:
Email containing "Ownerprotection" PDF coming in, McAfee is marking the file as encrypted and Sophos marking as clean. 

At AntiVirus Scan only one MessageHeader can be added, but with two A/V Scanners (McAfee&Sophos) there are sometimes two different results! But only one header to add...
Specially at write-protected PDF-files McAfee often mark the attachment as encrypted but it?s only write-protected not encrypted! --> Sophos scan the file because reading is allowed. So the result is clean.
The problem: Many different partner/customer are sending write-protected PDF, without encryption, but they are getting handled as encrypted and moved to quarantine. --> Every mail in quarantine have to be verified in detail by security team, where efforts are growing just due to write-protected files...

Conditions:
Currently content filter is having option that deal with "attachment protection" and gives condition either to identify a message contains a password protected file or not.

When there is the possibility to add a message header value depending on A/V Scanner (e.g. two different headers) There is the possibility to change the handling at content filters if the attachment is PDF and A/V result didn?t match, e.g. when a PDF is marked as Encrypted AND Clean -> Clean, then handle as Clean.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.