Cisco Bug: CSCvs24630 - Add different conditions/actions in content filter when McAfee/Sophos AV results are different
Dec 13, 2019
- Cisco Email Security Appliance
Known Affected Releases
Symptom: Email containing an "Ownerprotection" PDF comes in; McAfee marks the file as encrypted and Sophos marks it as clean. At the AntiVirus scan only one message header can be added, but with two A/V scanners (McAfee and Sophos) there are sometimes two different results, and still only one header to add. Especially with write-protected PDF files, McAfee often marks the attachment as encrypted when it is only write-protected, not encrypted. Sophos scans the file because reading is allowed, so the result is clean.

The problem: Many different partners/customers send write-protected PDFs without encryption, but these are handled as encrypted and moved to quarantine. Every mail in quarantine has to be verified in detail by the security team, whose effort is growing just because of write-protected files.

Conditions: Currently the content filter has an option that deals with "attachment protection" and offers a condition to identify whether or not a message contains a password-protected file. If it were possible to add a message header value depending on the A/V scanner (e.g. two different headers), the handling could be changed in content filters when the attachment is a PDF and the A/V results did not match, e.g. when a PDF is marked as Encrypted AND Clean -> Clean, then handle as Clean.