Cisco Bug: CSCvu74467 - Feature to get Message unscannable condition in content filter

Last Modified

Jul 30, 2020

Products (1)

  • Cisco Email Security Appliance

Known Affected Releases

11.0.0-274

Description (partial)

Symptom:
In the Global scan behaviour settings, when the option "Assume the attachment matches the search pattern" is set to yes, a message that has attachments that were not scanned for any reason by the Email Security Appliance (ESA) causes the message filter or content filter rule to evaluate as "true" on a random content filter. The current solution and workaround from Cisco is to set "Assume attachment matches pattern if not scanned for any reason" to "no". But changing that setting changes the security posture, as it is now going to let emails through that have not passed all the security checks. Furthermore, there is no way to whitelist specific senders/recipients where these emails are being incorrectly triggered.
This scan behaviour should be implemented as a content filter (i.e. Message Unscannable); this way we would be able to use the mail policy to whitelist certain senders/recipients for problem emails that are legitimate, but also be able to quarantine any messages that are unscannable as a default.

This would also make troubleshooting easier as it will not match random content filters, but match the one that is configured for unscannable messages.

Conditions:
Currently the scan behaviour option "Assume the attachment matches the search pattern" is set to yes. This is for security requirement reasons. But we are getting repeatable results where legitimate emails are getting quarantined. Furthermore, when trying to whitelist encrypted or corrupt email attachments, the whitelist cannot be implemented, as the scan behaviour now does not trigger on attach-protected or attach-corrupt but triggers on a random content filter.

Impact to the business is that we are unable to whitelist legitimate email that gets caught by this behaviour. Hence clients cannot get legitimate emails, and it is causing excessive load on our release team to keep up with the requests.
Troubleshooting this issue is impossible as there is no indication that the email was quarantined due to scan behaviour. The logs we get state it was quarantined due to the content filter it randomly decided to match.
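The following is an added model, written for this page rather than taken from Cisco or AsyncOS, of the interaction the report describes: under the "assume the attachment matches" setting every attachment-content condition fires on an unscannable attachment, so whichever such filter is evaluated first takes the action and is what the logs name; with the setting off, the unscanned attachment is silently skipped; and with a dedicated unscannable condition applied through mail policy, the quarantine names the real reason and trusted senders can be exempted. Filter names, patterns, senders, the per-policy filter lists and the first-match evaluation order are all assumptions of the model, not ESA behaviour.

```python
"""Constructed model of the ESA global scan behaviour setting versus a
dedicated unscannable-attachment condition. Illustration only, not AsyncOS
code; every name, pattern and policy here is invented for the example."""
from dataclasses import dataclass

UNSCANNABLE = None  # stands for an attachment the engine could not open (encrypted/corrupt)


@dataclass
class Message:
    sender: str
    attachments: list  # extracted attachment text, or UNSCANNABLE


@dataclass
class ContentFilter:
    name: str
    condition: str  # "attachment-contains" or "attachment-unscannable"
    pattern: str = ""
    action: str = "quarantine"


def attachment_contains(msg: Message, pattern: str, assume_match: bool) -> bool:
    """Attachment-content condition as affected by the global scan behaviour setting."""
    for text in msg.attachments:
        if text is UNSCANNABLE:
            if assume_match:  # setting "yes": an unscanned attachment counts as a hit
                return True
            continue  # setting "no": the unscanned attachment is skipped without any check
        if pattern in text:
            return True
    return False


def attachment_unscannable(msg: Message) -> bool:
    """The dedicated condition the report asks for: true only when something was not scanned."""
    return any(text is UNSCANNABLE for text in msg.attachments)


def evaluate(msg: Message, filters: list, assume_match: bool) -> tuple:
    """Run filters in order; the first match decides (modelling assumption).
    Returns (action, name of the filter that matched) so the 'log line' is visible."""
    for f in filters:
        if f.condition == "attachment-contains":
            hit = attachment_contains(msg, f.pattern, assume_match)
        elif f.condition == "attachment-unscannable":
            hit = attachment_unscannable(msg)
        else:
            raise ValueError(f"unknown condition {f.condition!r}")
        if hit:
            return f.action, f.name
    return "deliver", None


# Two unrelated attachment-content filters, as a site might have them today (invented).
CURRENT_FILTERS = [
    ContentFilter("invoice_fraud", "attachment-contains", "wire transfer"),
    ContentFilter("pii_leak", "attachment-contains", "SSN"),
]

# Proposed layout: one filter that names the real reason, applied per mail policy.
UNSCANNABLE_FILTER = ContentFilter("unscannable_attachment", "attachment-unscannable")
TRUSTED_PARTNERS = {"billing@partner.example"}  # constructed allowlist held by a mail policy


def policy_filters(sender: str) -> list:
    """Mail-policy selection: trusted partners skip the unscannable quarantine; others get it first."""
    if sender in TRUSTED_PARTNERS:
        return CURRENT_FILTERS
    return [UNSCANNABLE_FILTER] + CURRENT_FILTERS


def scenario(assume_match: bool, sender: str, proposed: bool) -> tuple:
    """An encrypted attachment nobody can scan, run through today's layout or the proposed one."""
    msg = Message(sender, [UNSCANNABLE])
    filters = policy_filters(sender) if proposed else CURRENT_FILTERS
    return evaluate(msg, filters, assume_match)


if __name__ == "__main__":
    print(scenario(True, "billing@partner.example", False))   # ('quarantine', 'invoice_fraud'): misleading log
    print(scenario(False, "billing@partner.example", False))  # ('deliver', None): passed with no check at all
    print(scenario(False, "billing@partner.example", True))   # ('deliver', None): exempted by policy
    print(scenario(False, "stranger@example.net", True))      # ('quarantine', 'unscannable_attachment')
```

The first two runs are the two settings the report contrasts: with "yes" the partner's encrypted invoice is quarantined and the logs blame "invoice_fraud", with "no" it is delivered without any scan having succeeded. The last two show why a dedicated condition is the cleaner design: the quarantine reason is unambiguous, and the exemption is a per-policy decision rather than a global change to how every attachment filter behaves.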