Cisco Email Security Appliance C680 User Guide

Cisco IronPort AsyncOS 7.6 for Email Daily Management Guide
OL-25138-01
Chapter 4      Quarantines
Working with Messages in System Quarantines
  • The GUI only shows the scheduled exit time from the quarantines to which the user has access. (For a given message, there is a separate exit time for each quarantine.)
  • The GUI will show whether the message is also stored in any other quarantines:
    Figure 4-11: Searching Quarantines
  • The user will not be told the names of the other quarantine(s) holding the message.
  • Releasing a message only affects the queues to which the user has access.
  • If the message is also queued in other quarantines not accessible to the user, the message will remain in quarantine, unchanged, until acted upon by users who have the required access to the remaining quarantines (or until it is released “normally” via early or normal expiration).
System Quarantines and Virus Scanning
Once a message has been released for delivery from all queues in which it has been quarantined, it will 
be rescanned for viruses and spam (assuming anti-virus and anti-spam are enabled on that mail policy) before 
it can be delivered. 
When a message is released from quarantine it is scanned for viruses and spam by the anti-virus and 
anti-spam engines (if anti-virus is enabled). If the verdict produced matches the verdict produced the 
previous time the message was processed, the message is not re-quarantined. Conversely, if the verdicts 
are different, the message could be sent to another quarantine.
The rationale is to prevent messages from looping back to the quarantine indefinitely. For example, 
suppose a message is encrypted and therefore sent to the Virus quarantine. If an administrator releases 
the message, the anti-virus engine still will not be able to decrypt it; however, the message should not 
be re-quarantined or a loop will be created and the message will never be released from the quarantine. 
Since the two verdicts are the same, the system bypasses the Virus quarantine the second time. 
System Quarantines and Alerts
An alert is sent whenever a quarantine reaches or passes 75% and 95% of its capacity. The check is 
performed when a message is placed in the quarantine. So, if adding a message to the Policy quarantine 
increases the size to or past 75% of the capacity specified, an alert is sent:
Warning: Quarantine "Policy" is 75% full
For more information about Alerts, see the “System Administration” chapter in the Cisco IronPort 
AsyncOS for Email Configuration Guide.
System Quarantines and Logging
AsyncOS individually logs all messages that are quarantined:
Info: MID 482 quarantined to "Policy" (message filter:policy_violation)
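
The following is an added example, not part of the Cisco guide: a log summarizer that counts quarantined messages per quarantine and reason, lists MIDs held in more than one quarantine (which must be released from each before delivery), and records the highest capacity alert seen. The patterns are modelled only on the two sample lines above; the 95% alert wording, the "Virus" entries and the extra filter name are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter

# Patterns modelled on the two sample lines shown in this section (assumed format).
QUARANTINED = re.compile(
    r'Info: MID (?P<mid>\d+) quarantined to "(?P<q>[^"]+)" \((?P<reason>[^)]*)\)')
CAPACITY = re.compile(r'Warning: Quarantine "(?P<q>[^"]+)" is (?P<pct>\d+)% full')

# Constructed sample input. Only the MID 482 "Policy" line and the 75% alert
# come from the guide; the other lines and filter names are invented.
SAMPLE_LOG = """\
Info: MID 482 quarantined to "Policy" (message filter:policy_violation)
Info: MID 483 quarantined to "Policy" (message filter:policy_violation)
Info: MID 484 quarantined to "Virus" (message filter:encrypted_attachment)
Info: MID 482 quarantined to "Virus" (message filter:encrypted_attachment)
Warning: Quarantine "Policy" is 75% full
Info: MID 485 quarantined to "Policy" (message filter:policy_violation)
Warning: Quarantine "Policy" is 95% full
"""

def summarize(lines):
    """Summarize quarantine activity from an iterable of log lines."""
    per_quarantine = Counter()   # quarantine name -> messages placed in it
    per_reason = Counter()       # (quarantine, reason) -> count
    held_in = {}                 # MID -> set of quarantines holding it
    peak_pct = {}                # quarantine -> highest "% full" alert seen
    for line in lines:
        m = QUARANTINED.search(line)
        if m:
            per_quarantine[m["q"]] += 1
            per_reason[(m["q"], m["reason"])] += 1
            held_in.setdefault(int(m["mid"]), set()).add(m["q"])
            continue
        m = CAPACITY.search(line)
        if m:
            peak_pct[m["q"]] = max(peak_pct.get(m["q"], 0), int(m["pct"]))
    # A message in several quarantines stays held until released from all of them.
    multi = {mid: sorted(qs) for mid, qs in held_in.items() if len(qs) > 1}
    return {"per_quarantine": dict(per_quarantine), "per_reason": dict(per_reason),
            "multi": multi, "peak_pct": peak_pct}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```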