Cisco Email Security Appliance C170 User Guide

Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 8      Anti-Virus
Users will always be notified if their messages were modified in any way because they were infected 
with a bad attachment. You can configure a secondary notification action, as well (see 
). The notify action is not needed to inform users that a message was 
modified if you choose to drop infected attachments. 
  • X-IronPort-AV Header
All messages that are processed by the Anti-Virus scanning engine on the appliance have the header 
X-IronPort-AV: added to messages. This header provides additional information to you when 
debugging issues with your anti-virus configuration, particularly with messages that are considered 
“unscannable.” You can toggle whether the X-IronPort-AV header is included in messages that are 
scanned. Including this header is recommended.
Message Handling Settings
You configure the virus scanning engine to handle four distinct classes of messages that are received by 
a listener, with separate actions for each. 
 summarizes the actions the system performs when 
the virus scanning engine is enabled. See also 
 for the GUI configuration. 
For each of the following message types, you can choose which actions are performed. The actions are 
described below (see 
). For example, you 
can configure your anti-virus settings for virus-infected messages so that the infected attachment is 
dropped, the subject of the email is modified, and a custom alert is sent to the message recipient.
Repaired Message Handling
Messages are considered repaired if the message was completely scanned and all viruses have been 
repaired or removed. These messages will be delivered as is.
Encrypted Message Handling
Messages are considered encrypted if the engine is unable to finish the scan due to an encrypted or 
protected field in the message. Messages that are marked encrypted may also be repaired.
Note the differences between the encryption detection message filter rule (refer to “Encryption Detection 
Rule” in the “Using Message Filters to Enforce Email Policies” chapter of the Cisco IronPort AsyncOS 
for Email Advanced Configuration Guide) and the virus scanning actions for “encrypted” messages. The 
encrypted message filter rule evaluates to “true” for any messages that are PGP or S/MIME encrypted. 
The encrypted rule can only detect PGP and S/MIME encrypted data. It does not detect password 
protected ZIP files, or Microsoft Word and Excel documents that include encrypted content. The virus 
scanning engine considers any message or attachment that is password protected to be “encrypted.” 
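The distinction above, as an added Python example that is not from the Cisco guide and does not reproduce AsyncOS or anti-virus engine logic: one check approximates a rule that only recognizes PGP and S/MIME encryption, the other looks for the password-protection flag inside a ZIP attachment. All function names and both sample messages are constructed for illustration.

```python
import io
import zipfile
from email.message import EmailMessage

def filter_rule_encrypted(msg):
    """Stand-in for the filter rule: true only for PGP or S/MIME encryption."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/encrypted":  # PGP/MIME (RFC 3156)
            return True
        if (ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")
                and part.get_param("smime-type") == "enveloped-data"):
            return True
    return False

def has_password_protected_zip(msg):
    """True if an attachment is a ZIP with the 'encrypted' flag (bit 0) set."""
    for part in msg.walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if payload and zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    return True
    return False

def constructed_zip_message():
    """Constructed sample: mail carrying a ZIP whose entry is flagged encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "constructed sample content")
    raw = bytearray(buf.getvalue())
    # zipfile cannot write encrypted archives, so set flag bit 0 by hand in the
    # local file header (offset 6) and the central directory header (offset 8).
    raw[6] |= 0x1
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x1
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(bytes(raw), maintype="application", subtype="zip",
                       filename="report.zip")
    return msg

def constructed_smime_message():
    """Constructed sample: S/MIME enveloped-data with placeholder ciphertext."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(b"placeholder ciphertext", maintype="application",
                    subtype="pkcs7-mime", params={"smime-type": "enveloped-data"})
    return msg
```

The ZIP sample is missed by the PGP/S/MIME check and caught only by the archive-flag check, which is why the filter rule and the anti-virus “encrypted” action need to be configured separately.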
Note
If you upgrade from a 3.8 or earlier version of AsyncOS and you configured Sophos Anti-Virus 
scanning, you must configure the Encrypted Message Handling section after you upgrade.
Unscannable Message Handling
Messages are considered unscannable if a scanning timeout value has been reached, or the engine 
becomes unavailable due to an internal error. Messages that are marked unscannable may also be 
repaired.