https://community.checkpoint.com/t5/Firewall-and-Security-Management/Email-Threat-Extraction-Allow-and-extracted-anyways/m-p/204618#M54384 <P>Hi there,</P><P>i just have issues in understanding how our Checkpoint NGFW handles mails sometimes. Were using the MTA function.</P><P>one of our employees received an email with the hint that sandblast has removed some contents. There are PDF files on that mail that gets missed.</P><P>&nbsp;</P><P>I checked the firewall log. Usually i can recover the MAIL or the FILE by those IDs through the scrub send_orig commands</P><P>I found the mentioned mail with Action "Allow". Even though there is extracted content, seen in the screenshot.</P><P>Its now allowed, or not?</P><P>If i try to resend the mail through "scrub send_orig_email {mailid} all" the mail wont get received by the employee. I get the message "Original mail was sent to "employees mail" "</P><P>Where to have a further look for this now? Can i check if the Mail really is on hold?&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks in Advance</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P> Wed, 31 Jan 2024 06:19:01 GMT SWBW_Florian 2024-01-31T06:19:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Email-Threat-Extraction-Allow-and-extracted-anyways/m-p/204618#M54384 <P>Hi there,</P><P>i just have issues in understanding how our Checkpoint NGFW handles mails sometimes. Were using the MTA function.</P><P>one of our employees received an email with the hint that sandblast has removed some contents. There are PDF files on that mail that gets missed.</P><P>&nbsp;</P><P>I checked the firewall log. Usually i can recover the MAIL or the FILE by those IDs through the scrub send_orig commands</P><P>I found the mentioned mail with Action "Allow". Even though there is extracted content, seen in the screenshot.</P><P>Its now allowed, or not?</P><P>If i try to resend the mail through "scrub send_orig_email {mailid} all" the mail wont get received by the employee. I get the message "Original mail was sent to "employees mail" "</P><P>Where to have a further look for this now? Can i check if the Mail really is on hold?&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks in Advance</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P> Wed, 31 Jan 2024 06:19:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Email-Threat-Extraction-Allow-and-extracted-anyways/m-p/204618#M54384 SWBW_Florian 2024-01-31T06:19:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Email-Threat-Extraction-Allow-and-extracted-anyways/m-p/205527#M54385 <P>I'd start by checking the ATRG for Threat Extraction, which includes some debug steps:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk114807" target="_blank">https://support.checkpoint.com/results/sk/sk114807</A>&nbsp;</P> Thu, 08 Feb 2024 23:04:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Email-Threat-Extraction-Allow-and-extracted-anyways/m-p/205527#M54385 PhoneBoy 2024-02-08T23:04:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Email-Threat-Extraction-Allow-and-extracted-anyways/m-p/207692#M54386 <P>thanks phoneboy</P><P>i will try to work through that</P> Mon, 04 Mar 2024 06:15:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Email-Threat-Extraction-Allow-and-extracted-anyways/m-p/207692#M54386 SWBW_Florian 2024-03-04T06:15:50Z