cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

How can I "Release" a Prevented Email

Hi all,

If an email has been prevented due to a Threat Emulation detection, what is the most efficient way (if any) of releasing the email so that it will be delivered to the end user?

I can think of the first two steps being:

  1. Whitelist the MD5 of the file in the Threat Prevention policy.
  2. Remove the hash from the tecli cache.

But I'm not sure if it's possible to then reprocess the email, I would think this is possible due to the fact that Postfix can do this. 

Any questions just shout.


Thanks!

Tags (1)
9 Replies
Employee++
Employee++

Re: How can I "Release" a Prevented Email

Hi Dean,

currently there is no full "original email" quarantine for TE. This is only available for TX (Threat Extraction).

We are currently working on extending the "malicious email" handling by adding features like "flagging" malicious mails via X-header and/or BCCing original mails to a quarantine mailbox.

Today you can recover the original attachment via TEs forensic report in our logging. The email content itself (mail body) is by default delivered to the end user with malicious attachment replaced - so he is aware that the attachment was removed.


Regards Thomas

Re: How can I "Release" a Prevented Email

Hi Thomas,

Thanks very much for the reply.

In our Threat Prevention policy under "Threat Emulation Settings > Advanced > Mail Transfer Agent Configuration", we currently have it set to "If a prevented email contains malicious attachments = Block the mail". So emails with detected attachments are not sent to the intended recipient. I'm guessing there is some sort of quarantine queue (or similar) where these emails will end up?

Thanks.

0 Kudos
Employee++
Employee++

Re: How can I "Release" a Prevented Email

No - "Block mail" will block the complete email with a NDR to the sender.

That´s why it is recommended to use "Allow the email without the attachment" - in addition the recipient can verify that the email was really not expected and valid.

Regards Thomas

Re: How can I "Release" a Prevented Email

Hi Thomas,

Thanks very much for the explanation.

While I agree allowing the recipient to verify the email themselves can be useful, I think it's also possible that it could lead to a large volume of users requesting that "valid" invoice when a malspam campaign comes knocking. 

Thanks.

0 Kudos
Highlighted
Employee++
Employee++

Re: How can I "Release" a Prevented Email

Hi Dean,

we are currently working on adding the following abilities to our MTA solution:

- Customize e-Mail Body to be able to specify/explain threats better to end users

- in case of a malicious email additionally send the original mail as an attachments to another "quarantine" inbox 

Short term plan is to have both available via a HF in October.

Please contact your local Check Point team in case you want to evaluate it (you can reference my name also).

Regards Thomas 

Blason_R
Silver

Re: How can I "Release" a Prevented Email

Hello ,

Can we release the blocked attachment from threat emulation(Cloud) in version R80.10 ? User gets the E-mail like original attachment is malicious. So how to release the same ?

0 Kudos
Employee++
Employee++

Re: How can I "Release" a Prevented Email

You can only get the original file from the TE forensic report.

Within this report you get a download link.

If you regularly need this feature I would contact your local CP team and get the hotfix to send original emails to a BCC quarantine.

Regards Thomas

Employee++
Employee++

Re: How can I "Release" a Prevented Email

Employee
Employee

Re: How can I "Release" a Prevented Email

R80.20 has many new MTA related features to use such as change email subject,Customize email body & send copy to quarantine folder etc.