Hi all,
If an email has been prevented due to a Threat Emulation detection, what is the most efficient way (if any) of releasing the email so that it will be delivered to the end user?
I can think of the first two steps being:
But I'm not sure if it's possible to then reprocess the email. I would think this is possible due to the fact that Postfix can do this.
Any questions just shout.
Thanks!
Hi Dean,
Currently there is no full "original email" quarantine for TE. This is only available for TX (Threat Extraction).
We are currently working on extending the "malicious email" handling by adding features like "flagging" malicious mails via X-header and/or BCCing original mails to a quarantine mailbox.
Today you can recover the original attachment via TE's forensic report in our logging. The email content itself (mail body) is by default delivered to the end user with the malicious attachment replaced - so he is aware that the attachment was removed.
Regards Thomas
Hi Thomas,
Thanks very much for the reply.
In our Threat Prevention policy under "Threat Emulation Settings > Advanced > Mail Transfer Agent Configuration", we currently have it set to "If a prevented email contains malicious attachments = Block the mail". So emails with detected attachments are not sent to the intended recipient. I'm guessing there is some sort of quarantine queue (or similar) where these emails will end up?
Thanks.
No - "Block mail" will block the complete email with an NDR to the sender.
That's why it is recommended to use "Allow the email without the attachment" - in addition the recipient can verify that the email was really not expected and valid.
Regards Thomas
Hi Thomas,
Thanks very much for the explanation.
While I agree allowing the recipient to verify the email themselves can be useful, I think it's also possible that it could lead to a large volume of users requesting that "valid" invoice when a malspam campaign comes knocking.
Thanks.
Hi Dean,
We are currently working on adding the following abilities to our MTA solution:
- Customize e-Mail Body to be able to specify/explain threats better to end users
- In case of a malicious email, additionally send the original mail as an attachment to another "quarantine" inbox
Short term plan is to have both available via a HF in October.
Please contact your local Check Point team in case you want to evaluate it (you can reference my name also).
Regards Thomas
Hello,
Can we release the blocked attachment from Threat Emulation (Cloud) in version R80.10? User gets the e-mail like original attachment is malicious. So how to release the same?
You can only get the original file from the TE forensic report.
Within this report you get a download link.
If you regularly need this feature I would contact your local CP team and get the hotfix to send original emails to a BCC quarantine.
Regards Thomas
BCC feature is explained here:
Customization of an Email body for an End User when Threat Emulation blade detects malware
Regards Thomas
R80.20 has many new MTA-related features to use, such as change email subject, customize email body & send copy to quarantine folder etc.
