SWBW_Florian
Contributor

Email Threat Extraction - Allow and extracted anyways?

Hi there,

I just have issues understanding how our Check Point NGFW handles mails sometimes. We're using the MTA function.

One of our employees received an email with the hint that SandBlast has removed some contents. There are PDF files in that mail that are missing.

I checked the firewall log. Usually I can recover the MAIL or the FILE by those IDs through the scrub send_orig commands.

I found the mentioned mail with Action "Allow", even though there is extracted content, as seen in the screenshot.

So it's allowed now, or not?

If I try to resend the mail through "scrub send_orig_email {mailid} all", the mail won't get received by the employee. I get the message "Original mail was sent to <employee's mail>".

Where should I have a further look now? Can I check if the mail really is on hold?

Thanks in advance

regards
0 Kudos
2 Replies
PhoneBoy
Admin

I'd start by checking the ATRG for Threat Extraction, which includes some debug steps: https://support.checkpoint.com/results/sk/sk114807

0 Kudos
SWBW_Florian
Contributor

Thanks PhoneBoy,

I will try to work through that.

regards
0 Kudos