Messaging Gateway

  • 1.  Conflicts between Virus and Compliance rules

    Posted Dec 08, 2009 04:50 AM
    Hi,

    We are using Symantec Brightmail Gateway 8.0.3-11 and made some basic rules.

    First of all, we have a Virus rule that says: Clean the message

    And then we have a compliance rule set up with these settings:

    If the file metadata is in the attachment list "True Type Executable Files"
    Hold message in Spam Quarantine
    Send notification "EXE violation notification"


    If I send a test email with an EXE attached to our environment, SBG successfully removes the EXE, quarantines the email and sends a notification to the recipient.

    The problem is that when SBG receives an executable that is virus infected, the email enters SBG, it still quarantines the email and still sends a notification.

    Verdict: Verdict Filter Policy Group Details
    Virus  virus: clean message (default)  default  packed.generic.265 
    Spam  spam default  None  
    Content Compliance violation: Quarantine Inbound Executable Files Violations default  None
    Actions taken: Archive the message, Send notification, Clean the message, Modify the subject line, Hold message in Spam Quarantine


    SBG finds this email as SPAM too, so I could probably change the SPAM rule to delete the message, but our company policy says I can't delete any emails, so that's not possible.

    Is there any way I can tell SBG to clean the virus and then skip the compliance rule because the EXE has been removed(?).

    BR

    Themac


  • 2.  RE: Conflicts between Virus and Compliance rules

    Broadcom Employee
    Posted Dec 08, 2009 11:02 AM
    I am wondering why you would want a viral EXE file delivered to your users? It is VERY rare that an EXE that was virus infected is anything more than a virus. Even though we clean the message, we keep the name the same and just clear out the contents. So the file is still an EXE file and will still trip on your rule.

    I am also wondering why you want viral executables to be able to go to users, but not clean EXE files? This seems backwards. Can you explain?

    After a certain time in the spam quarantine, the messages do get deleted, right? Why wait when these files are obviously of no use to anyone in your company and will just waste their time looking at an email that is obviously spam and viral?


  • 3.  RE: Conflicts between Virus and Compliance rules

    Posted Dec 08, 2009 03:54 PM
    Hi,

    I think you misunderstood me a bit.

    1. We want all virus infected files to be cleaned out. End users shouldn't have to be bothered by virus infected emails at all...
    2. We want to quarantine all clean executable files. Our idea was that if someone sends an executable file to our company, the email will be quarantined and a notification is sent to the recipient of the email. If the end user has requested that EXE, helpdesk would manually release the email to the end user.

    After all, I don't know if it's the best way to go. Maybe we have to come up with some other plan with our rules.

    Maybe we should change our Virus policy from "clean" to "delete". It might solve our problem with the compliance rule?


    BR

    Themac


  • 4.  RE: Conflicts between Virus and Compliance rules
    Best Answer

    Broadcom Employee
    Posted Dec 08, 2009 05:57 PM
    That sounds like a good idea. When we 'clean' a file, we just scoop out the innards, like cleaning a pumpkin. It's still an EXE and it'll continue on through the mail system as one. So, if you don't want to waste anyone's time with it, just delete it.

    What you have described is exactly how the gateway should be working, so that's why I am confused on what you would want it to do instead.


  • 5.  RE: Conflicts between Virus and Compliance rules

    Posted Dec 09, 2009 02:46 AM
    Great, I will change the Virus rule to delete the message.

    Thanks for the input!