
Unexpected behaviour for Content Violation outbound policies

Created: 26 Jun 2011 • Updated: 28 Jun 2011 | 5 comments
This issue has been solved. See solution.

My objective is to make a policy to check for mail size. For each incoming mail, if the size is greater than x, I want it to end up in a Content Quarantine folder named XX, where someone will check the request and approve or reject it. Similarly, for each outgoing email, if the size is greater than x, I want it to end up in the same Content Quarantine folder named XX, where someone will check the request and approve or reject it.

Now the problem is that for inbound, email is quarantined to the right/desired content quarantine folder, but for outgoing, it goes to the Information quarantine folder and from there it goes to the delivery queue. I can see that it is detected by the right policy, but it doesn't take the desired action.

It is not limited to size only. It happens for any other outbound policy.

I have already opened a ticket with Symantec; however, they are taking some time and haven't provided me any diagnosis yet, so I was wondering if someone here faced this problem and resolved it.

My current setup is only a pilot and not production.


TSE-JDavis

When you look at the message audit log, what are the verdicts? This happens when there are conflicting policies and the multiple-verdict engine makes an information compliance entry instead of quarantining the message.

Subhani

I have pasted the verdict below. It shows the exact policy (and policy group) which is supposed to block the email.

In my setup, I am attaching a legal disclaimer to all outgoing emails as well as a bounce attack signature in order to block the emails which failed the bounce attack validation check.

 

| Verdict | Filter Policy | Policy Group | Details | Message Part | Matching Text |
| --- | --- | --- | --- | --- | --- |
| Bounce attack signature present | static bounce attack prevention sign | default | None | — | — |
| Content Filtering violation: ORG Legal Disclaimer | Org.legal disclaimer | default | None | header — from | org_domain.com |
| Content Filtering violation: Org- Global Email Size Policy (Outgoing) | org - global email size policy (outgoing) | default | None | — | — |

 

Actions taken: Create an informational incident, Send notification, Add annotation, Bounce attack signature added 

TSE-JDavis

I was suspecting a disclaimer. Which item has priority in your content filtering list? That is, which one is above the other? I would suggest putting this size limitation policy at or near the top so it has priority over the disclaimer policy.

SOLUTION
pbaggiol

Per the above suggestion, if more than 1 CF policy fires, only a subset of actions from subsequently firing CF policies actually occurs. One example of this is that subsequent "Deliver to Content Quarantine" actions downgrade into creating incidents instead.

This has been the behavior since 7.x, and is under investigation for improvement in a future release.

Subhani

@Jdavis, thanks a million for pointing it out. I wanted to know how to change the policy priority, but then after your comment I noticed that it can be done from the GUI. I did it and now it is working fine.

Thanks for your support on this one. By the way, Symantec enterprise support hasn't given me any suggestion or solution so far and it is 13 days now. The case was opened on June 15, 2011 (case number: 414-878-361). This is something which should be improved.