We've been getting a lot of emails with documents (and presumably macros) attached recently and I would like to use the Disarm policy. I've enabled it for a look but it's not working as fully as I'd like. I haven't done a whole lot with creating policies on the system, but hopefully you can give some pointers. Ideally, I'd like the following:
1. Document with macro is received.
2. Macro is disarmed and document is sent to recipient with Subject Line modified to say that it has been disarmed. (I have done this already)
3. Quarantine the original email message so if the recipient believes the attachment to be legitimate, we can release it to them.
If item 3 cannot be done, then can I set a policy so that it just quarantines all messages with macros?
We're running version 10.6.2-7.