Unscannable Content Feature:
With the release of MEG 7.6, the appliance can now detect emails that would cause a scan to crash or otherwise fail without returning an error. Scanning such an email usually results in the connection being dropped, and if a remote retryer resends the mail, a loop develops in which the scan crashes on every attempt. The appliance now detects this after several attempts and takes a pre-configured action.
Detection of unscannable content is available on all SMTP and Webmail policies (enabled by default).
An unscannable content detection suggests a scan crash or timeout, which is often caused by a defect in the software. To fix it, McAfee needs to obtain and analyze the unscannable content. The unscannable content detection feature helps collect sample email messages that trigger a scan crash or timeout.
How it works
When this feature is enabled, a unique signature is calculated for each email message sent through the appliance. A tracking file (size=0) containing the unique signature in the file name is created under the /scandir partition before a scan is attempted.
NOTE: The impact to disk space is minor and the file will be deleted upon completion of the scan. If the scan crashes or times out, the file will be left in place and will be detected by a process that checks the tracker directory for old files once per minute.
If a failed scan is detected, the appliance takes the unique signature and increments a counter in the backend database. The appliance looks up the counter value for the message's unique signature in the internal database to check how many times the scan of a message with a matching signature has failed. If the value is less than the configurable threshold, a scan is performed. If the counter value for the unique signature reaches the configured threshold, the appliance does not attempt to scan the message and instead performs the configured unscannable content action(s).
NOTE: Seemingly identical messages composed using the same email client might differ in details such as their encapsulation boundaries, and may therefore be treated as two separate, unique messages.
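The tracking scheme described above, as an added example (not McAfee's code): a small Python simulation in which the SHA-256 signature, the threshold of 3, the 60-second staleness age, the in-memory counter and the names ScanTracker, toy_scanner and simulate_retries are all assumptions. It also shows why two messages that differ only in their MIME boundary get separate counters.

```python
import hashlib, os, tempfile, time
STALE_AFTER = 60  # seconds before a leftover tracker counts as a failed scan (assumed)

class ScanTracker:
    def __init__(self, tracker_dir, threshold=3):  # threshold value is assumed
        self.dir, self.threshold = tracker_dir, threshold
        self.failures = {}  # stand-in for the appliance's backend database

    @staticmethod
    def signature(raw):  # assumption: SHA-256; the page does not name the algorithm
        return hashlib.sha256(raw).hexdigest()

    def handle(self, raw, scanner):
        sig = self.signature(raw)
        if self.failures.get(sig, 0) >= self.threshold:
            return "unscannable"        # skip the scan, apply the configured action
        path = os.path.join(self.dir, sig)
        open(path, "w").close()         # zero-byte tracker, signature in the file name
        verdict = scanner(raw)          # a crash here leaves the tracker in place
        os.remove(path)                 # scan completed: tracker deleted
        return verdict

    def sweep(self, now):               # periodic check for old tracker files
        for sig in os.listdir(self.dir):
            path = os.path.join(self.dir, sig)
            if now - os.path.getmtime(path) >= STALE_AFTER:
                self.failures[sig] = self.failures.get(sig, 0) + 1
                os.remove(path)         # assumed cleanup, not stated on the page

def toy_scanner(raw):  # constructed stand-in for a scan engine that dies on one input
    if b"X-Crash: yes" in raw:
        raise RuntimeError("scan engine crashed")
    return "clean"

def simulate_retries(raw, scanner, attempts=5):
    outcomes = []                       # one entry per delivery attempt
    with tempfile.TemporaryDirectory() as d:
        tracker = ScanTracker(d)
        for _ in range(attempts):
            try:
                outcomes.append(tracker.handle(raw, scanner))
            except RuntimeError:
                outcomes.append("dropped")  # connection dropped, sender retries
                tracker.sweep(now=time.time() + STALE_AFTER + 1)  # next sweeper pass
    return outcomes

# Constructed samples: MSG_A and MSG_B differ only in their MIME boundary.
MSG_A = b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n--b1\r\nhello\r\n--b1--\r\n'
MSG_B = MSG_A.replace(b"b1", b"b2")
BAD = b"X-Crash: yes\r\n\r\nbody\r\n"  # constructed message that crashes toy_scanner
```

Calling simulate_retries(BAD, toy_scanner) yields three dropped attempts followed by "unscannable" on every later retry, which is the loop-breaking behaviour the section describes.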
How to configure the unscannable content detection feature
How to search for detection of unscannable content
Message Search in the dashboard is now capable of searching for unscannable content.
NOTE: The conversation log will now list the unscannable content message; its SCAN section will notify you that "Mail could not be scanned after several attempts".
I'd like to raise a glass to the clever guy or gal who came up with the euphemism "unscannable content." Having this additional level of policy-controllable abstraction to that scanning sure beats the heck out of the "emails that crash the scanner that drop and then come back and get retried some time soon" game. The quarantining feature sounds like it makes debugging and reporting things way easier too. Thanks, John, for taking the time to document it.
on 12/14/13 12:52:47 AM CST