Unscannable Content Feature:
With the release of MEG 7.6, the appliance is now able to detect emails that would cause a scan to crash or otherwise fail and not return an error. Usually scanning these emails results in the connection being dropped, and in the event that a remote retryer resends the mail, a loop develops with the email scan crashing. The appliance will now detect this after several attempts and takes a pre-configured action.
Detection of unscannable content is available on all SMTP and Webmail policies (enabled by default).
Unscannable content detection suggests a scan crash or timeout, which is often caused by issues in programmed software. To fix it, McAfee needs to obtain and analyze such unscannable content. The unscannable content detection feature will help collect sample email messages that trigger a scan crash or timeout.
How it works
When this feature is enabled, a unique signature is calculated for each email message sent through the appliance. A tracking file (size=0) containing the unique signature in the file name is created under the /scandir partition before a scan is attempted.
NOTE: The impact to disk space is minor and the file will be deleted upon completion of the scan. If the scan crashes or times out, the file will be left in place and will be detected by a process that checks the tracker directory for old files once per minute.
If a failed scan is detected, the appliance will take the unique signature and increment a counter in the backend database. The appliance will look up the counter value for the message unique signature using the internal database to check how many times the scan of a message with a matching signature has failed. If it is less than the configurable threshold, a scan will be performed. If the counter value for the unique signature reaches the configured threshold, the appliance will not attempt to scan the message, but will perform the configured unscannable content action(s).
NOTE: Seemingly identical messages composed using the same email clients might have different encapsulation boundaries (for example) and may therefore be treated as two separate, unique messages.
How to configure the unscannable content detection feature
- Open the appliance management console by selecting Email, Email Configuration, Protocol Configuration, Connection Settings (SMTP), Unscannable content options.
- Select Enable detection of unscannable content.
- Configure the values for Maximum number of failed scan attempts and Period before content previously detected as unscannable can be rescanned.
NOTE: McAfee recommends using the default values.
- Select Email, Email Policies.
- Select the policy on which you want to configure unscannable content detection.
- For the policy, select Content handling, Corrupt or Unreadable Content, Unscannable Content.
- Configure the action(s) for unscannable content.
NOTE: If the quarantining option is enabled, you can capture unscannable content in your quarantine area, and later provide it to McAfee Support for analysis.
- Click OK.
- Click Apply Changes.
How to search for detection of unscannable content
Message Search in the dashboard is now capable of searching for unscannable content.
- Select Reports, Message Search.
- Click Message status.
- Select one of the listed statuses.
- Click Category.
- Select Unscannable Content.
- Click Search/Refresh.
NOTE: The conversation log will now list the unscannable content message; its SCAN section will notify you that Mail could not be scanned after several attempts.