353 Views 1 Reply Latest reply: Dec 14, 2013 12:51 AM by Regis RSS
jfults McAfee Employee 13 posts since
Nov 20, 2009

Oct 11, 2013 9:25 AM

New Unscannable Content Feature in MEG 7.6

Unscannable Content Feature:

 

https://kc.mcafee.com/corporate/index?page=content&id=KB79035

 

With the release of MEG 7.6, the appliance is now able to detect emails that would cause a scan to crash or otherwise fail and not return an error. Usually scanning these emails results in the connection being dropped, and in the event that a remote retryer resends the mail, a loop develops with the email scan crashing. The appliance will now detect this after several attempts and take a pre-configured action.

 

Detection of unscannable content is available on all SMTP and Webmail policies (enabled by default).

 

Unscannable content detection suggests a scan crash or timeout, which is often caused by issues in programmed software. To fix it, McAfee needs to obtain and analyze such unscannable content. The unscannable content detection feature will help collect sample email messages that trigger a scan crash or timeout.

 

How it works
When this feature is enabled, a unique signature is calculated for each email message sent through the appliance. A tracking file (size=0) containing the unique signature in the file name is created under the /scandir partition before a scan is attempted.

 

NOTE: The impact to disk space is minor and the file will be deleted upon completion of the scan. If the scan crashes or times out, the file will be left in place and will be detected by a process that checks the tracker directory for old files once per minute.

 

If a failed scan is detected, the appliance will take the unique signature and increment a counter in the backend database. The appliance will look up the counter value for the message unique signature using the internal database to check how many times the scan of a message with a matching signature has failed. If it is less than the configurable threshold, a scan will be performed. If the counter value for the unique signature reaches the configured threshold, the appliance will not attempt to scan the message, but will perform the configured unscannable content action(s).

 

NOTE: Seemingly identical messages composed using the same email clients might have different encapsulation boundaries (for example) and may therefore be treated as two separate, unique messages.

 

How to configure the unscannable content detection feature

  1. Open the appliance management console by selecting Email, Email Configuration, Protocol Configuration, Connection Settings (SMTP), Unscannable content options.
  2. Select Enable detection of unscannable content.
  3. Configure the values for Maximum number of failed scan attempts and Period before content previously detected as unscannable can be rescanned.
        NOTE: McAfee recommends using the default values.
  4. Select Email, Email Policies.
  5. Select the policy on which you want to configure unscannable content detection.
  6. For the policy, select Content handling, Corrupt or Unreadable Content, Unscannable Content.
  7. Configure the action(s) for unscannable content.
        NOTE: If the quarantining option is enabled, you can capture unscannable content in your quarantine area, and later provide it to McAfee Support for analysis.
  8. Click OK.
  9. Click Apply Changes.

How to search for detection of unscannable content
Message Search in the dashboard is now capable of searching for unscannable content.

  1. Select Reports, Message Search.
  2. Click Message status.
  3. Select one of the listed statuses.
  4. Click Category.
  5. Select Unscannable Content.
  6. Click Search/Refresh.

NOTE: The conversation log will now list the unscannable content message; its SCAN section will notify you that Mail could not be scanned after several attempts.
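
The tracker-file and failure-counter logic described under "How it works", modelled as an added Python example that is not part of the original post and is not McAfee's code. The SHA-256 signature, the temporary directory standing in for /scandir, the threshold of 3, the 60-second staleness age and the `X-Test-Crash` marker are assumptions made for the demonstration; the rescan period is not modelled.

```python
import hashlib, os, tempfile, time

class UnscannableTracker:
    def __init__(self, tracker_dir, max_failed=3, stale_after=60.0):
        self.dir = tracker_dir          # stands in for the tracker directory under /scandir
        self.max_failed = max_failed    # "Maximum number of failed scan attempts" (value assumed)
        self.stale_after = stale_after  # age at which a leftover tracker means a failed scan
        self.failures = {}              # stands in for the backend database counter

    @staticmethod
    def signature(raw):
        # Assumption: SHA-256 over the raw message; the post does not name the algorithm.
        return hashlib.sha256(raw).hexdigest()

    def handle(self, raw, scan):
        sig = self.signature(raw)
        if self.failures.get(sig, 0) >= self.max_failed:
            return "unscannable-action"      # threshold reached: skip the scan, apply policy
        path = os.path.join(self.dir, f"{sig}.{time.monotonic_ns()}")
        open(path, "wb").close()             # zero-byte tracker created before the scan
        verdict = scan(raw)                  # a crash here leaves the tracker behind
        os.remove(path)                      # clean completion deletes it
        return verdict

    def sweep(self, now):
        # Periodic check: every old tracker file increments its signature's counter.
        for name in os.listdir(self.dir):
            path = os.path.join(self.dir, name)
            if now - os.path.getmtime(path) >= self.stale_after:
                sig = name.split(".")[0]
                self.failures[sig] = self.failures.get(sig, 0) + 1
                os.remove(path)

def crashing_scan(raw):  # constructed stand-in; a real fault would kill the scan process
    if b"X-Test-Crash" in raw:
        raise RuntimeError("simulated scanner crash")
    return "clean"

def simulate_retries(raw, attempts=5):
    # Replay one message as a remote retrier would, sweeping after each attempt.
    outcomes = []
    with tempfile.TemporaryDirectory() as d:
        tracker = UnscannableTracker(d)
        for _ in range(attempts):
            try:
                outcomes.append(tracker.handle(raw, crashing_scan))
            except RuntimeError:
                outcomes.append("connection-dropped")
            tracker.sweep(now=time.time() + 120)  # pretend two minutes have passed
    return outcomes
```

Because the signature covers the whole message, two copies that differ only in their MIME boundary get separate counters, which is the behaviour the second NOTE under "How it works" describes.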

  • Regis Champion 457 posts since
    Oct 6, 2010
    1. Dec 14, 2013 12:52 AM (in response to jfults)
    Re: New Unscannable Content Feature in MEG 7.6

    I'd like to raise a glass to the clever guy or gal who came up with the euphemism "unscannable content." Having this additional level of policy-controllable abstraction to that scanning sure beats the heck out of the "emails that crash the scanner that drop and then come back and get retried some time soon" game. The quarantining feature sounds like it makes debugging and reporting things way easier too. Thanks John for taking the time to document it.

     

     

     

    on 12/14/13 12:52:47 AM CST
