Thursday 3 December 2015

Palo Alto: Antivirus Feature - Prevent Sending SMTP Server from Resending Blocked Message


The Palo Alto antivirus feature can block viruses sent by email by returning SMTP response code 541 to the sending server. Response code 541 is described as “Recipient Address Rejected – Blacklist, Anti-Spam, Mailfilter/Firewall Block”.

By default, SMTP, POP3 and IMAP have their action set to ALERT because in most cases a dedicated antivirus gateway is already in place for these protocols. For POP3 and IMAP specifically, it is not possible to clean files or properly terminate an infected file transfer in-stream without affecting the entire session, because these protocols have no mechanism for handling this situation.

If no dedicated antivirus gateway is present for SMTP, a custom antivirus profile can be defined that applies the reset-both action to infected attachments. In that case a 541 response is sent back to the sending SMTP server, which prevents it from resending the blocked message.
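The following added example (not part of the original post or of any Palo Alto software) models why the 541 reply stops the resend: under RFC 5321 a 5yz reply is a permanent failure that a sending MTA bounces rather than retries, whereas a 4yz reply or a session that simply disappears is treated as transient and the message is queued for another attempt. The infected-attachment marker, the `alert`/`reset-both` action names used as function arguments, and the message bodies are constructed for the example.

```python
import re
from typing import Optional, Tuple

# SMTP reply-code classes from RFC 5321: 2yz positive completion, 3yz positive
# intermediate, 4yz transient negative (client may try again later),
# 5yz permanent negative (client should not repeat the same request).
REPLY_CLASSES = {"2": "accepted", "3": "continue",
                 "4": "transient-failure", "5": "permanent-failure"}

# Constructed stand-in for content the antivirus engine would flag; not a real signature.
INFECTED_MARKER = b"CONSTRUCTED-INFECTED-ATTACHMENT"

# 541 reply text as quoted in the post.
REPLY_541 = "541 Recipient Address Rejected - Blacklist, Anti-Spam, Mailfilter/Firewall Block"


def classify_reply(line: str) -> str:
    """Map one SMTP reply line (e.g. '541 Recipient Address Rejected ...') to its class."""
    m = re.match(r"^([2-5])\d\d(?:[ -]|$)", line)
    if not m:
        raise ValueError(f"not an SMTP reply line: {line!r}")
    return REPLY_CLASSES[m.group(1)]


def firewall_reply(message: bytes, action: str) -> Optional[str]:
    """Reply the sending MTA sees after DATA when the session passes the inline antivirus.

    'alert' (the default profile) only logs and lets the message through;
    'reset-both' (custom profile) answers an infected message with 541 and resets the session.
    """
    if action == "reset-both" and INFECTED_MARKER in message:
        return REPLY_541
    return "250 OK: queued"


def sender_decision(reply: Optional[str]) -> str:
    """What a conforming sending MTA does with the reply to DATA."""
    if reply is None:
        return "requeue"            # session closed with no reply: treated as transient, retried
    cls = classify_reply(reply)
    if cls == "accepted":
        return "delivered"
    if cls == "transient-failure":
        return "requeue"            # 4yz: retry after the queue's retry interval
    return "bounce"                 # 5yz such as 541: DSN to originator, message is not resent


def relay(message: bytes, action: str) -> Tuple[Optional[str], str]:
    """One DATA exchange: firewall reply paired with the sender's resulting action."""
    reply = firewall_reply(message, action)
    return reply, sender_decision(reply)
```

Feeding the same infected message through `relay` with `alert` and then with `reset-both` shows the difference the post describes: the first is delivered, the second is bounced by the sending server and never retried.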

The custom antivirus profile must, of course, be attached to the security policy rules that match the SMTP mail transfer.
