https://live.paloaltonetworks.com/t5/general-topics/is-pa-capable-to-scan-for-malware-in-activesync-outlook365/m-p/545314#M111530 <P>Hi,</P> <P>We have PA-850 appliances with Wildfire and AV licenses.</P> <P>Recently we enabled the decryption of email traffic and now we are dealing with the data protection officer, he is asking us to detail what exactly is being inspected.</P> <P>At first I thought all attachments and URL were inspected.&nbsp; But then I found some information about link analysis only happening for SMTP traffic.</P> <P><A href="https://docs.paloaltonetworks.com/advanced-wildfire/administration/advanced-wildfire-overview/advanced-wildfire-concepts/email-link-analysis" target="_blank">https://docs.paloaltonetworks.com/advanced-wildfire/administration/advanced-wildfire-overview/advanced-wildfire-concepts/email-link-analysis</A></P> <P>For file analysis, I could not find any mention about the application protocol supported.&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/advanced-wildfire/administration/advanced-wildfire-overview/advanced-wildfire-concepts/file-analysis" target="_blank">https://docs.paloaltonetworks.com/advanced-wildfire/administration/advanced-wildfire-overview/advanced-wildfire-concepts/file-analysis</A></P> <P>We are using Microsoft native protocols (activesync, ms-exchange,office365,...) and mapi-over-http and rpc-over-http. SMTP is not allowed because security reasons.</P> <P>I assume that files transferred using HTTP are being scanned, but what about if a file is transferred using any other protocol? is Paloalto doing something?</P> <P>&nbsp;</P> <P>thanks</P> <P>&nbsp;</P> Thu, 08 Jun 2023 15:35:16 GMT JoseCortijo 2023-06-08T15:35:16Z https://live.paloaltonetworks.com/t5/general-topics/is-pa-capable-to-scan-for-malware-in-activesync-outlook365/m-p/545314#M111530 <P>Hi,</P> <P>We have PA-850 appliances with Wildfire and AV licenses.</P> <P>Recently we enabled the decryption of email traffic and now we are dealing with the data protection officer, he is asking us to detail what exactly is being inspected.</P> <P>At first I thought all attachments and URL were inspected.&nbsp; But then I found some information about link analysis only happening for SMTP traffic.</P> <P><A href="https://docs.paloaltonetworks.com/advanced-wildfire/administration/advanced-wildfire-overview/advanced-wildfire-concepts/email-link-analysis" target="_blank">https://docs.paloaltonetworks.com/advanced-wildfire/administration/advanced-wildfire-overview/advanced-wildfire-concepts/email-link-analysis</A></P> <P>For file analysis, I could not find any mention about the application protocol supported.&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/advanced-wildfire/administration/advanced-wildfire-overview/advanced-wildfire-concepts/file-analysis" target="_blank">https://docs.paloaltonetworks.com/advanced-wildfire/administration/advanced-wildfire-overview/advanced-wildfire-concepts/file-analysis</A></P> <P>We are using Microsoft native protocols (activesync, ms-exchange,office365,...) and mapi-over-http and rpc-over-http. SMTP is not allowed because security reasons.</P> <P>I assume that files transferred using HTTP are being scanned, but what about if a file is transferred using any other protocol? is Paloalto doing something?</P> <P>&nbsp;</P> <P>thanks</P> <P>&nbsp;</P> Thu, 08 Jun 2023 15:35:16 GMT https://live.paloaltonetworks.com/t5/general-topics/is-pa-capable-to-scan-for-malware-in-activesync-outlook365/m-p/545314#M111530 JoseCortijo 2023-06-08T15:35:16Z https://live.paloaltonetworks.com/t5/general-topics/is-pa-capable-to-scan-for-malware-in-activesync-outlook365/m-p/545362#M111534 <P>Let me caveat this by saving the PAN already must have a detection signature for it. Meaning it will not scan/send attachments to wildfire, etc.</P> <P>&nbsp;</P> <P>Hello,</P> <P>Yes if the traffic is not encrypted. But also not guaranteed. For email traffic its best to utilize an actual email scanning appliance or service. I would go with an online scanner rather than an onsite appliance for several reasons.</P> <P>&nbsp;</P> <P>Regards,</P> Thu, 08 Jun 2023 20:54:06 GMT https://live.paloaltonetworks.com/t5/general-topics/is-pa-capable-to-scan-for-malware-in-activesync-outlook365/m-p/545362#M111534 OtakarKlier 2023-06-08T20:54:06Z https://live.paloaltonetworks.com/t5/general-topics/is-pa-capable-to-scan-for-malware-in-activesync-outlook365/m-p/545462#M111543 <P>Thanks for your reply. I performed tests accessing with outlook client and OWA, both decrypted flows. I can confirm that via HTTP the virus is detected and the connection reset. Via outlook, the virus travels safely until the destination mailbox <span class="lia-unicode-emoji" title=":winking_face:">😉</span> so it is consistent with the documentation, PaloAlto does not inspect Activesync or any other MS email protocol.</P> <P>thanks!</P> Fri, 09 Jun 2023 10:18:38 GMT https://live.paloaltonetworks.com/t5/general-topics/is-pa-capable-to-scan-for-malware-in-activesync-outlook365/m-p/545462#M111543 JoseCortijo 2023-06-09T10:18:38Z