Antivirus reset-both action for mail protocols

L0 Member


Hi!

 

We enabled blocking of email virus attachments by setting the antivirus profile with an action “reset-both” for SMTP. The virus attachment could be blocked, however the sender’s mail server keeps retrying until timeout and no undelivered mail message is returned to the sender.

Please advise? Thank you!


Device : PA3050, PANOS 7.08

L7 Applicator

Re: Antivirus reset-both action for mail protocols

For SMTP related functions you will want to set the action to "block". This will send an SMTP 541 message to the sending server so it stops trying to deliver the message.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Re: Antivirus reset-both action for mail protocols

hi,

 

you mean "drop"?..."block" is not available...

L0 Member

Re: Antivirus reset-both action for mail protocols

Yes, the "Block" action is not available anymore. I am wondering if it was related to the response feature having been changed.

 

https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/content-inspection-feature...

L6 Presenter

Re: Antivirus reset-both action for mail protocols

Reset Client, Reset Server and Reset Both will all send an SMTP 541 message followed by the appropriate resets.

 

Reference:

https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Complete-Action-List-in-Profi...

L2 Linker

Re: Antivirus reset-both action for mail protocols

Hey,

 

The SMTP 541 official definition is:

 

541

The recipient address rejected your message: normally, it's an error caused by an anti-spam filter.

Your message has been detected and labeled as spam. You must ask the recipient to whitelist you

 

Can someone confirm that this will not cause the SMTP server to stop sending ALL email, and this action only drops the email containing the malware?

 

We receive all email from an upstream / external mail filtering/relay service and occasionally some viruses get through. We want to stop this at the firewall, but are concerned changing the default action on the AV profile will result in all mail from the external relay being stopped once an event is detected and the SMTP 541 response is sent.

 

Thanks,
Shannon

L7 Applicator

Re: Antivirus reset-both action for mail protocols

In the case of the SMTP protocol, only the email with the virus will get a 541 back. Others are not affected.

POP and IMAP don't have this capability built into the protocol.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
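
Why the sending server behaves differently when it sees an SMTP 5xx reply than when it sees only a TCP reset, as an added example that is not part of the thread or of any vendor's code: the sketch models a sending MTA's queue decision using the RFC 5321 reply-code classes. The function names, the queue lifetime and the retry interval are assumptions chosen for illustration.

```python
from typing import Optional, Tuple

def classify(reply_code: Optional[int]) -> str:
    """Decide what a sending MTA does with a message after one attempt.

    reply_code is the SMTP reply the sender received for the message, or
    None when the TCP session was reset before any reply arrived.
    """
    if reply_code is None:
        return "retry"        # no answer at all: treated as a temporary failure
    if 200 <= reply_code <= 299:
        return "delivered"
    if 500 <= reply_code <= 599:
        return "bounce"       # permanent failure (e.g. 541): stop, notify sender
    return "retry"            # 4yz and anything unexpected: keep it queued

def simulate_queue(reply_code: Optional[int],
                   queue_lifetime_s: int = 4 * 3600,    # assumed value
                   retry_interval_s: int = 30 * 60      # assumed value
                   ) -> Tuple[str, int, int]:
    """Replay the same outcome on every attempt, as happens when a firewall
    blocks the same infected message each time it is re-sent.

    Returns (final_state, attempts_made, seconds_in_queue).
    """
    elapsed = attempts = 0
    while elapsed < queue_lifetime_s:
        attempts += 1
        verdict = classify(reply_code)
        if verdict != "retry":
            return verdict, attempts, elapsed
        elapsed += retry_interval_s
    return "expired", attempts, elapsed

if __name__ == "__main__":
    # Constructed scenarios: what the sender observes on each attempt.
    for label, code in [("reset only", None), ("541 then reset", 541)]:
        print(label, simulate_queue(code))
```

A sender that only ever sees the reset keeps the message queued for the full lifetime, while one that receives the 541 gives up on that single message after the first attempt.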