Antivirus reset-both action for mail protocols

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Antivirus reset-both action for mail protocols

L0 Member

Hi!

 

We enable the blocking email viruses  attachement  by setting the antivirus profile with an action “reset-both” for SMTP.  The virus attachement could be blockded, however the sender’s mail server keep retry until timeout and no undelivered mail message returned to sender.

 

Please advice? Thank you!


Device : PA3050, PANOS 7.08

6 REPLIES 6

L7 Applicator

For SMTP related functions you will want to set the action to "block".  This will send a SMTP 541 message to the sending server so it stops trying to deliver the message.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

hi,

 

you mean "drop"?..."block" is not available...

Yes, "Block" action is not availiable anymore. I wondering it was related to response feature had been change. 

 

https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/content-inspection-feature...

Reset Client, Reset Server and Reset Both will all send an SMTP 541 message followed by the appropriate resets.

 

Reference:

https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Complete-Action-List-in-Profi...

Hey,

 

The SMTP 541 official definition is:

 

541

The recipient address rejected your message: normally, it's an error caused by an anti-spam filter.

Your message has been detected and labeled as spam. You must ask the recipient to whitelist you

 

Can someone confirm that this will not cause the SMTP server to stop sending ALL email, and this action only drops the email containing the malware?

 

We receive all email from an upstream / external mail filtering/relay service and occassionally some viruses get through. We want to stop this at the firewall, but are concerned changing the default action on the AV profile will result in all mail from the external relay being stopped once an event is detected and the SMTP 541 response is sent.

 

Thanks,
Shannon

In case of SMTP protocol only email with virus will get 541 back. Others are not affected.

POP and IMAP don't have this capability built into the protocol.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 7047 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!