Hi!
We enabled blocking of email virus attachments by setting the antivirus profile action to “reset-both” for SMTP. The virus attachment is blocked; however, the sender’s mail server keeps retrying until timeout and no undelivered mail message is returned to the sender.
Please advise. Thank you!
Device : PA3050, PANOS 7.08
For SMTP-related functions you will want to set the action to "block". This will send an SMTP 541 message to the sending server so it stops trying to deliver the message.
hi,
you mean "drop"?..."block" is not available...
Yes, the "Block" action is not available anymore. I am wondering whether it is related to the response feature having been changed.
Reset Client, Reset Server and Reset Both will all send an SMTP 541 message followed by the appropriate resets.
Reference:
Hey,
The SMTP 541 official definition is:
541 | The recipient address rejected your message: normally, it's an error caused by an anti-spam filter. | Your message has been detected and labeled as spam. You must ask the recipient to whitelist you |
Can someone confirm that this will not cause the SMTP server to stop sending ALL email, and this action only drops the email containing the malware?
We receive all email from an upstream / external mail filtering/relay service and occasionally some viruses get through. We want to stop this at the firewall, but are concerned that changing the default action on the AV profile will result in all mail from the external relay being stopped once an event is detected and the SMTP 541 response is sent.
Thanks,
Shannon
In the case of the SMTP protocol, only the email with the virus will get a 541 back. Others are not affected.
POP and IMAP don't have this capability built into the protocol.
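The behaviour discussed in this thread, modelled from the sending server's side, as an added example that is not part of the original posts and is not Palo Alto Networks code: a 5xx reply such as 541 is a permanent failure for that one message, while a reset with no reply is treated as temporary and retried. The function names, reply text, retry interval and queue lifetime are constructed assumptions.

```python
# Added example: sender-side handling of one queued message.
# Reply strings, retry interval and queue lifetime are constructed values.

def deliver(infected, firewall_sends_541):
    """Final SMTP reply the sender sees; None means TCP reset with no reply."""
    if not infected:
        return "250 2.0.0 Ok: queued"
    return "541 message blocked" if firewall_sends_541 else None

def classify(reply):
    """Map one delivery attempt to the sender's queue decision."""
    if reply is None:
        return "defer"        # connection lost: temporary failure, requeue
    code = int(reply[:3])
    if 200 <= code < 300:
        return "delivered"
    if 500 <= code < 600:
        return "bounce"       # permanent failure: stop retrying this message
    return "defer"            # 4xx or anything unexpected: retry later

def queue_lifecycle(infected, firewall_sends_541,
                    retry_minutes=30, lifetime_minutes=240):
    """Return (final_state, attempts) for a single message."""
    elapsed, attempts = 0, 0
    while elapsed < lifetime_minutes:
        attempts += 1
        outcome = classify(deliver(infected, firewall_sends_541))
        if outcome != "defer":
            return outcome, attempts
        elapsed += retry_minutes
    return "expired", attempts  # sender gave up at queue lifetime

def run_relay(queue, firewall_sends_541):
    """Each message from the same relay is decided independently."""
    return {mid: queue_lifecycle(inf, firewall_sends_541) for mid, inf in queue}

# Constructed queue: one infected message between two clean ones.
QUEUE = [("msg-1", False), ("msg-2", True), ("msg-3", False)]

if __name__ == "__main__":
    print("with 541:  ", run_relay(QUEUE, True))
    print("reset only:", run_relay(QUEUE, False))
```
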