
Quarantine and viruses

Community Veteran
Posts: 26,341
Thanks: 598
Fixes: 8
Registered: 10-04-2007

Quarantine and viruses

Does IronPort do virus checking?
If so and you have quarantine turned on do they get quarantined?
(I've tried sending myself the EICAR test virus from http://www.aleph-tec.com/eicar/index.php and while I've received the email confirming the virus email has been sent, I've not received the virus file, nor notification of the email being quarantined and I can't find it if I log in to IronPort Quarantine)
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
14 REPLIES
pierre_pierre
Grafter
Posts: 19,757
Registered: 30-07-2007

Re: Quarantine and viruses

I have had one since migration; they go to the original mailbox, i.e. abcd@, and might end up in the default
Community Veteran
Posts: 26,341
Thanks: 598
Fixes: 8
Registered: 10-04-2007

Re: Quarantine and viruses

Have you got quarantine turned on?
jelv (a.k.a Spoon Whittler)
Community Gaffer
Posts: 12,800
Thanks: 634
Fixes: 62
Registered: 04-04-2007

Re: Quarantine and viruses

Got this one from an account that doesn't have Quarantine switched on. I'm using the test virus here.
From: Email Alerting Service <unquarantine@quarantine.force9.co.uk>
Subject: Alert: An email addressed to you has been quarantined
To: "User" <user@example.com>
Date: Fri, 12 Dec 2008 11:00:08 +0000
Message-Id: <4.3.2.7.0.20001102202253.00adb610@localhost>
Dear Force9 Customer,
You are receiving this mail because you have an active virus-scanning
service, and either a banned file extension or an email containing
a virus has been sent to your address.
The mail was sent to you from:
*      "WebMaster" <webmaster-vir@declude.com>
The subject line of the mail received was:
*      Test eicar.com file [eicarplain]
In order to protect you, this email has been stored on our servers
and quarantined.  If you wish to retrieve this, please send an
email to unquarantine@quarantine.force9.co.uk containing the following information;
----------------------- SUPPORT INFORMATION ----------------------
Quarantine-Id: 4af3eb0568500861daba08499393edd619473
Message-Id: <4.3.2.7.0.20001102202253.00adb610@localhost>
To: "User" <user@example.com>
----------------------- SUPPORT INFORMATION ----------------------
It should be possible to reply to this mail to retrieve your email,
as long as your email application includes this entire message in
the reply.
Kind Regards,
Customer Support.

Just tried sending to an account with Quarantine switched on and the virus quarantine notification is yet to arrive :(

Bob Pullen
Plusnet Products Team

Community Veteran
Posts: 26,341
Thanks: 598
Fixes: 8
Registered: 10-04-2007

Re: Quarantine and viruses

Have you looked to see if it is in quarantine? It wasn't in mine (I sent the test to a mailbox name, not an alias, to remove that possible confusion).
jelv (a.k.a Spoon Whittler)
Community Gaffer
Posts: 12,800
Thanks: 634
Fixes: 62
Registered: 04-04-2007

Re: Quarantine and viruses

I can't, jelv, as it's a non-subscription account. I'll try it on a subscription account once I've fiddled with some settings.

Bob Pullen
Plusnet Products Team

pierre_pierre
Grafter
Posts: 19,757
Registered: 30-07-2007

Re: Quarantine and viruses

@jelv  I am not on quarantine
Community Veteran
Posts: 26,341
Thanks: 598
Fixes: 8
Registered: 10-04-2007

Re: Quarantine and viruses

So your first reply was totally irrelevant to this topic - thanks for the clarification.
jelv (a.k.a Spoon Whittler)
pierre_pierre
Grafter
Posts: 19,757
Registered: 30-07-2007

Re: Quarantine and viruses

Quote from: jelv
Does IronPort do virus checking?
If so and you have quarantine turned on do they get quarantined?

Sorry I thought I answered Part one of the question
bobp
Grafter
Posts: 64
Registered: 29-06-2007

Re: Quarantine and viruses

Just tried sending the EICAR test virus. The clean notification arrived. The 'virus' has not - nor is it in quarantine. (I still have quarantine turned on as I did under Postini.) So it seems increasingly likely that there is a problem with the quarantine system as it is set up for Plusnet.
bobp
Superuser
Posts: 8,876
Thanks: 407
Fixes: 36
Registered: 06-04-2007

Re: Quarantine and viruses

I suggest trying the declude link that the other Bob P provided.
I'm not using IronPort spam quarantine but my experience is the same as reported by those who are - I received the aleph-tec notification message but not the one with the EICAR virus, nor notification it had been quarantined. It isn't in the Spam folder and I have Edge Protection (Blatant Spam Deletion) off.
However I did receive quarantine notification for the test from declude.
David
bobp
Grafter
Posts: 64
Registered: 29-06-2007

Re: Quarantine and viruses

Now tested quarantine using all the EICAR possibilities at declude.
Whilst many ended up in quarantine, the following vulnerabilities were allowed through to my mailbox: space gap, encoded zip, blank folding, boundary space gap, long boundary and partial (fragmented). clsid was also allowed through but that does not matter.
bobp
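
A mail-filter-side check for three of the malformed-MIME cases named in the post above, as an added example that is not part of the thread or of any Plusnet, IronPort or declude code: it flags a boundary longer than the 70 characters RFC 2046 allows, a message/partial fragment, and whitespace between a header name and its colon. Reading "space gap" as that last case is an assumption, and the sample messages, function names and finding labels are constructed for illustration.

```python
import re
from email import message_from_string

MAX_BOUNDARY = 70  # RFC 2046: a boundary is at most 70 characters


def mime_anomalies(raw):
    """Return sorted structural findings for one raw message (str)."""
    findings = set()
    # Scan the raw header block: a parser may stop reading headers at a
    # malformed line, so syntax checks cannot rely on the parsed view.
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    for line in head.splitlines():
        # Printable field name, then whitespace, then the colon.
        if re.match(r"[!-9;-~]+[ \t]+:", line):
            findings.add("space-before-colon")
    # Content-type checks use the parsed tree so nested parts are covered.
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "message/partial":
            findings.add("message-partial")
        boundary = part.get_boundary()
        if boundary is not None and len(boundary) > MAX_BOUNDARY:
            findings.add("long-boundary")
    return sorted(findings)


def build(*header_lines, body="constructed body"):
    """Assemble a constructed sample message with CRLF line endings."""
    return "\r\n".join(header_lines) + "\r\n\r\n" + body + "\r\n"


# Constructed samples; none of these is a captured message.
SAMPLES = {
    "clean": build("From: sender@example.com", "Content-Type: text/plain"),
    "space gap": build("From: sender@example.com",
                       "Content-Type : text/plain"),
    "long boundary": build('Content-Type: multipart/mixed; boundary="'
                           + "b" * 80 + '"'),
    "partial": build('Content-Type: message/partial; '
                     'id="constructed-1"; number=1; total=2'),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {mime_anomalies(raw) or 'no findings'}")
```

A gateway that quarantines on any of these findings treats the message as suspect on structure alone, before any attachment is decoded or scanned.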
Community Gaffer
Posts: 12,800
Thanks: 634
Fixes: 62
Registered: 04-04-2007

Re: Quarantine and viruses

After enabling Quarantine on a subscription account and trying again I found that the virus was quarantined by IronPort as spam. When I clicked 'Release' it was forwarded to my mailbox unscathed.
My concern about this is the fact that this isn't what the help pages say should happen and there's no indication from IronPort that the email is a virus :(

Bob Pullen
Plusnet Products Team

Superuser
Posts: 8,876
Thanks: 407
Fixes: 36
Registered: 06-04-2007

Re: Quarantine and viruses

Is there, in fact, only one IronPort quarantine which is used for both spam and viruses? I wondered if there were two since users not using spam quarantine still have viruses quarantined.
David
Community Gaffer
Posts: 12,800
Thanks: 634
Fixes: 62
Registered: 04-04-2007

Re: Quarantine and viruses

@spraxyt, the virus Quarantining is done by the Plusnet mail delivery servers (the mx.cores) whereas the spam Quarantining is managed by the IronPort 'M-Series' servers.

Bob Pullen
Plusnet Products Team