Meraki

Community

AMP does it scan email attachments

jordeliason
Just browsing
‎Oct 4 2017 8:59 AM
‎Oct 4 2017 8:59 AM

AMP does it scan email attachments

Hello,

 

We are wondering if AMP Advanced Malware Protection scans email attachments? Lets consider two scenarios. One scenario is the email is flowing unencrypted. The other is encrypted email server connection.

 

Your input is appreciated.

 

Thank you, Jordan

0 Kudos
8 Replies 8
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 4 2017 12:24 PM
‎Oct 4 2017 12:24 PM

My understanding is that it does - provided that the communications are not encrypted.

0 Kudos
In response to PhilipDAth
BHC_RESORTS
Head in the Cloud
‎Oct 5 2017 10:49 AM
‎Oct 5 2017 10:49 AM

@PhilipDAth wrote:

My understanding is that it does - provided that the communications are not encrypted.

Only if it were on port 80 (so webmail). 

BHC Resorts IT Department
0 Kudos
Dashboard_DJ
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Oct 5 2017 5:42 AM
‎Oct 5 2017 5:42 AM

@jordeliason, Here's a quick explanation from the AMP KB.

 

The MX Security Appliance will block HTTP-based file downloads based on the disposition received from the AMP cloud. If the MX receives a disposition of malicious for the file download, it will be blocked. If the MX receives a disposition of clean or unknown, the file download will be allowed to complete.

 

The supported file types for inspection are:

MS OLE2 (.doc, .xls, .ppt)
MS Cabinet (Microsoft compression type)
MS EXE
ELF (Linux executable)
Mach-O/Unibin (OSX executable)
Java (class/bytecode, jar, serialization)
PDF
ZIP (regular and spanned)*
EICAR (standardized test file)
SWF (shockwave flash 6, 13, and uncompressed)
 

* This includes the inspection of XML-based Microsoft Office file types (.docx, .xlsx, etc...).

In response to Dashboard_DJ
lpopejoy
A model citizen
‎Oct 5 2017 7:21 AM
‎Oct 5 2017 7:21 AM

@Dashboard_DJthis means that SMTP traffic would NOT be inspected, correct?  In other words, AMP file scanning is limited to traffic on port 80?

0 Kudos
In response to lpopejoy
Dashboard_DJ
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Oct 5 2017 8:05 AM
‎Oct 5 2017 8:05 AM

Correct on both.
0 Kudos
In response to Dashboard_DJ
BHC_RESORTS
Head in the Cloud
‎Oct 5 2017 10:50 AM
‎Oct 5 2017 10:50 AM

@Dashboard_DJ wrote:

@jordeliason, Here's a quick explanation from the AMP KB.

 

The supported file types for inspection are:


ZIP (regular and spanned)*
 

 

I thought ZIP scanning was currently disabled? Seem to recall something about that in firmware notes.

BHC Resorts IT Department
0 Kudos
CJ_Ramsey
Meraki Employee
Meraki Employee
‎Oct 5 2017 2:20 PM
‎Oct 5 2017 2:20 PM

If you wanted to scan email attachments specifically for file disposition, your best bet would be to look at using a Cisco Email Security Appliance or Cloud Email Security, both of which will allow you to layer on AMP.

In response to CJ_Ramsey
Enrico_Romero
Here to help
‎Oct 5 2017 7:15 PM
‎Oct 5 2017 7:15 PM

CJ_Ramsey is right. Since the AMP is only scanning the NETWORK and it is not scanning the incoming and outgoing EMAIL traffic. Best to use Email Security Solution of Cisco.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.