ESET mail notification on quarantine objects

[AVEset 0]

Hello all,

 

I just finished the installation of the ESET Mail and quarantine started capturing questionable emails. the issue is that the user doesn't get the notification that there are files waiting for him/her on the server. Is there a way to configure this one. I as an admin will have a big time hassle to daily communicate with them if they expect or not the email from the external users.

Thanks in advance

 

[filips 44]

Hi,

You can enable quarantine web interface to allow users manage their quarantined emails. (http://help.eset.com/emsx/6.5/en-US/index.html?idh_xmon_quarantine_web.htm)

You can also add "Send mail quarantine reports" task in tools/scheduler, which will send reports to selected users periodically. (http://help.eset.com/emsx/6.5/en-US/index.html?idh_scheduler_task_qreports.htm)

 

[AVEset 0]

Dear Filis,

thank you very much for your help. I d ohave additional question. The users don't have release permission. where can I assign them that permission?

Thank you very much

[filips 44]

Users are only permitted to release spam emails, emails quarantined by content rules or by antivirus can only be released by administrator. This behavior is by design.

Maybe this is the problem in your case? If you are just testing the quarantine, you can use GTUBE string to quarantine email as spam.

Edited April 6, 2017 by filips

[AVEset 0]

Thank you for reply. When I use the webpage domain.com/quarantine ( I added this in local Intranet - in order  not to be asked for the password) and the webpage opens and I see smap messages but as an action I have a radio button only on delete and no selection.

Radio button Release don't exist.

 

[filips 44]

That sounds like the quarantine page is somehow broken. Can you post a screenshot?

[AVEset 0]

Hello, sorry for the wait period but our front Spam filer is doing excellent job only now I got another spam. Here is the picture.

 

[filips 44]

Hi,

the type column says "rule" which means that regular user is not permitted to release such email - only admin.

You can specify quarantine administrators in advanced setup/server/mail quarantine

[AVEset 0]

Thank you very much for the info. What I am confused is that in the manual it is written that each user has full access to his/hers emails. If I setup the user to be admin then they will see all emails from all users in quarantine.

Can you please explain on how to set up this policy?

 

Thanks

[filips 44]

Each user has access to his quarantined emails, but may not be able to do all operations. This is for security reasons.

e.g. If admin creates a rule that prohibits .exe files it would be too easy for the user to just release emails with .exe files. Now he has to request the files from admin.

If you have a specific content rule and want to allow users to release emails quarantined by this rule - this is currently not possible.

Could you give us an example/use case of what you are trying to achieve?

 

thanks

[AVEset 0]

For now I am trying to just enable users to go to the webpage and release their own emails. 

If I go to advanced setup/server/mail quarantine and add user to admin groups then this user will be able to see all emails and not just his own. Even if I delegate access the user will still have no option to release his/hers email.

If you have any best practice regarding the email attachments I would appreciate if you can point me to the right direction.

Thanks for helping and sorry for so many questions but I find this confusing as setup instructions don't cover this additional step.

Edited April 7, 2017 by AVEset

[AVEset 0]

Hi all,

can you please help me with this one I cannot find the way to release the quarantined emails.

Thank you very much.

 

[filips 44]

Hi,

As i wrote above, this is not supported. Regular user cannot release emails quarantined by a content rule - only admin can.

If you quarantined some emails with a rule and want to release them, you have 2 options:
1. log in to the web interface as administrator and release them
2. go to machine where EMSX is installed and release them using GUI

If you want to allow regular users to release emails quarantined by content rule please submit a market requirement.

[AVEset 0]

Hi Filis thank you for the email. I do understand that there should be an admin that is checking all spam emails but also that is quite hard task as admin is not aware or not allowed to do such task. For example DHL invoice marked as a spam is that a real invoice or possible ransomware. IT Admin don't know that as it needs to get in touch with the user to check if this is the email that was expected. Aside to that I have a small to medium company with around 200 users that exchange more than 1000 emails per day. Sure not all are spam but if we start getting a bit higher percentage of spam I would need to employ 2 full time admins just to check with the users if this is the email they expected and release their emails. Now we are getting to the more relevant part which is privacy and where even Admins are not allowed to open the email of the user even if the user is using his/her business mailbox for the personal stuff.

I think there is enough data to give you enough reasons to implement it, apart the obvious that other AV already support that kind of task. Even EFA Freeware project supports it and I think that ESET should do the same.

Please take this into consideration and include this possibility in some of your future releases.

 

[filips 44]

Users can manage their spam emails - both release and delete are allowed on spam emails.

The type column in screenshot you posted says "rule" - it was not quarantined by antispam but by rules. Email can be quarantined by AV protection, AS protection or by rules - the release action depends on this.

I filed an improvement to give administrator control over this behavior to be able to:
1. Create a rule that forbids certain content (e.g. file type policy) - user cannot release such emails
2. Create a rule that defers certain content (e.g. suspected spam) - user can release such emails

 

[AVEset 0]

Dear Filis,

thank you very much for the fast response and detailed explanation. I knew that the scan is performed on the different levels but was not aware that type also changes. As there are different types I do have a question:

Until now I was receiving emails and spam filter before our Exchange was marking spam with X-Header. This header I used and created a - rule - to reroute to the quarantine that in turn user is able to access through URL - but unfortunately not able to release.

How to quarantine properly so that users are able to release it? In your picture I would assume that the type should be Spam type because it has release radio button. How to get to that point that type is defined spam? Do I need to configure something like I did with the rules or this is automatically grouped per level of scan AV, AS or rules? Can you please provide me with the instructions? 

Thank you very much for your answer.

Best regards

[filips 44]

Hi,

unfortunately current version of EMSX does not support what you need. Email can be released by user only if it was quarantined by our antispam protection.