Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3357
Views
0
Helpful
3
Replies

ESA file analysis (AMP)

Go to solution
Greg Dickinson
Level 1
Level 1

‎10-14-2020 08:57 AM

I've read the docs and searched around, and I can't get a definite answer to a question presented to me.  If we have the AMP policy enabled, and have it configured to send "Pending Analysis" messages to the quarantine - will the messages be released immediately upon receiving a verdict, or only when the time limit expires?  Also, is it possible to send a message to the original recipient if their message is "pending analysis", so we don't get "Where is my email?" tickets?

 

Thanks in advance... 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
marc.luescherFRE
Spotlight
Spotlight

‎10-14-2020 09:04 AM

The process is as follows :

 

AMP checks in prescan phase for local defined rules 

AMP moves the file into the quarantine : File Analysis, the defined Default Action "30 Min in our case" defines when the email will be Relased to the intended end user, no matter if there was already a verdict or not

AMP can use MAR (Message Auto Remediation) to remove such emails should the verdict later become malicious.

 

You can not sent a message to the users when the email gets into the quarantine queue but based one experience 99% of all emails will be released to end users in less then 5 Min, so that is a good value for security.

 

I hope that helps

 

-Marc

View solution in original post

0 Helpful

Go to solution
Greg Dickinson
Level 1
Level 1
In response to marc.luescherFRE

‎10-14-2020 09:38 AM

OK, so if the verdict is received before the 30 minute timeout, then the message is released immediately, otherwise it is released after 30 minutes regardless.  Thanks

View solution in original post

0 Helpful
3 Replies 3

Go to solution
marc.luescherFRE
Spotlight
Spotlight

‎10-14-2020 09:04 AM

The process is as follows :

 

AMP checks in prescan phase for local defined rules 

AMP moves the file into the quarantine : File Analysis, the defined Default Action "30 Min in our case" defines when the email will be Relased to the intended end user, no matter if there was already a verdict or not

AMP can use MAR (Message Auto Remediation) to remove such emails should the verdict later become malicious.

 

You can not sent a message to the users when the email gets into the quarantine queue but based one experience 99% of all emails will be released to end users in less then 5 Min, so that is a good value for security.

 

I hope that helps

 

-Marc

0 Helpful

Go to solution
Greg Dickinson
Level 1
Level 1
In response to marc.luescherFRE

‎10-14-2020 09:38 AM

OK, so if the verdict is received before the 30 minute timeout, then the message is released immediately, otherwise it is released after 30 minutes regardless.  Thanks

0 Helpful

Go to solution
marc.luescherFRE
Spotlight
Spotlight
In response to Greg Dickinson

‎10-14-2020 01:05 PM

correct, you can further reduce the retention period from 30 min to 15 min if you have a business need but would advise against if it can be avoided.

0 Helpful
Customers Also Viewed These Support Documents