This article explains the order in which Symantec Email Security.cloud scans inbound email.
Email traffic entering the Symantec.cloud infrastructure is checked and scanned in the following order:
Connection Management
01. SMTP Heuristics
02. Address Validation/Registration
03. AntiSpam Approved Senders
04. AntiSpam Blocked Senders

Connection Management /
05. SPF
06. DMARC

Anti-spam
07. AntiSpam Public DNS block lists (PBL)
08. AntiSpam Signaturing System

Anti-malware
09. AntiVirus Skeptic
10. AntiVirus Signaturing
11. Cynic Sandbox *

Anti-Spam
12. Skeptic Heuristics
13. Newsletters Scanning

Image Control
14. Image Control

EIC
15. Email Impersonation Control

Data Protection
16. Data Protection

IOC
17. IOC Blacklist *

Scan-time Protection
18. Scan-time Protection

Email Size
19. Maximum Message Size Setting

Click-time
20. URL Rewriting *

Isolation
21. URL Isolation *
22. Attachment Isolation *

Note: The AntiSpam scanning order is most effective when the services are enabled according to the AntiSpam best practice settings. When best practices are not followed, a weaker action such as 'Log Only' means that scanners further down the order can still be triggered and their actions taken. This is to ensure your protection from harmful or malicious phishing emails.
Stronger actions chosen in the settings for these services, such as block and delete, redirect, or quarantine, stop the scans that come later in the scanning order, because the email has already been prevented from being delivered to the original recipient. For example, an Anti-Malware conviction will either block or quarantine an email, so Data Protection scans, which are later in the scanning order, are not applied to an email that Anti-Malware has already actioned.
* Requires ETDR (Email Threat Detection and Response, previously known as ATP, Advanced Threat Protection).
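
The following is an added example, not Symantec code: a simplified Python model of the ordering rule described in the note above, useful for checking which later scans a given set of configured actions would prevent. The function and variable names are hypothetical, every listed service is assumed to be enabled, and only the actions named in this article are modelled.

```python
# Simplified model of the scanning order listed in this article.
# Added example; names are hypothetical and this is not the product's logic.
SCAN_ORDER = [
    "SMTP Heuristics", "Address Validation/Registration",
    "AntiSpam Approved Senders", "AntiSpam Blocked Senders", "SPF", "DMARC",
    "AntiSpam Public DNS block lists (PBL)", "AntiSpam Signaturing System",
    "AntiVirus Skeptic", "AntiVirus Signaturing", "Cynic Sandbox",
    "Skeptic Heuristics", "Newsletters Scanning", "Image Control",
    "Email Impersonation Control", "Data Protection", "IOC Blacklist",
    "Scan-time Protection", "Maximum Message Size Setting",
    "URL Rewriting", "URL Isolation", "Attachment Isolation",
]
# Actions the article says keep the email from the original recipient.
STOPPING_ACTIONS = {"block and delete", "redirect", "quarantine"}
# Weaker action the article says lets later scanners still run.
NON_STOPPING_ACTIONS = {"Log Only"}


def trace_scan(configured_actions, would_trigger):
    """Walk the order and return (ran, logged, stopped_by, skipped).

    configured_actions: scanner name -> action configured for a detection.
    would_trigger: set of scanner names that would detect this email
                   (constructed input for the example).
    """
    unknown = (set(configured_actions) | set(would_trigger)) - set(SCAN_ORDER)
    if unknown:
        raise ValueError(f"not in the scanning order: {sorted(unknown)}")
    ran, logged = [], []
    for position, scanner in enumerate(SCAN_ORDER):
        ran.append(scanner)
        if scanner not in would_trigger:
            continue
        action = configured_actions.get(scanner)
        if action in STOPPING_ACTIONS:
            # Email is held back here, so nothing later in the order runs.
            return ran, logged, (scanner, action), SCAN_ORDER[position + 1:]
        if action in NON_STOPPING_ACTIONS:
            logged.append(scanner)  # recorded only; scanning continues
        else:
            raise ValueError(f"{scanner}: action {action!r} is not modelled")
    return ran, logged, None, []
```
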