search cancel



Article ID: 172923


Updated On:


Email Email Threat Detection and Response


The Auto Remediation feature is part of "Email Threat Detection and Response" under the Email Security.Cloud services. This feature remediates any email that is already delivered which is later determined to have contain Malware from the end users' inboxes.

The below steps explain how it actually works:

  • Email Security Service receives and email for a user
  • The email is scanned and determined to be clean
  • The email is delivered to the end user
  • After the email is delivered, the Email Threat Detection and Response, Cynic Service determines that the email contained malware
  • The service then triggers a kind of recall to delete/move the delivered emails from the end users inbox
  • The operation is complete and successful once the email from the end user's inbox is deleted..



The Auto Remediation Settings tab is located in the ClientNet portal under:  Dashboard > Services > Email Services > Email Threat Detection and Response

You must first set up your Microsoft Office 365 service to work correctly with Auto Remediation.  Click the Manage Tenants option to set up permissions to allow Auto Remediation access to your users' inboxes.

The following permissions are required on Office 365.  These are automatically granted once you sign in and link to your Office 365 tenant account.


Enable Auto-Remediation and specify an action.

You must specify the action that is applied to any messages that Auto Remediation identifies as containing malware.

  • Move to Folder
  • Permanently Delete


Alerts settings are configured under Dashboard > Services > Email Services > Anti-Malware > Alert Settings.


Frequently Asked Questions

When does auto-remediate attempts to remediate a message?

The Cynic scan is configured with a max hold time, going to 0 (immediate delivery) to 20 min, in increments of 5 minutes. The Auto-Remediation will activate when an email has been delivered after going beyond the hold time stated and having been classified as malicious then. This can happen from seconds after the delivery, to minutes, as this is entirely dependent on the nature of the content of the email.