Message with a suspicious attachment gets re-scanned only once when it leaves the Suspect Virus Quarantine on a Symantec Messaging Gateway appliance

Article ID: 178077

Products

Messaging Gateway

Issue/Introduction

A message with a suspicious attachment gets re-scanned only once when it leaves the Suspect Virus Quarantine.

Symptoms
A message with a suspicious attachment is scanned by SMG the first time and is then placed into the Suspect Virus Quarantine. After the specified time, 6 hours by default, the message is released from the quarantine to be re-scanned using the virus definitions available on the appliance.

Resolution

This behavior is by design.

The message will stay in the Suspect Virus Quarantine until one of the following conditions is met:

  • The default time interval for automatic message release from the Suspect Virus Quarantine is reached. The default value is 6 hours. It can be configured here: Virus->Settings->Suspect Virus Settings, on the Quarantine Settings page, inside the "Message Release" section. The field is called "Automatically release messages older than".
  • The message is manually released from the Suspect Virus Quarantine.
  • The Suspect Virus Quarantine's maximum size limit has been exceeded. If the quarantine exceeds its maximum size and the maximum size limit is enabled in the web user interface, messages in the quarantine will be deleted to make room for new messages. The maximum limit is configurable here: Virus->Settings->Suspect Virus Settings, on the Quarantine Settings page, inside the "Message Release" section. The field is called "Maximum size of the Suspect Virus Quarantine".
  • The existing compliance policy is evaluated and acted upon. Depending on what your compliance policy is set to do for messages with attachments, that policy will be evaluated and its actions will be performed on those messages.

Note: The default value of 6 hours can be adjusted on the configuration page mentioned above. However, it is crucial to set the new time value so that the appliance has enough time to download the latest AV definitions.
The available antivirus definitions will be used to scan the suspicious attachment once the message is released from the Suspect Virus Quarantine.