Troubleshooting Image Control issues

Article ID: 178917

Products

Email Security.cloud

Issue/Introduction

 

Resolution

A legitimate image was incorrectly detected by Image Control heuristics (False Positive)

  • Consider changing the Sensitivity of the heuristics filter to a lower setting.
  • There is no way to adjust the heuristics themselves, only the sensitivity level. When the sensitivity level cannot be changed further, the solution is to use the Approved Images, Approved Senders and Approved Recipients lists, or the mechanics available in other filters of the service (Anti-Spam, Data Protection).
  • If the action taken by the filter leaves you without the image to add to the Approved Images list, consider setting the heuristics detection action to Copy suspected mail to the Image Control administrator or Redirect suspected mail to the Image Control administrator.

An undesired image was not detected by Image Control (False Negative)

  • Ensure that the email was scanned by the Email Security Services, either by finding it with the Email Track and Trace tool available in the ClientNet portal or by verifying that the email headers contain the Symantec relay-specific entries (Received: from mailX.bemtaXXX.messagelabs.com).
  • Consider changing the Sensitivity of the heuristics filter to a higher setting. We do not recommend going higher than Medium, in order to prevent frequent false positives.
  • There is no way to adjust the heuristics themselves, only the sensitivity level. When the sensitivity level cannot be changed further, the only solution is to use the Blocked Images list or the mechanics available in other filters of the service (Anti-Spam, Data Protection).
  • By design, the overall verdict for an email is calculated from the average of all the images it contains. An email may therefore go undetected if it contains one bad image among multiple legitimate images.

Images in your Approved or Blocked images lists do not appear to be triggering correctly

  • The Approved Images and Blocked Images lists are based on the MD5 hash of the files. This means that the lists only match image files that are identical to the ones that were submitted. Any change to an image file will change its hash value and prevent the service from identifying it.
  • The most efficient way to obtain an image from an email without modifying its hash value is to save the email as HTML. This extracts all images, which can then be uploaded to the Approved Images or Blocked Images list.
  • You may need to compare the MD5 hash of an image present in the approved or blocked lists against the MD5 hash of another image, as found through the Email Track and Trace tool or as extracted from an email, to determine whether the two hashes are identical. To do this, follow the steps below:
    • Log in to the ClientNet portal
    • Access Services > Image Control
    • Click on the Approved Images or Blocked Images tab, as needed to locate the desired image
    • Click on the name of the image you are looking for in the Description column
    • The MD5 hash is located in the URL of the new window, at the end, after the text Signature=.
      • Example: https://clients.messagelabs.com/...&Signature=3c995e4d5b01d53921b2ea96a03597a6
    • To see the MD5 hash of an image in the Email Track and Trace tool, search for the email that contained it, click on the email for details and then go to the Attachments tab
    • To obtain the MD5 hash of an image located on your PC, you can download and use the FCIV command line tool provided by Microsoft, among other solutions
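
The comparison described above can also be scripted. The following is an added example, not part of the original article or of the service's tooling: it reads the hash after Signature= in a list-entry URL, hashes every image part of a saved raw message, and reports which images match. It assumes the list hash is the MD5 of the decoded image bytes; the function names, the portal.example URL and the sample message are constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample data: a fake PNG header plus filler, not a real image.
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"constructed sample bytes"


def signature_from_url(url):
    """Return the 32-hex-digit MD5 that follows Signature= in the URL."""
    m = re.search(r"[?&]Signature=([0-9A-Fa-f]{32})(?:[&#]|$)", url)
    if m is None:
        raise ValueError("no 32-hex-digit Signature= value in URL")
    return m.group(1).lower()


def image_hashes(raw_message):
    """Map each image part's file name to the MD5 of its decoded bytes."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hashes = {}
    for i, part in enumerate(msg.walk()):
        if part.get_content_maintype() != "image":
            continue
        data = part.get_payload(decode=True)  # undo base64 only, no re-encoding
        hashes[part.get_filename() or f"part-{i}"] = hashlib.md5(data).hexdigest()
    return hashes


def matching_images(raw_message, url):
    """Names of images in the message whose MD5 equals the list entry's hash."""
    wanted = signature_from_url(url)
    return [name for name, h in image_hashes(raw_message).items() if h == wanted]


def build_sample(image_bytes):
    """Build a constructed test message carrying one image attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "logo"
    msg.set_content("see attached")
    msg.add_attachment(image_bytes, maintype="image", subtype="png",
                       filename="logo.png")
    return msg.as_bytes()


if __name__ == "__main__":
    url = ("https://portal.example/view?Id=1&Signature="
           + hashlib.md5(SAMPLE_IMAGE).hexdigest())
    print(matching_images(build_sample(SAMPLE_IMAGE), url))            # same file
    print(matching_images(build_sample(SAMPLE_IMAGE + b"\x00"), url))  # one byte added
```

An empty result for an image that looks the same on screen means its file was changed somewhere along the way (resaved, resized or recompressed), which is the usual reason a list entry does not trigger.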