Threat Defense Early Release action is not triggered for some messages

Article ID: 204231

Updated On:

Products

Messaging Gateway

Issue/Introduction

Some messages may not trigger the expected Early Release action in Symantec Messaging Gateway (SMG) when the Threat Defense policy "Monitor - Early release: Deliver immediately with no delay" is configured with the default Inspection Time of "exceeds 0 seconds."

Environment

Symantec Messaging Gateway integrated with Symantec Content Analysis

Cause

Messages with a "scan time" under 1 second do not satisfy the "inspection time exceeds 0 seconds" criterion. Threat Defense stores scan time with a granularity of 1 second, so a scan that completes in under a second is recorded as 0 seconds. This typically happens when SMG has cached results for all message attachments, effectively resulting in a "scan time" of 0 seconds.

Resolution

In the Monitor policy's default configuration, messages with an Advanced Threat verdict and a scan time under one second will be deleted without receiving the Early Release action.

This is expected behavior and SMG is working as designed.

Additional Information

More information on Threat Defense scanning with Content Analysis integration can be found at the following link:

About threat defense scanning