Threat Defense Early Release message not generated by Messaging Gateway

Article ID: 204231

Products

Messaging Gateway

Issue/Introduction

When the Messaging Gateway (SMG) Threat Defense "Monitor - Early release: Deliver immediately with no delay" policy is configured with the default Inspection Time of "exceeds 0 seconds", some messages may not get the Early release action as expected.

Cause

If a message's scan time is less than 1 second, it does not meet the criterion of "inspection time exceeds 0 seconds". This is because Threat Defense stores scan time with a granularity of 1 second. This commonly occurs when SMG has cached results for all the attachments in the message: because all scan results are cached, the scan time is effectively 0 seconds.

Resolution

This is expected behavior and SMG is working as designed.

In the default configuration for the Monitoring policies, a message whose scan time is under one second and which returns an Advanced Threat verdict is deleted without the Early Release action being taken.