Threat Emulation logs show "Detect" for e-mail attachments instead of "Prevent" when Threat Extraction blade is also enabled
Symptoms
  • SmartView Tracker / SmartLog logs from the Threat Emulation blade show malicious files in e-mail attachments being detected rather than prevented (as per the Threat Prevention profile) in the following scenario:

    1. Both the Threat Emulation and Threat Extraction blades are enabled on the Security Gateway
    2. Mail Transfer Agent (MTA) is enabled and configured on the Security Gateway
    3. SandBlast Parallel Extraction Hotfix is installed on the Security Gateway
      (refer to sk108074; this hotfix has been integrated into the R77.30 Jumbo Hotfix Accumulator since Take_128).
    4. E-mails with attachments are sent over SMTP
Cause

When the Threat Extraction blade finishes scanning an attachment inside an e-mail before the Threat Emulation blade finishes the emulation process, the Mail Transfer Agent (MTA) passes the e-mail as-is.

This generates the "Detect" log, as there was no actual file to "Prevent".
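
For triage, the cause above implies a log pattern: a Threat Extraction record for an SMTP attachment, followed later by a Threat Emulation "Detect" for the same attachment. The script below is an added example, not Check Point code; the CSV column names, the action values and the sample rows are constructed assumptions that must be mapped to the fields of your own log export.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names and action values are assumptions,
# not Check Point's log schema; map them to the fields of your own export.
SAMPLE_CSV = """time,blade,action,service,email_id,file_name
2016-03-01T10:00:05,Threat Extraction,Extract,smtp,msg-001,invoice.doc
2016-03-01T10:00:40,Threat Emulation,Detect,smtp,msg-001,invoice.doc
2016-03-01T10:02:10,Threat Emulation,Prevent,smtp,msg-002,report.pdf
2016-03-01T10:02:30,Threat Extraction,Extract,smtp,msg-002,report.pdf
2016-03-01T10:05:00,Threat Emulation,Detect,http,,setup.exe
2016-03-01T10:07:00,Threat Emulation,Detect,smtp,msg-003,notes.xls
"""


def load(text):
    """Parse the CSV export and convert the time column to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return rows


def find_race_detects(rows):
    """Return SMTP Detect events logged after Threat Extraction had finished."""
    extracted = {}  # (email_id, file_name) -> earliest Threat Extraction time
    for r in rows:
        if r["blade"] == "Threat Extraction" and r["service"] == "smtp":
            key = (r["email_id"], r["file_name"])
            if key not in extracted or r["time"] < extracted[key]:
                extracted[key] = r["time"]
    hits = []
    for r in rows:
        if (r["blade"], r["action"], r["service"]) != ("Threat Emulation", "Detect", "smtp"):
            continue
        done = extracted.get((r["email_id"], r["file_name"]))
        # Extraction finished first: the ordering described under Cause.
        if done is not None and done < r["time"]:
            hits.append({"email_id": r["email_id"], "file_name": r["file_name"],
                         "lag_seconds": (r["time"] - done).total_seconds()})
    return hits


if __name__ == "__main__":
    for hit in find_race_detects(load(SAMPLE_CSV)):
        print(hit)
```

Each returned record identifies an e-mail whose attachment verdict arrived only after the MTA had already handled the message, so those messages are the ones to review.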


Solution