Introduction
This document describes the behavior of the Cisco Email Security Appliance (ESA) and Cloud Email Security (CES) devices when an email is flagged by multiple services for quarantine, and the flow of the email through the rest of the email pipeline.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco ESA with AsyncOS 12.1.0 version.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Emails that flow through the Cisco ESA and CES devices for filtering follow the email work queue pipeline. The pipeline is static, but if multiple services have actions defined that flag an email for quarantine, the quarantining does not follow the pipeline order; instead, the ESA/CES quarantines the email in its own order.
Note: Emails that are flagged with actions set to (Final Action) take immediate precedence and exit the work queue processing.
What Happens to the Email when Flagged by Multiple Services for Quarantine?
The email is placed into the Policy Virus Outbreak (PVO) quarantine first. There is no specific order among the policy quarantines it enters, because the PVO view lists every other quarantine the email is also held in. After the email is released from one of the PVO quarantines, it remains held in any other quarantines it was flagged for.
After the email is released (either manually or by the timer, where the default action is set to release), it then enters the spam quarantine. When the email is released from the spam quarantine, it traverses into the delivery queue for final delivery.
Note: Deleting an email from one PVO quarantine also removes it from all other quarantines it is held in.
- Messages released from Policy and Virus quarantines are rescanned by the anti-virus, advanced malware protection, and graymail engines.
- Messages released from the Outbreak quarantine are rescanned by the anti-spam, anti-virus, and AMP engines.
- Messages released from the File Analysis quarantine are rescanned for threats.
- Messages with attachments are rescanned by the file reputation service upon release from Policy, Virus, and Outbreak quarantines.
Initial email injection, with filtering done by the ESA. In this output, the email is flagged by the spam quarantine, the virus quarantine, and the policy quarantine:
Thu Jun 27 12:51:03 2019 Info: Start MID 378951 ICID 391696
Thu Jun 27 12:51:03 2019 Info: MID 378951 ICID 391696 From: <matt@lee2.com>
Thu Jun 27 12:51:10 2019 Info: MID 378951 ICID 391696 RID 0 To: <matthewtestdomain@cisco.com>
Thu Jun 27 12:51:14 2019 Info: MID 378951 Subject 'Test email with AV EICAR and other triggers'
Thu Jun 27 12:51:15 2019 Info: MID 378951 ready 3292 bytes from <matt@lee2.com>
Thu Jun 27 12:51:15 2019 Info: MID 378951 matched all recipients for per-recipient policy matt in the inbound table
Thu Jun 27 12:51:15 2019 Info: MID 378951 interim verdict using engine: CASE spam positive
Thu Jun 27 12:51:15 2019 Info: MID 378951 using engine: CASE spam positive
Thu Jun 27 12:51:15 2019 Info: ISQ: Tagging MID 378951 for quarantine
Thu Jun 27 12:51:15 2019 Info: MID 378951 interim AV verdict using Sophos VIRAL
Thu Jun 27 12:51:15 2019 Info: MID 378951 antivirus positive 'EICAR-AV-Test'
Thu Jun 27 12:51:15 2019 Info: MID 378951 AMP file reputation verdict : MALWARE
Thu Jun 27 12:51:15 2019 Info: MID 378951 attachment 'testAV.txt'
Thu Jun 27 12:51:15 2019 Info: MID 378951 URL https://ihaveabadreputation.com has reputation -9.3 matched Condition: URL Reputation Rule
Thu Jun 27 12:51:15 2019 Info: MID 378951 Custom Log Entry: - Match whole word filter
Thu Jun 27 12:51:15 2019 Info: ISQ: Tagging MID 378951 for quarantine (X-Ironport-Quarantine)
Thu Jun 27 12:51:15 2019 Info: MID 378951 quarantined to "Policy" (content filter:contnet_quarantine)
Thu Jun 27 12:51:15 2019 Info: MID 378951 quarantined to "Virus" (a/v verdict:VIRAL)
Thu Jun 27 12:51:15 2019 Info: Message finished MID 378951 done
Thu Jun 27 12:51:15 2019 Info: ICID 391696 close
When you investigate inside the quarantine, the email is seen held in the PVO quarantine you selected, as well as in any other quarantines it is flagged for.
After it is released from this quarantine, the event is logged in your mail_logs, and the other quarantines also reflect that the email is no longer available in the quarantine it was released from.
Thu Jun 27 12:52:59 2019 Info: MID 378951 released from quarantine "Virus" (manual) t=104
Releasing it from the remaining PVO quarantine allows the email to travel on to the spam quarantine it was flagged for.
Thu Jun 27 12:54:15 2019 Info: MID 378951 released from quarantine "Policy" (manual) t=180
Thu Jun 27 12:54:15 2019 Info: MID 378951 released from all quarantines
Thu Jun 27 12:54:15 2019 Info: MID 378951 matched all recipients for per-recipient policy matt in the inbound table
Thu Jun 27 12:54:15 2019 Info: MID 378951 interim AV verdict using Sophos VIRAL
Thu Jun 27 12:54:15 2019 Info: MID 378951 antivirus positive 'EICAR-AV-Test'
Thu Jun 27 12:54:15 2019 Info: MID 378951 AMP file reputation verdict : MALWARE
Thu Jun 27 12:54:15 2019 Info: ISQ: Tagging MID 378951 for quarantine (X-Ironport-Quarantine)
Thu Jun 27 12:54:15 2019 Info: MID 378951 queued for delivery
Thu Jun 27 12:54:15 2019 Info: RPC Delivery start RCID 13914 MID 378951 to local IronPort Spam Quarantine
Thu Jun 27 12:54:15 2019 Info: ISQ: Quarantined MID 378951
Thu Jun 27 12:54:15 2019 Info: RPC Message done RCID 13914 MID 378951
Thu Jun 27 12:54:15 2019 Info: Message finished MID 378951 done
From there, on the final release from the spam quarantine, the email is destined for the delivery queue.
Thu Jun 27 12:55:33 2019 Info: Start MID 378952 ICID 0 (ISQ Released Message)
Thu Jun 27 12:55:33 2019 Info: ISQ: Reinjected MID 378951 as MID 378952
Thu Jun 27 12:55:33 2019 Info: MID 378952 ICID 0 From: <matt@lee2.com>
Thu Jun 27 12:55:33 2019 Info: MID 378952 ICID 0 RID 0 To: <matthewtestdomain@cisco.com>
Thu Jun 27 12:55:33 2019 Info: MID 378952 Subject '[WARNING: MALWARE DETECTED][SPAM] Test email with AV EICAR'
Thu Jun 27 12:55:33 2019 Info: MID 378952 ready 9661 bytes from <matt@lee2.com>
Thu Jun 27 12:55:33 2019 Info: MID 378952 queued for delivery
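To make the sequence described above (PVO quarantines first, then the spam quarantine, then the delivery queue) concrete, here is an added Python example that reads mail_logs lines like those quoted in this document and reconstructs one message's path through the quarantines. It is not Cisco's code and not part of the original document: the line patterns are assumed from this excerpt only, and the sample input reproduces lines from the excerpt. It also handles the point a practitioner is most likely to misread in these logs: the first "queued for delivery" for MID 378951 is followed by "ISQ: Quarantined", so it was the RPC hand-off into the local spam quarantine, not delivery to the recipient, and the message only leaves for delivery as the reinjected MID 378952.

```python
import re

# Patterns for the mail_logs lines quoted in this document. They are assumed
# from that excerpt only; other AsyncOS releases may word events differently.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) Info: (?P<body>.*)$')
PATTERNS = [
    ("pvo_hold", re.compile(r'^MID (?P<mid>\d+) quarantined to "(?P<q>[^"]+)"')),
    ("isq_tagged", re.compile(r'^ISQ: Tagging MID (?P<mid>\d+) for quarantine')),
    ("pvo_release", re.compile(
        r'^MID (?P<mid>\d+) released from quarantine "(?P<q>[^"]+)" \((?P<how>\w+)\)')),
    ("pvo_release_all", re.compile(r'^MID (?P<mid>\d+) released from all quarantines$')),
    ("queued", re.compile(r'^MID (?P<mid>\d+) queued for delivery$')),
    ("isq_hold", re.compile(r'^ISQ: Quarantined MID (?P<mid>\d+)$')),
    ("isq_reinject", re.compile(r'^ISQ: Reinjected MID (?P<mid>\d+) as MID (?P<new>\d+)$')),
]

# Sample input: lines reproduced from the mail_logs excerpt in this document.
LOG = """\
Thu Jun 27 12:51:03 2019 Info: Start MID 378951 ICID 391696
Thu Jun 27 12:51:15 2019 Info: MID 378951 using engine: CASE spam positive
Thu Jun 27 12:51:15 2019 Info: ISQ: Tagging MID 378951 for quarantine
Thu Jun 27 12:51:15 2019 Info: MID 378951 antivirus positive 'EICAR-AV-Test'
Thu Jun 27 12:51:15 2019 Info: MID 378951 quarantined to "Policy" (content filter:contnet_quarantine)
Thu Jun 27 12:51:15 2019 Info: MID 378951 quarantined to "Virus" (a/v verdict:VIRAL)
Thu Jun 27 12:51:15 2019 Info: Message finished MID 378951 done
Thu Jun 27 12:52:59 2019 Info: MID 378951 released from quarantine "Virus" (manual) t=104
Thu Jun 27 12:54:15 2019 Info: MID 378951 released from quarantine "Policy" (manual) t=180
Thu Jun 27 12:54:15 2019 Info: MID 378951 released from all quarantines
Thu Jun 27 12:54:15 2019 Info: MID 378951 queued for delivery
Thu Jun 27 12:54:15 2019 Info: RPC Delivery start RCID 13914 MID 378951 to local IronPort Spam Quarantine
Thu Jun 27 12:54:15 2019 Info: ISQ: Quarantined MID 378951
Thu Jun 27 12:55:33 2019 Info: Start MID 378952 ICID 0 (ISQ Released Message)
Thu Jun 27 12:55:33 2019 Info: ISQ: Reinjected MID 378951 as MID 378952
Thu Jun 27 12:55:33 2019 Info: MID 378952 queued for delivery
"""


def parse_events(lines):
    """Yield (timestamp, kind, fields) for every recognised mail_logs line."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        for kind, pat in PATTERNS:
            hit = pat.match(m.group("body"))
            if hit:
                yield m.group("ts"), kind, hit.groupdict()
                break


def trace_message(lines, mid):
    """Follow one message through the PVO and spam quarantines.

    The trace follows the ISQ reinjection to the new MID, so the whole path
    ends up in one summary. "queued for delivery" is not trusted on its own:
    when "ISQ: Quarantined" follows for the same MID, the queueing was the
    RPC hand-off to the local spam quarantine, and the final state is
    updated accordingly.
    """
    mids = {str(mid)}
    summary = {
        "pvo_held": [], "pvo_released": [], "pvo_still_held": [],
        "isq_tagged": False, "isq_held": False, "reinjected_as": None,
        "final": "in work queue",
    }
    for ts, kind, f in parse_events(lines):
        if f["mid"] not in mids:
            continue
        if kind == "pvo_hold":
            summary["pvo_held"].append(f["q"])
            summary["final"] = "held in PVO quarantine(s)"
        elif kind == "isq_tagged":
            summary["isq_tagged"] = True
        elif kind == "pvo_release":
            summary["pvo_released"].append((f["q"], f["how"], ts))
        elif kind == "pvo_release_all":
            summary["final"] = "released from all PVO quarantines"
        elif kind == "queued":
            summary["final"] = "queued for delivery"
        elif kind == "isq_hold":
            summary["isq_held"] = True
            summary["final"] = "held in spam quarantine"
        elif kind == "isq_reinject":
            mids.add(f["new"])
            summary["reinjected_as"] = f["new"]
            summary["final"] = "reinjected from spam quarantine"
    released = {q for q, _, _ in summary["pvo_released"]}
    summary["pvo_still_held"] = [q for q in summary["pvo_held"] if q not in released]
    return summary


if __name__ == "__main__":
    for key, value in trace_message(LOG.splitlines(), 378951).items():
        print(f"{key}: {value}")
```

Run it against a mail_logs export instead of the embedded sample by passing `open(path)` to `trace_message`; the `pvo_still_held` list is the quick check for a message that was released from one PVO quarantine but is still waiting in another, which is the case the note above describes.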
Related Information