This document describes how to send a sample message to ensure either the Sophos anti-virus or McAfee anti-virus engine is scanning on a Cisco Email Security Appliance (ESA).
How to send a sample message to ensure Anti-Virus engine is scanning on a Cisco Email Security Appliance (ESA)
By sending a sample message with a test viral payload through the ESA, we can trigger the Sophos or McAfee anti-virus engine. Prior to performing the steps listed in this document, you will need to set up your Incoming or Outgoing Mail Policy and configure the mail policy to have anti-virus drop or quarantine virus infected messages. This document uses ASCII code provided from EICAR (www.eicar.org) that will simulate a test virus as an attachment:
Note: Per EICAR: This test file has been provided to EICAR for distribution as the "EICAR Standard Anti-Virus Test File", and it satisfies all the criteria listed above. It is safe to pass around, because it is not a virus, and does not include any fragments of viral code. Most products react to it as if it were a virus (though they typically report it with an obvious name, such as "EICAR-AV-Test").
Create a TXT File
Using the ASCII string above, create a .txt file and place the string as written as the body of the file. You will be able to send this file as an attachment in your sample message.
Sending Sample Message
Depending on how you work, you can send the sample message through the ESA various ways. Two example methods are via UNIX CLI using the mail or from Outlook (or other email application).
firstname.lastname@example.org:~$ echo "TEST MESSAGE w/ ATTACHMENT" | mail -s "A/V test example" -A av.txt email@example.com
Your UNIX environment will need to be properly setup to send or relay mail through your ESA.
Using Outlook (or another email application), you have two choices in sending the ASCII code through: 1) using the created .txt file, 2) direct paste of the ASCII string in the body of the mail message.
Using the .txt file as an attachment:
Using the ASCII string in the body of the mail message:
Your Outlook (or other email application) will need to be properly setup to send or relay mail through your ESA.
On the ESA CLI, use the command tail mail_logs prior to sending the sample message. While watching the mail log you will see the message is scanned and caught by McAfee as "VIRAL":
On this lab ESA, 'Virus Infected Messages' are configured to Quarantine for "Action Applied to Message" on the particular mail policy. The action on your ESA may vary, based on the action taken for virus infected messages handled by anti-virus on your mail policy.