Message or Content Filter Scanning Error Matches Conditions and Takes Action

Available Languages

Download Options

  • PDF     (87.2 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (152.6 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (131.0 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 14, 2019
Document ID:214514

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes why messages are matching Message or Content filter conditions when a "message scanning error" occurs on the Cisco Email Security Appliance (ESA) and Cloud Email Security (CES) appliance.

Problem

Messages are sent into the ESA/CES for filtering, the mail_logs or message tracking shows the results of "message scanning error" followed by a positive match against the message/content filter that was conducting the scan.

Sample errors found on the mail_logs/message tracking:

Tue Sep  9 13:37:35 2014 Warning: MID 15180223, message scanning error: Size Limit Exceeded
Tue Sep  9 14:27:31 2015 Warning: MID 15180325, message scanning error: Scan Depth Exceeded

Solution

When an email attachment exceeds a threshold configured, a message scanning error is logged. Should the ESA/CES have assume the attachment matches enabled, it will trigger the filter match and action as configured.

Note: Attachment scanning on the ESA/CES has different thresholds which are defined within the scanconfig configuration on the CLI or scan behaviour settings on the GUI.

On the CLI, the feature can be enabled or disabled in the scanconfig command:

myesa.loca> scanconfig


There are currently 5 attachment type mappings configured to be SKIPPED.

Choose the operation you want to perform:
- NEW - Add a new entry.
- DELETE - Remove an entry.
- SETUP - Configure scanning behavior.
- IMPORT - Load mappings from a file.
- EXPORT - Save mappings to a file.
- PRINT - Display the list.
- CLEAR - Remove all entries.
- SMIME - Configure S/MIME unpacking.
[]> setup

1. Scan only attachments with MIME types or fingerprints in the list.
2. Skip attachments with MIME types or fingerprints in the list.
Choose one:
[2]> 

Enter the maximum depth of attachment recursion to scan:
[5]> 

Enter the maximum size of attachment to scan:
[2621440]>

Do you want to scan attachment metadata? [Y]> 

Enter the attachment scanning timeout (in seconds):
[1]> 

If a message has attachments that were not scanned for any reason (e.g. because
of size, depth limits, or scanning timeout), assume the attachment matches the
search pattern? [Y]>

 Ensure all changes are commited by entering the commit command..

On GUI:

  1. Navigate to Security Services then Scan Behaviour
  2. Click Edit the Global Settings
  3. Disable/Enable Assume attachment matches pattern if not scanned for any reason.

For more information about the scanconfig command, see the AsyncOS Advanced User Guide on the Cisco Support Portal.

Related Information

TAC Authored

Contributed by Cisco Engineers

  • Mathew Huynh
    Cisco TAC
  • Jean Orozco
    Cisco TAC

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products