The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The Email Security Appliance (ESA) uses the Advanced Malware Protection (AMP) feature, which contains two main functions:
File Analysis uploads message attachments for sandbox analysis to ThreatGrid Cloud servers.
Understand the "Upload Limit Reached" Alert
Message Tracking can show that emails were not scanned by Advanced Malware Protection (AMP) because the upload limit was reached.
02 Dec 2019 14:11:36 (GMT +01:00) Message 12345 is unscannable by Advanced Malware Protection engine. Reason: Upload Limit Reached
In the new ThreatGrid sample limits model, these limits are the number of samples that devices are allowed to upload for file analysis on a per-organization basis. All integrated devices (WSA, ESA, CES, FMC, etc.) as well as AMP for Endpoints are entitled to 200 samples per day, regardless of the number of devices.
This is a shared limit (not a limit per device), and it applies to licenses bought after 12/1/2017.
Note: This counter is not reset every day; instead, it works as a rolling 24-hour period.
For example, in a cluster of 4 ESAs with a 200-sample upload limit, if ESA1 uploads 80 samples at 10:00 today, then only 120 more samples can be uploaded among the 4 ESAs (shared limit) from today at 10:01 until tomorrow at 10:00, when the first 80 slots are released.
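The rolling window described above, together with a parser for the Message Tracking line quoted earlier, as an added Python example (not Cisco code). The function names, the `(timestamp, device, count)` upload records, and the exact moment slots are released are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

LIMIT = 200                    # shared per-organization limit stated on the page
WINDOW = timedelta(hours=24)   # rolling; assumed to free slots exactly 24h after upload

# Message Tracking line format as quoted on the page.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) "
    r"\(GMT (?P<sign>[+-])(?P<hh>\d{2}):(?P<mm>\d{2})\) "
    r"Message (?P<mid>\d+) is unscannable by Advanced Malware Protection "
    r"engine\. Reason: Upload Limit Reached$")

def parse_unscanned(lines):
    """Return [(aware datetime, message ID)] for 'Upload Limit Reached' lines."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        offset = timedelta(hours=int(m["hh"]), minutes=int(m["mm"]))
        tz = timezone(offset if m["sign"] == "+" else -offset)
        ts = datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S").replace(tzinfo=tz)
        hits.append((ts, int(m["mid"])))
    return hits

def remaining(uploads, at, limit=LIMIT):
    """Slots left at `at`. uploads: [(datetime, device, count)] for ALL devices."""
    used = sum(n for ts, _dev, n in uploads if at - WINDOW < ts <= at)
    return max(limit - used, 0)

def next_release(uploads, at):
    """Time at which the oldest uploads still counted at `at` age out."""
    live = [ts for ts, _dev, _n in uploads if at - WINDOW < ts <= at]
    return min(live) + WINDOW if live else None

# Constructed sample data: the page's cluster example and its tracking line.
T0 = datetime(2019, 12, 2, 10, 0, tzinfo=timezone.utc)
UPLOADS = [(T0, "ESA1", 80)]
SAMPLE_LINES = [
    "02 Dec 2019 14:11:36 (GMT +01:00) Message 12345 is unscannable by "
    "Advanced Malware Protection engine. Reason: Upload Limit Reached",
    "02 Dec 2019 14:12:01 (GMT +01:00) Message 12346 queued for delivery",
]

if __name__ == "__main__":
    print(remaining(UPLOADS, T0 + timedelta(minutes=1)))   # inside the window
    print(remaining(UPLOADS, T0 + WINDOW))                 # slots released
    print(parse_unscanned(SAMPLE_LINES))
```

The message IDs returned by `parse_unscanned` identify mail that was delivered without sandbox analysis, which makes them the candidates for follow-up review.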
How can you Check the Number of Samples your ESAs have Uploaded in the past 24 Hours?
ESA: Navigate to Monitor > AMP File Analysis report and check the Files Uploaded for Analysis section.
SMA: Navigate to Email > Reporting > AMP File Analysis report and check the Files Uploaded for Analysis section.