The Advanced Threat Protection (ATP) service analyzes inbound email attachments with most file types and publicly accessible direct download links in a separate, secured cloud environment, detecting new threats and determining whether to block such messages. ATP offers protection against advanced malware, zero-day exploits, and targeted attacks, such as phishing, not detected by Email Gateway Defense virus scanning features. Enable ATP on the ATP Settings page.
Advanced Threat Protection Options
Configure policies on the Inbound Settings > Content Policies page, and specify how and when attachments are scanned on the ATP Settings page.
Deliver First, then Scan
When selected, the ATP service attempts to scan the mail in real time. If the ATP scan completes in real time and a malicious artifact is detected, the message is blocked and is not delivered. If the ATP scan does not complete in real time, the message is delivered; if the ATP service determines the attachment to be suspicious or malware-infected upon completion, the recipient is notified, and if Notify Admin is set to Yes, an email alert is sent to the specified admin address.
Figure 1. Scan is Complete in Real Time; no Threat Detected.
Figure 2. Mail is Delivered Before Scan Complete; Threat Detected.
Scan First, then Deliver
When selected, the ATP service scans new messages with attachments before delivery. If a malicious artifact is detected in an attachment, or the attachment is a known threat, the message is blocked, otherwise, the message is delivered to the recipient.
Figure 3. Attachment is Recognized as a Known Threat.
Figure 4. Attachment is Scanned and Determined to be Suspicious.
Figure 5. No Threat Detected in Attachment.
Advanced Threat Protection Disabled
When set to No, ATP is disabled.
Advanced Threat Protection Exemptions
When ATP is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt sender email addresses, sender domains, recipient email addresses, recipient domains, or sender IP addresses from ATP scanning in the ATP Exemptions section on the ATP Settings page.
Scanned File Types
Table 1 lists the common file types scanned by the ATP service. Note that this is not an extensive list.
Table 1.
| File Type | File Extension |
|---|---|
| Adobe Acrobat | |
| MS Office | .doc, .ppt, .xls, .mdb, .docx, .ppx, .xlsx |
| Executable | .exe |
| Windows Cabinet File | .cab |
| DOS Batch | .bat |
| HTML | .htm, html |
| iCalendar | .ics |
| Rich Text Format | .rtf |
| Android Package Kit | .apk |
| ZIP | .zip |
| TAR | .tar |
| Java Archive | .jar |
| Javascript | .js |
Administrator Notification
When Deliver First, then Scan is selected, select Yes for Notify Admin to notify the administrator when a malicious artifact is detected by the ATP service in a scanned attachment. The email notification includes the sender, recipient, attachment type, and detected malware. Enter the admin email address in the ATP Notification Email field address. Infected attachments are listed in the ATP Log.
User Notification
If the ATP service determines an attachment is suspicious or malware-infected, the recipient is notified, and the Message Log displays the action as Advanced Threat Protection.
Additionally, the Message Log displays: Envelope From: no-reply@barracudanetworks.com
ATP Exemptions
When ATP is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt sender email addresses, sender domains, recipient email addresses, recipient domains, or sender IP addresses from ATP scanning. Attachments from exempted entries are not sent to the ATP cloud. Note that these exemptions apply to ATP scanning only and do not apply to Email Gateway Defense virus scanning. Note that the exemption is for the envelope from address or envelope from domain. To add an exemption by "envelope from" address or "envelope from" domain:
- In the Exemptions by Email Address / Domains section, enter the email address or domain in the Exemptions field.
- Select Sender or Recipient.
- Optionally, enter a Comment for the exemption.
- Click Add; the exemption displays in the list.
Message Log
Messages blocked or deferred by the ATP service are listed in the Message Log with the following codes listed in the Reason column:
- Advanced Threat Protection – Message is blocked by the ATP service due to an infected attachment.
- Pending Scan (Scan First, then Deliver enabled) – Message is deferred while the attachment is scanned. The sending mail server must retry until the scan is complete. Once complete, if no malicious artifact is detected, the message is delivered.
- ATP Service Unavailable – Message is deferred because the ATP service is temporarily unavailable. The message is retried and, when the scan is complete and if no malicious artifact is detected, the message is delivered.
View ATP Statistics
The Dashboard page displays statistics of scanned attachments determined to be infected by the ATP service.
Deferred Delivery
If the message is deferred, the sending mail server must retry the deferred message. Note the following events that can occur:
- The sending mail server retries the deferred message. If the ATP scan completes, the message is delivered or blocked.
- The sending mail server retries the deferred message for longer than 2 hours. If the pending ATP scan does not complete within that time period, the message is quarantined.
- The sending mail server does not retry the deferred message. The message can be downloaded by the admin and sent as an attachment to the recipient.
If a message scanned by ATP is quarantined or blocked (for example, ATP determines the message attachment is suspicious), the admin can select to deliver the message.
The Email Delivery Warning dialog box displays a list of attachments, one or more of which is suspected of being Infected. If you want to deliver the email and the associated attachments, first review the report for each attachment.Determine Whether to Deliver Message