The Advanced Threat Protection (ATP) service analyzes inbound email attachments with most MIME types and publicly accessible direct download links in a separate, secured cloud sandbox, detecting new threats and determining whether to block such messages. ATP offers protection against advanced malware, zero-day exploits, and targeted attacks not detected by the Barracuda Email Security Service virus scanning features. Enable ATP on the ATP Settings page.
Advanced Threat Protection Options
Configure policies on the Inbound Settings > Content Policies page, and specify how and when attachments are scanned on the ATP Settings page.
Deliver First, then Scan
When selected, the ATP service attempts to scan the mail in real time. If the ATP scan completes in real time and a virus is detected, the message is blocked and is not delivered. If the ATP scan does not complete in real time, the message is delivered; if the ATP service determines the attachment to be suspicious or virus-infected upon completion, the recipient is notified, and if Notify Admin is set to Yes, an email alert is sent to the specified admin address.
Figure 1. Scan is Complete in Real Time; no Threat Detected.
Figure 2. Mail is Delivered Before Scan Complete; Threat Detected.
Scan First, then Deliver
When selected, the ATP service scans new messages with attachments before delivery. If a virus is detected in an attachment, or the attachment is a known threat, the message is blocked; otherwise, the message is delivered to the recipient.
Figure 3. Attachment is Recognized as a Known Threat.
Figure 4. Attachment is Scanned and Determined to be Suspicious.
Figure 5. No Threat Detected in Attachment.
Advanced Threat Protection Disabled
When set to No, ATP is disabled.
Advanced Threat Protection Exemptions
When ATP is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt sender email addresses, sender domains, recipient email addresses, recipient domains, or sender IP addresses from ATP scanning in the ATP Exemptions section on the ATP Settings page.
Scanned File Types
Table 1 lists example file types scanned by the ATP service.
Table 1.
MIME Type | File Extension |
---|---|
application/pdf | |
application/msword | .doc |
application/vnd.ms-powerpoint | .ppt |
application/vnd.ms-excel | .xls |
application/x-msaccess | .mdb |
application/vnd.openxmlformats-officedocument.presentationml.presentation | .pptx |
application/x-dosexec | .exe |
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet | .xlsx |
application/vnd.microsoft.portable-executable | .exe |
application/x-executable | .exe |
application/vnd.ms-cab-compressed | .cab |
text/x-msdos-batch | .bat |
text/html | .htm, .html |
text/calendar | .ics |
application/rtf | .rtf |
application/vnd.android.package-archive | .apk |
application/zip | .zip |
application/x-tar | .tar |
application/java-archive | .jar |
application/javascript | .js |
application/vnd.openxmlformats-officedocument.wordprocessingml.document | .docx |
Administrator Notification
When Deliver First, then Scan is selected, select Yes for Notify Admin to notify the administrator when the ATP service detects a virus in a scanned attachment. The email notification includes the sender, recipient, attachment type, and detected virus. Enter the admin email address in the ATP Notification Email field. Infected attachments are listed in the ATP Log.
User Notification
If the ATP service determines an attachment is suspicious or virus-infected, the recipient is notified, and the Message Log displays the action as Advanced Threat Protection.
Additionally, the Message Log displays: Envelope From: no-reply@barracudanetworks.com
ATP Exemptions
When ATP is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt sender email addresses, sender domains, recipient email addresses, recipient domains, or sender IP addresses from ATP scanning. Attachments from exempted entries are not sent to the ATP cloud. These exemptions apply to ATP scanning only and do not apply to Barracuda Email Security Service virus scanning. The exemption is for the envelope from address or envelope from domain. To add an exemption by "envelope from" address or "envelope from" domain:
- In the Exemptions by Email Address / Domains section, enter the email address or domain in the Exemptions field.
- Select Sender or Recipient.
- Optionally, enter a Comment for the exemption.
- Click Add; the exemption displays in the list.
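The following is an added example, not Barracuda code, that an administrator could use to reason about which messages an exemption list removes from ATP scanning. It evaluates exemptions against the envelope sender, recipient, and sender IP rather than the From: header. The function names, the sample addresses, and the exact-domain matching rule (no subdomain matching) are assumptions made for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed exemption list, mirroring the entry types on the ATP Settings page.
EXEMPTIONS = [
    ("sender", "reports@partner.example"),  # sender email address
    ("sender", "vendor.example"),           # sender domain
    ("recipient", "abuse@corp.example"),    # recipient email address
    ("sender_ip", "203.0.113.25"),          # sender IP address
]

# Constructed message: the header From differs from the envelope sender below.
RAW = """From: Reports <reports@partner.example>
To: alice@corp.example
Subject: Q3 figures

See attachment.
"""

def _matches(entry, address):
    """Assumption: full-address or exact-domain match, case-insensitive."""
    entry, address = entry.lower(), address.lower()
    if "@" in entry:
        return address == entry
    return address.rpartition("@")[2] == entry

def atp_exemptions_hit(mail_from, rcpt_to, client_ip, exemptions=EXEMPTIONS):
    """Return the entries that would exempt this SMTP transaction from ATP."""
    hits = []
    for kind, value in exemptions:
        if kind == "sender" and _matches(value, mail_from):
            hits.append((kind, value))
        elif kind == "recipient" and _matches(value, rcpt_to):
            hits.append((kind, value))
        elif kind == "sender_ip" and (
            ipaddress.ip_address(client_ip) == ipaddress.ip_address(value)
        ):
            hits.append((kind, value))
    return hits

def header_from(raw):
    """Address in the From: header, which the exemption check does not use."""
    return parseaddr(message_from_string(raw)["From"])[1]

if __name__ == "__main__":
    print(header_from(RAW), atp_exemptions_hit(
        "bounce@mailer.example", "alice@corp.example", "198.51.100.7"))
```

An empty result means no exemption applies and the attachment is sent to the ATP cloud; reviewing the returned entries for each broad sender domain shows how much mail the list removes from sandbox analysis.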
Message Log
Messages blocked or deferred by the ATP service are listed in the Message Log with the following codes listed in the Reason column:
- Advanced Threat Protection – Message is blocked by the ATP service due to an infected attachment.
- Pending Scan (Scan First, then Deliver enabled) – Message is deferred while the attachment is scanned. The mail server retries until the scan is complete. Once complete, if no virus is detected, the message is delivered.
- ATP Service Unavailable – Message is deferred because the ATP service is temporarily unavailable. The message is retried; once the scan is complete, if no virus is detected, the message is delivered.
View ATP Statistics
The Dashboard page displays statistics of scanned attachments determined to be infected by the ATP service.
Deferred Delivery
If a message scanned by ATP is quarantined or blocked (for example, ATP determines the message attachment is suspicious), the admin can select to deliver the message.
The Email Delivery Warning dialog box displays a list of attachments, one or more of which is suspected of being infected. If you want to deliver the email and the associated attachments, first review the report for each attachment.
Determine Whether to Deliver Message