The Barracuda Email Security Gateway provides access to the subscription-based Advanced Threat Protection (ATP) service when you use the Cloud Protection Layer. For information about setting up the Cloud Protection Layer, see Cloud Protection Layer and How to Set Up Your Cloud Protection Layer.
ATP analyzes inbound email attachments with most MIME types and publicly accessible direct download links in a separate, secured cloud sandbox, detecting new threats and determining whether to block such messages. ATP offers protection against advanced malware, zero-day exploits, and targeted attacks not detected by the Barracuda Email Security Gateway virus scanning features. To subscribe to the ATP service, see the Subscriptions section of the DASHBOARD page in the Cloud Protection Layer.
To increase effectiveness and performance, Barracuda’s Advanced Threat Protection uses micro-services to create a multilayered scanning infrastructure that blocks known and unknown threats:
Advanced Threat Protection Options
In the Cloud Protection Layer, configure how and when attachments are scanned on the ATP SETTINGS tab:
Deliver First, Then Scan – When selected, the ATP service attempts to scan the mail in real time. If the ATP scan completes in real time and a virus is detected, the message is blocked and is not delivered. If the ATP scan does not complete in real time, the message is delivered; if the ATP service determines the attachment to be suspicious or virus-infected upon completion, the recipient is notified, and if Notify Admin is set to Yes, an email alert is sent to the specified admin address.
Scan First, Then Deliver – When selected, the ATP service scans messages with attachments before delivery. If a virus is detected in an attachment, the message is blocked, otherwise, the message is delivered to the recipient.
- No – When selected, ATP is disabled.
Advanced Threat Protection Exemptions
When ATP is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt sender email addresses, sender domains, recipient email addresses, recipient domains, or sender IP addresses from ATP scanning in the ATP Exemptions section on the ATP SETTINGS tab of the Cloud Protection Layer.
Scanned File Types
Table 1 lists example file types scanned by the ATP service.
|MIME Type||File Extension|
When Deliver First, Then Scan is selected, select Yes for Notify Admin to notify the administrator when a virus is detected by the ATP service in a scanned attachment. The email notification includes the sender, recipient, attachment type, and detected virus. Enter the admin email address in the ATP Notification Email field address. Infected attachments are listed in the ATP Log.
If the ATP service determines an attachment is suspicious or virus-infected, the recipient is notified, and the Message Log displays the action as Advanced Threat Protection. Additionally, the Message Log displays:
Envelop From: firstname.lastname@example.org
When ATP is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt sender email addresses, sender domains, recipient email addresses, recipient domains, or sender IP addresses from ATP scanning. Attachments from exempted entries are not sent to the ATP cloud. Note that these exemptions apply to ATP scanning only and do not apply to Barracuda Email Security Gateway virus scanning.
Messages blocked or deferred by the ATP service are listed in the Cloud Protection Layer Message Log with the following codes listed in the Reason column:
- Advanced Threat Protection – Message is blocked by the ATP service due to an infected attachment.
- Pending Scan (Scan First, Then Deliver enabled) – Message is deferred while the attachment is scanned. The mail server retries until the scan is complete. Once complete, if no virus is detected, the message is delivered.
- ATP Service Unavailable – Message is deferred because the ATP service is temporarily unavailable. The message is retried and, when the scan is complete and if no virus is detected, the message is delivered.
View ATP Statistics
The DASHBOARD page in the Cloud Protection Layer displays statistics of scanned attachments determined to be infected by the ATP service.