
Attachment Processing Flow - VES

While ATP could be simplified as "plugin that tests mail attachments in a sandbox," there are quite a few steps to accomplishing this task. This article breaks down all the steps from policy to end result.

The following breaks down, step by step, what occurs when either the default ATP policy or a custom policy picks up attachments for processing.

Step 1
  Detail: Policy rules filter in attachments; attachments are queued.
  What happens: Attachments that match the policy rule(s) are identified.
  Outcome: Attachments are put into the queue for processing.

Step 2
  Detail: Wait time check; user notification if needed.
  What happens: ATP checks the available sandboxes and estimates the processing time.
  Outcome:
    If the estimated wait is under five minutes:
      • No action taken
      • Skip to Step 4
    If the estimated wait is over five minutes:
      • ATP sends the end user a "stripped" copy of the email with the subject, the body of the message, and the attachment names
      • Attached to the "stripped" email is a notification informing the user of the delay
      • (Optional) The user may be able to release the email from the queue, if this option is enabled. See the detailed Email release process below
      • Proceed to Step 3

Step 3
  Detail: Files wait in queue.
  What happens: Attachments move along the queue until there is an available sandbox to process them.
  Outcome: When a sandbox is available, move to the next step.

Step 4
  Detail: Attachments are analyzed by the sandbox; the sandbox generates a result.
  What happens: The next available sandbox removes up to five attachments per message from the queue. The sandbox analyzes each attachment. Average processing time is about 2 minutes per file.
  Outcome: Each attachment is analyzed by the sandbox. The sandbox outputs two items back to the ATP plugin:
      • a result level (malicious, suspect, no risk found)
      • sandbox logs with analysis details (stored in Email Security's Message Logs)
    The sandbox then performs a full reset and processes the next attachment.

Step 5
  Detail: ATP takes action based on the sandbox result.
  Sandbox result is No Risk Found:
    Outcome: The attachment is sent along with the original email message to the end user.
  Sandbox result is Suspect:
    What happens: In Email Security, a Suspect file has a threat level equivalent to Spam.
    Outcome:
      • The attachment is quarantined.
      • The attachment is listed as Suspect/Spam on the next Quarantine Report that the user receives.
      • Depending on the user's permissions for quarantined items, the user may be able to release the suspect file through a link in the Quarantine Report.
  Sandbox result is Malicious:
    What happens: In Email Security, a Malicious file has a threat level equivalent to Virus.
    Outcome:
      • The attachment is quarantined.
      • The attachment is listed as Malicious/Virus on the next Quarantine Report that the user receives.
      • Malicious attachments cannot be released by end users.
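As an added illustration (not VES or ATP code), the model below encodes the decision points from Steps 2, 4 and 5: the five-minute notification threshold, the five-attachments-per-message batch size, and the verdict-to-disposition rules including who may release a quarantined file. The wait estimator (queued files times 2 minutes, spread over the available sandboxes) is an assumption; the article gives the inputs but not the exact formula.

```python
from math import ceil

AVG_MINUTES_PER_FILE = 2.0        # average sandbox time per file (from the article)
NOTIFY_THRESHOLD_MINUTES = 5.0    # stripped-copy notification threshold (from the article)
MAX_ATTACHMENTS_PER_PULL = 5      # a sandbox removes up to five attachments per message

# Sandbox result level -> (Quarantine Report label, releasable by end user?)
# None as the label means the attachment is delivered, not quarantined.
DISPOSITION = {
    "no risk found": (None, False),
    "suspect": ("Suspect/Spam", True),       # release still depends on user permissions
    "malicious": ("Malicious/Virus", False), # never releasable by end users
}


def estimate_wait_minutes(queued_files: int, sandboxes: int) -> float:
    """Constructed estimator (assumption): queue depth spread over the sandboxes."""
    if sandboxes < 1:
        raise ValueError("no sandboxes available")
    return queued_files * AVG_MINUTES_PER_FILE / sandboxes


def needs_delay_notification(queued_files: int, sandboxes: int) -> bool:
    """Step 2: over five minutes -> stripped copy plus delay notice; else go to Step 4."""
    return estimate_wait_minutes(queued_files, sandboxes) > NOTIFY_THRESHOLD_MINUTES


def take_action(result_level: str, user_may_release_quarantine: bool) -> dict:
    """Step 5: map a sandbox verdict to deliver/quarantine and the user's release right."""
    label, releasable = DISPOSITION[result_level.strip().lower()]
    if label is None:
        return {"action": "deliver", "report_label": None, "user_can_release": False}
    return {
        "action": "quarantine",
        "report_label": label,
        "user_can_release": releasable and user_may_release_quarantine,
    }


def process_message(attachments, verdicts, queued_files, sandboxes, user_may_release):
    """Run one message through Steps 1-5. `verdicts` maps filename -> result level
    and stands in for the sandbox (constructed input, not a real analysis)."""
    notified = needs_delay_notification(queued_files, sandboxes)            # Step 2
    pulls = ceil(len(attachments) / MAX_ATTACHMENTS_PER_PULL)               # Step 4 batching
    actions = {name: take_action(verdicts[name], user_may_release) for name in attachments}
    return {"delay_notification_sent": notified, "sandbox_pulls": pulls, "actions": actions}
```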
 
Author: Carlos Rios