SMTP-Proxy: APT Blocker

If you have purchased and enabled the APT Blocker feature on your Firebox, you can enable APT Blocker in the SMTP proxy to examine mail traffic for APT malware in message attachments.

APT Blocker is part of the same scan process as Gateway AntiVirus. When you enable APT Blocker in a proxy action, APT Blocker scans content only when content matches a proxy action rule configured with the AV Scan action.

APT Blocker and Message Delivery

When you enable APT Blocker in an SMTP proxy action, the Release messages immediately when attachments are submitted for APT Blocker analysis option controls how the SMTP proxy handles delivery of messages with attachments that are submitted for APT Blocker analysis.

You can configure the SMTP proxy to:

Release messages immediately when an attachment requires APT Blocker analysis

To configure the SMTP proxy to release messages to the receiving MTA before APT Blocker analysis is complete, select the Release messages immediately when attachments are submitted for APT Blocker analysis check box. When you enable APT Blocker in the SMTP proxy action, this option is selected by default. This enables messages to be delivered immediately, before the Firebox receives the APT Blocker analysis result. But it also exposes your network to a greater risk of a zero-day attack delivered as an email attachment.

Hold messages until APT Blocker analysis of all attachments is complete

To protect your network from zero-day attacks sent as email attachments, clear the Release messages immediately when attachments are submitted for APT Blocker analysis check box. This option provides greater protection from zero-day attacks. However, it can cause delivery delays for messages with attachments that require analysis, if the sending MTA times out before APT Blocker analysis is complete.

The SMTP proxy submits files for APT Blocker analysis one at a time. To reduce delivery delays for messages with multiple attachments, senders can attach files as a single archive file. The SMTP proxy submits all of the attachments in an archive file for APT Blocker analysis at the same time.

The option you choose depends on your preferred trade-off between message delivery performance and protection from zero-day attacks.

For more information about APT Blocker analysis, see APT Blocker in the SMTP and IMAP Proxies.
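The single-archive approach for senders described above can be scripted on the sending side. The following Python sketch is an added example, not part of the original documentation or any WatchGuard tool: it packs several files into one zip attachment so the message carries a single archive. The function names, addresses, and sample file contents are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample input: file name -> file content.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4 constructed sample\n",
    "budget.xlsx": b"constructed sample bytes",
    "notes.txt": b"constructed sample text\n",
}


def build_message_with_archive(sender, recipient, subject, body, files,
                               archive_name="attachments.zip"):
    """Return an EmailMessage whose only attachment is one zip holding `files`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)

    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    # One attachment part instead of one part per file.
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=archive_name)
    return msg


def attachment_names(raw_bytes):
    """Parse a serialized message and list its attachment file names."""
    parsed = message_from_bytes(raw_bytes, policy=policy.default)
    return [part.get_filename() for part in parsed.iter_attachments()]


def archive_members(raw_bytes):
    """Return the sorted member names of the message's first zip attachment."""
    parsed = message_from_bytes(raw_bytes, policy=policy.default)
    part = next(parsed.iter_attachments())
    with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
        return sorted(zf.namelist())
```

The resulting message can be handed to `smtplib.SMTP.send_message()` as usual.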

Enable APT Blocker

To configure APT Blocker in your SMTP proxy, from Fireware Web UI:

  1. From the Edit page for the SMTP proxy action, select the Proxy Action tab.
  2. Select the APT Blocker tab.

Screen shot of the Edit SMTP-Proxy Action page, APT Blocker settings

  3. Select the Enable APT Blocker check box.
    By default, the Release messages immediately when attachments are submitted for APT Blocker analysis check box is selected.
  4. If you do not want the SMTP proxy to release messages until after APT Blocker analysis of all attachments is complete, clear the Release messages immediately when attachments are submitted for APT Blocker analysis check box.
  5. Click Save.

To configure APT Blocker in your SMTP proxy, from Policy Manager:

  1. In the SMTP Proxy Action Configuration dialog box, select APT Blocker.
    The APT Blocker settings appear.

Screen shot of the SMTP Proxy Action Configuration dialog box, APT Blocker page

  2. Select the Enable APT Blocker check box.
    By default, the Release messages immediately when attachments are submitted for APT Blocker analysis check box is selected.
  3. If you do not want the SMTP proxy to release messages until after APT Blocker analysis of all attachments is complete, clear the Release messages immediately when attachments are submitted for APT Blocker analysis check box.
  4. Click OK.
