APT Blocker in the SMTP and IMAP Proxies

You can enable APT Blocker in the SMTP and IMAP proxies to help protect your network from zero-day attacks sent in email attachments. A zero-day attack is a new attack that has not been analyzed and identified.

When you enable APT Blocker in the SMTP and IMAP proxies, the proxies send email attachments for APT Blocker analysis and take the configured APT Blocker action based on the detected threat level.

APT Blocker in the SMTP Proxy

When you enable APT Blocker in an SMTP proxy action, you can control how the SMTP proxy handles delivery of messages that have attachments that must be submitted for APT Blocker analysis.

When you enable APT Blocker in the SMTP proxy, the Release messages immediately when attachments are submitted for APT Blocker analysis option is enabled by default. With this option enabled, when the SMTP proxy receives a message with an attachment that has an MD5 value that does not match a previously analyzed file, it releases the message while it submits the file for APT Blocker analysis.

If you disable this option, when the SMTP proxy receives a message with an attachment that has an MD5 value that does not match a previously analyzed file, the proxy holds the message while it submits the attached file for APT Blocker analysis. After APT Blocker analysis of all attachments is complete, the SMTP proxy takes the configured APT Blocker action based on the APT Blocker threat score for the file attachments.

The SMTP proxy submits files for APT Blocker analysis one at a time. To reduce delivery delays for messages with multiple attachments, senders can attach files as a single archive file. The SMTP proxy submits all of the attachments in an archive file for APT Blocker analysis at the same time.

If the SMTP proxy receives the result from APT Blocker analysis before the sending MTA times out, the proxy takes the configured APT Blocker action based on the APT threat level. If the sending MTA times out before the transaction is completed, the message is not delivered and the sending MTA must retry. When the sending MTA resends the message, the SMTP proxy uses the MD5 result from the prior file analysis to match the MD5 value of the file and takes the configured APT Blocker action.

If the Firebox cannot connect to the data center to submit the file for APT Blocker analysis, APT Blocker allows the message.

For more information about how to configure APT Blocker in the SMTP proxy, see SMTP-Proxy: APT Blocker.

APT Blocker in the IMAP Proxy

When APT Blocker is enabled in the IMAP proxy, the proxy does not retrieve a message unless all attachments have been analyzed by APT Blocker. If a message has attachments that have not been analyzed by APT Blocker, the IMAP proxy holds the message while it submits the files for APT Blocker analysis. If a message has more than one attachment, the IMAP proxy submits all message attachments for APT Blocker analysis at the same time. APT Blocker analysis can introduce a brief delay in message retrieval.

Unlike the SMTP proxy, the IMAP proxy always holds the message when it submits attachments for APT Blocker analysis.

If the IMAP proxy receives the result of APT Blocker analysis before the IMAP server times out, the proxy takes the configured APT Blocker action based on the APT threat level. If the IMAP server times out before the transaction is completed, the message is not retrieved. When the IMAP client tries to fetch the message again later, the IMAP proxy uses the MD5 result from the prior file analysis to match the MD5 value of the file and takes the configured APT Blocker action.

If the Firebox cannot connect to the data center to submit the file for APT Blocker analysis, APT Blocker allows the message.

For some email clients (for example, Outlook), the connection is denied by default during the sync process. You must restart the email client. When the email client restarts, the sync process completes successfully and the email client can continue to send and receive messages.
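The following Python model, added here as an illustration and not WatchGuard code, walks through the decision paths described in both the SMTP and IMAP sections above: the MD5 lookup against previously analyzed files, release-immediately versus hold, one-at-a-time (SMTP) versus all-at-once (IMAP) submission and its effect on sender or server timeouts, the cached verdict on a resend or refetch, and the fail-open behavior when the data center cannot be reached. The threat levels, the action table, the timeout values, the sample attachments and the fake sandbox verdicts are all constructed assumptions; the page only states that "the configured APT Blocker action" is taken.

```python
import hashlib
from dataclasses import dataclass

# Threat levels and the per-level action table are assumptions for this model;
# the page only says "the configured APT Blocker action" is taken.
CLEAN, LOW, MEDIUM, HIGH = "clean", "low", "medium", "high"
ORDER = [CLEAN, LOW, MEDIUM, HIGH]
ACTIONS = {CLEAN: "allow", LOW: "allow", MEDIUM: "quarantine", HIGH: "drop"}


@dataclass
class AnalysisResult:
    level: str
    seconds: float  # simulated time the analysis took


class VerdictCache:
    """MD5 of file content -> threat level for files already analyzed (as the page describes)."""
    def __init__(self):
        self._verdicts = {}

    @staticmethod
    def md5(data):
        return hashlib.md5(data).hexdigest()

    def get(self, data):
        return self._verdicts.get(self.md5(data))

    def put(self, data, level):
        self._verdicts[self.md5(data)] = level


def submit(files, cache, analyze, parallel):
    """Submit uncached files. Returns simulated seconds, or None if the data center is unreachable."""
    times = []
    for data in files:
        try:
            result = analyze(data)
        except ConnectionError:
            return None
        cache.put(data, result.level)  # the verdict is kept for any later resend or refetch
        times.append(result.seconds)
    return max(times, default=0.0) if parallel else sum(times)


def action_for(files, cache):
    worst = max((cache.get(d) for d in files), key=ORDER.index, default=CLEAN)
    return ACTIONS[worst]


def smtp_proxy(files, cache, analyze, release_immediately=True, mta_timeout=30.0):
    """SMTP proxy decision: files go one at a time; optional release while analysis runs."""
    new = [d for d in files if cache.get(d) is None]
    if new and release_immediately:
        submit(new, cache, analyze, parallel=False)  # message is already on its way
        return "released"
    elapsed = submit(new, cache, analyze, parallel=False)
    if elapsed is None:
        return "allow"  # fail-open: data center unreachable
    if elapsed > mta_timeout:
        return "not delivered"  # sending MTA gave up; its retry will hit the cache
    return action_for(files, cache)


def imap_proxy(files, cache, analyze, server_timeout=30.0):
    """IMAP proxy decision: always holds; all attachments are submitted at once."""
    new = [d for d in files if cache.get(d) is None]
    elapsed = submit(new, cache, analyze, parallel=True)
    if elapsed is None:
        return "allow"  # fail-open, as in the SMTP case
    if elapsed > server_timeout:
        return "not retrieved"  # the client fetches again later and gets the cached verdict
    return action_for(files, cache)


# Constructed sample attachments and a fake sandbox keyed by their MD5 (not real verdicts).
INVOICE = b"%PDF-1.4 constructed benign sample"          # 5 s, clean
SHEET = b"PK constructed benign sample 2"                 # 12 s, clean
SLOW_DOC = b"PK constructed slow-to-analyze sample"       # 20 s, low
DROPPER = b"MZ constructed malicious sample"              # 8 s, high
SANDBOX = {
    VerdictCache.md5(INVOICE): AnalysisResult(CLEAN, 5.0),
    VerdictCache.md5(SHEET): AnalysisResult(CLEAN, 12.0),
    VerdictCache.md5(SLOW_DOC): AnalysisResult(LOW, 20.0),
    VerdictCache.md5(DROPPER): AnalysisResult(HIGH, 8.0),
}


def sandbox(data):
    return SANDBOX.get(VerdictCache.md5(data), AnalysisResult(CLEAN, 5.0))


def unreachable(data):
    raise ConnectionError("data center unreachable")


def demo():
    out = []
    hold, release, imap = VerdictCache(), VerdictCache(), VerdictCache()
    out.append(smtp_proxy([DROPPER], hold, sandbox, release_immediately=False))  # drop
    out.append(smtp_proxy([DROPPER], release, sandbox))                           # released
    out.append(smtp_proxy([DROPPER], release, sandbox))                           # drop (cache hit)
    three = [INVOICE, SHEET, SLOW_DOC]                                            # 5 + 12 + 20 = 37 s
    out.append(smtp_proxy(three, hold, sandbox, release_immediately=False))       # not delivered
    out.append(smtp_proxy(three, hold, sandbox, release_immediately=False))       # allow (retry)
    out.append(imap_proxy(three, imap, sandbox))                                  # allow: max is 20 s
    out.append(imap_proxy([DROPPER], imap, sandbox, server_timeout=5.0))          # not retrieved
    out.append(imap_proxy([DROPPER], imap, sandbox, server_timeout=5.0))          # drop (refetch)
    out.append(smtp_proxy([DROPPER], VerdictCache(), unreachable, release_immediately=False))  # allow
    return out
```

The three-attachment case is the one the page's archive advice targets: sequential submission sums the analysis times and exceeds the sender's timeout, while a single submission (an archive, or the IMAP proxy's all-at-once behavior) is bounded by the slowest file. The last call makes the fail-open outcome explicit, which is the path worth watching in logs when the data center is unreachable.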

For more information about how to configure APT Blocker in the IMAP proxy, see IMAP-Proxy: APT Blocker.

See Also

About APT Blocker

About the SMTP-Proxy

About the IMAP-Proxy