Forum Discussion
O365 ATP Mail protection
Hi everyone,
I have a question regarding ZAP (zero-hour auto purge): why would you not want all mailboxes to be screened by ZAP? I mean, if you want to trap and remove a malicious mail that has already been delivered to the end user because the malware wasn't detected at delivery but afterwards, why would you not want to detect it...?
I'm asking because I heard a lot of false assumptions from third-party vendors who are saying that Microsoft doesn't scan mail at rest, but since ZAP is doing it, I'm trying to find out why people would be disabling it...?
Thank you all
P.S.: I'm new to the community so I hope I wrote in the right BLOG.
Technically, ZAP isn't "scanning at rest", so the vendors didn't lie on that part (which is a first :P). The only reason why you might want it disabled is if it triggers too many false positives. There are some challenges with auditing; it's not that straightforward to get a list of items ZAP acted upon. And Microsoft never got through the various compliance-related complications arising from performing actions on behalf of the user, which is why to date ZAP only supports the "move to Junk" action, instead of delete. So I guess you can extend an argument that in some scenarios where ZAP deleted an attachment, this can create a complication, but if you have such strict compliance requirements, you probably have the mailbox on hold anyway.
3 Replies
- Frederick_Po (Copper Contributor)
Do you have any info on how Microsoft is "screening" the user's mailbox against updated signatures etc.?
- Hi!
Would recommend reading this -
https://docs.microsoft.com/en-us/office365/securitycompliance/zero-hour-auto-purge
This should also help
https://blogs.technet.microsoft.com/eopfieldnotes/2018/12/13/did-i-get-zapped-by-zap/
ZAP is enabled by default on all mailboxes, but you can disable it via PowerShell, and there are certain conditions to meet, such as the spam action being set to move to the Junk Email folder.
Whilst I can't see any real reasons for disabling it, I guess one of the reasons for disabling it on subsets of users could be if it is responsible for false positives and moving legitimate mail to the Junk folder. Vasil Michev highlights this in the article here:
https://www.michev.info/Blog/Post/1063/zap-and-other-enhancements-in-exchange-online-protection
Hope that helps to answer your question!
Best, Chris
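The answer above says ZAP is on by default, is controlled through PowerShell, and only acts when the anti-spam policy's action is "move to Junk Email folder". The script below is an added example (not from this thread or from Microsoft's documentation) that audits those three conditions across every anti-spam policy in a tenant, so you can see at a glance where ZAP is genuinely active, where it has been switched off, and where it is nominally enabled but inert because the spam action is something other than MoveToJmf. It assumes the Exchange Online PowerShell module is installed and you have already run Connect-ExchangeOnline with an account that can read the policies; the function name Get-ZapStatus and the output columns are my own. It reads the classic ZapEnabled parameter as well as the later SpamZapEnabled/PhishZapEnabled pair, whichever the policy object actually exposes.

```powershell
# Added example, not the forum's or Microsoft's own code.
# Assumes: Exchange Online PowerShell module loaded and Connect-ExchangeOnline already run.

function Get-ZapStatus {
    [CmdletBinding()]
    param()

    # Get-HostedContentFilterPolicy returns the anti-spam (content filter) policies.
    foreach ($policy in Get-HostedContentFilterPolicy) {
        $props = $policy.PSObject.Properties

        # Older tenants expose a single ZapEnabled flag; newer ones expose
        # SpamZapEnabled and PhishZapEnabled separately. Record whichever exist.
        $zapFlags = @('ZapEnabled', 'SpamZapEnabled', 'PhishZapEnabled') |
            Where-Object { $null -ne $props[$_] } |
            ForEach-Object { "$_=$($policy.$_)" }

        # ZAP for spam is "enabled" if either the classic flag or the spam-specific flag is true.
        $zapEnabled = ($null -ne $props['ZapEnabled']     -and $policy.ZapEnabled) -or
                      ($null -ne $props['SpamZapEnabled'] -and $policy.SpamZapEnabled)

        # ZAP can only move post-delivery detections to Junk Email, so any other
        # spam action (Quarantine, Delete, AddXHeader, ...) leaves ZAP with nothing to do.
        $actionOk = ($policy.SpamAction -eq 'MoveToJmf')

        $note = if (-not $zapEnabled) { 'ZAP disabled in this policy' }
                elseif (-not $actionOk) { 'ZAP inert: SpamAction is not MoveToJmf' }
                else { '' }

        [pscustomobject]@{
            Policy      = $policy.Name
            IsDefault   = $policy.IsDefault
            ZapSettings = ($zapFlags -join ', ')
            SpamAction  = $policy.SpamAction
            ZapActive   = [bool]($zapEnabled -and $actionOk)
            Note        = $note
        }
    }
}

# Usage: list every policy and highlight the ones where ZAP will not fire.
Get-ZapStatus | Format-Table -AutoSize
Get-ZapStatus | Where-Object { -not $_.ZapActive }
```

If you do decide to exempt a subset of users because of false positives, the defensible pattern is to scope the change to a dedicated policy applied to those users (for example Set-HostedContentFilterPolicy -Identity <that policy> -ZapEnabled $false) rather than flipping the flag on the Default policy, and to re-run this audit afterwards so the exception stays visible rather than silently widening.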