ATP - Safe Attachment Modes fully explained

Ivan Unger
Valued Contributor

Hi, could someone point to full documentation about the different Safe Attachments policy modes (monitor, block, replace, dynamic delivery)?

Unfortunately the text links (learn more ...) in the configure policy windows do not work.

Monitor - Continue delivering the message after malware is detected; track scan results.

Block - Block the current and future emails and attachments with detected malware.

Replace - Block the attachments with detected malware, continue to deliver the message.

Dynamic Delivery - Deliver the message without attachments immediately and reattach once scan is complete.


I've tried out dynamic delivery, but my users are unappreciative of the fact that the message gets delivered first, before the attachment is fully scanned.

So I've just switched to "replace" for now and keep them in the dark about new emails until it is fully scanned.

What does block mean technically? What is considered as future emails?

Solution

Blocked means the entire message is scrapped, not just the attachment. Future emails is a bit dodgy, I guess they mean that once the attachment is stamped as malware, the action applies across the service. Pretty much what's described in this FAQ item:


  • How does Advanced Threat Protection treat multiple versions of the same file? Does ATP scan duplicates? For example, if 1,000 users received the same file would ATP detonate all 1,000 messages?

    After the first file is scanned, the outcome is applied to other recipients who have received the same file. For example, if File #1 was sent to Employee A and blocked, File #1 will be blocked for all other employees. File # 1 will also be blocked by reputation immediately for all other ATP tenants.


Taken from: https://technet.microsoft.com/en-us/library/mt789012(v=exchg.150).aspx


And documentation seems to be non-existent indeed. Flagging some folks on the MS side that might be able to help: @Jon Orton @Ankur Kothari
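For anyone who wants to set or inspect these modes outside the portal, the following is an added example (not code from either post in this thread) using the Exchange Online PowerShell cmdlets. It shows how the four portal modes listed in the question map to the policy's `-Action` value, and how the "replace" mode chosen in the question can later be switched to the "block" mode discussed in the reply. The tenant domain `contoso.com`, the policy and rule names, and the `secops@contoso.com` redirect mailbox are all hypothetical placeholders.

```powershell
# Added example, not from the thread: manage Safe Attachments policy modes
# with the ExchangeOnlineManagement module instead of the portal UI.
# Assumed (hypothetical) values: domain contoso.com, policy "SafeAttach-Replace",
# rule "SafeAttach-Replace-Rule", redirect mailbox secops@contoso.com.
Connect-ExchangeOnline

# Portal mode -> -Action value:
#   Monitor          -> Allow            (deliver, log the verdict)
#   Block            -> Block            (whole message withheld)
#   Replace          -> Replace          (attachment stripped, body delivered)
#   Dynamic Delivery -> DynamicDelivery  (body first, attachment after scan)
New-SafeAttachmentPolicy -Name "SafeAttach-Replace" `
    -Enable $true `
    -Action Replace `
    -Redirect $true `
    -RedirectAddress "secops@contoso.com"   # copy of detected items for the SOC

# A policy only takes effect once a rule scopes it to recipients.
New-SafeAttachmentRule -Name "SafeAttach-Replace-Rule" `
    -SafeAttachmentPolicy "SafeAttach-Replace" `
    -RecipientDomainIs "contoso.com"

# Review what every policy in the tenant does with a detected attachment.
Get-SafeAttachmentPolicy |
    Format-Table Name, Enable, Action, Redirect, RedirectAddress

# Later, move the same policy to Block: as the reply explains, Block withholds
# the entire message, not just the attachment, so keep the redirect in place
# so a copy still reaches the security mailbox for analysis.
Set-SafeAttachmentPolicy -Identity "SafeAttach-Replace" -Action Block
```

Keeping `-Redirect` enabled is what makes the stricter modes workable operationally: with Replace or Block, users never see the detected attachment, so the redirect copy is the SOC's only convenient way to review what was caught.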
