cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

O365 ATP Mail protection

Frederick_Po
Occasional Contributor

‎Jun 20 2019 08:00 AM

‎Jun 20 2019 08:00 AM

O365 ATP Mail protection

Hi everyone,

 

I have a question regarding ZAP (zero-Hour auto purge), why would you not want all mailboxes to be screened by ZAP? I mean if you want to trap and remove a malicious mail that has already been delivered to the end user because  the malware wasnt detected at the delivery but afterwards, why you would not want to detect it....

 

I'm asking becuase I heard a lot of false asumption by third party vendors that are saying that Microsoft doesnt scan mail at rest but since ZAP is doint it i'm trying to find  why would people be disabling it....?

 

Thank you all

 

P.S: i'm new to the community so I hope I wrote in the right BLOG.

 

 

 

 

636 Views
1 Like
3 Replies
Reply
3 Replies
Christopher Hoard

‎Jun 20 2019 08:36 AM

‎Jun 20 2019 08:36 AM

Re: O365 ATP Mail protection

Hi!

Would recommend reading this -

https://docs.microsoft.com/en-us/office365/securitycompliance/zero-hour-auto-purge

This should also help

https://blogs.technet.microsoft.com/eopfieldnotes/2018/12/13/did-i-get-zapped-by-zap/

ZAP is enabled by default on all mailboxes but you can disable it by Powershell and there are certain conditions to meet such as spam action being set to move to junk email folder.

Whilst I can’t see any real reasons for disabling it I guess one of the reasons for disabling it on subsets of users could be if it is responsible for false positives and moving legitimate mail to the junk. Vasil Michev highlights this in the article here

https://www.michev.info/Blog/Post/1063/zap-and-other-enhancements-in-exchange-online-protection

Hope that helps to answer your question!

Best, Chris
1 Like
Reply
best response confirmed by Frederick_Po (Occasional Contributor)
Vasil Michev

‎Jun 20 2019 09:52 AM

‎Jun 20 2019 09:52 AM

Solution

Re: O365 ATP Mail protection

Technically, ZAP isn't "scanning at rest" so the vendors didn't lie on that part (which is a first :P). The only reason why you might want it disabled is if it triggers too much false positives. There are some challenges with auditing, it's not that straightforward to get a list of items ZAP acted upon. And Microsoft never got through the various compliance-related complications arising from performing actions on behalf of the user, which is why to date ZAP only supports "move to Junk" action, instead of delete. So I guess you can extend an argument that in some scenarios where ZAP deleted an attachment, this can create a complication, but if you have that strict compliance requirements, you probably have the mailbox on hold anyway.

1 Like
Reply
Frederick_Po

‎Jun 20 2019 10:56 AM - edited ‎Jun 20 2019 10:57 AM

‎Jun 20 2019 10:56 AM - edited ‎Jun 20 2019 10:57 AM

Re: O365 ATP Mail protection

Do you have any info on how Microsoft is "screening" the users mailbox against updated signatures etc..?

0 Likes
Reply