SOLVED

O365 ATP Mail protection

%3CLINGO-SUB%20id%3D%22lingo-sub-711039%22%20slang%3D%22en-US%22%3EO365%20ATP%20Mail%20protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-711039%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everyone%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20a%20question%20regarding%20ZAP%20(zero-Hour%20auto%20purge)%2C%20why%20would%20you%20not%20%3CSPAN%3Ewant%20all%20mailboxes%20to%20be%20screened%20by%20ZAP%3F%20I%20mean%20if%20you%20want%20to%20trap%20and%20remove%20a%20malicious%20mail%20that%20has%20already%20been%20delivered%20to%20the%20end%20user%20because%26nbsp%3B%20the%20malware%20wasnt%20detected%20at%20the%20delivery%20but%20afterwards%2C%20why%20you%20would%20not%20want%20to%20detect%20it....%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI'm%20asking%20becuase%20I%20heard%20a%20lot%20of%20false%20asumption%20by%20third%20party%20vendors%20that%20are%20saying%20that%20Microsoft%20doesnt%20scan%20mail%20at%20rest%20but%20since%20ZAP%20is%20doint%20it%20i'm%20trying%20to%20find%26nbsp%3B%20why%20would%20people%20be%20disabling%20it....%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThank%20you%20all%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EP.S%3A%20i'm%20new%20to%20the%20community%20so%20I%20hope%20I%20wrote%20in%20the%20right%20BLOG.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-711154%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20ATP%20Mail%20protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-711154%22%20slang%3D%22en-US%22%3EHi!%3CBR%20%2F%3E%3CBR%20%2F%3EWould%20recommend%20reading%20this%20-%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fzero-hour-auto-purge%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fzero-hour-auto-purge%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20should%20also%20help%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Feopfieldnotes%2F2018%2F12%2F13%2Fdid-i-get-zapped-by-zap%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Feopfieldnotes%2F2018%2F12%2F13%2Fdid-i-get-zapped-by-zap%2F%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EZAP%20is%20enabled%20by%20default%20on%20all%20mailboxes%20but%20you%20can%20disable%20it%20by%20Powershell%20and%20there%20are%20certain%20conditions%20to%20meet%20such%20as%20spam%20action%20being%20set%20to%20move%20to%20junk%20email%20folder.%3CBR%20%2F%3E%3CBR%20%2F%3EWhilst%20I%20can%E2%80%99t%20see%20any%20real%20reasons%20for%20disabling%20it%20I%20guess%20one%20of%20the%20reasons%20for%20disabling%20it%20on%20subsets%20of%20users%20could%20be%20if%20it%20is%20responsible%20for%20false%20positives%20and%20moving%20legitimate%20mail%20to%20the%20junk.%20Vasil%20Michev%20highlights%20this%20in%20the%20article%20here%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fwww.michev.info%2FBlog%2FPost%2F1063%2Fzap-and-other-enhancements-in-exchange-online-protection%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.michev.info%2FBlog%2FPost%2F1063%2Fzap-and-other-enhancements-in-exchange-online-protection%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20that%20helps%20to%20answer%20your%20question!%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-711363%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20ATP%20Mail%20protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-711363%22%20slang%3D%22en-US%22%3E%3CP%3ETechnically%2C%20ZAP%20isn't%20%22scanning%20at%20rest%22%20so%20the%20vendors%20didn't%20lie%20on%20that%20part%20(which%20is%20a%20first%20%3AP).%20The%20only%20reason%20why%20you%20might%20want%20it%20disabled%20is%20if%20it%20triggers%20too%20much%20false%20positives.%20There%20are%20some%20challenges%20with%20auditing%2C%20it's%20not%20that%20straightforward%20to%20get%20a%20list%20of%20items%20ZAP%20acted%20upon.%20And%20Microsoft%20never%20got%20through%20the%20various%20compliance-related%20complications%20arising%20from%20performing%20actions%20on%20behalf%20of%20the%20user%2C%20which%20is%20why%20to%20date%20ZAP%20only%20supports%20%22move%20to%20Junk%22%20action%2C%20instead%20of%20delete.%20So%20I%20guess%20you%20can%20extend%20an%20argument%20that%20in%20some%20scenarios%20where%20ZAP%20deleted%20an%20attachment%2C%20this%20can%20create%20a%20complication%2C%20but%20if%20you%20have%20that%20strict%20compliance%20requirements%2C%20you%20probably%20have%20the%20mailbox%20on%20hold%20anyway.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-711586%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20ATP%20Mail%20protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-711586%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20you%20have%20any%20info%20on%20how%20Microsoft%20is%20%22screening%22%20the%20users%20mailbox%20against%20updated%20signatures%20etc..%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi everyone,

 

I have a question regarding ZAP (zero-Hour auto purge), why would you not want all mailboxes to be screened by ZAP? I mean if you want to trap and remove a malicious mail that has already been delivered to the end user because  the malware wasnt detected at the delivery but afterwards, why you would not want to detect it....

 

I'm asking becuase I heard a lot of false asumption by third party vendors that are saying that Microsoft doesnt scan mail at rest but since ZAP is doint it i'm trying to find  why would people be disabling it....?

 

Thank you all

 

P.S: i'm new to the community so I hope I wrote in the right BLOG.

 

 

 

 

3 Replies
Hi!

Would recommend reading this -

https://docs.microsoft.com/en-us/office365/securitycompliance/zero-hour-auto-purge

This should also help

https://blogs.technet.microsoft.com/eopfieldnotes/2018/12/13/did-i-get-zapped-by-zap/

ZAP is enabled by default on all mailboxes but you can disable it by Powershell and there are certain conditions to meet such as spam action being set to move to junk email folder.

Whilst I can’t see any real reasons for disabling it I guess one of the reasons for disabling it on subsets of users could be if it is responsible for false positives and moving legitimate mail to the junk. Vasil Michev highlights this in the article here

https://www.michev.info/Blog/Post/1063/zap-and-other-enhancements-in-exchange-online-protection

Hope that helps to answer your question!

Best, Chris
best response confirmed by Frederick_Po (Occasional Contributor)
Solution

Technically, ZAP isn't "scanning at rest" so the vendors didn't lie on that part (which is a first :P). The only reason why you might want it disabled is if it triggers too much false positives. There are some challenges with auditing, it's not that straightforward to get a list of items ZAP acted upon. And Microsoft never got through the various compliance-related complications arising from performing actions on behalf of the user, which is why to date ZAP only supports "move to Junk" action, instead of delete. So I guess you can extend an argument that in some scenarios where ZAP deleted an attachment, this can create a complication, but if you have that strict compliance requirements, you probably have the mailbox on hold anyway.

Do you have any info on how Microsoft is "screening" the users mailbox against updated signatures etc..?