How do I allow executables to bypass Attachment Manager?

It is possible to use Attachment Manager and Early Detection Filtering to allow executables to safely bypass Postini.

Follow these recommendations:

  • Set up Attachment Manager to allow all email from Approved Senders to bypass Inbound Attachment Manager filters.
  • Set Executables to Bounce.
  • Enable Early Detection Filtering.

This will allow executables from the senders you specify to bypass Attachment Manager.

Important: To do this safely, read the instructions on this page thoroughly before you begin. See the "About Early Detection Filtering" section at the bottom of this page.

To allow all email from Approved Senders to bypass Inbound Attachment Manager filters:

  1. From the Orgs & Users tab, choose the relevant Org to open the Organization Management page.
  2. In the Inbound Servers section, click Attachment Manager.
  3. Click Edit.
  4. Select the check box to allow all email from Approved Senders to bypass Inbound Attachment Manager.
  5. Click Save.

To set Executables to Bounce:

  1. From the Orgs & Users tab, choose the relevant Org to open the Organization Management page.
  2. In the Inbound Servers section, click Attachment Manager.
  3. Click Filters.
  4. In the System Threats section, select Bounce from the Executables drop-down list.
  5. Click Save.

To enable Early Detection Filtering:

  1. From the Orgs & Users tab, choose the relevant Org to open the Organization Management page.
  2. In the Inbound Servers section, click Virus Blocking.
  3. For Early Detection Filtering, select On from the drop-down list.
  4. Click Save.

Important:

  • Be sure to have Scan inside compressed files and Binary scanning enabled to filter mail from non-approved senders.
  • Attachment Manager only looks at org-level Approved Senders. Do not add domain names; instead, use the sender's full email address.
  • If not using the Approved Senders list, be sure to set Attachment Manager to ignore executables and allow Early Detection Filtering to filter out all potential viruses.
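The full-address rule above can be checked before entries go into the org-level Approved Senders list. The following is an added example, not Postini tooling: it assumes the candidate list is plain text with one entry per line (a format this page does not specify), and the function name and sample entries are constructed for illustration.

```python
import re

# A full address: a local part, one "@", and a dotted domain.
FULL_ADDRESS = re.compile(r"^[^@\s*]+@[a-z0-9-]+(\.[a-z0-9-]+)+$")
# Domain-wide forms: "example.com", "@example.com", "*@example.com".
DOMAIN_ONLY = re.compile(r"^(\*?@)?[a-z0-9-]+(\.[a-z0-9-]+)+$")


def audit_approved_senders(text):
    """Sort candidate entries into address / domain / invalid / duplicate.

    Entries in 'domain' would let every sender at that domain bypass the
    executable filter, which is what the guidance above tells you to avoid.
    """
    report = {"address": [], "domain": [], "invalid": [], "duplicate": []}
    seen = set()
    for raw in text.splitlines():
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue  # skip blank lines and comments
        if entry in seen:
            report["duplicate"].append(entry)
            continue
        seen.add(entry)
        if FULL_ADDRESS.match(entry):
            report["address"].append(entry)
        elif DOMAIN_ONLY.match(entry):
            report["domain"].append(entry)
        else:
            report["invalid"].append(entry)
    return report


# Constructed sample list (reserved .example domains, not real senders).
SAMPLE = """\
# candidate approved senders
build@vendor.example
Release.Bot@Partner.Example
vendor.example
@partner.example
*@supplier.example
build@vendor.example
bob@localhost
"""

if __name__ == "__main__":
    for kind, entries in audit_approved_senders(SAMPLE).items():
        print(f"{kind}: {entries}")
```

Only the entries reported under `address` satisfy the rule; review or drop everything else before saving the list.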

About Early Detection Filtering

Please be aware that Approved Senders -- even though they are trusted -- can still inadvertently send out viruses. There is still a potential to get a virus or zero-hour virus from an Approved Sender; therefore, we suggest that you enable Early Detection Filtering.

Early Detection Filtering will quarantine all potential virus threats. The messages are placed in a penalty box for 8 hours (user quarantine), and after 8 hours the message is rescanned for viruses. If the message does not contain a virus, it will automatically be delivered to the recipient. If it does contain a virus, the filter name in Quarantine will change to virus and the message will remain in the user quarantine.

Warnings:

  • If users have access to deliver messages from the Quarantine, there is a potential that they could deliver a message that has yet to be identified as a virus. Messages can be delivered from the Quarantine before the 8-hour penalty has expired.
  • If after 8 hours a message is identified as a virus, it will follow the User Org-level virus disposition settings. If it is set to bounce or blackhole, the message will disappear from the user quarantine.

For a user to view and/or deliver a message that is quarantined due to Early Detection Filtering, they must have the following access rights: Pending Quarantine (+) Read to view, Modify to deliver.

Disclaimer: For maximum protection from viruses, it's preferable to bounce executables rather than use Early Detection Filtering. In other words, if your users are receiving no executables, there is no chance of a virus. The above steps may not meet your contractual service level agreement on virus misses; therefore, please review your contract before following any of the above suggestions.


For a checklist of security best practices and links to other important resources for your service, visit Postini Security Central.