4.8. Alert, notification and quarantine report emails

Alert and report emails, and certain settings of notification emails, can be configured under Settings > Alerts & Reports.

Email Gateway Security will use a specific SMTP relay to deliver all alerts, notifications and reports. This SMTP server can be defined under Settings > Alerts & Reports / SMTP server profile. For further details see 4.6. Server profiles.


Common properties

Some properties are common among alerts, notifications and quarantine reports.

Sender email address

Email address from which the alert, notification or quarantine report emails are sent. This is used in the SMTP MAIL FROM command and the email From header.

Recipients

Recipient(s) of the alert, notification or quarantine report email. These are used in the SMTP RCPT TO command and email To header.

Subject

The subject of the notification or quarantine report. This is used in the email Subject header.

Alerts

Email alerts can be configured so that certain users can instantly be notified about the occurrence of certain system events.

SMTP SERVER NOT RESPONDING *

An alert is sent if the inbound SMTP server is not responding as expected

SMTP RELAY NOT RESPONDING *

An alert is sent if an SMTP relay configured in a server profile is not responding as expected

METADEFENDER CORE NOT RESPONDING *

An alert is sent if a MetaDefender Core server configured in a server profile is not responding as expected

METADEFENDER VAULT NOT RESPONDING *

A notification will be sent if a MetaDefender Vault server configured in a server profile is not responding

SCAN FAILURE **

An alert is sent if a scan failure occurs during the processing of an email

SANITIZATION FAILURE **

An alert is sent if a sanitization failure occurs during the processing of an email

DELIVERY OF SANITIZED BLOCKED EMAIL CONTENT **

An alert is sent if a blocked sanitized email is delivered to recipient(s).

Note

MetaDefender Email Gateway Security will only deliver blocked sanitized content to recipient(s) when the option Security Rules > rule / ZERO-DAY MALWARE PREVENTION / Override sanitization behavior / Send sanitized version of blocked files is enabled. For further details see the Zero-Day Malware Prevention section in 4.4. Policy.

EMAIL REFUSED **

An alert is sent when an email is refused by MetaDefender Email Gateway Security.

EMAIL FAILED **

An alert is sent when an email fails processing and is moved to Failed.

EMAIL BYPASSED **

A notification will be sent if Email Gateway Security bypassed scanning an email.

QUEUE SIZE *

A notification will be sent if the MetaDefender Email Gateway Security queue size exceeds the threshold configured for the QUEUE SIZE THRESHOLD value.

Note

A large queue does not necessarily indicate a failure. It can be the result of a large influx of emails, whose processing is queued to ensure optimal performance of MetaDefender Email Gateway Security.

Persistent conditions

* For persistent failures or conditions a notification email will be sent once an hour.

Example

If the queue size keeps exceeding the threshold for hours, then the alert is sent once every hour. But if the queue size is fluctuating around the threshold (sometimes exceeds, sometimes drops below) then the alert is sent every time the threshold is exceeded.
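
The difference between a persistent and a fluctuating condition can be modelled as follows. This is an added example, not code from MetaDefender Email Gateway Security; the function names, the 10-minute sampling interval and the threshold of 500 are assumptions, and the product's internal timing may differ.

```python
# Added illustration: a model of the "once an hour" rule for starred (*) alerts,
# built only from the behaviour described in the text. All names are hypothetical.
from typing import Iterable, List, Optional, Tuple

REPEAT_INTERVAL = 3600  # seconds; "once an hour" for a persistent condition


def persistent_alert_times(samples: Iterable[Tuple[int, int]],
                           threshold: int,
                           repeat_interval: int = REPEAT_INTERVAL) -> List[int]:
    """Return the timestamps at which a QUEUE SIZE alert would be sent.

    samples: (timestamp_seconds, queue_size) pairs in chronological order.
    An alert fires when the queue size rises from at-or-below the threshold
    to above it, and again every repeat_interval while it stays above.
    """
    sent: List[int] = []
    was_exceeded = False
    last_alert: Optional[int] = None
    for ts, size in samples:
        exceeded = size > threshold
        if exceeded:
            new_episode = not was_exceeded
            repeat_due = last_alert is not None and ts - last_alert >= repeat_interval
            if new_episode or repeat_due:
                sent.append(ts)
                last_alert = ts
        was_exceeded = exceeded
    return sent


def constructed_traces(threshold: int = 500):
    """Two constructed three-hour traces, sampled every 10 minutes."""
    ticks = range(0, 3 * 3600, 600)  # 18 samples: 0, 600, ..., 10200
    steady = [(t, threshold + 200) for t in ticks]
    # Alternates above and below the threshold on every sample.
    flapping = [(t, threshold + 50 if i % 2 == 0 else threshold - 50)
                for i, t in enumerate(ticks)]
    return steady, flapping


if __name__ == "__main__":
    steady, flapping = constructed_traces()
    print("steady  :", persistent_alert_times(steady, 500))
    print("flapping:", len(persistent_alert_times(flapping, 500)), "alerts")
```

In this model a queue that stays above the threshold for three hours produces three alerts, while one that crosses it on every other sample produces nine in the same period, which is worth keeping in mind when choosing the QUEUE SIZE THRESHOLD value.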

Alert for each occurrence

** These alerts are sent every time the condition evaluates to true.

Example

If the EMAIL BYPASSED option is set, then an alert is sent every time an email is bypassed by Email Gateway Security.

Priority

Alert emails are handled with priority. When the processing queue is long, alerts are not delayed, because alert emails are placed at the head of the queue.

Notifications

Notifications are sent when emails are blocked by Advanced Threat Prevention and Security Rules > rule / ADVANCED THREAT PREVENTION / Handling of the email is set to Block email.

Notifying recipients about the blocked email can be enabled by Security Rules > rule / ADVANCED THREAT PREVENTION / Notify recipients if email is blocked.

For further details see the Advanced Threat Prevention section in 4.4. Policy.


A notification email informs the recipient that the email was blocked, the reason for blocking and the potential next steps.


Quarantine reports

MetaDefender Email Gateway Security can be configured to periodically send reports about the quarantine status.

Quarantine reports can be configured under Settings > Alerts & Reports / Quarantine Report.

The Quarantine report schedule can be set to one of the following. Times are in the MetaDefender Email Gateway Security server's time:

  1. Off: no reports are sent

  2. Hourly: a report is sent every hour, on the hour

  3. Daily: a report is sent every day, at midday

  4. Weekly: a report is sent every Monday, at midday

  5. Monthly: a report is sent on the first day of every month, at midday

With the Quarantine report rule, the digest email may be restricted to inbound or outbound quarantined items only.

Both the Advanced Threat Prevention and the Zero-Day Malware Prevention (see 4.4. Policy) features can quarantine emails. With the Only include quarantined emails that were blocked option, the quarantine report can be restricted to items quarantined by Advanced Threat Prevention only.

Quarantine report limitation

A quarantine report will not contain more than 1000 entries. If there were more than 1000 new quarantined entries since the last quarantine report, you will have to check the actual quarantine for more information. If you set a restriction for reporting only blocked emails and/or reporting only inbound/outbound emails, the numbers and entries in the quarantine report will reflect those options.