Hey everyone,
In our log we always have different entries concerning the content, either "remove active content" or "content disarm and reconstruction".
What are the differences here? Do these entries both come from the content profile or is there another origin?
Sounds like they are both related to the CDR function. It could be based on different actions being taken (such as links being removed from a PDF vs attachment scanning from SandBox).
Can you paste the actual log messages so we can help you better?
Hey Graham,
Thank you for your reply.
These are the two different cases in the log:
Content disarm and reconstruction always applies when it concerns a file. Mostly FortiMail classified it as Attachment Filter.
With remove content, unfortunately it is never specified exactly why, only that it has removed the active content.
Thank you in advance!
Jannick
Without seeing the raw logs themselves I will take a hunch that the "remove active content" is the log message stating that CDR is removing clickable URLs from email messages.
Can you reference the raw logs with the Classifiers referenced here: https://docs.fortinet.com/document/fortimail/7.0.0/log-reference/47449/log-message-dispositions-and-...
Might help narrow down what you're looking at.