ATP scan takes too long for internal domain users, is there a whitelist or workaround?

  • Question

  • We use ATP Scan on Office 365 (Exchange Online). We noticed that it takes a long time sometimes to receive forwarded email (from a desk in the same room) or even just from the scanner to arrive in our mailboxes. Is it possible to create a whitelist or maybe disable the scan from users in the same domain or any other solution to speed things up? There are over 20 users that are continuously waiting for email with attachments now.
    Wednesday, June 7, 2017 1:44 PM

All replies

  • We use ATP Scan on Office 365 (Exchange Online). We noticed that it takes a long time sometimes to receive forwarded email (from a desk in the same room) or even just from the scanner to arrive in our mailboxes. Is it possible to create a whitelist or maybe disable the scan from users in the same domain or any other solution to speed things up? There are over 20 users that are continuously waiting for email with attachments now.

    You can create exceptions for users of course in the Safe Attachment policy. But if this is a widespread issue, I would open a ticket with Office 365.

    Wednesday, June 7, 2017 1:57 PM
  • Hello Andy, thank you for the quick reply. But there is only an exception for recipients and not for senders. It would be a lot better if we could create a rule that would whitelist internal users. Or maybe it is an idea to assign an extra domain name like atpscan.at and add an alias for all users. If sent to the alias they get whitelisted? Or is this also not possible?
    Wednesday, June 7, 2017 2:01 PM
  • Hello Andy, thank you for the quick reply. But there is only an exception for recipients and not for senders. It would be a lot better if we could create a rule that would whitelist internal users. Or maybe it is an idea to assign an extra domain name like atpscan.at and add an alias for all users. If sent to the alias they get whitelisted? Or is this also not possible?

    Here is what is available:

    https://technet.microsoft.com/en-us/library/mt789012(v=exchg.150).aspx

    You can configure an Exchange Transport Rule to insert an X-Header, X-MS-Exchange-Organization-SkipSafeAttachmentProcessing, which Advanced Threat Protection looks for to bypass Advanced Threat Protection scanning.

    You could in theory create a rule that does the same thing for a sender. You would have to test that out.

    • Proposed as answer by Victor.Onofrei Wednesday, June 7, 2017 6:20 PM
    • Marked as answer by GadgetServer Thursday, June 8, 2017 8:28 AM
    Wednesday, June 7, 2017 3:24 PM
  • Hello Andy, thank you for the quick reply. But there is only an exception for recipients and not for senders. It would be a lot better if we could create a rule that would whitelist internal users. Or maybe it is an idea to assign an extra domain name like atpscan.at and add an alias for all users. If sent to the alias they get whitelisted? Or is this also not possible?

    Here is what is available:

    https://technet.microsoft.com/en-us/library/mt789012(v=exchg.150).aspx

    You can configure an Exchange Transport Rule to insert an X-Header, X-MS-Exchange-Organization-SkipSafeAttachmentProcessing, which Advanced Threat Protection looks for to bypass Advanced Threat Protection scanning.

    You could in theory create a rule that does the same thing for a sender. You would have to test that out.

    +1. This should work as I've encountered it several times in the past. More reference here: https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/9292590-advanced-threat-protection-whitelist

    Obviously, you can enable Dynamic Delivery which will deliver the email without the attachment just like a regular email and the attachment will arrive a bit later on. This, however, will not work with forwarding since the attachment arrives after the email has been forwarded and does not follow it to the forwarding address.


    Everything that can be automatized, should and must be automatized.


    Wednesday, June 7, 2017 6:42 PM
  • Hello Victor, this seems like a solution. If the Organisation name is Blabla.com, what would the rule be and where can I add this rule in the Exchange Online environment?
    Thursday, June 8, 2017 8:27 AM
  • Hope this will sort it out for you.

    You can reach it by accessing the Exchange Control Panel: (https://outlook.office365.com/ecp/) > mail flow > rules > + > Create new rule.. > More options > If the sender domain is .. Blabla.com > Modify the message properties > set a message header > X-MS-Exchange-Organization-SkipSafeAttachmentProcessing with the value 1.


    Everything that can be automatized, should and must be automatized.

    Thursday, June 8, 2017 9:53 AM
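
The rule from the steps above, created from Exchange Online PowerShell instead of the ECP, as an added example that is not part of the original thread. The rule name is hypothetical, and the `-FromScope InOrganization` condition is an assumption added here so that the bypass applies only to mail Exchange itself classifies as internal, not to any message that merely carries a Blabla.com sender address.

```powershell
# Added example, not from the thread. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$header   = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'
$ruleName = 'Skip Safe Attachments - internal senders'   # hypothetical rule name

# Same condition and action as the ECP steps, plus -FromScope InOrganization so
# the rule does not fire on outside mail that only claims a Blabla.com sender.
New-TransportRule -Name $ruleName `
    -FromScope InOrganization `
    -SenderDomainIs 'Blabla.com' `
    -SetHeaderName $header `
    -SetHeaderValue '1' `
    -Comments 'Bypasses ATP Safe Attachments scanning for internal mail'

# Review every rule that sets the bypass header, so scan exceptions stay visible.
Get-TransportRule |
    Where-Object { $_.SetHeaderName -eq $header } |
    Format-Table Name, State, Mode, FromScope, SenderDomainIs, SetHeaderValue -AutoSize
```

Running the final `Get-TransportRule` query periodically shows which rules currently exempt mail from Safe Attachments scanning and under what conditions.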