Advanced Threat Protection Whitelist
Currently Advanced Threat Protection (ATP) scans all non-standard attachments sent, even internally sent emails. This means it could take 30min to receive a PDF file or scan from the person in the office next to you. We need a way to create whitelists and/or transport rules for ATP in the same way there is for the spam filter. Either that or speed up the ATP process so it doesn't take so long.
Please understand that the ATP feature is actually detonating the attachment in a sandbox. As such, we believe that the protections offered by ATP are worth a few extra minutes. We believe that the worst performance issues with ATP are understood and are being addressed. That said, we also now have more features that will allow you the flexibility to decide what to do when it takes longer than you’d like. The documentation is still being updated, but you can check out the session from Ignite here:
https://myignite.microsoft.com/videos/1339. There are several other sessions on this topic as well.
For the ultimate in flexibility, you may also consider creating an Exchange Transport Rule that adds the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing with a value of 1 under certain criteria. This will essentially disable ATP safe attachment scanning for rules which meet the criteria.
For safe links, the header is X-MS-Exchange-Organization-SkipSafeLinksProcessing.
Brad Busch commented
So, essentially, now anybody (hacker, scammer, etc...) can inject this header and bypass the protection?
The workaround takes care of the "problem" for me. All internal emails are covered in my transport rule.
Ivan H commented
Good workaround, however this scenario is not officially supported by Office 365.
So, still waiting for a supported solution from Microsoft! (September 2016)
To bypass ATP based on senders, kindly create the below transport rule. You can scope the transport rule as per your requirement, either based on sender/recipient/domain/type of attachment etc., and it works as expected.
BYPASS ATP Rule
If the message...
Is received from 'firstname.lastname@example.org'
Do the following...
Set audit severity level to 'High'
and set message header 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing' with the value '1'
and Stop processing more rules
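The rule above written as Exchange Online PowerShell, as an added example that is not part of the original thread or of Microsoft's documentation. It narrows the bypass to one internally originated scanner mailbox sending PDFs and, as a safeguard independent of any header filtering the service itself performs, removes the skip headers from mail received from outside the organization. The rule names and the scanner@contoso.example address are placeholders, and the scanner address is assumed to be a recipient in the tenant.

```powershell
# Added example (not from the thread). Assumes the ExchangeOnlineManagement
# module and an account permitted to manage transport rules.
Connect-ExchangeOnline

# Placeholder values, constructed for illustration.
$ScannerMailbox = 'scanner@contoso.example'
$SkipHeaders = @(
    'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing',
    'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
)

# 1. Remove either skip header from mail that originates outside the
#    organization, evaluated before any bypass rule (lowest priority numbers).
$priority = 0
foreach ($header in $SkipHeaders) {
    $shortName = ($header -split '-')[-1]   # keeps the rule name under 64 chars
    New-TransportRule -Name "Strip external $shortName" `
        -FromScope NotInOrganization `
        -RemoveHeader $header `
        -Priority $priority `
        -Comments 'Only internal rules may set the ATP skip headers.'
    $priority++
}

# 2. The bypass itself, scoped to one internal sender and one attachment type
#    instead of "any message from this address".
$bypass = @{
    Name                           = 'ATP bypass - internal scanner PDFs'
    From                           = $ScannerMailbox
    FromScope                      = 'InOrganization'
    AttachmentExtensionMatchesWords = 'pdf'
    SetAuditSeverity               = 'High'
    SetHeaderName                  = $SkipHeaders[0]
    SetHeaderValue                 = '1'
    StopRuleProcessing             = $true
    Comments                       = 'Scan-to-email latency workaround; review quarterly.'
}
New-TransportRule @bypass

# 3. List every rule that sets a skip header so the exceptions stay reviewable.
Get-TransportRule |
    Where-Object { $_.SetHeaderName -in $SkipHeaders } |
    Format-List Name, State, Priority, From, FromScope, SetHeaderName, SetHeaderValue
```

Because the rule sets audit severity to High, each message that takes the bypass is recorded in the rule reports, which is where an unexpected sender or volume would show up.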
Thank you for creating a way to bypass this filter with mail rules. This is extremely helpful. After I implemented this our users would stop by my office and say, I get scans way faster now! Thank you sooo much! They rejoiced!
That said, when dealing with external clients and on tight deadlines or on a conference call, the 5/10min delay is still very noticeable. Please continue to speed this process up.
David Caranfa commented
The whitelist would be great. I think it would also be nice to have the option for ATP to use the existing whitelists that we have already configured in the spam filter settings.
Creating an Exchange Transport Rule that adds the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing with a value of 1 works. But keep in mind that ATP removes this header after it is processed.
John McNamara commented
On 6-2-16, we received a complaint that scan to print took 15 minutes at an entire facility. Upon looking at one of the emails, it was deferred from 12:36 to 12:53 by ATP. I can provide a screenshot of that trace if you would like. We are in the awkward situation of choosing between ultra slow emails (and impairing work), or turning off ATP. If we have to turn it off to be productive, I'm not understanding why we should even have it.
John McNamara commented
Instead of just updating the UI with a sender whitelist option, we received a 12-step transport rule process. I consider this a "hack/workaround" and not really a product improvement.
Why hasn't this been addressed? Instead of providing workarounds for the current inadequate product, IMPROVE the product!!
The whitelisting feature is a must-have; no product is perfect. Please make it a top priority!
Would love this!
Any update on this request?
Any update on this? The wait time for internal attachment scanning is causing significant issues with many in our organization. I'm to the point where turning off safe attachment scanning for individuals is necessary - which totally defeats the purpose of purchasing this service.
Add another request to the "safe senders" list. Huge problem with internal copy machines that scan to pdf.
Any development on this yet Microsoft? We are climbing into our busiest season of the year and scans take way too long to reach a mailbox. PLEASE ADD SAFE SENDERS to our exceptions!!!!!
I think what would fix this issue is the ability to add "sender" to the exception area; this will allow us to put our scanner email addresses in there and they would not be scanned. Please fix this asap Microsoft!!!
Andreas Strey www.iteco-supply.com commented
Immature product. Incoming PDFs are delivered without problem to an internal user's mailbox; he forwards the PDFs to other internal users and they are classified as malware.
No good. Not enough rules. All emails from scanners are massively delayed, leading to users scanning things 2-3 times. Safe Links are not working because of "too many redirections".
Taylor Higley commented
We had to turn on the option to allow through timed out attachments, it was causing massive false positive rates. After we did this, we see several pieces of malware come through definition scanning that Safe Attachments catches with zero false positives yet.
Taylor Higley commented
I agree with the need to be able to whitelist internal senders. While every organization has a different risk appetite, we feel that internal communications should not be subject to this scanning (unless it is made much faster).
This product is definitely pretty bad and this is one of the major issues with it. Whitelisting can only be done based on recipient properties and this is rarely useful. To be able to whitelist based on the sender (or more likely the sender's domain) seems to be a no-brainer.