Advanced Threat Protection Whitelist
Currently, Advanced Threat Protection (ATP) scans all non-standard attachments sent, even internally sent emails. This means it could take 30 min to receive a PDF file or scan from the person in the office next to you. We need a way to create whitelists and/or transport rules for ATP in the same way there is for the spam filter. Either that or speed up the ATP process so it doesn't take so long.
Please understand that the ATP feature is actually detonating the attachment in a sandbox. As such, we believe that the protections offered by ATP are worth a few extra minutes. We believe that the worst performance issues with ATP are understood and are being addressed. That said, we also now have more features that will allow you the flexibility to decide what to do when it takes longer than you’d like. The documentation is still being updated, but you can check out the session from Ignite here:
https://myignite.microsoft.com/videos/1339. There are several other sessions on this topic as well.
For the ultimate in flexibility, you may also consider creating an Exchange Transport Rule that adds the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing with a value of 1 under certain criteria. This will essentially disable ATP safe attachment scanning for rules which meet the criteria.
For safe links, the header is X-MS-Exchange-Organization-SkipSafeLinksProcessing.
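One way to apply the transport-rule approach from the reply above, as an added example that is not part of the original thread and not Microsoft's own code: it first lists any existing rules that set either bypass header, then creates a single narrowly scoped exception. The rule name and sender address are hypothetical placeholders, and an already connected Exchange Online PowerShell session is assumed.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already open
# (for instance via Connect-ExchangeOnline). Rule name and sender address are hypothetical.

# The two headers named in the reply above.
$bypassHeaders = @(
    'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing',
    'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
)

# 1. Audit: show every existing rule that already sets one of the bypass headers,
#    together with its scope, so broad exceptions are visible before adding another.
Get-TransportRule -ResultSize Unlimited |
    Where-Object { $bypassHeaders -contains $_.SetHeaderName } |
    Select-Object Name, State, Mode, Priority, SetHeaderName, SetHeaderValue,
                  From, FromScope, SentToScope

# 2. Create one narrowly scoped exception: PDF attachments from a single
#    scan-to-email mailbox, sent to internal recipients only.
#    All conditions are ANDed; FromScope limits the match to senders that
#    Exchange itself treats as inside the organization.
$ruleParams = @{
    Name                            = 'Skip Safe Attachments - office scanner PDFs'  # hypothetical name
    From                            = 'scanner@contoso.com'                          # hypothetical sender
    FromScope                       = 'InOrganization'
    SentToScope                     = 'InOrganization'
    AttachmentExtensionMatchesWords = 'pdf'
    SetHeaderName                   = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'
    SetHeaderValue                  = '1'
    Comments                        = 'Safe Attachments bypass for scanner PDFs; review periodically.'
}
New-TransportRule @ruleParams
```

Messages matching this rule are delivered without Safe Attachments detonation, so the audit step is worth repeating whenever rules change.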
Update from the field:
More than 250 false positives within 5 days in a setup with roughly 380 users. Most of them are internal communication.
Same here - too many false positives, to a high extent affecting internal communication. Customers should have the option to flag internal communication as safe. There should be a web-based quarantine function specifically for ATP allowing admins to review and release with a click. A quarantine notification & release function from within the iPhone Admin App would also be very effective. Redirecting the mails to another mailbox to review like we are doing today is not optimal.
The ATP reporting for attachments is not very meaningful and the German translation is also not optimal. The licensing seems to be inconsistent since we are testing ATP with few users but apparently all mailboxes under the desired domain are protected as we can see from the mail flow details. The delay ATP causes is not acceptable - please upgrade your VM backend to speed up the spin-up and scanning. In short, the product is not usable for us atm and we will not roll it out to the company.