Admin Notifications for Zero Hour Auto Purge (ZAP) actions.
Need to have notification to Admins when ZAP takes an action on email.
1) Need to know what was found and deleted
2) Even more importantly, need to know what was found and WAS NOT deleted since it had already been read.
Really needs more information. I had a number of alerts randomly fire, and it was reporting the notification emails from Teams were the culprit.
Seeing as I can't see the emails in question, or the malware it supposedly removed, I have to put this down to a false positive, but this is a guess.
It doesn't help when your security team want further info and there is none to provide.
Notifications for Zero Hour Auto Purge:
Malware was detected in one or more attachments included with this email message.
Action: All attachments have been deleted.
I don't have Office 365, why are you sending me garbage?
I got an alert regarding ZAP process failures because junk mail filtering was disabled by some users. I resolved that issue, but I have no idea if the messages were then filtered after the fact. There is no reporting on its actions, no detail on the messages detected, and I had to enter a support case and go through a long, painful discussion just to find this out. It surprises me to see the comments here going back more than a year and this hasn't been remedied yet.
ZAP deleted one of our email attachments after it was delivered to our mailbox a week ago. We should be notified before deletion or given a choice whether to delete. Deleted attachments should also be recoverable.
I have lost attachments I need from friendly sources through ZAP. I need to be given the choice of opening the attachment or not; don't just delete and purge without my approval! I have lost customers where I have had to go back to them to ask them to resend e-mails, and they get really annoyed by this.
ZAP is very promising. Additional reporting would be great, particularly from an incident response (IR) perspective.
Please consider also adding:
1) *did the recipient open the attachment before the attachment was "zapped"*.
2) when was the attachment zapped.
3) what was the SHA1/SHA256 hash of the attachment.
4) was the attachment zapped from any other mailboxes?
5) why was the attachment zapped.
6) if malware was identified, please tell us the name/family.
7) a time delta, between message delivery and zap intervention, would be nifty, too.
Lastly, the ability to customize the language in the replacement attachment might be helpful, too.
Douglas Plumley commented
The lack of information & reporting available for ZAP is frustrating, makes the product all but useless.