Advanced Threat Protection Whitelist
Current Advanced Threat Protection (ATP) scans all non-standard attachments sent, even internally sent emails. This means it could take 30min to receive the a PDF file or scan the from the person in the office next to you. We need a way to create a white-lists and or transport rules for ATP in the same way their is for the spam filter. Either that or speed up the ATP process so it doesn't take so long.
Please understand that ATP feature is actually detonating the attachment in a sandbox. As such, we believe that the protections offered by ATP are worth a few extra minutes. We believe that the worst performance issues with ATP are understood and are being addressed. That said, we also now have more features that will allow you the flexibility to decide what to do when it takes longer than you’d like. The documentation is still being updated, but you can check out the session from Ignite here:
https://myignite.microsoft.com/videos/1339. There are several other sessions on this topic as well.
For the ultimate in flexibility, you may also consider creating an Exchange Transport Rule that adds the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing to value of 1 under certain criteria. This will essentially disable ATP safe attachment scanning for rules which meet the criteria.
For safe links, the header is X-MS-Exchange-Organization-SkipSafeLinksProcessing.
Another vote for white list.. All the other competitors have this feature.. step up and make it
This isn't a user friendly solution, but it's not a workaround. It does resolve the issue. I agree that a user friendly white-list should be implemented in addition to this solution.
Honestly I consider the "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" a work around which did not address the issue. A "white-list would but it appears you are not planning on doing thsi?
Michael Uribe commented
So it marks this issue as addressed but there is still no Whitelist availalbe. Also I see no documentation that was mentioned in the addressing post. This is still a glaring issue for our organization when it comes to ATP.
Really, it should allow domains too, like http://www.staples.com/* since many people send links that are not only the exact url but pages in that same domain which are expected to be safe.
Thanks for the comment. I read the other posts just after I posted. I didn't realize we could delete comments now. I would have done so if I knew that was an option. thanks again, I'm glad to see the positive answer to this question.
@Caleb, No, see the prior response. "Header firewall" feature in Exchange prevents this.
Can malicious senders outside our organization add the header "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" with a value of 1 to their emails and effectively bypass the safe attachment processing?
@Mauro - Yes, as with all MSExchange headers, these are protected from anonymous injection by the header firewall, for example see: https://technet.microsoft.com/library/bb232136.aspx
Ulrich Bernskov commented
Why is something as trivial as whitelisting not an option.
Just like SPAM handling?
I have tried the X-MS headerinjection and that made no difference. It still takes 5-15 minutes.
Paul B. commented
With regards to X-MS-Exchange-Organization-SkipSafeAttachmentProcessing, two questions:
- is there a mechanism to prevent malicious senders to inject the header from outside the organizazion in certain emails?
- is there a similar header to disable safe links processing (which, in turn, is very limited in therms of configuration)?
I agree with the rest of the comments here, this needs improved granularity on the filtering, whether whitelist by email address or IP address for likes of multi function printer/scanners.
This needs to be sorted and quickly to make ATP a sensible user application especially in that its is an additional bolt on subscription.
I am SO GLAD that we are not alone in having this issue. We too resist a workaround that may compromise the security service that we are paying to have. An ATP sender white list would address this completely. Unfortunately, I get the impression from support that there is not an ATP team who we can take this to.
Very interesting comment Brad Busch. Microsoft, can you please address Brad's comment? The only thing I can think of that an admin can do at this point is to create a rule that has a higher priority then the rule suggested that says, reject any email that has this header.
Brad Busch commented
So, essentially, now anybody (hacker, scammer, etc...) can inject this header and bypass the protection?
The work around takes care of the "problem" for me. All internal emails are covered in my transport rule.
Ivan H commented
Good work-a-round, however this scenario is not officially supported by Office 365.
So, still waiting for a supported solution form Microsoft! (September 2016)
To bypass ATP based on senders kindly create below transport rule. You can scope the transport rule as per your requirement either based on sender/recipient/domain/type of attachment etc and it works as expected.
BYPASS ATP Rule
If the message...
Is received from 'firstname.lastname@example.org'
Do the following...
Set audit severity level to 'High'
and set message header 'X-MS-Exchange-Organization-SkipSafeattachmentProcessing' with the value '1 '
and Stop processing more rules
thank you for creating a way to bypass this filter with mail rules. This is extremely helpful. After I implemented this our users would stop by my office and say, I get scans way faster now! Thank you sooo much! They rejoiced!
That said, when dealing with external clients and on tight deadlines or on a conference call, the 5/10min delay is still very noticeable. Please continue to speed this process up.