Feedback by UserVoice

How can we improve compliance or protect your users better in Office 365?

Advanced Threat Protection Whitelist

Current Advanced Threat Protection (ATP) scans all non-standard attachments sent, even internally sent emails. This means it could take 30min to receive the a PDF file or scan the from the person in the office next to you. We need a way to create a white-lists and or transport rules for ATP in the same way their is for the spam filter. Either that or speed up the ATP process so it doesn't take so long.

213 votes
Vote
Sign in
(thinking…)
Password icon
Signed in as (Sign out)
You have left! (?) (thinking…)
Caleb shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

Please understand that ATP feature is actually detonating the attachment in a sandbox. As such, we believe that the protections offered by ATP are worth a few extra minutes. We believe that the worst performance issues with ATP are understood and are being addressed. That said, we also now have more features that will allow you the flexibility to decide what to do when it takes longer than you’d like. The documentation is still being updated, but you can check out the session from Ignite here:
https://myignite.microsoft.com/videos/1339. There are several other sessions on this topic as well.

For the ultimate in flexibility, you may also consider creating an Exchange Transport Rule that adds the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing to value of 1 under certain criteria. This will essentially disable ATP safe attachment scanning for rules which meet the criteria.

For safe links, the header is X-MS-Exchange-Organization-SkipSafeLinksProcessing.

59 comments

Sign in
(thinking…)
Password icon
Signed in as (Sign out)
Submitting...
  • David Caranfa commented  ·   ·  Flag as inappropriate

    The whitelist would be great. I think it would also be nice to have the option for ATP to use the existing whitelists that we have already configured in the spam filter settings.

  • Anonymous commented  ·   ·  Flag as inappropriate

    creating an Exchange Transport Rule that adds the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing to value of 1 method works. But keep in mind that ATP removes this header after it is processed.

  • John McNamara commented  ·   ·  Flag as inappropriate

    On 6-2-16, we received a complaint that scan to print took 15 minutes at an entire facility. Upon looking at one of the emails, it was deferred from 12:36 to 12:53 by ATP. I can provide a screenshot of that trace if you would like. We are in awkward situtaion of choosing between ultra slow emails (and imparing work), or turning off ATP. If we have to turn it off to be productive, I'm not understanding why we should even have it.

  • John McNamara commented  ·   ·  Flag as inappropriate

    Instead of just updating the UI with a sender whitelist option, we received a 12 step transport rule process. I consider this a "hack/workaround" and not really a product improvement.
    Why hasn't this been addressed? Instead of providing workarounds for the current inadequate product, IMPROVE the product!!

  • Anonymous commented  ·   ·  Flag as inappropriate

    The whitelisting feature is must have, no product is perfect. Please make it a top priority!

  • Craig commented  ·   ·  Flag as inappropriate

    Any update on this? The wait time for internal attachment scanning is causing significant issues with many in our organization. I'm to the point where turning off safe attachment scanning for individuals is necessary - which totally defeats the purpose of purchasing this service.

  • Craig commented  ·   ·  Flag as inappropriate

    Add another request to the "safe senders" list. Huge problem with internal copy machines that scan to pdf.

  • Sara commented  ·   ·  Flag as inappropriate

    Any development on this yet Microsoft? We are climbing into our busiest season of the year and scans take way too long to reach a mailbox. PLEASE ADD SAFE SENDERS to our exceptions!!!!!

  • Sara commented  ·   ·  Flag as inappropriate

    I think what would fix this issue is the ability to add "sender" to the exception area will allow us to put our scanner emails addresses in there and they would not be scanned. Please fix this asap Microsoft!!!

  • Andreas Strey www.iteco-supply.com commented  ·   ·  Flag as inappropriate

    Immature product. Incoming PDFs are delivered without problem to internal Users Mailbox, he forwards the PDFs to other internal Users and they are classified as malware.
    No good. Not enough rules. All Emails from scanners are massively delayed, leading to Users scanning Things 2-3 times. Safe LInks are not working because of "too many redicretions".
    Disabled product.

  • Taylor Higley commented  ·   ·  Flag as inappropriate

    Christian,
    We had to turn on the option to allow through timed out attachments, it was causing massive false positive rates. After we did this, we see several pieces of malware come through definition scanning that Safe Attachments catches with zero false positives yet.

  • Taylor Higley commented  ·   ·  Flag as inappropriate

    I agree with the need to be able to whitelist internal senders. While every organization has a different risk appetite, we feel that internal communications should not be subject to this scanning (unless it is made much faster).

  • Phil commented  ·   ·  Flag as inappropriate

    This product is definitely pretty bad and this is one of the major issues with it. Whitelisting can only be done based on recipient properties and this is rarely useful. To be able to whitelist based on the sender (or more likely the sender's domain) seems to be a no-brainer.

  • JB commented  ·   ·  Flag as inappropriate

    Even more importantly than speeding it up there should be a whitelist for senders - not recipients (err I think you got this the wrong way around MS....!)

    Because there is no whitelist the only solution to stop false positives is turn it off for that user OR delete the license.

    Worthless product until this is in place.

  • Christian commented  ·   ·  Flag as inappropriate

    Update from the field:

    More than 250 false positives within 5 days in a setup with roughly 380 users. Most of them are internal communication.

  • Christian commented  ·   ·  Flag as inappropriate

    Same here - to many false positives to high extend affecting internal communication. Customer should have the option to flag internal communication as save. There should be a web based quarantine function specifically for ATP allowing admins to review and release with a click. A quarantine notification & release function from withing the IPhone Admin App would also be very effective. Redirecting the mails to another mailbox to review like we are doing today is not optimal.
    The ATP reporting for attachements is not very meaning full and the German translation is also not optimal. The Licensing seems to be inconsistent since we are testing ATP with few users but apparently all mailboxes under the desired domain are protected as we can see from the mail flow details. The delay ATP causes is not acceptable - please upgrade your VM backend to speed up the spinnup and scanning. In short, the product ist not usable for us atm and we will not roll it out to the company.

1 3 Next →

Feedback and Knowledge Base