In SMG, there is a "feature" for the Suspected Virus Quarantine that automatically releases email after 24 hours if it is still there and no one has deleted it. 24 hours is the maximum allowed time limit. I am told that this triggers the emails to go back through the filtering process for re-scanning, and if nothing is found, it gets released. Sometimes this causes dangerous emails to be released into end-user Spam Quarantine areas, just because "SMG didn't determine the file was dangerous" (your support said that).
The workaround for this is to add a mail tag to the subject line or header that utilizes the content filtering to route the message to a Quarantine Incident Folder. Why not just have it go there automatically, rescan after 24 hours, but keep it there if nothing has been detected? In today's dangerous landscape of expertly packed PEs and drive-by 0days, it's not worth taking the chance, even for someone getting mad because one of their emails got delayed.
Additional things that might assist in this are further clarifying what EXACTLY about the email flagged it as potentially infected. Obviously the file name and possibly contents, but details would be really nice (maybe even a file sig so we can go read about the file on other sites, if you don't have any info on it!).
With the amount of email received and files that get marked as suspicious, it would be a completely different job in itself to drag a sandbox rig out, open up a file disassembler and scroll through code all day doing process mapping to see what a file does, to determine if it's a threat or not, and if so, WHY, so I can then turn around and determine how many of them got through and, if those files are also the same, try to block them.
There's also the aspect that if I have to take the risk and download every file that gets missed to check on it before releasing/deleting it, I'm opening my environment up to even more danger while also creating a lot of unnecessary workload for myself, all while doing the job that SMG is supposed to be doing for me (people pay you lots of money for this!).
The "WHY" is important to know in case someone has clicked on it. I need to know what I'm looking for, and not "GenericTrojan1". SEP doesn't always find the endpoint threats, and sometimes things (or end-users) figure out how to turn it off, so this information is vital especially when dealing with a crypto-variant that could take down your entire environment.
Some things that would be useful to know about files in quarantine: payload, file structure analysis (if any was done), what specific code was dangerous about a PDF or Word doc that made you block it? Was it a flinch when someone made some fantastic document with embedded content, and SMG didn't know what it was so it was blocked? MD5 of the file, and if the file is encrypted, what type? Why not provide a link to query your database for the virus info, known C&C servers (so I can block those too!), landing pages, and other known file names/types. Empower us with your knowledge!
I feel like SMG SHOULD be like the TSA is for people getting on airplanes. Email goes through it, you get the cool x-ray-like pic (in our case, the data!) of what's in it to check; if you see something or there's a problem, you have someone (an admin) take a closer look at what you found.
Instead, we get Lucille Ball in the Chocolate Factory, and very little useful/actionable information.
The auto-release feature in itself creates a point of vulnerability. Workflow for destruction: email 0day disguised as phishing campaign > nothing detected > ends up going to user > user opens email > blammmoooo.
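The per-file details the post asks for (hashes, the real file type, what in a PDF or Office document justifies the hold, whether it is encrypted) can be produced from the file's structure without executing or rendering it. The following is an added example and is not an SMG feature, nor code from the original post; the three attachment samples are constructed inline and are not real malware, and the triage heuristics (PDF action keys, a vbaProject.bin member, the PE signature check, extension/content mismatch) are the editor's assumptions about what a first-pass quarantine check should surface:

```python
import hashlib
import io
import os
import re
import zipfile

# Content type expected for a given extension; a mismatch is itself an indicator.
EXT_TYPES = {".pdf": "pdf", ".exe": "pe", ".docx": "ooxml", ".docm": "ooxml",
             ".xlsx": "ooxml", ".xlsm": "ooxml", ".zip": "zip"}

# PDF name keys that give a document active behaviour worth a second look.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile|RichMedia)\b")


def triage_attachment(name: str, data: bytes) -> dict:
    """Produce the quarantine metadata a reviewer wants before releasing a file:
    hashes, the real type (from magic bytes, not the sender's extension), and the
    specific structural indicators that justify holding it."""
    report = {"name": name, "md5": hashlib.md5(data).hexdigest(),
              "sha256": hashlib.sha256(data).hexdigest(),
              "type": "unknown", "indicators": []}
    if data.startswith(b"%PDF-"):
        _triage_pdf(data, report)
    elif data.startswith(b"MZ"):
        _triage_pe(data, report)
    elif data.startswith(b"PK\x03\x04"):
        _triage_zip(data, report)
    ext = os.path.splitext(name.lower())[1]
    if ext in EXT_TYPES and EXT_TYPES[ext] != report["type"]:
        report["indicators"].append(f"extension {ext} does not match content type {report['type']}")
    return report


def _triage_pdf(data: bytes, report: dict) -> None:
    report["type"] = "pdf"
    for key in sorted(set(PDF_ACTIVE.findall(data))):
        report["indicators"].append("pdf uses /" + key.decode())
    if b"/Encrypt" in data:
        # /V selects the standard security handler algorithm (1,2 = RC4; 4 = AES-128 capable; 5 = AES-256).
        # Heuristic: the first "/V <digit>" is assumed to belong to the /Encrypt dictionary.
        ver = re.search(rb"/V\s+(\d)", data)
        report["indicators"].append("pdf encrypted, /V " + (ver.group(1).decode() if ver else "?"))


def _triage_pe(data: bytes, report: dict) -> None:
    # e_lfanew at offset 0x3c points at the "PE\0\0" signature; the Machine field follows it.
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little") if len(data) >= 0x40 else 0
    if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        report["type"] = "pe"
        machine = int.from_bytes(data[e_lfanew + 4:e_lfanew + 6], "little")
        report["indicators"].append(f"pe image, machine 0x{machine:04x}")
    else:
        report["type"] = "mz-stub"
        report["indicators"].append("MZ header without PE signature (truncated or non-PE)")


def _triage_zip(data: bytes, report: dict) -> None:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["type"] = "zip"
        report["indicators"].append("zip signature but archive unreadable")
        return
    names = zf.namelist()
    if any(info.flag_bits & 0x1 for info in zf.infolist()):
        report["indicators"].append("zip entries are password-protected")
    if "[Content_Types].xml" in names:  # Office Open XML container
        report["type"] = "ooxml"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            report["indicators"].append("ooxml contains VBA macro project")
        if any("/embeddings/" in n for n in names):
            report["indicators"].append("ooxml contains embedded OLE object")
    else:
        report["type"] = "zip"
        for n in names:
            if n.lower().endswith((".exe", ".scr", ".js", ".vbs", ".lnk")):
                report["indicators"].append("zip carries executable member " + n)


# Constructed samples (not real malware): a PDF that runs JavaScript on open,
# a macro-enabled Word file, and a 64-bit PE stub named to look like a PDF.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\n"
              b"endobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")


def _build_docm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake OLE stream")
    return buf.getvalue()


def _build_pe() -> bytes:
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew: PE header right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + (0x8664).to_bytes(2, "little") + bytes(18)


SAMPLE_DOCM = _build_docm()
SAMPLE_PE = _build_pe()

if __name__ == "__main__":
    for n, d in (("report.pdf", SAMPLE_PDF), ("quarterly.docm", SAMPLE_DOCM), ("invoice.pdf", SAMPLE_PE)):
        print(triage_attachment(n, d))
```

The report only reads bytes and zip directory entries; it never opens the attachment in a viewer, so it can run on the quarantine host rather than on a sandbox rig. The MD5/SHA-256 values are what you would search on external malware databases, and the indicator strings are what you would put in the incident record as the "why" the post asks for.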