Viewing information about email traffic processing events

16 April 2024

ID 207772

Click the link in the upper part of the window to go to the Backup section and view the information about messages in Backup related to this event.

To view information about an email traffic processing event:

  1. In the main window of the application web interface, open the management console tree and select the Events section.
  2. Select the Mail traffic tab.

    Email traffic processing event information is displayed as a table.

  3. Select the event for which you want to view information.

    This opens a window containing information about the event.

The information window for an email traffic processing event contains the following tabs:

  • General info
  • Message scan result
  • Attachments
  • MIME parts
  • Links

For large messages, information is displayed only for the first 50 MIME parts, attachments, and links of the processed message. If the number of MIME parts, attachments, or links in a large message exceeds 50, some of the information is hidden and a corresponding notification is displayed. To view information about the remaining MIME parts, attachments, or links, click Show all in the notification.

Information about the scanning of an attachment, MIME part, or link may be missing from event details. This can happen for one of the following reasons:

  • The event record was created before the functionality of logging the scan results for MIME parts, links, and attachments became available.
  • The application is configured in such a way that information about the scanning of MIME parts, links, and attachments is logged only for messages in which objects are detected (default behavior).
  • The message does not contain links or attachments, or they could not be detected.

General info

This tab displays the following data:

  • Date and time is the date and time when the event occurred.
  • Node is the IP address or port of the node where the message was processed.
  • Sender email is the IP address of the message sender. The address is taken from the SMTP session.
  • Sender IP is the IP address of the message sender.
  • Application message ID is the unique ID that the application assigns to the message.
  • SMTP Message-ID is the ID assigned to the message at the mail server.
  • To is the address of the message recipient. The address is taken from the SMTP session.
  • CC is the address of the recipient of a copy of the message. The address is taken from the SMTP session.
  • BCC is the address of the recipient of a blind copy of the message. The address is taken from the SMTP session.
  • Subject is the message subject.
  • Rule name is the name of the rule which caused the message to be processed.

    You can view rule details by clicking the link with the rule name.

  • Action is the action taken on the message based on the results of scanning by application modules.

Message scan result

This tab displays the statuses that each scan module assigned to the message. For some statuses, the detection methods or the reason for assigning the status are displayed in the second line, separated by commas.

Attachments

This tab displays a table with information about the results of scanning message attachments.

The table contains the following information:

  • File name is the name of the attachment.
  • Index of attachment MIME part displays the location of the MIME part in the MIME part hierarchy of the message. Possible values:
    • 0 for the root MIME part of the message.
    • 0.<index of the current MIME part> for a MIME part of the message that is a child of the root MIME part. The index of the current MIME part is a non-negative integer number.
    • <index of parent MIME part>.<index of the current MIME part> for a MIME part that is not nested in the root MIME part.
    • <index of MIME part>.p is the prologue of the MIME part of the message.
    • <index of MIME part>.e is the epilogue of the MIME part of the message.
  • Action on attachment is the action taken on the attachment based on the scan results.
  • Anti-Virus is the Anti-Virus module scan result for the attachment.
  • Content filtering is the Content Filtering scan result for the attachment.
  • Hash is the algorithm used for calculating the hash of the attachment. If hashing is not enabled in the application settings, a dash is displayed instead.
  • Size is the size of the attachment in bytes.

To view detailed information about attachment scan results, select the relevant record in the table. This opens a window with the following information:

  • File name is the name of the attachment.
  • File size (bytes) is the size of the attachment.
  • Action is the action taken on the attachment based on the scan results. Possible values:
    • None
    • Disinfected
    • Deleted
  • Anti-Virus shows the Anti-Virus module scan details:
    • Skip reason:
      • File name
      • Nesting level

      If the attachment status is different from Not scanned, a dash is displayed.

    • Document with a macro. Possible values: Yes, No.
    • Status:
      • Not detected.
      • Not scanned.
      • Infected.
      • Encrypted.
      • Error.
    • Detection method:
      • Local databases.
      • KSN.
      • KPSN reputation.
    • Threats is the list of detected threats.
    • Deleted objects is the list of objects that were deleted as a result of processing the attachment. These can be objects from single-volume archives: ARJ, CAB, LHA, ZIP, RAR 5.0 and earlier. The archive must not be self-extracting.
    • Disinfected objects is the list of objects that were disinfected as a result of processing the attachment. These can be objects from single-volume archives: ARJ, CAB, LHA, ZIP, RAR 5.0 and earlier. The archive must not be self-extracting.
  • Content Filtering shows the details of the Content Filtering scan for the attachment.
    • Status:
      • Not detected.
      • Not scanned.
      • Error.
      • Matched content.
    • Triggered expressions is a list of expressions that were applied as a result of Content Filtering of the attachment.
  • Hash algorithm is the algorithm used for calculating the hash of the attachment. If hashing is not enabled in the application settings, a dash is displayed instead.
  • Hash is the hash value of the attachment. The hash is calculated after the application applies all actions to the attachment. If hashing is not enabled in the application settings, a dash is displayed instead.

MIME parts

The tab displays a table with information about the following objects:

  • All MIME parts, including attachments. Attachment information is the same as on the Attachments tab.
  • 'Prologue' and 'Epilogue' are the prologue and epilogue of MIME parts of messages.
  • 'Entire message' is the entire message. This string is displayed if the Anti-Virus module detected a threat when scanning the entire message, but no threats were detected when scanning individual MIME parts of the message.

The table contains the following information:

  • File name is the name of the attachment, 'prologue', 'epilogue', 'entire message', or a dash if a name is not defined.
  • MIME part index displays the location of the MIME part in the MIME part hierarchy of the message. Possible values:
    • 0 for the root MIME part of the message.
    • 0.<index of the current MIME part> for a MIME part of the message that is a child of the root MIME part. The index of the current MIME part is a non-negative integer number.
    • <index of parent MIME part>.<index of the current MIME part> for a MIME part that is not nested in the root MIME part.
    • <index of MIME part>.p is the prologue of the MIME part of the message.
    • <index of MIME part>.e is the epilogue of the MIME part of the message.
  • Action on MIME part is the action applied to the MIME part based on the scan results.
  • Anti-Virus is the Anti-Virus module scan result for the MIME part.
  • Content filtering is the Content Filtering scan result for the MIME part.
  • Hash is the name of the hashing algorithm. If hashing is not enabled in the application settings, a dash is displayed instead.
  • Size is the size of the MIME part in bytes.
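
The dotted index notation above can be reproduced on a raw message (for example, one retrieved from Backup) to locate the part an event row refers to. The following is an added example, not code from the application: it uses Python's standard email parser, and the zero-based child numbering, the row labels, and the sample message are assumptions.

```python
from email import message_from_bytes

# Constructed sample (not from the page): multipart/mixed with a prologue, a
# nested multipart/alternative, one attachment and an epilogue.
RAW = b"\r\n".join([
    b"Subject: constructed sample", b"MIME-Version: 1.0",
    b"Content-Type: multipart/mixed; boundary=outer", b"",
    b"prologue text",
    b"--outer", b"Content-Type: text/plain", b"", b"hello",
    b"--outer", b"Content-Type: multipart/alternative; boundary=inner", b"",
    b"--inner", b"Content-Type: text/plain", b"", b"plain",
    b"--inner", b"Content-Type: text/html", b"", b"<p>html</p>",
    b"--inner--",
    b"--outer", b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="report.bin"', b"", b"data",
    b"--outer--",
    b"epilogue text", b"",
])


def index_parts(part, index="0"):
    """Yield (index, name) rows in the dotted notation the page describes."""
    # A part without a file name is labelled with its content type here.
    yield index, part.get_filename() or part.get_content_type()
    if not part.is_multipart():
        return
    if part.preamble and part.preamble.strip():
        yield index + ".p", "prologue"
    # Assumption: children are numbered from 0 in message order.
    for n, child in enumerate(part.get_payload()):
        yield from index_parts(child, f"{index}.{n}")
    if part.epilogue and part.epilogue.strip():
        yield index + ".e", "epilogue"


def mime_index_table(raw: bytes):
    """Parse a raw message and return its MIME part index table."""
    return list(index_parts(message_from_bytes(raw)))


if __name__ == "__main__":
    for idx, name in mime_index_table(RAW):
        print(f"{idx:<8}{name}")
```

The application may number or label parts differently from this parser, so compare the output against a known event before relying on it.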

To view detailed information about MIME part scan results, select the relevant record in the table. This opens a window with the following information:

  • File name is the name of the MIME part, if any.
  • File size (bytes) is the size of the MIME part.
  • Action is the action applied to the MIME part based on the scan results. Possible values:
    • None
    • Disinfected
    • Deleted
  • Anti-Virus shows the Anti-Virus module scan details:
    • Skip reason:
      • File name
      • Nesting level

      If the MIME part status is different from Not scanned, a dash is displayed.

    • Document with a macro. Possible values: Yes, No.
    • Status:
      • Not detected.
      • Not scanned.
      • Infected.
      • Encrypted.
      • Error.
    • Detection method:
      • Local databases.
      • KSN.
      • KPSN reputation.
    • Threats is the list of detected threats.
    • Deleted objects is the list of objects that were deleted as a result of processing the MIME part. These can be objects from single-volume archives: ARJ, CAB, LHA, ZIP, RAR 5.0 and earlier. The archive must not be self-extracting.
    • Disinfected objects is the list of objects that were disinfected as a result of processing the MIME part. These can be objects from single-volume archives: ARJ, CAB, LHA, ZIP, RAR 5.0 and earlier. The archive must not be self-extracting.
  • Content Filtering shows the details of the Content Filtering scan for the MIME part.
    • Status:
      • Not detected.
      • Not scanned.
      • Error.
      • Matched content.
    • Triggered expressions is a list of expressions that were applied as a result of Content Filtering of the MIME part.
  • Hash algorithm is the algorithm used for calculating the hash of the MIME part. If hashing is not enabled in the application settings, a dash is displayed instead.
  • Hash is the hash value of the MIME part. The hash is calculated after the application applies all actions to the MIME part. If hashing is not enabled in the application settings, a dash is displayed instead.

Links

This tab displays a table with information about the results of scanning message links.

The table contains the following information:

  • URL is the scanned link from the message. You cannot follow the link.

    Hovering over the link displays the copy icon. Click the icon to copy the link.

  • Link scanning is the result of the scan by the URL Advisor module.
  • Anti-Phishing is the result of the scan by the Anti-Phishing module.
