Message History

Overview

Audit > Email History shows information about processing details and email related events in the system.

Since MetaDefender Cloud Email Security version 4.0.0, Microsoft Teams message attachments can also be scanned. If you are eligible for Microsoft Teams integration, the Teams History page offers functionality very similar to the Email History page.

For usability reasons, the Email history list is not updated automatically. Click the Refresh icon to update.

The N/A Scan result value means that MetaDefender Core was not involved in the processing of this entry.

Such cases are:

  • Notifications for blocked emails
  • Released from quarantine
  • Forwarded from quarantine
  • Delivered for external quarantining

The empty Rule value means that the email was not received from outside, but was generated from within Cloud Email Security.

Such cases are:

  • Notifications for blocked emails
  • Email alerts
  • Quarantine reports

In the entry list, unlike in the Email History where the email's subject is shown, the Teams History page displays the filenames of the attachments.

On the Email history list you can search for (marked red in the image below) the Date, Malware scan verdict, Phishing/Spam verdict, Status, Sender, Recipient, Rule, Subject and Rule direction (for Rule direction see Configuration/Policy).

Filtering

The list of emails can be filtered by the:

  1. Date,
  2. Sender,
  3. Recipient,
  4. Subject,
  5. Status,
  6. Scan verdict,
  7. Whether the email has attachments or not,
  8. Classifications (see Operating/Email classifications) and
  9. Tags (see Operating/Email tags).

For the status, classifications and tags filters multiple values can be specified.

For the date filter a time window can be specified.

Searching and Filtering in Teams History

Searching and filtering work the same way in Teams History. The main differences are the following:

  • There is no "Attachment" field in the Teams filter.
  • Since filenames are stored in the Subject field, you can search for the names of processed files in the "Subject" field.
  • You can't search based on Phishing/Spam verdict.

Details

Clicking an Email history or the Teams history list entry displays public details about the processing of the specific message.

Details section in Teams History page:

Malware scan details

Under the Malware scan verdict block, links point to the scan details on the MetaDefender Core where the actual scanning took place.

Results for files that had a hash lookup match and were taken from the cache are marked with a (hash) symbol, while results for files that were actually scanned are marked with a (chain) symbol.

In case of scan results the Show results link points to the result of the scan batch (the aggregated result of all the scanned files).

For both the hash lookup and the scan results, clicking the (dropdown) symbol next to the Show results link shows an individual link for each file to its specific results.

File names may differ even if the file contents (and therefore the file hashes) are the same.

As a result, the file name shown for the email may not match the one in the scan details on MetaDefender Core / Cloud (in the examples below: cyberscape/CYBERscape.pdf in Cloud Email Security but meeting minutes/CYBERscape.pdf in MetaDefender Core). This can be addressed using the Force scan on mismatch option in the hash lookup configuration. For further details see the Hash lookup subsection in Configuration/Policy/Scan.

Classifications

To reflect the risk level of a certain message, Cloud Email Security applies classifications. For details see Operating/Email classifications.

Processing history

The processing history section of the email details / message details contains information about the processing of the email / message.

The following types of entries are listed:

| Type | Description | Example |
|---|---|---|
| StatusChange | Added when a status change occurs. If the status change was manually initiated, the message contains the name of the user that executed the REST call. | LOCAL/admin changed status from Failed to Pending |
| ScanFailed | Added when a scan failure occurs. | Scan failed on url https://localhost:8008 (Reason: MetaDefender Core unavailable) |
| SendDetails | Added when sending an email | Sending email to smtp://127.0.0.1:25 |
| SendSucceeded | Added when sending an email succeeded | SMTP send succeeded to smtp://127.0.0.1:25 |
| SendFailed | Added when a send failure occurs. | SMTP send failed to smtps://localhost:587 (Response: No connection could be made because the target machine actively refused it 127.0.0.1:587) |
| ModifyFailed | Added when an email cannot be modified/sanitized (e.g. parsing error). | |
| ForkEmail | Occurs when an email is forked (e.g. different policy rules apply to different recipients, partial send failure for certain recipients). | |
| DuplicateEmail | Occurs when email content is duplicated (e.g. original copy is moved to quarantine, quarantined original copy is forwarded). | |
| ScanVerdict | Added when we receive a scan verdict for a file related to the message. | email/[body].txt: No Threat Detected |
| VaultUpload | Added when uploading an attachment to MetaDefender Vault | Attachment 'LargeAttachment' was uploaded to Vault |
| ModifyEmail | This event is added when all email modifications are complete and the email is ready to be sent. | Modification/Sanitization of email completed |

Only Microsoft Teams related entries:

| Type | Description | Example |
|---|---|---|
| UpdateCompleted | Added when a processed attachment is updated successfully on Microsoft Teams | Message updated via Microsoft Graph |
| AttachmentDeleted | Added when a blocked attachment has been removed from Microsoft Teams | Attachment virus.jpg was removed |
| AttachmentModified | Added when Cloud Email Security has processed the attachment, removed the malicious content from it, and replaced the original successfully | Attachment trojan.docx updated via Microsoft Graph |
| AttachmentUpdate Failed | Added when Cloud Email Security has processed the attachment, but couldn't update the original file | Failed to update password.pdf attachment via Microsoft Graph (Details: Microsoft Graph is not responding) |
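
The following is an added example, not OPSWAT's code: it parses the entry texts shown in the Example column of the processing history table to count repeated scan and send failures per endpoint and to list user-initiated status changes for audit. It assumes entries are available as (type, message) pairs that follow the shapes of the page's examples; the function names and the sample list are constructed here.

```python
import re
from collections import Counter

# Status groups as listed under "Processing status values" on this page.
STATUS_GROUP = {
    **dict.fromkeys(["Pending", "Processing", "Sending", "Completed", "Sent", "Blocked"], "workflow"),
    **dict.fromkeys(["Reprocessing", "Resending"], "temporary failure"),
    **dict.fromkeys(["Failed", "Forbidden"], "permanent failure"),
    **dict.fromkeys(["Quarantined", "Deleted"], "other"),
}

# Message shapes taken from the Example column of the processing history table.
# Assumption: real entries follow these shapes; anything else is left unparsed.
SHAPES = {
    "ScanFailed": re.compile(r"Scan failed on url (?P<target>\S+) \(Reason: (?P<detail>.*)\)"),
    "SendFailed": re.compile(r"SMTP send failed to (?P<target>\S+) \(Response: (?P<detail>.*)\)"),
    "StatusChange": re.compile(r"(?P<user>\S+) changed status from (?P<old>\w+) to (?P<new>\w+)"),
}

def parse_entry(entry_type, message):
    """Return the named fields of a recognised entry, or None."""
    shape = SHAPES.get(entry_type)
    match = shape.fullmatch(message) if shape else None
    return match.groupdict() if match else None

def triage(history):
    """Count failures per endpoint and list user-initiated status changes."""
    failures, manual, unparsed = Counter(), [], 0
    for entry_type, message in history:
        fields = parse_entry(entry_type, message)
        if fields is None:
            unparsed += entry_type in SHAPES  # known type, unexpected text
        elif entry_type == "StatusChange":
            manual.append((fields["user"], STATUS_GROUP.get(fields["old"], "unknown"),
                           STATUS_GROUP.get(fields["new"], "unknown")))
        else:
            failures[(entry_type, fields["target"])] += 1
    return {"failures": dict(failures), "manual": manual, "unparsed": unparsed}

# Constructed sample history for one message, reusing the page's example texts.
SAMPLE = [
    ("ScanFailed", "Scan failed on url https://localhost:8008 (Reason: MetaDefender Core unavailable)"),
    ("ScanFailed", "Scan failed on url https://localhost:8008 (Reason: MetaDefender Core unavailable)"),
    ("SendFailed", "SMTP send failed to smtps://localhost:587 (Response: No connection could be made "
                   "because the target machine actively refused it 127.0.0.1:587)"),
    ("StatusChange", "LOCAL/admin changed status from Failed to Pending"),
    ("SendSucceeded", "SMTP send succeeded to smtp://127.0.0.1:25"),
]
```

Calling `triage(SAMPLE)` reports two scan failures against the same MetaDefender Core URL, one send failure, and one change by LOCAL/admin that moved the message from a permanent failure status back into the workflow.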

Cleanup

Scheduled

Configure scheduled Email History cleanup under Settings > Data Retention / Email history cleanup schedule.

At the moment, your Email History Cleanup Schedule also affects the messages in the Teams History. This cleanup removes not only the Email History entries but also the Teams History entries older than the value set up on this page.

On-demand

To clean up Email History on demand, click the icon and select the time window of the cleanup. This is not available in Teams History at the moment.

Operations

Bulk email operations

Use the checkbox in front of each row to select entries (or use the checkbox in the header row to select all visible items).

Only visible elements are selected. Elements that are not visible (due to pagination, search or filtering) are not selected even by the select all checkbox.

Only emails that are in the Failed or Reprocessing status can be selected, because these are the only emails where bulk operations (Retry email, Delete email, Download email) are applicable.

For other entries the original email is not kept, hence the operations would not work.

To understand what can cause an email to fail, see the section Processing status values.

Only those operations are available that are applicable to all emails that are selected.

For example, if both Failed and Reprocessing mails are in the selection, then the Retry email function will be available.

Export to CSV

Clicking the Export to CSV button will export the history list (according to the actual filter conditions) to a CSV file.

The currently active filter conditions apply to the exported list.

All filtered data gets exported, even if the list expands to multiple pages.

Differentiating forked emails

In some cases there are seemingly duplicate entries in Email history. Such cases are when an email is:

  • Released from quarantine,
  • Forwarded from quarantine,
  • Delivered for external quarantining.

These cases are marked in Email history with the following icons in the history list:

| Icon | Fork case |
|---|---|
| (icon) | Released from quarantine |
| (icon) | Forwarded from quarantine |
| (icon) | Delivered for external quarantining |

Processing status values

Workflow statuses

Messages with statuses listed below are progressing through the MetaDefender Cloud Email Security workflow.

Pending

Message is queued waiting to be processed.

Processing

Message is currently being processed.

Sending

Email has been processed and is being delivered to the SMTP relay server.

Completed

This status is deprecated since 4.4.0. It was replaced by Sent and Blocked.

Message has been successfully processed and sent forward or blocked.

Sent

Email has been successfully processed and forwarded.

Blocked

Message has been blocked.

Temporary failure statuses

Messages with statuses listed below are in automatic retry sequence.

Reprocessing

MetaDefender Cloud Email Security has failed to process the message and it is currently pending a retry.

Possible causes

  • MetaDefender Core server down/not responding
  • Archive engine is not active on MetaDefender Core
  • Enable archive handling is not enabled for the rules on MetaDefender Core (that are defined in the MetaDefender Core service policies that are in use by the rules on MetaDefender Cloud Email Security)

Resending

MetaDefender Cloud Email Security has failed to forward the email to the SMTP relay server and is currently pending retry.

Possible causes

  • SMTP relay server down/not responding
  • SMTP relay server rejects the email

Permanent failure statuses

Messages with statuses listed below require user interaction, since retry sequence is exhausted.

Failed

Message has exceeded the retry count and cannot be processed/delivered.

Possible causes

Possible actions

  • Manually retry/delete message from the MetaDefender Cloud Email Security web interface.

Forbidden

No policy rule matching the message was found, so the message requires manual delivery.

Possible actions

  • Manually retry/delete message from the MetaDefender Cloud Email Security web interface.

Other statuses

Quarantined

Message is located in quarantine.

Possible actions

  • Manually deliver/delete/forward message from the MetaDefender Cloud Email Security web interface.

Deleted

Messages with this status have been manually deleted by a user.