View All Resources

Proofpoint: Unscanned Attachments

 
What does it mean when I see "[Unscanned Attachment]" in my email subject?

Penn has contracted with Proofpoint to provide our email sanitation. The Proofpoint service provides spam detection, virus protection, and URL safety validation. As part of this protection, it also uses sandboxing to examine email attachments. As part of this sandboxing, the attachments are examined using a virtual machine for known malicious behavior. This examination can be time-consuming, depending on the size of the attachment.

Proofpoint uses a cloud-based approach for the sandboxing, which may, due to email volume, cause the process to time out. Generally and under normal circumstances, we see less than 0.01% of all emails with scanned attachments time out.

If the examination of the attachment(s) takes longer than 5 minutes, the service will abandon the analysis and pass the email on, but will annotate the subject line of the email with "[Unscanned Attachment]".

 

What should I do when I receive an email annotated with "[Unscanned Attachment]"?

When receiving an email annotated with "[Unscanned Attachment]", you should be extra vigilant prior to opening or using the attachment. It does not necessarily mean that the attachment is malicious. Emails from an unknown source should be treated with even more caution.

 

Why would I receive an email marked "[Unscanned Attachment]" that does not have an attachment?

Due to the way O365 handles email and the particulars of PennO365 email routing, emails that are formatted as Rich Text will have a hidden attachment of winmail.dat, which will be scanned by Proofpoint. If the scan times out, as mentioned above, the email will be marked with "[Unscanned Attachement]" even though no attachment is visible. We recommend that all clients use HTML as the preferred format for sending email.