Keep email containing attachments in mail queue pending antivirus updates for a specified amount of time based on rules
With the recent influx of attachment attacks I think it would be nice to have the ability to hold mail containing some types of attachments based on some rules (receiving time, region, has this host communicated with us before?, etc.) until it has had a few passes through the antivirus scanner. It would be nice to specify a time such as N hours before releasing it from the queue and onto the AV, then to the mailbox. It is important that zero-day attachments age enough so antivirus can catch up enough to kill them.
For example, an email arrives from a Russian MTA at 2AM to one of my users in Arizona in the USA containing a very convincing looking email with an invoice.doc attachment. The invoice.doc contains a zero-day trojan that Sophos isn't yet aware of. It passes through the mail queue and is delivered to the user's inbox.
Sometime around 5AM security researchers at Sophos labs receive samples of this file from other infections and push out an update which my server receives at about 7:00AM.
User arrives in the office at 9 AM and opens their Outlook with KOFF, and it happily downloads the infected invoice.doc file despite the Sophos AV being updated and aware of the infected attachment. As it stands Kerio Connect doesn't rescan email already delivered to users' mailboxes, only fresh mail that comes in through the queue. Since fresh mail is mostly zero-day trojans nowadays this is mostly useless.
Luckily her endpoint AV catches these but I think Kerio can help here because the attackers are getting more aggressive and more frequent, now even beating the endpoint AV to the punch.
Perhaps an option of sending a warning after a certain amount of time letting the receiver know that there is an email pending review, that they can contact the admin to release it early if they feel it is something that needs to be white-listed or have that server's IP added to the trusted servers list.
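The hold-and-rescan idea described above, as an added worked example that is not Kerio Connect code or the poster's own: a small policy engine that decides, per queued message, whether to hold it, rescan it because newer AV signatures arrived, deliver it, or quarantine it, plus the "pending review" notice. The hold durations, the risky extension list, the watched region set, the GeoIP-style `sender_region` field, and the signature version counters are all assumptions made for the example; the sample messages replay the 2AM Arizona scenario from the post with constructed IPs and timestamps.

```python
"""Hold-and-rescan queue policy for attachment-bearing mail (constructed example, not Kerio code)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath

# Attachment types worth aging in the queue (assumed list for the example).
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".zip", ".exe"}


@dataclass
class QueuedMessage:
    msg_id: str
    received_at: datetime           # timezone-aware, UTC
    sender_ip: str
    sender_region: str              # hypothetical GeoIP enrichment, e.g. "RU"
    attachments: list[str]
    arrival_sig_version: int        # AV signature version at the first scan
    last_scan_sig_version: int      # signature version of the most recent scan
    malicious: bool = False         # set by the scanner on any pass


@dataclass
class HoldPolicy:
    base_hold: timedelta = timedelta(hours=4)
    unknown_sender_extra: timedelta = timedelta(hours=4)
    off_hours_extra: timedelta = timedelta(hours=2)
    watched_region_extra: timedelta = timedelta(hours=2)
    max_hold: timedelta = timedelta(hours=24)    # hard cap so mail is never stuck forever
    warn_after: timedelta = timedelta(hours=2)   # when to tell the recipient about the hold
    watched_regions: frozenset = frozenset({"RU"})            # assumption for the example
    local_tz: timezone = timezone(timedelta(hours=-7))        # Arizona: MST all year


def utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


def has_risky_attachment(msg: QueuedMessage) -> bool:
    return any(PurePosixPath(n).suffix.lower() in RISKY_EXTENSIONS for n in msg.attachments)


def hold_duration(msg: QueuedMessage, policy: HoldPolicy, known_senders: set[str]) -> timedelta:
    """How long the message must age in the queue before release is even considered."""
    if not has_risky_attachment(msg):
        return timedelta(0)
    hold = policy.base_hold
    if msg.sender_ip not in known_senders:           # never talked to this host before
        hold += policy.unknown_sender_extra
    local_hour = msg.received_at.astimezone(policy.local_tz).hour
    if local_hour < 6 or local_hour >= 22:           # arrived outside business hours
        hold += policy.off_hours_extra
    if msg.sender_region in policy.watched_regions:
        hold += policy.watched_region_extra
    return min(hold, policy.max_hold)


def decide(msg: QueuedMessage, now: datetime, policy: HoldPolicy,
           known_senders: set[str], current_sig_version: int) -> str:
    """Return one of 'quarantine', 'rescan', 'hold', 'deliver'."""
    if msg.malicious:
        return "quarantine"
    hold = hold_duration(msg, policy, known_senders)
    if hold == timedelta(0):
        return "deliver"                               # nothing to age; the normal single scan suffices
    if current_sig_version > msg.last_scan_sig_version:
        return "rescan"                                # new signatures landed: another AV pass first
    age = now - msg.received_at
    if age < hold:
        return "hold"
    # Hold elapsed. Release only if the message was rescanned with signatures newer than
    # the ones it arrived under, or the hard cap is reached and we stop waiting for updates.
    if msg.last_scan_sig_version > msg.arrival_sig_version or age >= policy.max_hold:
        return "deliver"
    return "hold"


def pending_notice(msg: QueuedMessage, now: datetime, policy: HoldPolicy,
                   known_senders: set[str]) -> str | None:
    """Text of the 'mail pending review' warning, or None if it is not due yet."""
    hold = hold_duration(msg, policy, known_senders)
    if hold == timedelta(0) or now - msg.received_at < policy.warn_after:
        return None
    release_at = (msg.received_at + hold).astimezone(policy.local_tz)
    return (f"Message {msg.msg_id} with attachment(s) {', '.join(msg.attachments)} is held for "
            f"review until {release_at:%Y-%m-%d %H:%M %Z}; contact your admin to release it early.")


def run_scenario() -> dict[str, str]:
    """Replay the post's scenario with constructed messages; returns the decision per step."""
    policy, known = HoldPolicy(), {"198.51.100.7"}
    m1 = QueuedMessage("m1", utc(2024, 1, 15, 9, 0), "203.0.113.9", "RU", ["invoice.doc"], 100, 100)
    m2 = QueuedMessage("m2", utc(2024, 1, 15, 13, 0), "198.51.100.7", "US", ["invoice.doc"], 100, 100)
    m3 = QueuedMessage("m3", utc(2024, 1, 15, 13, 0), "203.0.113.9", "RU", ["notes.txt"], 100, 100)
    out = {}
    out["m1_early"] = decide(m1, utc(2024, 1, 15, 9, 5), policy, known, 100)          # 2AM MST, unknown host
    out["m1_after_update"] = decide(m1, utc(2024, 1, 15, 14, 0), policy, known, 101)  # 7AM MST update landed
    m1.last_scan_sig_version, m1.malicious = 101, True                                # the rescan catches it
    out["m1_rescanned"] = decide(m1, utc(2024, 1, 15, 14, 1), policy, known, 101)
    out["m2_no_update"] = decide(m2, utc(2024, 1, 15, 17, 30), policy, known, 100)    # aged, but no new sigs
    m2.last_scan_sig_version = 101                                                    # rescanned clean
    out["m2_rescanned_clean"] = decide(m2, utc(2024, 1, 15, 17, 30), policy, known, 101)
    out["m3_plain"] = decide(m3, utc(2024, 1, 15, 13, 0), policy, known, 100)         # no risky attachment
    out["m1_notice"] = pending_notice(m1, utc(2024, 1, 15, 12, 0), policy, known) or ""
    return out


if __name__ == "__main__":
    for step, decision in run_scenario().items():
        print(f"{step:20s} {decision}")
```

The ordering inside `decide` is the point: a newer signature set always triggers a rescan before the clock is consulted, so a message gets the "few passes" the post asks for while it ages, and release after the hold requires at least one of those passes to have used signatures newer than the ones the message arrived under (with `max_hold` as the ceiling so mail is not parked indefinitely when no update arrives).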