Demystifying ATP Scanning: The Ultimate Guide to Advanced Threat Protection

How ATP Scan Works to Secure Your Emails and the Flexibility It Offers

Key Takeaways:

  1. ATP scanning plays a crucial role in identifying and blocking virus-infected or suspicious email attachments, ensuring cyber safety.
  2. ATP allows for exemptions based on various criteria such as sender or recipient email addresses or domains, and even IP addresses.
  3. Messages flagged by ATP are logged with specific codes that inform about the message status, enabling better control and decision-making.
  4. ATP scanning can be configured to either deliver emails first and then scan or scan them before delivery.
  5. ATP statistics on the Dashboard give a comprehensive overview of scanned attachments and their infection status.

What is ATP Scanning?

Advanced Threat Protection (ATP) scanning is a specialized cybersecurity feature that scrutinizes email attachments to identify and block any potentially harmful files. Deployed in a myriad of email services, ATP acts as the gatekeeper of your inbox, ensuring that you are protected from malicious software that may be lurking in those innocuous-looking attachments. ATP has different operational modes like “Deliver First, then Scan” and “Scan First, then Deliver,” each with its pros and cons, making it a flexible solution for various business needs.

How ATP Works

When an email comes into the system with an attachment, the ATP scan jumps into action. If it determines that the attachment is virus-infected or suspicious, the recipient is notified, and the action is logged. The Message Log will display this action as Advanced Threat Protection, making it easier to monitor what ATP is doing.

Exemptions in ATP Scanning

ATP isn’t a one-size-fits-all solution, as there are times when certain emails should not be scanned. ATP allows for various exemptions that prevent specific emails from being sent to the ATP cloud for scanning. These exemptions can be set based on the ‘envelope from’ address, domain, and more.

How to Add an Exemption

  1. Navigate to the Exemptions by Email Address/Domains section in the admin interface.
  2. Enter the email address or domain in the Exemptions field.
  3. Choose whether the exemption applies to the Sender or the Recipient.
  4. Optionally, you can enter a Comment to elaborate on the reason for the exemption.
  5. Click “Add,” and the exemption will display in the list.

Note that these exemptions only apply to ATP scanning and not to other forms of Email Gateway Defense virus scanning.

Understanding ATP Message Logs

The Message Log is the goldmine of information about emails processed by the ATP service. Emails blocked or deferred by ATP are recorded here with specific codes under the “Reason” column. These codes provide valuable insights into the email’s status:

  1. Advanced Threat Protection: Message blocked due to an infected attachment.
  2. Pending Scan (Scan First, then Deliver enabled): Message deferred while the attachment is being scanned.
  3. ATP Service Unavailable: Message deferred because ATP service is temporarily unavailable.

Dashboard for ATP Statistics

ATP also comes with a Dashboard that offers statistics about the attachments scanned. It shows how many were determined to be infected, giving you an overview of how well the ATP service is performing.

Dealing With Deferred Messages

Emails can be deferred for several reasons during an ATP scan, especially when the ATP service is unavailable or when scanning is pending. In such cases, different events can unfold:

  1. The sending mail server retries, and upon scan completion, the email is either delivered or blocked.
  2. If the mail server retries for more than 2 hours without a scan result, the message gets quarantined.
  3. If the mail server doesn’t retry, the admin has the option to manually download and send the deferred message.

Determining Whether to Deliver a Blocked or Quarantined Message

If ATP blocks or quarantines a message, the admin has the option to override this action and deliver the email. Here’s how:

  1. Log into Email Gateway Defense as the administrator.
  2. Navigate to Overview > Message Log and search using the necessary filters.
  3. Messages blocked by ATP will show as ‘Not Delivered.’ Click on this message.
  4. In the reading pane, click on ATP Reports. This will show a list of attachments suspected to be infected.
  5. Review each attachment’s report by clicking “View Report.”
  6. After assessing each attachment, if you decide to deliver the email, accept the disclaimer and click ‘Deliver’ in the Email Delivery Warning dialog box.


ATP scanning is a vital part of modern cybersecurity infrastructure, especially for businesses. Its ability to scan email attachments for potential threats provides an added layer of security. Its flexible modes and exemption features offer a customizable experience suited to various business needs. By understanding how ATP works, how to add exemptions, and how to interpret its logs and statistics, you can make informed decisions that significantly improve your organization’s cyber hygiene.

This post contains affiliate links. Affiliate disclosure: As an Amazon Associate, we may earn commissions from qualifying purchases from and other Amazon websites.

Written by Admin

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.