When multiple content filtering policies are created to filter out content in a specific part of the message, such as "subject" or "envelope recipient" with an action to create a quarantine incident for each policy, the first content policy creates a quarantine incident message, but subsequent filtering policies create an informational incident, not a quarantine incident.
This is by design. The idea behind this design is two-fold:
A message should only be quarantine once, even if it triggers multiple content filtering policies. Otherwise, it will have to be quarantined the first time due to the first policy, then released, and then quarantine again due to the second policy, and so on.
An information incident is created for the subsequent or secondary policies to make sure it is known that those policies were triggered as well.
There is no solution because this behavior is by design. There are two choices: either re-write content filtering policies and choose which content you want to filter and what action you want to take or just use the information incident feature as a proof that the subsequent or secondary policies are being triggered.
These two places describe this behavior:
Administration Guide, the section "About multiple content filtering policies"
BMG Content Help (click on "Help" in the BMG web user interface, then click on "Search" tab, in the search box type "combining" and select "100. About Multiple content filtering policies".
Symantec Messaging Gateway versions 9.0 and higher.
Imported Document ID: TECH137184
Subscribing will provide email updates when this Article is updated. Login is required.