
Not Receiving Virus\Malware Emails from Endpoints

Wondering if anyone can shed some light on a problem we're having with our email alerts.

We're not receiving any alerts from our Endpoints when a Virus is picked up.

On SEC (5.2.1 R2)

Policy set up and configured Email messaging (local SMTP server inputted and resolves correctly)

On the Endpoint (SES and Control 10.3)

In Alerting>Messaging > Email Alerting is enabled, messages to send are checked, I have my email address in the recipients and when I configure SMTP (on the client) I get a "Connection to SMTP Server successful" when clicking "Test"

Although I never receive an email alert

I have had a look on the log of the local PC but I don't see anything obvious, I'm thinking maybe Firewall?

(I think?! this worked before we moved over to O365?! so it might be a filtering issue)

Using O365 for Email

Firewall is on (both Server and Endpoint)

Regards

Phil

  • Hi Phil,

    Sophos uses SMTP for email alerting.

    Make sure that nothing is blocking traffic on TCP port 25

    On the client machine do the following E-mail alert testing:

    1. Right click on the Sophos shield and choose 'Open Sophos Endpoint Security and Control'

    2. Click on the 'Configure anti-virus and HIPS' link

    3. Click on the Messaging > e-mail alerts > enable e-mail alerting > configure SMTP > SMTP server should be the IP address of the test machine > enter an SMTP sender address > click OK

    4. Download SMTP4Dev from this location: http://smtp4dev.codeplex.com/

    5. Unzip the downloaded file to a suitable location.

    6. Launch SMTP4Dev, it will start listening on Port 25 of the PC you are running it on.

    7. Re-create a virus alert message. You can do so by running the Eicar test found in the below KB article

    -----------------------------------------

    Article ID: 10027

    Title: Testing that virus detection works

    URL: http://www.sophos.com/en-us/support/knowledgebase/10027.aspx

    -----------------------------------------

    8. Once an email is received by SMTP4Dev it will do an alert pop up and store the email.

    9. Open SMTP4Dev and you'll see the email and be able to view the entire content and save the email to disk

    If you can see the email, then something on your side is blocking the traffic.

  • Hi, thanks for the reply, it was really helpful.

    I did manage to receive the message in SMTP4DEV, so this does indeed indicate that something on our network is blocking the traffic.

    It's rather strange because we can receive email alerts from the console when configured through Tools>Configure Email alerts> to receive Policy\Protection\errors.

    Do the endpoint email alerts work differently to those mentioned above? Different ports maybe?

    Regards

    Phil

  • Hello Phil,

    do you perhaps have to authenticate? Are the keys mentioned here set for SEC?

    Christian

  • Hi,

    Thanks for your reply.

    I don't think we need to authenticate, as all other servers configured for notifications (Backup etc.) don't require this (Plain SMTP)

    Phil

  • I think I have found the error.

    Our internal SMTP Relay is set to restrict e-mail to only certain IP addresses; adding my test machine now lets this through, so I just need to add a wildcard, maybe, to allow all domain workstations.

    Thanks for your help

    Regards

    Phil
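The endpoint's "Test" button only proves that a TCP connection to port 25 succeeds, which is why the relay's source-IP restriction found above was invisible until SMTP4Dev was used. The following added Python diagnostic (not Sophos code, and not part of this thread) walks the SMTP transaction up to RCPT TO and classifies the relay's answer, so a "550 Unable to relay" shows up as a finding rather than as a silently missing alert; the FakeRelay class is a constructed stand-in used only to exercise the probe, and all host names and addresses are placeholders.

```python
import smtplib
import socketserver
import threading

def probe_relay(host, port, sender, recipient, timeout=10):
    """Run EHLO/MAIL FROM/RCPT TO (never DATA) and classify the reply:
    'accepted', 'relay_denied', 'refused:<code>' or 'connect_failed'."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo_or_helo_if_needed()
            code, _ = smtp.mail(sender)
            if code != 250:
                return f"refused:{code}"
            code, msg = smtp.rcpt(recipient)
            if code == 250:
                smtp.rset()            # accepted; abort before DATA so nothing is sent
                return "accepted"
            if code in (550, 554) and b"relay" in msg.lower():
                return "relay_denied"  # the failure mode described in the thread
            return f"refused:{code}"
    except OSError:                    # smtplib exceptions are OSError subclasses
        return "connect_failed"

class FakeRelay(socketserver.StreamRequestHandler):
    """Constructed stand-in for an internal relay that only relays for
    listed source IPs (test scaffolding, not a real mail component)."""
    def handle(self):
        self.wfile.write(b"220 relay.example.test ESMTP\r\n")
        for line in self.rfile:
            cmd = line.strip().upper()
            if cmd.startswith(b"QUIT"):
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            if cmd.startswith(b"RCPT TO"):
                ok = self.client_address[0] in self.server.allowed_clients
                reply = b"250 2.1.5 OK" if ok else b"550 5.7.1 Unable to relay"
            elif cmd[:4] in (b"EHLO", b"HELO", b"MAIL", b"RSET"):
                reply = b"250 2.0.0 OK"
            else:
                reply = b"500 5.5.1 Unknown command"
            self.wfile.write(reply + b"\r\n")

def start_fake_relay(allowed_clients):
    """Start FakeRelay on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeRelay)
    srv.allowed_clients = set(allowed_clients)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Pointing probe_relay at the real relay from a workstation that is not on its allow-list returns "relay_denied", the same condition that the console's own alerts never hit because the SEC server is already listed.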