Good evening folks,
I have some strange behaviour with our primary XG210 box. The issue has existed for a long while, I believe, but until now I didn't care so much because we have several anti-malware tools in action.
But lately the other tools were also failing to detect a threat, and a mail with an infected attachment went all the way through to the inbox of a colleague, who was able to open the attachment, which was quite unsettling...
I have already opened a case but I thought maybe someone in the community noticed the same behaviour:
Firmware: SFOS 18.0.4 MR-4, acting as transparent SMTP proxy; mail server is MS Exchange 2019 CU8. Incoming mails are scanned for malware & spam (spam/probable spam/RBL).
Malware configuration is set to only remove infected attachments, not to block/reject. Spam configuration is also set to just mark the subject line but not block/reject (because there has been a bug in the past with some XG firmware which blocked many of our incoming mails since RBL service was overloaded/timed out and since then I don't reject spam anymore).
Spam mails are marked very efficiently. But malware is only filtered in rare cases (maybe 20%?), the rest is filtered on the mailserver (by Kaspersky for Exchange 9.6).
I have now run some simple tests: disabled outgoing spam and malware checking on my personal mail system and sent two test mails. One with only the EICAR test virus signature as text in the body. The second with the EICAR test virus + EICAR spam signature as text in the body.
The first mail with only the test virus signature got detected and marked as infected in the subject line, the code got removed, and the body was marked with:
"Sophos Anti Virus has found Infected Attachment in the following message:...
Virus Name(s): 'EICAR-AV-Test'
Attachment Name(s): Part0001"
The second mail with test virus + test spam was ONLY detected as spam and marked in the subject, but the code did NOT get removed. The body was delivered just as sent:
"XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAI.......
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FI......"
So clearly incoming mails which are detected by the spam filter (or also as probable spam) are not further checked for malware.
Any thoughts on that? Is there any way to change the order for the mail filters (malware first, spam second)?
Thank you!
Regards, Thilo
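The two-mail test from the post, as an added example (not from the original post or from Sophos): it builds the "EICAR only" and "GTUBE + EICAR" messages and classifies a delivered copy by the markers the post quotes. The `[SPAM]` subject prefix and the delivered samples are assumptions; match the prefix to your own spam policy's subject tag.

```python
"""Check filter ordering: does malware stripping still happen once the body also trips spam?"""
import email
import email.policy
from email.message import EmailMessage

# Public test signatures (harmless by design); the post shows them truncated.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
AV_NOTICE = "Sophos Anti Virus has found Infected Attachment"  # body text quoted in the post
SPAM_TAG = "[SPAM]"  # assumed subject prefix; set to your spam policy's tag


def build_test_message(case, sender, recipient):
    """case 'virus' -> EICAR only in the body; case 'both' -> GTUBE line + EICAR line."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"filter-order test: {case}"
    msg.set_content(EICAR if case == "virus" else f"{GTUBE}\n{EICAR}")
    return msg


def classify(raw):
    """Return (spam_tagged, malware_stripped) for a message as it arrived in the inbox."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    text = "".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain")
    spam_tagged = SPAM_TAG in (msg["Subject"] or "")
    malware_stripped = AV_NOTICE in text and EICAR not in text
    return spam_tagged, malware_stripped


def ordering_bug(delivered_virus, delivered_both):
    """True when the post's symptom shows: EICAR is stripped alone but survives next to GTUBE."""
    _, stripped_alone = classify(delivered_virus)
    tagged, stripped_with_spam = classify(delivered_both)
    return stripped_alone and tagged and not stripped_with_spam


# Constructed samples of what the post describes arriving (not real captures).
DELIVERED_STRIPPED = (
    b"Subject: filter-order test: virus\r\nContent-Type: text/plain\r\n\r\n"
    b"Sophos Anti Virus has found Infected Attachment in the following message:\r\n"
    b"Virus Name(s): 'EICAR-AV-Test'\r\nAttachment Name(s): Part0001\r\n"
)
DELIVERED_SPAM_ONLY = (
    b"Subject: [SPAM] filter-order test: both\r\nContent-Type: text/plain\r\n\r\n"
    + (GTUBE + "\r\n" + EICAR + "\r\n").encode()
)
```

Send the two built messages through the proxy to a test mailbox, fetch the delivered copies, and feed their raw bytes to `ordering_bug`.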