Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 12 replies
  • Subscribers 27 subscribers
  • Views 1486 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG 18.04 MR-4 more malware in emails missed even with Sandstorm now enabled!

Fred_B

After consulting the Sophos reseller we added the extra layer of protection of a Sophos Sandbox subscription.

I now have two additional MALWARE E-MAILS that ended up in the quarentine queue that based on the XG settings should have been dropped. Piuremessage with old definitions identifies them as Mal/Generic-S, Mal/DrodRar-AIC and Mal/Generic-S, Mal/Inject-GM, CXmail/MalPE-B.

XG MTA with SAV DUAL SCAN engine, primary set to Sophos and DETECT ZERO DAY threats with SANDSTORM ENABLED does not detect the malware in these e-mails. In my understanding e-mails that is still being scanned for malware not yet given the all green from both SAV scanning and Sandstrom should not be in the quarantine queue.

Support is not really responding other than sending their default e-mails with instructions to upload the file, My answer again and again is that the fille requested is in the online case portal already uploaded there.

These two new emails are now uploaded also and the case record updated.

The case number is 03694098.

Fred



This thread was automatically locked due to age.
Parents
  • 0

    Are you using V18 and can look at the sandstorm reports? 

  • 0 in reply to LuCar Toni

    Hi LuCar Toni,

    XG 18.0.4 MR-4 latest version. No new firmware available. Allowed automatic installation of hot fixes.

    AP Firmware
    11.0.014
    -
    22:00:52, Dec 22 2020
    Success
    ATP
    1.0.0347
    -
    08:56:54, Mar 22 2021
    Success
    Avira AV
    1.0.414367
    -
    10:55:40, Mar 22 2021
    Success
    Authentication Clients
    1.0.0019
    -
    20:10:44, Dec 16 2019
    Success
    Geoip ip2country DB
    2.0.004
    -
    08:39:37, Feb 10 2021
    Success
    IPS and Application signatures
    18.17.98
    -
    08:55:56, Mar 18 2021
    Success
    Sophos Connect Clients
    2.1.001
    -
    06:53:56, Mar 10 2021
    Success
    RED Firmware
    3.0.004
    -
    22:14:14, Feb 17 2021
    Success
    Sophos AV
    1.0.16642
    -
    10:55:50, Mar 22 2021
    Success
    SSLVPN Clients
    1.0.008
    -
    13:52:54, Nov 10 2020
    Success

    Set to automatic update of patterns and check every 2 hours. 

    I occasionaly receive an email from the XG that malware has been caught. 

    Sandstorm is in IMHO a farce. 

    I have 1 file to look at the Sandstorm report and that was a harmless Excel file. They let pass by .cab. zip. .rar without any report in Sandbox during that same period.

    Support is not responding. 

    That is why I am checking out Email Gateway as an alternative.

    I noticed that the XG will allow SMTP on all IP adresses. Our official MX is an allias. I cannot block the traffic on the IP of the XG as system takes precedence over the firewall rules. SMTP on a non MX IP address record is per definition suspicious. When I enable route incoming email through the gateway (enable setting) I end up again with mail stuck in the mail spool without being able to release. 

    The email checked by Sandstorm was send to our MX ip address, the alias. Real nice fancy report. A shame it misses the important stuff.

    Regards,

    Fred

     

  • 0 in reply to Fred_B

    Firewall rules have scan SMTP and SMTPS enabled and I can see that they are hit in the log. 

  • 0 in reply to Fred_B

    You should be able to look at all sandstorm scanned Emails/files. Means you should be able to verify, why sandstorm allowed this file. If sandstorm did not generate a report for a file, it did not upload nor checked it with hash values. Which means it seems like not be getting activated by XG for whatever reason. XG will generate a report for each file - even if "only" the on prem scanner tells XG to block/allow this file. 

    You do not need a firewall rule to scan SMTP. the MTA will be acting on the configuration based on the device access configuration in administration. As device access allow the zone "WAN", you can disable SMTP on the other WAN IPs/ports via Backhole DNAT rule. 

    Anyways Central Email is by far the better solution with much more features to protect the setup of a costumer. 

Reply
  • 0 in reply to Fred_B

    You should be able to look at all sandstorm scanned Emails/files. Means you should be able to verify, why sandstorm allowed this file. If sandstorm did not generate a report for a file, it did not upload nor checked it with hash values. Which means it seems like not be getting activated by XG for whatever reason. XG will generate a report for each file - even if "only" the on prem scanner tells XG to block/allow this file. 

    You do not need a firewall rule to scan SMTP. the MTA will be acting on the configuration based on the device access configuration in administration. As device access allow the zone "WAN", you can disable SMTP on the other WAN IPs/ports via Backhole DNAT rule. 

    Anyways Central Email is by far the better solution with much more features to protect the setup of a costumer. 

Children
  • 0 in reply to LuCar Toni

    Hi LuCar Toni,

    I added the blackhole DNAT for the default gateway address. 

    We both have the impression that Sandbox is not being triggered for some reason. At least not in all cases. For that reason I crreated the explicit SMTP inbound rule with SMTP SMTPS scan enabled. Enabled or disabled sandstorm is not triggered and dual scan did not pick up the samples before. Mail keeps flowing but as far as Sandbox is concerned I see no entries in the log under advanced threat intelligence or Sandstorm. The licenses show subscribed to 1-1-3000. I reysnchronized.  

    I tested with a zipped and that is send to Sandstorm. 

     I will monitor the situation and if new malware comes in will send it through the Email Gateway also. 

     

  • 0 in reply to Fred_B

    Today three more viruses where not dropped by the XG with dual scan and also an active Zero Day Sandstorm Advanced Threat Detection subscription. Sophos support is still non existent since February 26th.

    I have send the attachment through the Sophos Mail Gateway and all three were detected and deleted. 2x ML/PE-A and a ML PUA (PUA).Just like the old PureMessage scanner detected them with the old definitions. 

    Verdict XG SMTP scan did not detect these .gz, .xz and .r11 attachments as being malicious and Sandstorm was not even triggered. 

    Do not trust the XG SMTP mail scan and sandstorm functionality!