
XG 18.04 MR-4 more malware in emails missed even with Sandstorm now enabled!

After consulting the Sophos reseller we added the extra layer of protection of a Sophos Sandbox subscription.

I now have two additional MALWARE E-MAILS that ended up in the quarantine queue that, based on the XG settings, should have been dropped. Puremessage with old definitions identifies them as Mal/Generic-S, Mal/DrodRar-AIC and Mal/Generic-S, Mal/Inject-GM, CXmail/MalPE-B.

XG MTA with SAV DUAL SCAN engine, primary set to Sophos and DETECT ZERO DAY threats with SANDSTORM ENABLED does not detect the malware in these e-mails. In my understanding, e-mails that are still being scanned for malware and have not yet been given the all green from both SAV scanning and Sandstorm should not be in the quarantine queue.

Support is not really responding other than sending their default e-mails with instructions to upload the file. My answer again and again is that the file requested is in the online case portal, already uploaded there.

These two new emails are now uploaded also and the case record updated.

The case number is 03694098.

Fred

  • Another virus missed by XG SAV and Sandstorm.

    Detection by Puremessage behind the XG with outdated definitions:

    Event: Virus infection detected

    Location: 1035 Purchase Contract.rar

    Replaced with text: Yes

    Virus name(s): CXmail/MalPE-BP

    I have uploaded this one to the support portal case also.

  • Hello Fred,

    Thank you for contacting the Sophos Community.

    I was able to find the Samples submitted via the Web Site under Case ID 03741758, I took the samples and made the submissions to Labs, and I raised a Labs request with them.

    I have left a note in your case, for the engineer, once there is an update from Labs, I will ask the engineer to share it with you.

    In the future, after you submit the samples, share the Case ID that gets automatically created via the Sample Submission website in the ticket, so the engineer can open the ticket with Labs using that Case ID, just as you mentioned in the last email.

    Regards,

  • Hello Fred,

    An update from Labs.

    There’s a detection for all the samples, except for 2 which were created recently; they’ll be published in the next IDE update.

    Regards,

  • Emmanuel,

    Puremessage for Exchange retired as of December 31st but still detects them, but XG with Sandbox does not. This tells me that there is something not right with your answer.

    Are you saying that Puremessage and SAV are using different virus definitions as compared to XG and Sandstorm? It is supposed to have a dual scan engine. I can send more samples that are detected by Puremessage, proving the old product to be superior to XG and Sandstorm.

    After moving to newer instances of Exchange and Windows server we will return to Puremessage.

    Fred

  • The same .eml files I uploaded as samples with the new case 03741758 were also uploaded before on the request of the engineer to the old case 03694098 in the support portal.

  • I mailed some of the files missed by the XG SAV and sent them through the Sophos Email Gateway. The Email Gateway does recognize these files as malicious, but to be honest I uploaded those 10 files as samples before.

    I will wait for a new one to arrive in the XG and send that through the email gateway for a conclusion.

  • Are you using V18 and can look at the sandstorm reports?

  • Hi LuCar Toni,

    XG 18.0.4 MR-4 latest version. No new firmware available. Allowed automatic installation of hot fixes.

    AP Firmware                     11.0.014     -   22:00:52, Dec 22 2020   Success
    ATP                             1.0.0347     -   08:56:54, Mar 22 2021   Success
    Avira AV                        1.0.414367   -   10:55:40, Mar 22 2021   Success
    Authentication Clients          1.0.0019     -   20:10:44, Dec 16 2019   Success
    Geoip ip2country DB             2.0.004      -   08:39:37, Feb 10 2021   Success
    IPS and Application signatures  18.17.98     -   08:55:56, Mar 18 2021   Success
    Sophos Connect Clients          2.1.001      -   06:53:56, Mar 10 2021   Success
    RED Firmware                    3.0.004      -   22:14:14, Feb 17 2021   Success
    Sophos AV                       1.0.16642    -   10:55:50, Mar 22 2021   Success
    SSLVPN Clients                  1.0.008      -   13:52:54, Nov 10 2020   Success

    Set to automatic update of patterns and check every 2 hours.

    I occasionally receive an email from the XG that malware has been caught.

    Sandstorm is IMHO a farce.

    I have 1 file to look at the Sandstorm report and that was a harmless Excel file. They let .cab, .zip and .rar pass by without any report in Sandbox during that same period.

    Support is not responding.

    That is why I am checking out Email Gateway as an alternative.

    I noticed that the XG will allow SMTP on all IP addresses. Our official MX is an alias. I cannot block the traffic on the IP of the XG as the system takes precedence over the firewall rules. SMTP on a non-MX IP address record is by definition suspicious. When I enable route incoming email through the gateway (enable setting) I end up again with mail stuck in the mail spool without being able to release.

    The email checked by Sandstorm was sent to our MX IP address, the alias. Real nice fancy report. A shame it misses the important stuff.

    Regards,

    Fred
  • Firewall rules have scan SMTP and SMTPS enabled and I can see that they are hit in the log.

  • You should be able to look at all Sandstorm scanned emails/files. That means you should be able to verify why Sandstorm allowed this file. If Sandstorm did not generate a report for a file, it neither uploaded it nor checked it with hash values, which means it seems not to be getting activated by XG for whatever reason. XG will generate a report for each file, even if "only" the on-prem scanner tells XG to block/allow this file.

    You do not need a firewall rule to scan SMTP. The MTA will be acting on the configuration based on the device access configuration in administration. As device access allows the zone "WAN", you can disable SMTP on the other WAN IPs/ports via a blackhole DNAT rule.

    Anyway, Central Email is by far the better solution with much more features to protect the setup of a customer.