This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG 18.04 MR-4 more malware in emails missed even with Sandstorm now enabled!

After consulting the Sophos reseller we added the extra layer of protection of a Sophos Sandbox subscription.

I now have two additional MALWARE E-MAILS that ended up in the quarentine queue that based on the XG settings should have been dropped. Piuremessage with old definitions identifies them as Mal/Generic-S, Mal/DrodRar-AIC and Mal/Generic-S, Mal/Inject-GM, CXmail/MalPE-B.

XG MTA with SAV DUAL SCAN engine, primary set to Sophos and DETECT ZERO DAY threats with SANDSTORM ENABLED does not detect the malware in these e-mails. In my understanding e-mails that is still being scanned for malware not yet given the all green from both SAV scanning and Sandstrom should not be in the quarantine queue.

Support is not really responding other than sending their default e-mails with instructions to upload the file, My answer again and again is that the fille requested is in the online case portal already uploaded there.

These two new emails are now uploaded also and the case record updated.

The case number is 03694098.

Fred

This thread was automatically locked due to age.

Top Replies

emmosophos over 4 years ago +1

Hello Fred, Thank you for contacting the Sophos Community. I was able to find the Samples submitted via the Web Site under Case ID 03741758, I took the samples and made the submissions to Labs, and…

0 Fred_B over 4 years ago in reply to LuCar Toni

Hi LuCar Toni,

I added the blackhole DNAT for the default gateway address.

We both have the impression that Sandbox is not being triggered for some reason. At least not in all cases. For that reason I crreated the explicit SMTP inbound rule with SMTP SMTPS scan enabled. Enabled or disabled sandstorm is not triggered and dual scan did not pick up the samples before. Mail keeps flowing but as far as Sandbox is concerned I see no entries in the log under advanced threat intelligence or Sandstorm. The licenses show subscribed to 1-1-3000. I reysnchronized.

I tested with a zipped and that is send to Sandstorm.

I will monitor the situation and if new malware comes in will send it through the Email Gateway also.
Cancel
Vote Up 0 Vote Down

Cancel
0 Fred_B over 4 years ago in reply to Fred_B

Today three more viruses where not dropped by the XG with dual scan and also an active Zero Day Sandstorm Advanced Threat Detection subscription. Sophos support is still non existent since February 26th.

I have send the attachment through the Sophos Mail Gateway and all three were detected and deleted. 2x ML/PE-A and a ML PUA (PUA).Just like the old PureMessage scanner detected them with the old definitions.

Verdict XG SMTP scan did not detect these .gz, .xz and .r11 attachments as being malicious and Sandstorm was not even triggered.

Do not trust the XG SMTP mail scan and sandstorm functionality!
Cancel
Vote Up 0 Vote Down

Cancel