
XG 18.04 MR-4 more malware in emails missed even with Sandstorm now enabled!

After consulting the Sophos reseller we added the extra layer of protection of a Sophos Sandbox subscription.

I now have two additional MALWARE E-MAILS that ended up in the quarantine queue that, based on the XG settings, should have been dropped. PureMessage with old definitions identifies them as Mal/Generic-S, Mal/DrodRar-AIC and Mal/Generic-S, Mal/Inject-GM, CXmail/MalPE-B.

XG MTA with SAV DUAL SCAN engine, primary set to Sophos and DETECT ZERO DAY threats with SANDSTORM ENABLED, does not detect the malware in these e-mails. In my understanding, e-mails that are still being scanned for malware and not yet given the all clear from both SAV scanning and Sandstorm should not be in the quarantine queue.

Support is not really responding other than sending their default e-mails with instructions to upload the file. My answer again and again is that the file requested is already uploaded in the online case portal.

These two new emails are now uploaded also and the case record updated.

The case number is 03694098.

Fred




Top Replies

  • Hello Fred,

    Thank you for contacting the Sophos Community.

    I was able to find the samples submitted via the website under Case ID 03741758. I took the samples, made the submissions to Labs, and raised a Labs request with them.

    I have left a note in your case for the engineer; once there is an update from Labs, I will ask the engineer to share it with you.

    In the future, after you submit the samples, share the Case ID that gets automatically created via the Sample Submission website in the ticket, so the engineer can open the ticket with Labs using that Case ID, just as you mentioned in the last email.

    Regards,

  • Hi LuCar Toni,

    I added the blackhole DNAT for the default gateway address. 

    We both have the impression that Sandbox is not being triggered for some reason, at least not in all cases. For that reason I created the explicit SMTP inbound rule with SMTP/SMTPS scan enabled. Enabled or disabled, Sandstorm is not triggered, and dual scan did not pick up the samples before. Mail keeps flowing, but as far as Sandbox is concerned I see no entries in the log under advanced threat intelligence or Sandstorm. The licenses show subscribed to 1-1-3000. I resynchronized.

    I tested with a zipped file and that is sent to Sandstorm.

    I will monitor the situation and if new malware comes in I will send it through the Email Gateway also.

     

  • Today three more viruses were not dropped by the XG with dual scan and also an active Zero Day Sandstorm Advanced Threat Detection subscription. Sophos support is still non-existent since February 26th.

    I have sent the attachments through the Sophos Mail Gateway and all three were detected and deleted: 2x ML/PE-A and an ML PUA (PUA), just like the old PureMessage scanner detected them with the old definitions.

    Verdict: XG SMTP scan did not detect these .gz, .xz and .r11 attachments as being malicious and Sandstorm was not even triggered.

    Do not trust the XG SMTP mail scan and sandstorm functionality!
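
The last post reports that .gz, .xz and .r11 attachments passed the gateway without being detected or sent to the sandbox. As an added example (not from this thread, and not Sophos or XG code), the following Python script shows the kind of independent check a mail administrator can run on a quarantined or delivered message: it identifies archive containers by their magic bytes rather than by file extension, flags split-volume RAR parts (.r00, .r01, ... style names) that hide RAR content behind a non-.rar extension, unwraps the single-file containers the standard library can handle with a size cap against decompression bombs, and hashes the inner payload so it can be looked up or forwarded to a sandbox. The message, the attachment names and the inert "MZ" byte string are all constructed here for the demonstration; the `route_to_sandbox` decision and the helper names are this example's own, not a product feature.

```python
import email
import gzip
import hashlib
import lzma
import re
import zlib
from email import policy
from email.message import EmailMessage
from typing import Optional, Tuple

# Magic-byte signatures of archive containers commonly used to wrap mail-borne payloads.
MAGIC = {
    "gzip": b"\x1f\x8b",
    "xz": b"\xfd7zXZ\x00",
    "rar": b"Rar!\x1a\x07",
}

# Every volume of a multi-part RAR set carries the RAR marker, so .r11 is caught by content;
# this pattern additionally flags the split-volume naming scheme itself.
SPLIT_VOLUME_EXT = re.compile(r"r\d{2}")


def sniff_container(data: bytes) -> Optional[str]:
    """Return the container type by leading bytes, ignoring the file name entirely."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def unwrap(data: bytes, kind: str, limit: int = 10 * 1024 * 1024) -> Tuple[Optional[bytes], bool]:
    """Decompress gzip/xz with a bounded output size.

    Returns (inner_bytes, truncated). RAR is reported but not unwrapped: the stdlib
    has no RAR decoder, and that is exactly the case to hand to a sandbox.
    """
    if kind == "gzip":
        d = zlib.decompressobj(wbits=31)            # wbits=31: gzip framing
        out = d.decompress(data, limit)
        return out, bool(d.unconsumed_tail)         # leftover input means we hit the cap
    if kind == "xz":
        d = lzma.LZMADecompressor()
        out = d.decompress(data, max_length=limit)
        return out, not d.eof                       # stream not finished means we hit the cap
    return None, False


def inspect_message(raw: bytes) -> list:
    """Walk every attachment and record container type, hashes and a sandbox-routing verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff_container(data)
        rec = {
            "name": name,
            "container": kind,
            "sha256": hashlib.sha256(data).hexdigest(),
            "split_volume": bool(SPLIT_VOLUME_EXT.fullmatch(ext)),
        }
        inner, truncated = unwrap(data, kind) if kind else (None, False)
        if inner is not None:
            rec["inner_sha256"] = hashlib.sha256(inner).hexdigest()
            rec["inner_truncated"] = truncated
            rec["inner_is_pe"] = inner.startswith(b"MZ")  # DOS/PE header: executable inside an archive
        # Anything wrapped in an archive, or named like a split volume, goes to the sandbox queue.
        rec["route_to_sandbox"] = kind is not None or rec["split_volume"]
        findings.append(rec)
    return findings


def build_sample_eml() -> bytes:
    """Constructed test message: an inert MZ-prefixed blob wrapped in .gz, in .xz, and a RAR-marked .r11 volume."""
    fake_pe = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode."  # constructed, not a real binary
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("see attached")
    msg.add_attachment(gzip.compress(fake_pe), maintype="application", subtype="gzip", filename="invoice.gz")
    msg.add_attachment(lzma.compress(fake_pe), maintype="application", subtype="x-xz", filename="invoice.xz")
    # Constructed RAR volume: marker block followed by padding, enough for content sniffing only.
    msg.add_attachment(MAGIC["rar"] + b"\x00" * 33, maintype="application", subtype="octet-stream", filename="invoice.r11")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in inspect_message(build_sample_eml()):
        print(f)
```

Run as a script it prints one record per attachment; the point of the check is that all three constructed attachments are classified by content and marked for sandboxing, whereas a scanner keyed on extension or MIME type can miss a .r11 volume or an .xz stream entirely. The output cap in `unwrap` matters in production: an archive that is tiny on the wire but expands past the limit is reported with `inner_truncated` set instead of exhausting the scanner's memory.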