
Sophos email appliance with Sandbox. Does it do a good job? Say, compared to Mimecast.

Hi.

I know this is a bit of a daft question, as I'm asking on Sophos so of course you'll say Sophos. But then again......

So I'm looking at a Sophos email appliance, either virtual or physical (with the full sandbox facilities), as opposed to having it all done in the cloud via Mimecast. Our ISP is trying to sell us Mimecast, and I've said well, I think Sophos should do pretty much the same job except for archiving emails, which we have something else for, and at half the cost... Am I talking rubbish or does it do the job?

Those of you that are using the Sophos solution, do you think it's a sensible idea or not :)



  • Your best option is to use both for the right reasons.

    Sandstorm excels at office-type document scanning, for example .pdf, .doc, .docx files etc. The sandbox can detonate items with a potential payload (like a macro or script) and examine the results.

    Having layers of AV security is IMO a good thing and may help with 0-day infections.

    Sandstorm is a great feature but is not meant to replace traditional AV scanning; its purpose is to enhance scanning. For example:

    Without Sandstorm:

    SAV (Sophos Anti Virus) has 2 options, Yes or No.

    With Sandstorm:

    SAV has a 3rd option, "maybe". Anything that it classifies as maybe is sent to the sandbox for scanning.

    In addition, the email appliance also has the ability to proxy identified links in emails. The appliance will re-write the link so that the destination is proxied through the appliance. Should a site be blocked by Labs as malicious, the request would be dropped. This is an added security feature of the appliance.

    No one product will ever be your "silver bullet", but a combination of products and features is one of the keys to a great security policy.

    Another technology you may wish to look at is Intercept X, which specifically deals with Cryptolocker.

    Ultimately... whatever works best in your environment is the correct answer.

  • Thanks for your very full reply.

    I think I worded my query wrong; the subject was more accurate than the rest of my waffling post.

    I've got AV/Intercept X.

    I'm just looking at an email appliance; our ISP currently does it for us. I don't love this device. So they've offered Mimecast, which does lots and sounds great, but costs a fortune. I can get the Sophos appliance with Sandstorm for less than half the price over three years. Yes, I have to manage it myself as opposed to the ISP doing the work, but I was really after those of you using it. Would you put your Sophos email appliance up against the Mimecast web service and say yep, this does a good job?

    Thanks :)

  • Highly recommend you download the trial of VMware Workstation, then grab the 30-day trial of the SEA.

    This will give you more of a sense of its abilities. The SEA is an industrial email solution; there are not too many cloud services that can compete with the flexibility of being able to willy-nilly scan mail any way you wish or simply drop an entire country.

    It is "more" work but well worth the effort.

  • The only option available to you with SEA is turn it off or turn it on.

    Other than on or off you have no other controls over Sandstorm.

    You can't tell it to sandbox all Office documents.

    You can't tell it to sandbox all emails with attachments from a certain domain.

    You can't run a report to see which recipients are getting the most sandbox triggered emails.  You manually have to go to sandstorm monitoring, copy the sender, go to search and search for the sender.

    SEA only sandstorms what it wants to, not what you want it to.

    Remember it is called "Security Made Simple"

  • Hi Navar,

    Just for some clarification... You are correct when you say the reporting could be improved. Totally get that.

    Some of the reason for that is the way Sandstorm actually works and what information is given back from the sandbox service.

    You can't dictate file types or exclusions and similar because Sandstorm is a triggered event passed back from SAVI (the antivirus scanner). The high-level analogy is that the feature allows the Labs team to build "extra" hooks into file scanning.

    For example: the antivirus program (SAVI) can only arrive at a limited number of results. For example, the file contains a virus, it does not, it is the call on if a version will become available, or the file is damaged/incomplete.

    Sandstorm allows for additional actions where SAVI can make more informed decisions about the actual content of the file and whether the file should be detonated. Documents like Word documents may contain unscannable "undo" information in the header; traditionally the AV scanner would see that as the call on if a version will become available. With additional rules SAVI now has the ability to think like "I don't know exactly what this file does, so I will send it for detonation and await the results" rather than give a yes/no answer.

    Sandstorm is an added layer of security and rules logic.

  • Suppose you want to whitelist email from your good friends at example.com, but they are hosted on hostingservice.com.   From my scan of the product, you can whitelist the example.com email domain (and accidentally whitelist fraudulently addressed traffic as well), or you can whitelist the servers (and accidentally whitelist all of the other organizations on the service, if you can even determine a way to specify all of the servers.)   But you cannot do a two-factor authentication based on a trusted email domain running on a trusted server farm.   Am I mistaken?   I am currently shopping for a different spam filter, and I ruled out three Sophos products and one cloud-based product on this issue alone.

    There is a significant problem in the industry with websites deciding that if I log into their system, then they have the right to send email to me that is from my email address.   This is domain spoofing, and anyone who tries to defend against email fraud using SPF/DKIM/DMARC should understand that this is a really bad thing.   But some very big companies are doing it and some big spam filtering vendors are allowing them to do it on their platform.   This means that I have to whitelist the source, so the issue of how I whitelist a domain+server combination is very important.

    I have not yet found any vendor that has a good approach to sender authentication.   SPF/DKIM/DMARC leave authentication as a sender option, and senders care about getting their email accepted, not about preventing fraud.   The same big company that is spoofing my domain, and uses a major cloud-based spam vendor to do so, has the following sender authentication in place:

    • SPF: entry ends in SoftFail
    • DKIM:  some mail is correctly signed, but there is no signing policy to make it mandatory
    • DMARC:   their DMARC policy asks for feedback but does not ask for any enforcement.
    • TLS:   Corporate mail from them is encrypted, but marketing mail that is sent using their domain name is sent unencrypted.

    Consequently, if SPF/DKIM/DMARC are how I detect whether a message is really from them or not, I am doomed.   If the 100,000-employee companies are not willing to protect against spoofing, why should we think that SPF/DKIM/DMARC will ever be a sufficient defense.   WannaCry reminded us that one bad email can take down critical infrastructures.  Where is the vendor hustle and buyer demand to fix this problem?

    It is time for somebody to deliver a product that puts the recipient system manager in charge of deciding whether a sender is sufficiently authenticated or not.   I have a 15-page document describing what should be possible with existing technologies (document available on request), but so far I have not found a vendor who is even thinking about the problem from this perspective.   The biggest players seem to think that their content filtering is so good that source filtering is unimportant.   I am unconvinced.

    Given a lack of vision, DMARC is the best mechanism available for sender-authentication, so my next spam filter must support DMARC.  DMARC actually has three functional components:   

    1. enforcing the domain owner's policy on my incoming mail,
    2. collecting data and sending feedback reports to the domain owner about problematic mail (so they can close infected accounts and fix SPF/DKIM configuration errors), and
    3. processing feedback from others about mail from my domain.   (This is a database function, not a spam filtering function, so it is solved differently.)

    I would expect an up-to-date spam filter to do both of the first two functions. I understand that S.E.A. is the only Sophos product that can do DMARC enforcement, but can it send feedback?
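The "domain plus server" allowlist the post above asks for, and the DMARC enforcement step it describes, as an added example (not Sophos or Mimecast code). The policy table, network ranges and sample messages are constructed; relaxed DMARC alignment is approximated by a parent/subdomain check rather than a public-suffix lookup.

```python
"""Recipient-managed sender admission: allowlist only when BOTH the From: domain
and the relaying server are trusted, otherwise fall back to DMARC alignment."""
from dataclasses import dataclass, field
import ipaddress

# Constructed policy: example.com is trusted only when its mail actually comes
# from the (constructed) ranges its hosting provider uses for that customer.
TRUSTED_SENDERS = {
    "example.com": ["203.0.113.0/24", "198.51.100.10/32"],
}

@dataclass
class Message:
    header_from: str                  # domain of the RFC 5322 From: header
    envelope_from: str                # domain of MAIL FROM (SPF identity)
    connecting_ip: str                # IP of the relay that delivered to us
    spf_result: str                   # "pass", "softfail", "fail" or "none"
    dkim_domains: list = field(default_factory=list)  # verified DKIM d= values

def two_factor_allowlisted(msg: Message) -> bool:
    """Both factors: a trusted From: domain AND a relay on that domain's list.
    Another tenant on the same hosting ranges has no entry, so it fails."""
    nets = TRUSTED_SENDERS.get(msg.header_from.lower())
    if not nets:
        return False
    ip = ipaddress.ip_address(msg.connecting_ip)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def dmarc_aligned(msg: Message) -> bool:
    """DMARC pass: SPF pass on an aligned MAIL FROM, or a verified DKIM
    signature whose d= aligns with the From: domain (relaxed alignment)."""
    hf = msg.header_from.lower()
    def aligned(d: str) -> bool:
        d = d.lower()
        return d == hf or d.endswith("." + hf) or hf.endswith("." + d)
    spf_ok = msg.spf_result == "pass" and aligned(msg.envelope_from)
    dkim_ok = any(aligned(d) for d in msg.dkim_domains)
    return spf_ok or dkim_ok

def admit(msg: Message) -> str:
    """'allowlist' needs both factors; 'accept' needs DMARC alignment;
    a SoftFail spoof of a trusted domain from an unknown relay is 'filter'."""
    if two_factor_allowlisted(msg):
        return "allowlist"
    if dmarc_aligned(msg):
        return "accept"
    return "filter"
```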

  • The SEA needs to be completely overhauled. I consider it not much more than a mom-and-pop email gateway.

    The Sophos is great.

    Time of Click is a great safety feature.

    Does it catch spam? Yes.

    Problem areas:

    Poor reporting.

    Don't even think about using the encrypted email function, as it is the same technology that the hackers use, and many companies block and drop SPX.

    What is SPX? SEA takes your original email and turns it into a password-protected PDF (SPX) with attachments, then creates a new email and attaches the SPX file. The recipient must (MUST) have Adobe Reader installed (no other PDF readers are supported) to view the SPX. But this only applies if there was an attachment in the original email. Do you allow password-protected files to pass through your current email gateway unscanned for viruses? Most don't.

    The user spam portal doesn't have a search function. End users really hate this.

    Time of Click doesn't always apply to all URLs, especially when they are longer than 256 characters.

    Sophos has two types of support: free with your purchase, or advanced, which costs extra. Free has much longer wait times.

    If you need to have a BAA signed by Sophos, the odds are they won't sign it, especially if your company needs to comply with HIPAA.

    There are far better email gateways to choose from.