Sophos email appliance with Sandbox. Does it do a good job? Say, compared to Mimecast.

Hi.

I know this is a bit of a daft question, as I'm asking on Sophos so of course you'll say Sophos. But then again...

So I'm looking at a Sophos email appliance, either virtual or physical (with the full sandbox facilities), as opposed to having it all done in the cloud via Mimecast. Our ISP is trying to sell us Mimecast, and I've said, well, I think Sophos should do pretty much the same job, except for archiving emails, which we have something else for, and at half the cost... Am I talking rubbish or does it do the job?

Those of you that are using the Sophos solution, do you think it's a sensible idea or not :)

  • Your best option is to use both for the right reasons.

    Sandstorm excels at office-type document scanning, for example .pdf, .doc, .docx files etc. The sandbox can detonate items with a potential payload (like a macro or script) and examine the results.

    Having layers of AV security is IMO a good thing and may help with 0-day infections.

    Sandstorm is a great feature but is not meant to replace traditional AV scanning; its purpose is to enhance scanning. For example:

    Without Sandstorm: SAV (Sophos Anti-Virus) has 2 options, Yes or No.

    With Sandstorm: SAV has a 3rd option, "maybe". Anything that it classifies as maybe is sent to the sandbox for scanning.

    In addition, the email appliance also has the ability to proxy identified links in emails. The appliance will re-write the link so that the destination is proxied through the appliance. Should a site be blocked by Labs as malicious, the request would be dropped. This is an added security feature of the appliance.

    As no one product will ever be your "silver bullet", a combination of products and features is one of the keys to a great security policy.

    Another technology you may wish to look at is Intercept X, which specifically deals with CryptoLocker.

    Ultimately... whatever works best in your environment is the correct answer.
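The link re-writing described above, as an added illustration that is not Sophos code and not part of the original post: outbound links in a message body are replaced with a proxy link carrying the original URL, and at click time the appliance-side resolver checks the destination against a block list before allowing the redirect. The proxy host, signing key and block list are constructed placeholders; the HMAC is an added detail so the rewriter cannot be abused as an open redirect.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Constructed placeholders (assumptions, not appliance values).
PROXY_BASE = "https://mail-appliance.example.invalid/go"
SIGNING_KEY = b"constructed-appliance-signing-key"
# Stands in for the vendor "labs" verdict feed; constructed sample.
BLOCKED_HOSTS = {"malware.example.invalid"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url: str) -> str:
    """HMAC over the original URL so a rewritten link cannot be forged."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:32]


def rewrite_links(body: str) -> str:
    """Replace every http(s) link in a message body with a proxied, signed link."""
    def repl(m: re.Match) -> str:
        original = m.group(0)
        token = base64.urlsafe_b64encode(original.encode()).decode().rstrip("=")
        return f"{PROXY_BASE}?u={token}&sig={_sign(original)}"
    return URL_RE.sub(repl, body)


def resolve_click(proxied: str) -> tuple[str, str]:
    """Click-time decision: ('allow', original_url) or ('drop', reason)."""
    q = parse_qs(urlparse(proxied).query)
    token, sig = q.get("u", [""])[0], q.get("sig", [""])[0]
    try:
        original = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
    except Exception:
        return ("drop", "malformed token")
    # Reject links whose token was altered after the appliance signed them.
    if not hmac.compare_digest(sig.encode(), _sign(original).encode()):
        return ("drop", "bad signature")
    # The verdict lookup happens at click time, so a host blocked after
    # delivery is still dropped.
    if urlparse(original).hostname in BLOCKED_HOSTS:
        return ("drop", "host blocked")
    return ("allow", original)
```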

  • Thanks for your very full reply.

    I think I worded my query wrong; the subject was more accurate than the rest of my waffling post.

    I've got AV/Intercept X.

    I'm just looking at an email appliance; our ISP currently does it for us. I don't love this device. So they've offered Mimecast, which does lots and sounds great, but costs a fortune. I can get the Sophos appliance with Sandstorm for less than half the price over three years. Yes, I have to manage it myself as opposed to the ISP doing the work, but I was really after those of you using it. Would you put your Sophos email appliance up against the Mimecast web service and say, yep, this does a good job?

    Thanks :)

  • Highly recommend you download the trial of VMware Workstation, then grab the 30-day trial of the SEA.

    This will give you more of a sense of its abilities. The SEA is an industrial email solution; there are not too many cloud services that can compete with the flexibility of being able to willy-nilly scan mail any way you wish or simply drop an entire country.

    It is "more" work but well worth the effort.

  • The only option available to you with SEA is to turn it off or turn it on.

    Other than on or off, you have no other controls over Sandstorm.

    You can't tell it to sandbox all Office documents.

    You can't tell it to sandbox all emails with attachments from a certain domain.

    You can't run a report to see which recipients are getting the most sandbox-triggered emails. You manually have to go to Sandstorm monitoring, copy the sender, go to search and search for the sender.

    SEA only sandstorms what it wants to, not what you want it to.

    Remember, it is called "Security Made Simple".

  • Hi Navar,

    Just for some clarification... You are correct when you say the reporting could be improved. Totally get that.

    Some of the reason for that is the way Sandstorm actually works and what information is given back from the sandbox service.

    You can't dictate file types or exclusions and similar because Sandstorm is a triggered event passed back from SAVI (the antivirus scanner). The high-level analogy is that the feature allows the Labs team to build "extra" hooks into file scanning.

    For example: the antivirus program (SAVI) can only arrive at a limited number of results. For example, the file contains a virus, it does not, it is the call on if a version will become available, or the file is damaged/incomplete.

    Sandstorm allows for additional actions where SAVI can make more informed decisions about the actual content of the file and if the file should be detonated. Documents like Word documents may contain unscannable "undo" information in the header; traditionally the AV scanner would see that as the call on if a version will become available. With additional rules, SAVI now has the ability to think like "I don't know exactly what this file does, so I will send it for detonation and await the results" rather than giving a yes/no answer.

    Sandstorm is an added layer of security and rules logic.