AV Engine Spam and Endpoint

Hello @all,

are the antivirus engines the same for Sophos Endpoint Protection an Sophos Email Protection?

I ask because if a virus slips through the spam it usually takes a while until the new definitions have arrived at the endpoint and it would be recognized there.

Thx for the Informations

  • the AV engine is the same, however they are meant to be used together.  IMO ANY one product will not sufficiently protect against AV.  a minimum of two is required  (generally the gateway and desktop client) but for the best protection, something like this would be the best:

    • Gateway device such as an email appliance - its main responsibility is to catch known items up to the second it's delivered.
    • Puremessage for Exchange (AV only install) - this will scan the email box servers and quarantine anything that is detected after the email is delivered (so if you get a 0 day at 11pm and a detection is found at 11:30pm it would be removed before the user starts work at 8am.
    • Desktop client - it is the only client that can scan encrypted files and the best protection against malicious programs running on the workstation. (required)
    • Intercept X - is a powerful 4th line of defense that specifically targets crypto ware and APT's.


  • I catch 0 day files from the SEA on a daily basis - It can take 12 hours for Sophos to add them to database. I also run puremessage to help catch the files the SEA miss.


    The virus/email checking on Sandstorm does appear to respond differently to the results from samples@sophos.com submissions. Does anyone know why this happens?

    I would like to think they are both checked in the same way?

  • In reply to Tony Smith2:

    Sandstorm does not replace any sort of checking.

    what it does do ... in a nut shell..

    normally SAV will scan a file, it will get a result of YES or NO (in VERY high-level terms there definitely a lot more to it) .. Sandstorm gives SAV the ability to say "maybe"  it also adds additional logic / rule sets that automatically sends files for detonation.   (again, lot more to it but this will do)

    generally its designed for things like office documents, pdf's or similar..  without getting into the weeds.. those document formats may contain things like macros or un-scanable, un/do data or a bunch of other things specific to embed content. 

    these features help Sandstorm be an effective 3rd layer of defense in addition to the normal av scanning


    so theirs nothing random about it, its just that the files your seeing may not be triggering the same rules in SAV.