End Point Sec and Protection - Email / pop3 protection?

We've moved from KAV Business Space Security to EPSC 9.7 deployed via EC 4.7.

As a test I've received several eicar laced emails and all came through ok to the EPSC clients and it wasn't until we saved then executed the files (.com .exe) that an alert came up. On the KAV clients the emails were removed from Outlook and replaced with a virus found message, even on the odd client we have with Avast we were denied access to the virus emails.

I've searched and searched within the EC policies in relation to email / pop3 (Outlook clients) protection and can find nothing to configure for email protection. Am I missing something?

Thanks.

:13221
  • Hello Buddy,

    It might be unfamiliar that access to an email is not intercepted when it contains a malicious attachment. The important thing is that the content is blocked when you're actually about to "use" it. It is not necessary to decode and scan the attachments "in advance". Usually the gateway should scan and remove such messages in the first place but if it doesn't on-access will intercept the open of a decoded attachment.

    Christian   

    :13241
  • Thanks for the reply, surprised and disappointed to say the least. A very fundamental protection is missing :(

    :13523
  • What do you think is missing? As I said you can't open malicious content. Admittedly you could perhaps forward the entire mail to someone else - is that your concern?

    Christian

    :13527
  • The product is missing the ability to scan pop3 / smtp traffic, instead it's relying on the on-demand scanner to catch the payload. Symantec, Kaspersky, Avast, Comodo, AVG etc. all intercept mail (inc all the free versions), can't fathom why Sophos doesn't.

    For example pop3 email comes in virus embedded, it's possible for a user to forward that mail from within the email client on to other users and the Sophos wouldn't prevent it as the payload isn't saved or run. Also the mind set of users is the AV software gets to virus laced emails before they even have a chance to do anything with it, now they are left to open those attachments at their leisure.

    :13563
  • Ok, I'll try again. If the payload is in some way "unscannable" - like a password protected zip file - it will get through (or otherwise such content would never be delivered). Thus it has to be scanned again anyway when opened (unless the information about the scan during transfer is kept somewhere - where would that be?). Furthermore decoding and extracting during transfer significantly delays the download and could also lead to timeouts. Still - as noted above - it wouldn't catch all threats and "just in time" scanning couldn't be waived.

    Actually this kind of scan should be performed by the gateway, IMO POP3 scanning is overrated and a relic.

    "now they are left to open those attachments at their leisure"

    Only if they'd forward it somewhere else where no AV is installed as already noted.

    Christian

    :13571
  • I understand what you're saying but you're missing or choosing to ignore my point. Sophos EPSP doesn't offer mail protection beyond last gasp brute force approach. Free products (for personal use) manage it far better and I'm disappointed having extensively used the likes of Symantec Endpoint, Kaspersky Business Space and Trend Micro Business Security that Sophos is so poor in this area.

    Decoding and extracting attachments does not significantly delay or cause issues in my experience when using POP3 scanning in any scenario I've used. Nor is POP3 scanning overrated or a relic. There are circumstances where it is advantageous to run dedicated clients outside of the scope of groupware platforms.

    I was expecting as with other products that Sophos end point client protection would include the ability to safely manage dangerous email payloads upon their arrival without the need to execute a virus to get protection.

    :13619
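
The thread turns on what a scan during transfer can and cannot see: decoded attachments can be checked before delivery, but a password-protected zip stays unscannable and needs a scan when opened. The Python example below is added here to illustrate that and is not part of any post or any vendor's code; the signature match is a stand-in for a real engine, and the message, archives and helper names are constructed for the example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Stand-in signature: the marker text of the EICAR test file, not a real engine.
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
RANK = {"clean": 0, "unscannable": 1, "infected": 2}

def scan_payload(data: bytes) -> str:
    """Return 'infected', 'unscannable' or 'clean' for one decoded payload."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "infected" if SIGNATURE in data else "clean"
    verdict = "clean"
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.flag_bits & 0x1:      # bit 0 set: member is encrypted
                member = "unscannable"    # no password, content cannot be inspected
            else:
                member = scan_payload(archive.read(info))
            verdict = max(verdict, member, key=RANK.get)
    return verdict

def scan_message(raw: bytes) -> dict:
    """Decode every attachment of a raw message, as a transfer-time scan would."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): scan_payload(part.get_payload(decode=True))
            for part in msg.iter_attachments()}

def make_zip(name: str, data: bytes, encrypted: bool = False) -> bytes:
    """Constructed sample archive; 'encrypted' only sets the header flag bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x01  # central-directory flags
    return bytes(raw)

def build_sample() -> bytes:
    """Constructed message carrying three attachments."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    for name, body in [("test.com", SIGNATURE),
                       ("plain.zip", make_zip("a.com", SIGNATURE)),
                       ("locked.zip", make_zip("a.com", SIGNATURE, True))]:
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Running `scan_message(build_sample())` flags the bare attachment and the plain archive, while the locked archive gets no verdict on its content until something opens it with the password.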