Hi,
In UTM, we scan mail for AV at two places.
If you want to reject malware at SMTP time, enable "SMTP -> Malware -> Scan During SMTP Transaction".
If this config is disabled, then you can find logs like "Skipping SMTP inline AV scan for this message", but policy-time AV scanning is performed. When you check the full logs you can find other log lines like "AV: calling CSSD for single scan (engine: PRIMARY)". These scanning logs indicate that the AV scan is performed at policy time (dual / single).
In short, this is normal behavior.
Thanks
Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Here is my inference, based on comparing the UTM help text to other products I have used:
SMTP Transaction phase has two block points:
Policy Phase:
After the message is fully accepted, it can still be blocked, based on profile-specific policies. This means that a multi-recipient message could potentially be allowed for some destination domains and blocked for others.
In general, I would always recommend checking in both places and using both antivirus engines. There is simply too much hostile email to do otherwise.
astiadmin said: What is the advantage to scan during SMTP transfer? Is this using a different engine? Any disadvantage?
Technically speaking, rejecting during SMTP transfer leaves the email on the sender's mail server queue and therefore in their responsibility, e.g. the email has not been delivered to the recipient (the recipient's mail server). In some circumstances, for legal purposes, this could be very beneficial :)
During the SMTP transfer phase, only one AV scanner is used, and it's the one defined in Management > System Settings -> Scan Settings.
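The two block points described in this thread (inline scanning during the SMTP transaction versus profile-specific policy scanning after acceptance), modelled as a small Python simulation. This is an added example, not Sophos or UTM code: the MTA, the per-domain policy, the recipient addresses and the log strings (which merely echo the lines quoted earlier in the thread) are all constructed, and the "scanner" is a stand-in that only recognises the well-known EICAR test signature. It shows why a reply code matters: a 5xx at DATA time leaves the message in the sender's queue, while a 250 moves responsibility to the receiving side, where a multi-recipient message can then be blocked for some domains and allowed for others.

```python
"""Model of the two AV block points: inline (SMTP DATA) vs. policy phase.

Added example, not UTM code. The MTA, domains, policy and log lines below
are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The EICAR test string stands in for a real malware verdict; the scan()
# below is a stand-in, not the UTM engines (constructed for the example).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str


@dataclass
class Mta:
    """Minimal receiving MTA with the two scan points discussed above."""
    inline_scan: bool                                   # "Scan During SMTP Transaction"
    block_domains: set[str] = field(default_factory=set)  # hypothetical per-domain policy
    accepted_queue: list[Message] = field(default_factory=list)
    log: list[str] = field(default_factory=list)

    @staticmethod
    def scan(body: str) -> bool:
        """Stand-in AV verdict: True if the EICAR signature is present."""
        return EICAR in body

    def smtp_data(self, msg: Message) -> str:
        """Reply to the SMTP DATA command.

        With inline scanning on, malware gets a 5xx reject and never enters
        our queue (it stays the sender's problem). With it off, everything is
        accepted with 250 and scanning is deferred to the policy phase.
        """
        if self.inline_scan:
            self.log.append("AV: inline scan during SMTP transaction (engine: PRIMARY)")
            if self.scan(msg.body):
                return "554 5.7.1 Message rejected: malware detected"
        else:
            self.log.append("Skipping SMTP inline AV scan for this message")
        self.accepted_queue.append(msg)
        return "250 2.0.0 Ok: queued"

    def policy_phase(self) -> dict[str, str]:
        """Per-recipient verdicts for accepted mail (profile-specific policy).

        The same message can be blocked for one destination domain and
        delivered to another, exactly the behaviour described in the thread.
        """
        verdicts: dict[str, str] = {}
        for msg in self.accepted_queue:
            self.log.append("AV: calling CSSD for single scan (engine: PRIMARY)")
            infected = self.scan(msg.body)
            for rcpt in msg.recipients:
                domain = rcpt.split("@", 1)[1]
                verdicts[rcpt] = "blocked" if infected and domain in self.block_domains else "delivered"
        self.accepted_queue.clear()
        return verdicts


def run(inline_scan: bool) -> dict:
    """Push one constructed multi-recipient EICAR message through the MTA."""
    sender_queue = [Message("a@sender.example",
                            ["x@strict.example", "y@lax.example"],
                            "hello " + EICAR)]
    mta = Mta(inline_scan=inline_scan, block_domains={"strict.example"})
    reply = mta.smtp_data(sender_queue[0])
    if reply.startswith("2"):
        sender_queue.pop()  # the sending MTA only discards its copy after a 2xx
    return {
        "reply": reply,
        "left_on_sender": len(sender_queue),
        "verdicts": mta.policy_phase(),
        "log": mta.log,
    }


if __name__ == "__main__":
    for mode in (True, False):
        print(f"inline_scan={mode}: {run(mode)}")
```

Running it with inline scanning on yields a 554 reply, one message still in the sender's queue and no policy verdicts at all; with it off the message is accepted, the "Skipping SMTP inline AV scan" line appears, and the policy phase blocks the strict.example recipient while delivering to lax.example.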
Thanks. Good to have clarification.