
False Positive

So what exactly happens when you use the "Release and report false positive" option in Mail Manager?


  • Has this ever been answered?

     

    I'm interested too, wondering if the UTM is learning or whether it is only reported back to Sophos?

     
    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • It has been explained before that Sophos hands off the message to the Antivirus subsystem, which then returns an accept or reject signal. I assume that if you flag something as a false positive, they merely pass the information on to the antivirus engine(s) that tripped the alarm. The implications of that information will trickle into the continuous update process from the Antivirus subsystems.

  • I think this is a different question, Doug.  This has to do with anti-spam, in particular with ctasd (the CommTouch anti spam daemon).  For every incoming email, ctasd calculates a RefID like:

    RefID:str=0001.0A02020E.5CCF3583.000E,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0

    This is sent to a cloud server at CYREN (formerly CommTouch) that then compares the RefID to its database of RefIDs of known spams and responds with 'Confirmed' (an almost-perfect match with one), 'Bulk' (a close match), 'Suspect' or 'Unknown'.  Bulk is qualified as Spam.  Unknown and Suspect are delivered.

    When one reports it as a false positive, this is relayed to CYREN.  I don't know the details of how they use that to automatically update their database.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
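
Added example, not part of the original thread and not Sophos or CYREN code: a small Python helper for triaging quarantined mail before using "Release and report false positive". It splits a RefID like the one quoted above into its key=value fields and maps the four verdicts to an action. Assumptions: the function names and action labels are hypothetical, the fields are treated as opaque because the thread does not define them, and treating 'Confirmed' as spam is an assumption (the post only states it for 'Bulk').

```python
import re

# Verdicts named in the post: Bulk is treated as spam, Unknown and Suspect
# are delivered. Quarantining Confirmed is an assumption of this example.
DISPOSITION = {
    "confirmed": "quarantine",
    "bulk": "quarantine",
    "suspect": "deliver",
    "unknown": "deliver",
}

_REFID = re.compile(r"RefID:\s*(\S+)")


def parse_refid(line):
    """Return the RefID's key=value fields as a dict, or None if absent or damaged."""
    m = _REFID.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group(1).split(","):
        key, sep, value = part.partition("=")
        if not sep or not key:
            return None  # reject rather than guess at a truncated RefID
        fields[key] = value
    return fields if "str" in fields else None


def disposition(verdict):
    """Map a verdict to an action; unrecognized verdicts are flagged for review."""
    return DISPOSITION.get(verdict.strip().lower(), "deliver-and-review")


def triage(records):
    """records: iterable of (log_line, verdict) -> list of (str field, action)."""
    out = []
    for line, verdict in records:
        fields = parse_refid(line)
        ref = fields["str"] if fields else "<unparsed>"
        out.append((ref, disposition(verdict)))
    return out


# Constructed sample input: the first RefID is the one quoted in the post,
# the second line is deliberately truncated.
SAMPLE = [
    ("RefID:str=0001.0A02020E.5CCF3583.000E,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0", "Bulk"),
    ("RefID:str=0001.0A02020E,ss", "Unknown"),
]
```
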
  • Thank you for elaborating on this Bob.

     