Mail scanner does not detect incoming Malware.

Hi,

what you haven't told us is your incoming mail setup.

Do you use imap because the UTM doesn't scan imap currently only smtp and pop3.

The malware would have been caught on the wayout by the smtp scanning.

Please put ina feature request for imap scanning.

Sorry,

Came in via SMTP Proxy

Was marked as spam, when I released it and forwarded I got the message.

Log:

/var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:50:51 firewall exim-in[7784]: 2017-02-15 13:50:51 H=(hmrcg0v.co.uk) [146.20.65.136]:54525 Warning: jimbojones.com profile excludes greylisting: Skipping greylisting for this message
/var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:50:51 firewall exim-in[7784]: 2017-02-15 13:50:51 H=(hmrcg0v.co.uk) [146.20.65.136]:54525 Warning: jimbojones.com profile excludes SANDBOX scan
/var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:50:52 firewall exim-in[7784]: 2017-02-15 13:50:52 [146.20.65.136] F=<service-jimbo=jimbojones.com@hmrcg0v.co.uk> R=<jimbo@jimbojones.com> Verifying recipient address with callout
/var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:13 firewall exim-in[7784]: 2017-02-15 13:51:13 1cdzyu-00021Y-1J DKIM: d=hmrcg0v.co.uk s=key c=relaxed/relaxed a=rsa-sha1 [invalid - public key record (currently?) unavailable]
/var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:14 firewall exim-in[7784]: 2017-02-15 13:51:14 1cdzyu-00021Y-1J <= service-jimbo=jimbojones.com@hmrcg0v.co.uk H=(hmrcg0v.co.uk) [146.20.65.136]:54525 P=esmtp S=146907 id=0.0.0.0.1D287917DA14CAC.1AC5FEA0@hmrcg0v.co.uk
/var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:14 firewall exim-in[7784]: 2017-02-15 13:51:14 SMTP connection from (hmrcg0v.co.uk) [146.20.65.136]:54525 closed by QUIT
/var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:20 firewall smtpd[7932]: SCANNER[7932]: 1cdzzM-00023w-Dv <= service-jimbo=jimbojones.com@hmrcg0v.co.uk R=1cdzyu-00021Y-1J P=INPUT S=145531
/var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:20 firewall smtpd[7932]: SCANNER[7932]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="146.20.65.136" from="service-jimbo=jimbojones.com@hmrcg0v.co.uk" to="jimbo@jimbojones.com" subject="HMRC Secure Communication" queueid="1cdzzM-00023w-Dv" size="145531" reason="as" extra=""
/var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-23:03:00 firewall exim-out[8786]: 2017-02-15 23:03:00 1cdzzM-00023w-Dv => jimbo@jimbojones.com P=<service-jimbo=jimbojones.com@hmrcg0v.co.uk> R=static_route_hostlist T=static_smtp H=My.LAN.IP.2 [My.LAN.IP.2]:25 C="250 2.0.0 Ok: queued as 929496086CE0"

OK Thanks Bob

I will do that

Jeff

Thanks, Jeff, but the mystery deepens...  It wasn't found to have a virus by either Avira or Sophos AV by our SMTP Proxy.  I'm hesitant to open the Word document as it contains an encrypted file.

I'm sure they'd rather have this reported by you: Submitting samples of suspicious files to Sophos

Cheers Bob

Thanks Bob,

No don't its not worth the risk !

The weird thing is detecting it outbound !

I will send the sample

Jeff

Hi Bob, run the file through virustotal.com to see which scanners detect it and why even avira is missing it. Although sophos AV is intercepting the outbound mail as virus, in my experience avira has a much higher detection rate.

Hi Billybob

Sophos AV detects it on my desktop, I had to disable on Access AV scanning temporarily to upload it to Sophos

Aha, I get it now. Are you using endpoint protection or a standalone subscription. In either case a virustotal.com test will still be interesting even if it is a false positive.

Hi Billybob

I use Endpoint protection that is provided free with UTM 9, the mail proxy is handled by the UTM but I had to save the file from the email in order to submit to sophos, this is when endpoint kicked in. so I disabled OAS sent the sample deleted and re enabled OAS

Jeff

Thats ok. I remember when endpoint protection was first introduced, wingman did a lot of tests for endpoint protection vs UTM protection and he found results similar to yours. Some of the problems were fixed after his discoveries but sadly, now I see the quality of UTM detection is slipping again[:@] In any case thanks for the heads up.

Edit: A false positive; which was my first inclination. Have taken out sophos bashing after Bob's findings below[:D]

UTM Endpoint on my laptop did not see anything bad, nor did virustotal.

Cheers - Bob

Thanks for taking the time Bob. I don't know what we would do without you[:D] I have edited my post above accordingly[;)]

Thanks for taking the time Bob. I don't know what we would do without you[:D] I have edited my post above accordingly[;)]

Hi Bob and Billybob,

Thanks for the help but am a bit confused

Are you saying this is a false positive that has been detected by both OAS and outgoing mail scanner ?

Jeff

I don't know, Jeff.  I don't understand what happened to cleanse the message when it was forwarded to me, but that appears to be what happened.  Very strange.

Cheers - Bob

Hi Bob,

OK Thanks, I did open the file you returned to me. There were no alarms from UTM or Sophos Endpoint OAS but there was no content in the file.

To check I tried to open the original and it still triggered the OAS as a virus.

Jeff

Wow, now that's some nifty malware, Jeff.  You might need to send the entire mail as an attachment instead of forwarding it.  Try sending it to me that way.

Cheers - Bob

Still no update on this from Sophos !

Doing their bang up job as normal !