A small subset of incoming email messages are appearing in user inboxes in a strange format which I'd characterise as "MIME not decoded properly" format. For example, the first few lines of one message:
Content-Type: text/plain; charset="utf-8"
There doesn't seem to be any pattern to this yet; or at least none I've identified. There are no other MTAs involved - just Office 365, Sophos in MTA mode, and the internal Exchange server. Since most messages are working, I'm not even sure where to start with this or what other information will help, so any suggestions are welcomed.
Edit: There appears to be a significant difference in the SMTP headers. The "broken" email I have shows headers like this:
Content-Type: text/plain; charset="iso-8859-1"
Compare that to a working email from the same sender to the same recipients:
Is it possible the Sophos is breaking it apart and reassembling poorly during scanning? There doesn't appear to be anything obviously "strange" in the re-sent copy that worked.
Same problem here; 17.5 MR4-1.
Most messages have no issues; some have broken content (attachment scan issue?)
Content-Type: text/plain; charset="us-ascii"
[#8781751] support ticket
I have the exact same problem with SFOS 17.5.4 MR-4-1 on Sophos XG 135 device with MTA mode. Random messages will come through garbled and corrupt looking very similar to the above.
[#8783646] Web support query
This problem has existed since 17.5 and has not been solved by the authorities. It seems to be the problem of anti-virus.
In reply to Ben ni:
Had this issue today for the first time... So no update on this? If it is a problem of av, which engine then? Sophos av engine?
In reply to Jelle:
As far as I can see the first mail was caught by sandstorm. Evaluation took about 11 minutes. As that mail was not usable because of the issue the mail was resent by the sender. This time the email passed sandstorm as the attachments were known to XG and it came to the user's postbox without any issue.
Who else with this issue has sandstorm active?
Coincidentally or not, I too use sandstorm, however I get this corruption on emails with and without attachments.
I personally suspect the anti virus sub system, because I have one particular sender which we trust explicitly for which I have a policy to bypass everything except for anti virus, and I still get random emails from them being corrupted by my XG.
To this point I have been engaged by level 1 and level 2 Sophos support agents with logs pulled and requests for remote support assistance, but they have now gone dark on the matter and I have not had interaction on it for a while now.
In reply to Louis Swanepoel:
Installed an XG135 HA Cluster last Wednesday for a customer. No Sandstorm subscription but they report the same issue. Using SFOS 17.5.4 MR-4-1.
The header of the email is converted to:
Content-Type: text/plain; charset="iso-8859-1"Content-Transfer-Encoding: quoted-printable
The email is received from Office 365. If the sender resends the email it usually gets through without problems.
Dual scanning is enabled and a requirement from the customer. File Protection and Data Protection are both turned OFF.
So SFOS 17.5.5 MR-5 is out and no mention whatsoever of a fix for this....
Apologies for any inconvenience caused, there is currently an open ID related to this (NC-44646) that our team is investigating. If you think you are also affected, please raise a support case referencing this ID, and send me a PM for tracking purposes.
Louis Swanepoel I reviewed the activities within your support case (#8783646), please reply back to the latest email with the requested logs and samples so that further investigation can be performed.
PRC_N Please reply back to the latest email (#8781751) with your availability for a remote troubleshooting session.
Please don't hesitate to PM me directly if you have any questions or concerns.
I have had this issue and received a patch that fixes it.
The tech let me know that this is fixed in v17.5MR6.
If you are receiving the email but the content is jumbled/malformed, copy it to a base64 decoder and it should output the email fine. This is just for urgent emails where you need to have the content.
Apparently MR6 will be out end of May. I would suggest that if you cannot wait, log a case and refer to the bug ID FloSupport has put in.
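The manual decode workaround described in the post above, as an added example that is not part of the original thread or Sophos tooling: it parses the text a mail client displayed raw as the MIME part it is and decodes it locally, so the message content is not pasted into a third-party decoder. It goes beyond base64 by honouring whatever Content-Transfer-Encoding the leaked header declares (quoted-printable also appears in this thread); the function names and the sample message are constructed for illustration.

```python
import base64
import re
from email import message_from_string
from email.policy import default

# Delimiter lines ("--boundary" / "--boundary--") visible when a multipart body leaks.
BOUNDARY_LINE = re.compile(r"^--\S+[ \t]*$", re.MULTILINE)


def recover_parts(visible_text):
    """Return [(content_type, decoded_text)] for each text MIME part in the leaked body."""
    text = visible_text.replace("\r\n", "\n")
    results = []
    for chunk in BOUNDARY_LINE.split(text):
        chunk = chunk.strip("\n")
        if not chunk.lower().startswith("content-"):
            continue  # preamble, epilogue, or ordinary text: nothing to decode
        part = message_from_string(chunk + "\n", policy=default)
        if part.get_content_maintype() != "text":
            continue  # only recover readable text; leave attachments untouched
        # get_content() undoes the declared transfer encoding, then the charset.
        results.append((part.get_content_type(), part.get_content().strip()))
    return results


def constructed_sample():
    """Constructed example of a body that arrived with its MIME structure undecoded."""
    b64 = base64.b64encode(b"Quarterly report is attached, thanks.").decode("ascii")
    return (
        "--000_constructed_boundary\n"
        'Content-Type: text/plain; charset="utf-8"\n'
        "Content-Transfer-Encoding: base64\n\n"
        f"{b64}\n"
        "--000_constructed_boundary\n"
        'Content-Type: text/plain; charset="iso-8859-1"\n'
        "Content-Transfer-Encoding: quoted-printable\n\n"
        "Gr=FC=DFe aus K=F6ln, see you =\nnext week\n"
        "--000_constructed_boundary--\n"
    )


if __name__ == "__main__":
    for ctype, body in recover_parts(constructed_sample()):
        print(f"[{ctype}] {body}")
```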
In reply to KingChris:
Thank you Jelle. I raised a case. Waiting for the fix now.
In reply to J_d_G:
The patch was applied last Friday. The customer is now testing functionality.
In reply to FloSupport:
When do you roll out 17.5 MR6? You wrote end of May.
Somebody also wrote that the patch is testing. That's over a month ago.
My Case: #8874601