
Puremessage not scanning Inbound and Outbound for Anti-Virus. Only Internal

Hey Guys,

We have some trouble with Anti-virus scanning on Inbound and Outbound E-Mails....
If I send an E-Mail with a Virus in a .doc File to someone in my Company, PureMessage Quarantined this message. The Settings for "On infection" are the same as for Inbound, Outbound and Internal but it's only working for Internal Mails.

We have a Sophos Mail Appliance (ES100) in front of our Exchange Server and PureMessage is installed on our Exchange Server. Both Systems didn't find the Virus in the .doc File (CXmail/OleDI-A Virus). The Activity monitor will notice this Virus only on internal messages.

Any ideas what's wrong?



This thread was automatically locked due to age.
  • Hey Benedikt! Thanks for your post..
    If you send an EICAR test...does it block the email?

    Proceed with the following steps to enable X-headers:
    Open Puremessage admin console
    Select anti-spam (under the left pane - transport SMTP scanning policy)
    Select configure subject tags and x-headers (right pane)
    Select x-header for unscanned, spam and spam score
    Hit OK and save changes

    Send an email from an external account. Check the email headers....do you see any internal MTA besides the exchange server itself? If you're using the email appliance, you should see something like.....received from "email appliance IP address" by "exchange server IP address"

    Make sure you have your trusted relays in place...in your case the email appliance ip address.

    PureMessage uses the configured mail domains, trusted upstream relays, and IP address of the connecting host to distinguish between inbound, outbound and internal mail.

    How does PureMessage route mail?
    1. Is the recipient domain on the configured mail domain list?
    No: the message is outbound.
    Yes: go to step 2.

    2. Is the sender’s IP address external?
    Yes: the message is inbound.
    No: go to step 3.

    3. Is the sender’s IP address internal or unavailable?
    Internal: go to step 4.
    Unavailable: the message is internal.

    4. Is the internal IP address on the list of trusted relays?
    Yes: the message is inbound.
    No: the message is internal.


    Make sure puremessage transport agent is loaded and active on the exchange transport...
    open exchange powershell
    run the cmdlet: Get-TransportAgent

    Send an email from an external account with the following string in the subject and email body: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


    Thanks
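
The four routing steps in the reply above, written out as an added example (not part of the original thread and not Sophos code). The function name, the domains and the IP addresses are constructed, and treating "internal" as membership in a configured list of networks is an assumption. It shows why a mail appliance missing from the trusted relay list makes relayed external mail count as internal.

```python
from ipaddress import ip_address, ip_network


def classify(recipient_domain, connecting_ip, mail_domains,
             trusted_relays, internal_networks):
    """Return 'outbound', 'inbound' or 'internal' following the four steps.

    connecting_ip is None when the address is unavailable.
    internal_networks is an assumption: the thread does not say how
    PureMessage decides that an address is internal.
    """
    # Step 1: recipient domain not on the configured mail domain list -> outbound
    if recipient_domain.lower() not in {d.lower() for d in mail_domains}:
        return "outbound"
    # Steps 2/3: an unavailable address is not external, and step 3 maps it to internal
    if connecting_ip is None:
        return "internal"
    ip = ip_address(connecting_ip)
    # Step 2: external connecting address -> inbound
    if not any(ip in ip_network(net) for net in internal_networks):
        return "inbound"
    # Step 4: internal address that is a trusted relay -> inbound, otherwise internal
    if any(ip == ip_address(relay) for relay in trusted_relays):
        return "inbound"
    return "internal"


def demo():
    """Constructed scenario: appliance 10.0.0.25 relays to Exchange."""
    domains = ["example.com"]
    nets = ["10.0.0.0/8"]
    appliance = "10.0.0.25"
    return {
        # External mail relayed by the appliance, appliance listed as trusted relay
        "relayed_trusted": classify("example.com", appliance, domains, [appliance], nets),
        # Same mail, but the appliance is missing from the trusted relay list
        "relayed_untrusted": classify("example.com", appliance, domains, [], nets),
        # External host connecting directly to Exchange
        "direct_external": classify("example.com", "203.0.113.5", domains, [appliance], nets),
        # Recipient outside the configured mail domains
        "to_other_domain": classify("example.org", "10.0.0.40", domains, [appliance], nets),
        # No connecting address available
        "no_ip": classify("example.com", None, domains, [appliance], nets),
    }


if __name__ == "__main__":
    for case, direction in demo().items():
        print(f"{case}: {direction}")
```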
  • Hey Ziggyedman :)

    Thanks for your reply. Before I wanted to start the tests, I sent the Mail with my Virus attachment again and now it works. Internal, Inbound and Outbound, the Message will not get through.
    I didn't do any changes but I noticed that PureMessage detects the Mail now as Troj/DocDI-BEF. Two days ago the internal Message was blocked and detected with CXmail/OleDI-A. Inbound and Outbound had not been detected as I said.

    E-Mail Headers and trusted relays are fine. Same IP-Address entries.
    A transport agent with the Name "PmE15Transport" is on state "true" and Priority "1". Is this the PureMessage transport agent?

    Looks like PureMessage is working correctly now and with our Sophos ES100 as mail gateway they should do the job as best as they can. :)

    Thanks!
  • Hey Benedikt!
    Great to know that puremessage is working properly....strange though, that it was not being detected even by the email appliance...
    It could happen to be "zero day" for that virus (I haven't checked that but will do tomorrow), it might not be detected during a short period, while we don't have the detection data for it...but since it was being detected by the internal smtp policy...I don't know...
    Was it being detected by the smtp scan or by the store scan?

    PmE15Transport and PmE15Protocol are the 2 puremessage transport agent components, loaded into the Exchange 2013 transport service (MS Exchange 2007 and 2010 use a different version; PmE12Transport and PmE12Protocol)....all the scanning at the smtp level are performed by the agents...

    Cheers!