We moved from PureMessage on-premise to Sophos Email Gateway. The PureMessage installation has not been removed, as we are in the process of replacing our mail server, but it has no longer been updated since January 1, 2021. Sophos Email Gateway has now been found to deliver viral messages three times; they were detected by PureMessage and by Endpoint X as malicious.
I received an email from SophosLabs confirming that they were malicious in nature and that they will update their database:
"Your sample submission 04399005 has been analysed. The file(s) you submitted are malicious in nature and detection will be available on the Sophos Labs Database shortly. Please update Sophos Anti-Virus or Sophos Central Endpoint and run a Full System Scan to clean up this threat."
The problem is that the detection engines of both PureMessage and Endpoint X already detect these files, BUT Email Gateway with Sandbox did not.
- Is Email Gateway using a different database / detection Engine?
- Why are only Sandbox details available of viral messages (Intelix Threat Summary) and not of all messages with attachment types that require sandboxing?
- Furthermore, why can't we forward / submit viral messages to SophosLabs from the Emergency mailbox?
I have sent the email examples to SophosLabs, and according to Sophos Support the virus signature was added to the database and should now be stopped by Email Gateway. Both the old PureMessage and the up-to-date Endpoint X already detected it.
After that I was still able to send the viruses to Sophos Support (delivery successful) without triggering Sophos Email Gateway SAV and/or Sandbox.