Exclude entries from Inbound allow list from Enhanced Email Malware Scan?

Hey Sophos Team and Sophos Community,

an entry on the Inbound allow list does not exclude the mails sent by our mail server to bypass the Enhanced Malware Scan by Sophos when we have files attached.

Is there a way to exclude entries from inbound allow list from Enhanced Email Malware Scan (ideally without disabling EEMS as a whole for all  regular mails).

This would make my work a lot easier. Otherwise, I will have to bypass Sophos as a whole, which is possible, but requires triple the communication and paperwork.

Looking very much forward to some ideas or insights.

EDIT:

The menu entry "e-mail policy" allows me to edit the Base Policy - Data Loss Prevention. I can add domains there which should exclude the mails from this sender from the scanning process. Unfortunately it doesn't work like I thought.

My mails with attachments still go through Intelix Threat Analysis, and it deletes them. How do I create rules or policies or exceptions for that? I know I can disable that as a whole, but that is not my goal. I want certain mail servers to basically have a get out of jail free card.



Updated the post with new findings and new questions
[edited by: Luk123 at 8:18 PM (GMT -7) on 17 Jun 2022]
Parents
  • Also can someone explain to me which setting is ON and which is OFF? It's not that clear to me.

  • If there is a green indicator, it basically means, the rule is enabled. The labling is kinda off. But Central in general uses the left option to enable something and the right option means, it is disabled. 

    And there are two different frameworks. The DLP and the Scan Framework. Basically the DLP Framework is to keep stuff outside/Inside you do not want. And the Scanning Engine is to protect your network from attacks. Two different stories (Like Protection and Control, one can allow/permit something, the other is to protect you). 

    So as far as i know, you cannot use DLP rules to skip Protection methods. 

    The question is: Why is intelix deleting your Emails? Is it a false positive? And why? You could engage with Labs to find the reason and maybe resolve this problem. 

    __________________________________________________________________________________________________________________

  • Thanks. I kinda guessed about the indicator, but I am glad you can confirm this. Good to know about central being the opposite.

    Thanks for giving that clarification. It kinda dawned on me when I had time to think about it over the weekend. So it only makes sense that these rules only apply to the corresponding framework and not to the other one.

    I can live with the answer that it is not possible. At least then I can move on and find another way to achieve my goal.

    It's only right that intelix is deleting my mails. From a technical standpoint I am very much so sending that should be detected. So congratulations on intelix doing what it is supposed to do. I can't go into detail, but it's all in accordance with the law and the people receiving those mails. Therefore, I would have wished to find an "official" way to "whitelist" that service. This would have been the easiest and most transparent for everyone involved.

  • As a follow-up to this for anyone reading this in the future:

    I am basically benchmarking different security solutions in regard to that aspect.

    A quick comparison: TrendMicro didn't detect my mails as well as Sophos, but it has the feature to whitelist domains with wildcard from all security frameworks. To be fair though I didn't set up policies as strict as Sophos does from the box. Anyway.

    If Sophos implemented this in the future this would be great and will surely make it an even better product.

Reply
  • As a follow-up to this for anyone reading this in the future:

    I am basically benchmarking different security solutions in regard to that aspect.

    A quick comparison: TrendMicro didn't detect my mails as well as Sophos, but it has the feature to whitelist domains with wildcard from all security frameworks. To be fair though I didn't set up policies as strict as Sophos does from the box. Anyway.

    If Sophos implemented this in the future this would be great and will surely make it an even better product.

Children
No Data