3CX DLL-Sideloading attack: What you need to know

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 14 subscribers
  • Views 1543 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Mails quarantined multiple times in email Security and data protect

prifesport

Hello all,

I am currently starting to use Sophos Central Mail. First tests with the end-user quarantine have shown that released mails sometimes end up in the quarantine again after being released by another policy.

Here is the process I am observing:

1. mail (with unscannable attachment) comes in and is scanned
2. email security module quarantines mail because attachment can't be scanned
3. user gets quarantine summary
4. user releases the mail

up to here everything as I expect it but then:

5. data protection module detects the released mail as unscannable and moves it back to quarantine

Maybe I missed the point or it is intentional but my wish is that a deliberately released mail cannot be quarantined by another scan.

Maybe someone can help me.

Many greetings
Stephan



This thread was automatically locked due to age.
  • 0

    Hello ,

    Thank you for reaching out to the community, This is a known behavior in some cases. The issue XGE-19926 seems to be related. In addition, we would need to confirm what was the reason for quarantine in the first place, as well as what was the reason in the second place. There may be two reasons for quarantining it again after releasing. According to the known issue, the first cause is BULK and the second one is DLP, so what was the reason you noticed?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Vivek Jagad

    Hi Vivek,

    Thank you for your quick response.

    the first action was due to unscannable content.

    With the second event I only see that it was the data control. But there is only an attachment filter included, so it could have been only the attachment.

    Hopefully this information will help.

    Regards

    Stephan

  • 0 in reply to prifesport

    Hey ,

    Alright, thank you for the update, this does not seems to be related to the known issue mentioned !
    I would suggest to log a support request and get this further investigated !! 

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

Unfiltered HTML