Sophos Firewall: v18.5 MR3: Feedback and experiences

Hi,

Lots of spam coming through since update, did not change anything. Any clue?

Pills, drugs and sex al getting past the spam checks.

Quarantine is empty, for a few days now, used to have 20~25 mails a day going to quarantine.

Hi,

Lots of spam coming through since update, did not change anything. Any clue?

Pills, drugs and sex al getting past the spam checks.

Quarantine is empty, for a few days now, used to have 20~25 mails a day going to quarantine.

Eicar test email did get blocked and quarantined, but that was bij AV engine.

UTM did this movement towards SASI and we found an issue in UTM. 

https://support.sophos.com/support/s/article/KB-000042345?language=en_US

Could be potentially the same issue, could you please verify, if you see the same issue on your SFOS Appliance? 

My XG115w rev 3 is letting spam through and it is running v19 eap2 which has the anti-spam update from the 24th March.

Ian

Only this in log:

2022-03-29.17:30:35 MESSAGE [Main] [ precompile.cpp:687] [Precompile thread]: Signatures are out of sync. Fetching new signatures.
2022-03-29.17:30:36 MESSAGE [Main] [ precompile.cpp:580] Downloaded file /sdisk/sasi/asdb.tmp is verified with checksum..
2022-03-29.17:30:37 MESSAGE [Main] [ engine.cpp:790] Database loaded of version: 2022.3.29.150919
2022-03-29.17:30:37 MESSAGE [Main] [ precompile.cpp:701] [Precompile thread]: New signatures are fetched and successfully loaded.
2022-03-29.17:54:38 MESSAGE [Main] [ precompile.cpp:580] Downloaded file /sdisk/sasi/asdb.delta is verified with checksum..
2022-03-29.17:54:39 MESSAGE [Main] [ engine.cpp:790] Database loaded of version: 2022.3.29.152718
2022-03-29.17:54:39 MESSAGE [Main] [ precompile.cpp:758] [Precompile thread]: Signatures are reloaded with latest delta and verified with checksum of new signatures.
2022-03-29.18:10:49 MESSAGE [Main] [ main.cpp:78] LASE Daemon STARTED
2022-03-29.18:10:49 MESSAGE [Main] [ main.cpp:80] LASE Daemon Version: 4.1.4
2022-03-29.18:10:50 MESSAGE [Main] [ laseserver.cpp:372] Lased started on port : 25315

CPU Has at least SSSE3:

SFVH_SO01_SFOS 18.5.3 MR-3-Build408# grep flags -m1 /proc/cpuinfo
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm cpuid_fault epb invpcid_single pti tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt ibpb ibrs stibp dtherm ida arat pln pts

LuCar Toni Hi Toni, Spam is getting out of hand, a few mail are getting labeled as [SPAM] but a lot of 100% spam is getting through, I'm getting complains about this. Scrolling through the e-mail logs i see lots of spam mails that just getting approved.

What's going on, this needs to be fixed. I already stopped the roll-out to our customers.

Bart

Do you have a Support Case for this? 

@LuCar Toni

No this is on a home XG (it's my home firewall, and also a LAB setting), we always install first on test devices before rolling out to customers.

The SASI brokenness will supposedly be fixed in 18.5.4 MR4 and 19.0.1 MR1. NC-90702 is the tracking reference for this problem.

Hi LuCar Toni,

Support fixed the spam module problem for me, they uploaded a new binary that has the fix.

It was related to IPv6 running on my device, and some other problem that broke spam detection.

Support case: 05143473 / XG 18.5.3 MR3 Spam detection / ref:_00D301GN6a._5003Z1OUzhS:ref

Can confirm fix will be public in MR4