18.5 MR3 and 19.0 onwards replace the anti-spam engine with SASI, which is used in Sophos UTM since last year and also in Sophos Mail.
The detection rate was significantly lower with the changeover on the UTM so the XG dev team learned nothing from that experience :-(
If you want a better detection rate, revert to 18.5 MR2, move your mail filtering somewhere else, or engage with Sophos Support to get the detection rate improved. Those suggestions are listed in order of time to resolution.
There's probably a case here for Sophos providing a discounted and pro-rated amount for a Sophos Mail subscription to cover the remainder of the Mail Protection subscription if they're not interested in replacing/improving a substandard anti-spam implementation with one that performs well (i.e. the one they ripped out).
SASI was in the Email Appliance for decades. So it is actually not a new technology. Instead it was used by most of the enterprise customers out there. Also SASI was used in Pure Message for Unix. You even find references to back in 2005 to SASI.
I would recommend to check your general settings of Spam Protection as well. SPF, DKIM etc.
There is an issue with UTM/SFOS and old hardware as well: https://support.sophos.com/support/s/article/KB-000042345?language=en_US
In general Central Email has more tools compared to UTM/SFOS. It works on a different level especially because of the architecture. As Sophos Labs is in control of the MX records, it can immediately detect spam waves and prevent this. Because you only have 3 different MX records for all customers, you see a broader scale of data compared to a decentralized spam solution like a firewall. Then there are smart banner etc. Other features to prevent spam of occurring in the first place.
Irrespective of SASI's heritage, its implementation in both UTM and SFOS has been underwhelming.
How did any QA team sign off on replacing an antispam engine with high detection rates with an engine that had two significant operational errors (evidenced by NC-90702 and NC-93678)?
Sophos Labs would have billions of ham and spam messages that could have been fed through both engines with appropriate metrics taken and then only swapping the antispam engine once the replacement offered the same or better detection rate.
As for Spam Protection settings they're the same between 18.5 MR2 and 18.5 MR4/18.5 MR3 with patch.
Finally, Central Email *should* have a ton of extra capability that you get from a cloud-scale implementation and workload. Given that Mail Protection is now a subscription add-on, perhaps consideration should be given to offloading antispam processing in a similar fashion to Zero-Day Protection? Why have all these cloud-scale implementation and capabilities with no ability for edge devices to make use of it?
Why doing Email on a Firewall in the first place? A Firewall is not a Email Proxy.
You can see, what the Labs are capable of doing : https://ai.sophos.com/demos/sophos-ai-catbert-phishing-detection-model-demo/
This kind of technology should not be run on a decentralized solution. Asking for Intelix all the time will take time. That is not useful.
I find your answer incredible.
you criticize us for using technology provided by Sophos (Antispam Engine).
This worked for years.
Suddenly, Sophos decides to change the way it works, and you ask us why we use this feature?
It's obvious. Because Sophos allows you to do it, and it costs less than the complete decentralized solution
Performing email on a firewall is logical because the firewall is first line of defence for an internal server. The edge device as promoted over many years.
moving mail to the cloud is not logical because you still have to provide a secure connection to the cloud server which exposes you to attacks.
XG115W - v20 GA - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.
That is not the case Ian. The approach in IT Security is to minimize the attack surface.
Nevertheless where your Email Solution is (Inhouse or hosted), to open the Email Solution to everybody is violating this approach. The better approach is to have something, which is secure, looking for your content and then approach you with a filtered message.
The question is: Are you able to monitore and react to any attacks going on to your firewall or not? What are you doing, if somebody is trying to exploit your email solution?
The other problem is: Is your Email service (internal server) secure? Is the product itself secure? Looking at solutions like Exchange, you can read about the several exploits out there and what damage they can cause.
Looking at hosted solutions, this approach is getting outdated.
About this point: Sebastien HENRY - What about the future and what about the current attack surface going on? You see everywhere customers getting exploited and attacked, because they use tech which is outdated and outdated approaches. Customers are moving to hosted Email solutions, because they do not want to deal with this stress anymore and other reasons.
Nevertheless, this is to far off topic for this thread anyway. That is just my opinion.
Since I can't wait for Sophos to release v19 MR1 and v18.5 MR4 won't fix the SASI hassle that's going on, I decided to downgrade to 18.5 MR2. However, this seems to be a problem sometimes.
I have a XGS126 that was upgraded from 18.5 MR2 to 19 GA. I could downgrade it back to 18.5 MR2 without any problem.
After that I tried to downgrade a XG210 that was upgraded from 18.5 MR3 to 19 GA. When uploading 18.5 MR2 or MR4 to the firewall it said "The firmware will boot the device with factory default configuration. Are you sure you want to continue?". Since I can't stand all the spam, I did it anyway and booted the uploaded 18.5 MR2. It indeed came up with factory defaults loaded. I tried to restore the latest config backup from 19 GA, but it just said that the firmware is not matching, so I restored an old backup from a time the firewall had installed 18.5 MR2, which worked. After that I just booted up the still present 19 GA firmware and the firewall came up with the restored MR2 config. I restored the latest 19 GA backup and booted the 18.5 MR2 firmware. I expected the firewall to come up with factory defaults again, but it still has the latest config running.
So thats the processes that work:
18.5 MR2 > 19 GA > 18.5 MR2/MR4 without factory reset
18.5 MR3 > 19 GA > 18.5 MR2/MR4 with factory reset > 19 GA > restore latest config from 19 GA > 18.5 MR2/MR4 without factory reset
Why do I need a factory reset if 18.5 MR3 was previously installed, but not if I skipped it? In both scenarios I go 19 GA > 18.5 MR2 in the end.
I do not have the answer to this point but MR2 will go End of Life soon. Per definition of the lifecycle policy: https://support.sophos.com/support/s/article/KB-000035279?language=en_US#xgfirewallsoftware
So i assume, it is not smart to go back in time to MR2.