
XG Firewall email scanning

Hello

I recently updated my Cyberoam vUTM to Sophos XG. After configuring the email scanning rule I'm still receiving infected emails; checking the attachment with virustotal.com says the Sophos engine and Avira engine should detect it, but they don't.

Can somebody help me?


Thank you all



  • I have been able to get outgoing mail scanned. I have copied the rule, but reversed some of it, and am waiting to see what happens over a couple of days. When the Mac finishes its upgrade I will check and update this thread.

    Ian

    No, didn't work, setup is entirely different. I need to think this through.

    Ian,

    home UTM 9.x running in ESXi 6 e3-1275v2

    AP55c and AP10 (courtesy Astaro)

    Three other UTMs, SUM and SFM in hibernation

    XG 15.x MR3 in hibernation

  • Hi DarioQuesada,

    Have you read the Knowledgebase Articles on Email Protection? Here are several articles that might help: 

    It seems like the second article will be more helpful; it enables IP reputation, which might help your situation here.

    If not, the first article and the links within it will help you recreate the filtering rule from scratch, as missing some settings might compromise the rule.

    Please reply to this post if you need more help!

    Cheers,
    DJ Kim.

  • Thank you

    I'll check the KB articles, but I think the problem I am having is with the policy rule I created: if I put origin WAN, destination LAN, the viruses attached to the incoming mails are not removed...
    Is there some way to only remove the attached file instead of the entire email?

    Regards
  • I believe this article https://community.sophos.com/kb/en-US/123359 might help you with just that.

    Under Delivery Option for: Infected Attachment, select Remove and Deliver.

    That should do it! Just remember to create the Business Application Rule that allows for SMTP scanning (also described in the article).

    If that doesn't do it, please post in this thread again.

    Cheers,

    Paul Kim

  • Hello Kim

    I have configured the rule as shown, with Remove and Deliver, but it still deletes and replaces the body of the email. This is the message I receive instead of the original (as you can see in the subject, the firewall adds "Infected Attachment Removed", but all of the body content is replaced too):

    Asunto: [Infected Attachment Removed] Fwd: prueba virus
    Fecha: Wed, 16 Dec 2015 13:59:18 +0100
    De: Dario <dario@tapiatelecom.com>
    Para: soporte@tapiatelecom.com


    Sophos Anti Virus has found Infected Attachment in the following message:
    ----------------------
    From: dario@tapiatelecom.com
    To: soporte@tapiatelecom.com
    Date: 2015-12-16 13:59:10


    Virus Name(s): 'HIDDENEXT/Worm.Gen'
    Attachment Name(s): factura-A1-0005801571_.pdf.zip
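    Because the firewall delivers only its own notice text in place of the original message, that notice is the one record a mailbox owner or SOC has of what was stripped. The following is an added example, not code from the thread or from Sophos: a small Python parser for the notice format quoted above, which extracts the sender, recipient, date, detection names and attachment names into a structured record, and flags the attachment name for a double extension (the `.pdf.zip` pattern shown in the post). The sample notice is constructed to mirror the quoted one; the addresses, the `example.invalid` domain and the function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Subject prefix the firewall prepends to the replacement notice (as quoted in the thread).
NOTICE_SUBJECT_TAG = "[Infected Attachment Removed]"

# Constructed sample notice mirroring the format quoted in the post; addresses are fictitious.
SAMPLE_NOTIFICATION = """\
Sophos Anti Virus has found Infected Attachment in the following message:
----------------------
From: sender@example.invalid
To: soc@example.invalid
Date: 2015-12-16 13:59:10


Virus Name(s): 'HIDDENEXT/Worm.Gen'
Attachment Name(s): factura-A1-0005801571_.pdf.zip
"""


@dataclass
class InfectedAttachmentNotice:
    sender: str
    recipient: str
    date: str
    virus_names: List[str]
    attachment_names: List[str]


# One regex per field; MULTILINE so ^/$ anchor on individual lines of the notice body.
_HEADER_RE = re.compile(r"^(From|To|Date):\s*(.+?)\s*$", re.MULTILINE)
_VIRUS_RE = re.compile(r"^Virus Name\(s\):\s*(.+?)\s*$", re.MULTILINE)
_ATTACH_RE = re.compile(r"^Attachment Name\(s\):\s*(.+?)\s*$", re.MULTILINE)

# Extensions that are commonly used as the "inner" part of a deceptive double extension.
_DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "png", "txt"}


def is_replacement_notice(subject: str) -> bool:
    """True if the subject carries the firewall's replacement tag."""
    return subject.strip().startswith(NOTICE_SUBJECT_TAG)


def _split_list(raw: str) -> List[str]:
    """Split a comma separated 'Name(s)' value and drop the surrounding quotes."""
    return [item.strip().strip("'\"") for item in raw.split(",") if item.strip()]


def parse_notice(body: str) -> Optional[InfectedAttachmentNotice]:
    """Parse the notice body; returns None if it is not a recognisable notice."""
    if "has found Infected Attachment" not in body:
        return None
    headers = dict(_HEADER_RE.findall(body))
    virus = _VIRUS_RE.search(body)
    attach = _ATTACH_RE.search(body)
    if virus is None or attach is None:
        return None
    return InfectedAttachmentNotice(
        sender=headers.get("From", ""),
        recipient=headers.get("To", ""),
        date=headers.get("Date", ""),
        virus_names=_split_list(virus.group(1)),
        attachment_names=_split_list(attach.group(1)),
    )


def has_double_extension(filename: str) -> bool:
    """True for names like invoice.pdf.zip, where a document extension hides before the real one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in _DOCUMENT_EXTENSIONS


def to_log_line(notice: InfectedAttachmentNotice) -> str:
    """Render the parsed notice as a single key=value log line for a SIEM."""
    suspicious = any(has_double_extension(name) for name in notice.attachment_names)
    return (
        f"event=infected_attachment_removed from={notice.sender} to={notice.recipient} "
        f"date={notice.date!r} virus={','.join(notice.virus_names)} "
        f"attachment={','.join(notice.attachment_names)} double_extension={suspicious}"
    )


if __name__ == "__main__":
    parsed = parse_notice(SAMPLE_NOTIFICATION)
    if parsed is not None:
        print(to_log_line(parsed))
</test>
    A mail-flow rule that matches on the subject tag can route these notices to a shared mailbox, and a script running `parse_notice` over that mailbox gives a per-recipient view of stripped attachments that the replaced body no longer provides.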
  • What was the message (body) of the email?
  • Hello,

    The message was:

    "This is a email test, with an attached virus."

    With text including name, company position, phone number and several images in the email signature.

    All of this is lost in the email delivered by the Sophos XG firewall.

    Best regards
  • Hi DarioQuesada,

    Sorry for the wait!

    As it turns out, the feature is currently working as intended; meaning that there is currently no option to remove the attachment and keep the body/message. This was done to prevent the body text from containing links or other embedded ways for malware to be downloaded.

    Of course, you can always request a feature at http://feature.astaro.com/forums/330219-sophos-xg-firewall/. There, you can formally request that we add an option to delete the attachment but keep the body of the email. It would be filed under Email Protection, and then our community and Sophos engineers can evaluate the request and add it to an update in the future.

    Cheers,
    DJ Kim

  • Ok,
    I thought remove and deliver was the option to 'remove the attachment and deliver the body' but if you say that this is the intended working of the feature then it's working well.

    Thank you!!! (and merry xmas ;) )