
EICAR Test virus not being picked up over SSLVPN

Hi there

I'm comparing Sonicwall to SophosUTM, more so around the end device protection. In this case I'm transferring an EICAR test virus between an SSLVPN user on both the Sonicwall and the SophosUTM via SMB/CIFS, and the Sophos does not detect the virus; however, the Sonicwall does, and blocks the transfer.

Is there a setting that will allow the Sophos to pick up the EICAR/any malware for SSLVPN user traffic? I identify SSL VPN users as a risk and would like to ensure we have protection around that.

Thanks


  • It all depends on how the traffic flows through the UTM device. Firewall rules do not look at traffic content, but each of the proxies does. UTM does not provide a proxy for CIFS/SMB, so the traffic flows through the firewall. UTM would block it if the transfer used FTP, HTTP, HTTPS, SMTP, or POP3 (with appropriate configuration of the relevant proxy module).

    CIFS/SMB traffic is normally protected on the endpoint device, which would be Sophos Endpoint Protection or Sophos Mobile.

    CIFS/SMB traffic would not normally flow through a perimeter device. You should block ports 139 and 445 in the firewall rules to protect against hostile email links that attempt to connect to malware sites using SMB. Obviously, VPN is an exception to this general rule, and there are legitimate reasons why you might want it available for VPN sessions.

  • Thanks for the reply on this.

    Do you think Sophos Endpoint Protection would help stop the spread of some sort of malware trying to encrypt, say, a network share over SMB from an infected endpoint?

    E.g. if my laptop (in this case infected) is connecting into SMB servers over SSLVPN, and the SMB server has Sophos AV on it, or any other AV, and the endpoint which is connected to the SSLVPN was infected and attempting to encrypt any files it could find; do you think the AV on the SMB server would stop that happening, or could it still do so?

  • It is a very good question.

    1) You reduce your risk if you minimize the number of devices that are allowed to cross into your network interior, both by limiting use of VPN and by limiting physical movement between home and office.

    2) You reduce your risk by trying to protect your devices even when they are outside your network. I am not currently a user of Sophos Endpoint, as our company standardized on a different anti-virus product. Based on my reading of marketing material, I think it has a good story about keeping laptops protected when they leave your network for home use or business travel. I do use the free version of Sophos Mobile on my cell phone, because it seemed a much more comprehensive solution than the one that came free with my cell-vendor-customized phone.

    3) You reduce your risk if you limit what a remote device is allowed to do. I suggest that remote access users should be limited to web, email, and terminal functions (RDP, Citrix, VDI, VNC, Telnet, or SSH). For the methods that allow file sharing over the terminal session, I suggest that these should be blocked. These limits will create a wall that is difficult for malware on an infected device to penetrate. If users really need to send and receive files, set up a carefully controlled dropbox arrangement specifically for this purpose. This does not help if the infected device is brought into the office tomorrow morning, but it does protect against the home PC that has your VPN software on it.

    4) The best defense against ransomware is File Server Resource Manager (FSRM) on Windows Server (2008 and above). You can do a web search on "using FSRM to block ransomware" for suggestions. You use it to allow or block specific file extensions. Most of the web examples suggest using a list of blocked file extensions. I suggest using it to create a list of allowed file extensions, blocking all others. In general, anti-virus software has trouble blocking ransomware.
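    The allow-list approach in point 4, written out as an added example (this is not code from the thread, from Sophos, or from Microsoft's documentation): a PowerShell script for Windows Server's File Server Resource Manager that builds a file group matching every file name except an allowed set of extensions, applies it as an active file screen on a share, and writes a warning event each time a write is blocked. The share path `D:\Shares\Data`, the extension list and the group name are assumed placeholders to adjust per share.

    ```powershell
    # Added example: FSRM allow-list file screen (not from the thread or from Sophos).
    # Assumes Windows Server 2012 R2 or later with the FileServerResourceManager module.
    # The share path, group name and allowed-extension list are placeholders.

    # 1. Install the FSRM role service if it is not already present.
    if (-not (Get-WindowsFeature -Name FS-Resource-Manager).Installed) {
        Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
    }
    Import-Module FileServerResourceManager

    $SharePath = 'D:\Shares\Data'   # placeholder: the share being protected
    $Allowed   = @('*.docx', '*.xlsx', '*.pptx', '*.pdf', '*.txt', '*.csv', '*.jpg', '*.png')

    # 2. A file group that matches every file name EXCEPT the allowed patterns.
    #    IncludePattern '*' catches everything; ExcludePattern carves out the allow-list,
    #    so any other extension (including the renamed files ransomware writes) is screened.
    $GroupName = 'Block all but allowed extensions'
    if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-FsrmFileGroup -Name $GroupName `
            -Description 'Allow-list: anything not in ExcludePattern is blocked' `
            -IncludePattern @('*') `
            -ExcludePattern $Allowed | Out-Null
    } else {
        Set-FsrmFileGroup -Name $GroupName -IncludePattern @('*') -ExcludePattern $Allowed
    }

    # 3. Log a warning in the Application event log whenever the screen blocks a write.
    #    [Source Io Owner] and [Source File Path] are FSRM's own substitution variables,
    #    which gives a SIEM rule a concrete user and path to alert on.
    $Notify = New-FsrmAction -Type Event -EventType Warning `
        -Body 'FSRM blocked [Source Io Owner] writing [Source File Path]: extension not on the allow-list'

    # 4. Apply an ACTIVE screen (Active = block the write, not merely report it).
    if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
        New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active -Notification $Notify | Out-Null
    } else {
        Set-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active -Notification $Notify
    }

    # 5. Show the resulting screen so the allow-list can be reviewed before users hit it.
    Get-FsrmFileScreen -Path $SharePath | Format-List Path, Active, IncludeGroup
    ```

    Two caveats worth keeping in mind when rolling this out: FSRM screens on file name only, so it stops ransomware that renames files to a new extension but not a strain that encrypts in place and keeps the original name; and a strict allow-list will break legitimate workflows the first time someone saves an unexpected format, so run the screen without `-Active` (passive mode) for a while and review the logged events before switching it to blocking.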

  • Thanks a lot.

    I'll look into FSRM. It may be an idea for Sophos to look into this, as Sonicwall already does this inspection on SMB traffic quite well.

    Thanks for the help
