Strange Message in SMTP Virusscan Log

Hi all,

quite old thread but still relevant. I can see the same message in my SMTP log for all internal domains on UTM version 9.414. Is this by design when you do not have configured SMTP profiles?

Thanks
Daniel

Scanning can be skipped if the attachment is large or encrypted, depending on site sertings.  Could these apply in your situation?

Hi, I just checked that but no, it also happens for emails without any attachment. Thanks for the hint though.

Hi,

In UTM, we scan mail for AV at two places. at

1. At the time when email is accepting (SMTP time).
2. At time email policy applies (policy time).

If you want to reject malware at SMTP time use enable "SMTP->malware->Scan During SMTP Transaction".

If this config is disabled then you can find logs like "Skipping SMTP inline AV scan for this message" but, policy time AV scanning is performed. When you check full logs you can find other log lines like " AV: calling CSSD for single scan (engine: PRIMARY)". This scanning logs are pointing av scan perform at policy time (dual / Single).

In short, this is normal behavior.

Thanks

Hi Sachin,

that sounds reasonable. Thanks for clarifying.

Daniel

Sorry to bring up this old case but I have another question:

What is the advantage to scan during SMTP transfer? Is this using a different engine? Any disadvantage?

Sorry to bring up this old case but I have another question:

What is the advantage to scan during SMTP transfer? Is this using a different engine? Any disadvantage?

Here is my inference, based on comparing the UTM help text to other products I have used:

SMTP Transaction phase has two block points:

• Some messages can be blocked based on sender blacklists or SPF, immediately after the "SMTP Hello".   If you block at that point, the sender knows he was blocked.  Subject, body, and attachments are never transmitted.   So you save bandwidth, but you communicate rejection.   The logs will not contain the Subject because it was never communicated, so the logs are less helpful for detecting false positives.
  
  
• Blocks based on message content can only occur after the entire message is received.   When blocks occur at this point, the sender thinks the message was accepted, so he will not know that he was blocked.   (You could send and NDR, but should not, because fraud in the email system creates the risk of backscatter notices to the wrong entity.)

Policy Phase:

After the message is fully accepted, it can still be blocked, based on profile-specific policies.   This means that a multi-recipient message could potentially be allowed for some destination domains and blocked for others.

In general, I would always recommend checking in both places, and use both antivirus engines.   There is simply too much hostile email to do otherwise.

astiadmin said:

What is the advantage to scan during SMTP transfer? Is this using a different engine? Any disadvantage?

Technically speaking, reject during SMTP Transfer leaves the email still on the senders mailserver queue and therefore in their responsibility, e.g the email has not been delivered to the recipient (recipient's mailserver). In some circumstances for legal purposes this could be very beneficial :)

During SMTP Transfer phase, only one AV scanner is used, and it's the one definied in Management > System Settings -> Scan Settings.

Thanks.  Good to have clarification.