Hi,
In UTM, we scan mail for AV at two places. at
If you want to reject malware at SMTP time use enable "SMTP->malware->Scan During SMTP Transaction".
If this config is disabled then you can find logs like "Skipping SMTP inline AV scan for this message" but, policy time AV scanning is performed. When you check full logs you can find other log lines like " AV: calling CSSD for single scan (engine: PRIMARY)". This scanning logs are pointing av scan perform at policy time (dual / Single).
In short, this is normal behavior.
Thanks
Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Here is my inference, based on comparing the UTM help text to other products I have used:
SMTP Transaction phase has two block points:
Policy Phase:
After the message is fully accepted, it can still be blocked, based on profile-specific policies. This means that a multi-recipient message could potentially be allowed for some destination domains and blocked for others.
In general, I would always recommend checking in both places, and use both antivirus engines. There is simply too much hostile email to do otherwise.
Here is my inference, based on comparing the UTM help text to other products I have used:
SMTP Transaction phase has two block points:
Policy Phase:
After the message is fully accepted, it can still be blocked, based on profile-specific policies. This means that a multi-recipient message could potentially be allowed for some destination domains and blocked for others.
In general, I would always recommend checking in both places, and use both antivirus engines. There is simply too much hostile email to do otherwise.