Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 1 subscriber
  • Views 6257 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[9.314]Malware attachments going into Quarantine

mayday175
For a while now we have had emails with malicious attachments going into quarantine instead of being dropped/blackholed. See the attached image for an example of emails received recently. 

Occasionally, users release their quarantined email and recklessly open the attachment... fortunately Sophos Endpoint protection detects and removes the file at this point.

So, why are these emails with malware attached going to Quarantine? I would prefer they were dropped altogether... the end user should never see emails with malware attached.

Our UTM's SMTP Antivirus settings are as follows:
- Reject malware during SMTP transaction = Enabled
- Antivirus Scanning = Blackhole, Dual Scan, Quarantine unscannable = enabled
- MIME type filter = all disabled (default, I think)
- File extension filter = exe, js, etc (default, I think)

I have toggled every setting on/off just to make sure they are set correctly... but won't know if that helped til the quarantine is monitored for a few days. Do you have any ideas what's happening here?

Thanks


This thread was automatically locked due to age.
Parents
  • 0
    Good detective work!  If you happened to notice one of these within an hour after it was caught, you could send the malware example to Sophos Labs.  After that, some AV company with a honeypot will have found it and distributed it to others.  No, there isn't a selection to blackhole emails with files containing extensions - only quarantine, so the comment in my prior post above is the accepted solution with the UTM.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    Good detective work!  If you happened to notice one of these within an hour after it was caught, you could send the malware example to Sophos Labs.  After that, some AV company with a honeypot will have found it and distributed it to others.  No, there isn't a selection to blackhole emails with files containing extensions - only quarantine, so the comment in my prior post above is the accepted solution with the UTM.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML