This discussion has been locked.

Why malware not blocked, when Avira knows it is malware? Dual scan turned on.

User received an email with a zip file attachment containing a malicious .jar file.

I have Dual Scan turned on for Malware scanning in Email Protection. So the file should have been examined by both the Sophos engine and the Avira engine.

Running the file through VirusTotal.com reports that Sophos does not detect it. Only 6 of the 55 anti-virus systems did detect it, despite it being around since 2013. Avira is not one of the 55 that VirusTotal tests.

I went to the Avira web site to submit it there and it identified it as malware already:

Filename               Result
SGS Test Result.jar    MALWARE


The file 'SGS Test Result.jar' has been determined to be 'MALWARE'. Our analysts named the threat JAVA/Dldr.Agent.67578. The term "JAVA/" denotes a virulent Java-Applet or -Application. Detection is added to our virus definition file (VDF) starting with version 8.12.96.174.

It's a RAT called Adwind or Java/Agent.

So how did the email get through? 

SMTP log:

2016:06:01-16:54:01 astaro1-1 exim-in[9122]: 2016-06-01 16:54:01 SMTP connection from [211.75.1.130]:4150 (TCP/IP connection count = 1)
2016:06:01-16:54:01 astaro1-1 exim-in[9122]: 2016-06-01 16:54:01 SMTP connection from [211.75.1.130]:4241 (TCP/IP connection count = 2)
2016:06:01-16:54:02 astaro1-1 exim-in[9122]: 2016-06-01 16:54:02 SMTP connection from [211.75.1.130]:4410 (TCP/IP connection count = 3)
2016:06:01-16:54:03 astaro1-1 exim-in[22656]: 2016-06-01 16:54:03 [211.75.1.130] F=<lnfo@sgs.com.tw> R=<j@bordo.com.au> Verifying recipient address with callout
2016:06:01-16:54:03 astaro1-1 exim-in[22655]: 2016-06-01 16:54:03 [211.75.1.130] F=<lnfo@sgs.com.tw> R=<i@bordo.com.au> Verifying recipient address with callout
2016:06:01-16:54:03 astaro1-1 exim-in[22660]: 2016-06-01 16:54:03 [211.75.1.130] F=<lnfo@sgs.com.tw> R=<n@bordo.com.au> Verifying recipient address with callout
2016:06:01-16:54:06 astaro1-1 exim-in[9122]: 2016-06-01 16:54:06 SMTP connection from [211.75.1.130]:1028 (TCP/IP connection count = 4)
2016:06:01-16:54:08 astaro1-1 exim-in[22667]: 2016-06-01 16:54:08 [211.75.1.130] F=<lnfo@sgs.com.tw> R=<y@bordo.com.au> Verifying recipient address with callout
2016:06:01-16:54:12 astaro1-1 exim-in[22660]: 2016-06-01 16:54:12 1b802W-0005tU-0g ctasd reports 'Suspect' RefID:str=0001.0A150208.574E8694.0113,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=0
2016:06:01-16:54:12 astaro1-1 exim-in[22660]: 2016-06-01 16:54:12 1b802W-0005tU-0g Greylisting: Successful greylist retry from 211.75.1.130 (original host was 211.75.1.130/32)
2016:06:01-16:54:12 astaro1-1 exim-in[22660]: 2016-06-01 16:54:12 1b802W-0005tU-0g <= lnfo@sgs.com.tw H=211-75-1-130.hinet-ip.hinet.net (mail.netdoing.com.tw) [211.75.1.130]:4410 P=esmtp S=188480 id=201606011408353.SM03080@[91.213.233.184]
2016:06:01-16:54:13 astaro1-1 exim-in[22655]: 2016-06-01 16:54:13 1b802W-0005tP-0k ctasd reports 'Suspect' RefID:str=0001.0A150201.574E8694.01D9,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=0
2016:06:01-16:54:13 astaro1-1 exim-in[22655]: 2016-06-01 16:54:13 1b802W-0005tP-0k Greylisting: 211.75.1.130 is a known retry host
2016:06:01-16:54:13 astaro1-1 exim-in[22655]: 2016-06-01 16:54:13 1b802W-0005tP-0k <= lnfo@sgs.com.tw H=211-75-1-130.hinet-ip.hinet.net (mail.netdoing.com.tw) [211.75.1.130]:4150 P=esmtp S=188472 id=201606011405322.SM03172@[91.213.233.184]
2016:06:01-16:54:13 astaro1-1 exim-in[22660]: 2016-06-01 16:54:13 SMTP connection from 211-75-1-130.hinet-ip.hinet.net (mail.netdoing.com.tw) [211.75.1.130]:4410 closed by QUIT
2016:06:01-16:54:13 astaro1-1 exim-in[22656]: 2016-06-01 16:54:13 1b802W-0005tQ-0o ctasd reports 'Suspect' RefID:str=0001.0A150201.574E8694.01F1,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=0
2016:06:01-16:54:13 astaro1-1 exim-in[22656]: 2016-06-01 16:54:13 1b802W-0005tQ-0o Greylisting: 211.75.1.130 is a known retry host
2016:06:01-16:54:13 astaro1-1 exim-in[22656]: 2016-06-01 16:54:13 1b802W-0005tQ-0o <= lnfo@sgs.com.tw H=211-75-1-130.hinet-ip.hinet.net (mail.netdoing.com.tw) [211.75.1.130]:4241 P=esmtp S=188471 id=20160601140527.SM01820@[91.213.233.184]
2016:06:01-16:54:13 astaro1-1 exim-in[22655]: 2016-06-01 16:54:13 SMTP connection from 211-75-1-130.hinet-ip.hinet.net (mail.netdoing.com.tw) [211.75.1.130]:4150 closed by QUIT
2016:06:01-16:54:13 astaro1-1 exim-in[22656]: 2016-06-01 16:54:13 SMTP connection from 211-75-1-130.hinet-ip.hinet.net (mail.netdoing.com.tw) [211.75.1.130]:4241 closed by QUIT
2016:06:01-16:54:14 astaro1-1 smtpd[9117]: QMGR[9117]: 1b802W-0005tU-0g moved to work queue
2016:06:01-16:54:14 astaro1-1 smtpd[9117]: QMGR[9117]: 1b802W-0005tP-0k moved to work queue
2016:06:01-16:54:15 astaro1-1 smtpd[9117]: QMGR[9117]: 1b802W-0005tQ-0o moved to work queue
2016:06:01-16:54:16 astaro1-1 exim-in[22667]: 2016-06-01 16:54:16 1b802a-0005tb-22 ctasd reports 'Suspect' RefID:str=0001.0A150201.574E8698.0036,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=0
2016:06:01-16:54:16 astaro1-1 exim-in[22667]: 2016-06-01 16:54:16 1b802a-0005tb-22 Greylisting: 211.75.1.130 is a known retry host
2016:06:01-16:54:16 astaro1-1 exim-in[22667]: 2016-06-01 16:54:16 1b802a-0005tb-22 <= lnfo@sgs.com.tw H=211-75-1-130.hinet-ip.hinet.net (mail.netdoing.com.tw) [211.75.1.130]:1028 P=esmtp S=188478 id=201606011412736.SM01432@[91.213.233.184]
2016:06:01-16:54:16 astaro1-1 exim-in[22667]: 2016-06-01 16:54:16 SMTP connection from 211-75-1-130.hinet-ip.hinet.net (mail.netdoing.com.tw) [211.75.1.130]:1028 closed by QUIT
2016:06:01-16:54:18 astaro1-1 smtpd[9117]: QMGR[9117]: 1b802a-0005tb-22 moved to work queue
2016:06:01-16:54:20 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802m-0005uL-DD <= lnfo@sgs.com.tw R=1b802W-0005tP-0k P=INPUT S=187684
2016:06:01-16:54:20 astaro1-1 smtpd[22713]: SCANNER[22713]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="211.75.1.130" from="lnfo@sgs.com.tw" to="i@bordo.com.au" subject="Fw: SGS Test Results" queueid="1b802m-0005uL-DD" size="187684"
2016:06:01-16:54:20 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802W-0005tP-0k => work R=SCANNER T=SCANNER
2016:06:01-16:54:20 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802W-0005tP-0k Completed
2016:06:01-16:54:20 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802m-0005uL-Ta <= lnfo@sgs.com.tw R=1b802W-0005tQ-0o P=INPUT S=187684
2016:06:01-16:54:21 astaro1-1 smtpd[22713]: SCANNER[22713]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="211.75.1.130" from="lnfo@sgs.com.tw" to="j@bordo.com.au" subject="Fw: SGS Test Results" queueid="1b802m-0005uL-Ta" size="187684"
2016:06:01-16:54:21 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802W-0005tQ-0o => work R=SCANNER T=SCANNER
2016:06:01-16:54:21 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802W-0005tQ-0o Completed
2016:06:01-16:54:21 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802n-0005uL-AO <= lnfo@sgs.com.tw R=1b802W-0005tU-0g P=INPUT S=187684
2016:06:01-16:54:21 astaro1-1 smtpd[22713]: SCANNER[22713]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="211.75.1.130" from="lnfo@sgs.com.tw" to="n@bordo.com.au" subject="Fw: SGS Test Results" queueid="1b802n-0005uL-AO" size="187684"
2016:06:01-16:54:21 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802W-0005tU-0g => work R=SCANNER T=SCANNER
2016:06:01-16:54:21 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802W-0005tU-0g Completed
2016:06:01-16:54:21 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802n-0005uL-Ov <= lnfo@sgs.com.tw R=1b802a-0005tb-22 P=INPUT S=187684
2016:06:01-16:54:22 astaro1-1 smtpd[22713]: SCANNER[22713]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="211.75.1.130" from="lnfo@sgs.com.tw" to="y@bordo.com.au" subject="Fw: SGS Test Results" queueid="1b802n-0005uL-Ov" size="187684"
2016:06:01-16:54:22 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802a-0005tb-22 => work R=SCANNER T=SCANNER
2016:06:01-16:54:22 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802a-0005tb-22 Completed
2016:06:01-16:54:30 astaro1-1 exim-out[22727]: 2016-06-01 16:54:30 1b802m-0005uL-Ta => j@bordo.com.au P=<lnfo@sgs.com.tw> R=static_route_hostlist T=static_smtp H=192.168.1.9 [192.168.1.9]:25 C="250 OK"
2016:06:01-16:54:30 astaro1-1 exim-out[22727]: 2016-06-01 16:54:30 1b802m-0005uL-Ta Completed
2016:06:01-16:54:30 astaro1-1 exim-out[22721]: 2016-06-01 16:54:30 1b802m-0005uL-DD => i@bordo.com.au P=<lnfo@sgs.com.tw> R=static_route_hostlist T=static_smtp H=192.168.1.9 [192.168.1.9]:25 C="250 OK"
2016:06:01-16:54:30 astaro1-1 exim-out[22721]: 2016-06-01 16:54:30 1b802m-0005uL-DD Completed
2016:06:01-16:54:30 astaro1-1 exim-out[22734]: 2016-06-01 16:54:30 1b802n-0005uL-AO => n@bordo.com.au P=<lnfo@sgs.com.tw> R=static_route_hostlist T=static_smtp H=192.168.1.9 [192.168.1.9]:25 C="250 OK"
2016:06:01-16:54:30 astaro1-1 exim-out[22734]: 2016-06-01 16:54:30 1b802n-0005uL-AO Completed
2016:06:01-16:54:30 astaro1-1 exim-out[22737]: 2016-06-01 16:54:30 1b802n-0005uL-Ov => y@bordo.com.au P=<lnfo@sgs.com.tw> R=static_route_hostlist T=static_smtp H=192.168.1.9 [192.168.1.9]:25 C="250 OK"
2016:06:01-16:54:30 astaro1-1 exim-out[22737]: 2016-06-01 16:54:30 1b802n-0005uL-Ov Completed
2016:06:01-16:54:49 astaro1-1 smtpd[22713]: SCANNER[22713]: Nothing to do, exiting.

Running version 9.403-4
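To answer "how did it get through" from the log alone, it helps to correlate the three stages the UTM logs under different process names (exim-in, SCANNER, exim-out) by Exim message ID, so that each inbound copy is tied to the verdict the scanner actually recorded and to its onward delivery. The script below is an added example, not code from the thread or from Sophos. It assumes only the line layouts visible in the log above (the inbound `<=` line, the `ctasd reports` line, the SCANNER `<=` line whose `R=` field names the inbound ID, the `id="1000"` key="value" line carrying `name=` and `queueid=`, and the exim-out `=>` line with its `C=` response). The sample input is an excerpt of the log lines quoted above for two of the four copies; the script reports whatever `name` value the scanner logged rather than assuming any particular blocked-verdict string, so a copy that was not simply passed would stand out.

```python
"""Correlate Sophos UTM (Astaro) SMTP log lines for each inbound message across
the exim-in, SCANNER and exim-out stages, keyed by Exim message ID, so an admin
can see what verdict the scanner recorded before the message was relayed.
Added example; the regexes reflect the line formats seen in the thread's log."""
import re
from collections import defaultdict

# Excerpt of the log lines quoted in the thread (two of the four copies),
# kept in their original chronological order. Used here as sample input.
SAMPLE_LOG = """\
2016:06:01-16:54:12 astaro1-1 exim-in[22660]: 2016-06-01 16:54:12 1b802W-0005tU-0g ctasd reports 'Suspect' RefID:str=0001.0A150208.574E8694.0113,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=0
2016:06:01-16:54:12 astaro1-1 exim-in[22660]: 2016-06-01 16:54:12 1b802W-0005tU-0g <= lnfo@sgs.com.tw H=211-75-1-130.hinet-ip.hinet.net (mail.netdoing.com.tw) [211.75.1.130]:4410 P=esmtp S=188480 id=201606011408353.SM03080@[91.213.233.184]
2016:06:01-16:54:13 astaro1-1 exim-in[22655]: 2016-06-01 16:54:13 1b802W-0005tP-0k ctasd reports 'Suspect' RefID:str=0001.0A150201.574E8694.01D9,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=0
2016:06:01-16:54:13 astaro1-1 exim-in[22655]: 2016-06-01 16:54:13 1b802W-0005tP-0k <= lnfo@sgs.com.tw H=211-75-1-130.hinet-ip.hinet.net (mail.netdoing.com.tw) [211.75.1.130]:4150 P=esmtp S=188472 id=201606011405322.SM03172@[91.213.233.184]
2016:06:01-16:54:20 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802m-0005uL-DD <= lnfo@sgs.com.tw R=1b802W-0005tP-0k P=INPUT S=187684
2016:06:01-16:54:20 astaro1-1 smtpd[22713]: SCANNER[22713]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="211.75.1.130" from="lnfo@sgs.com.tw" to="i@bordo.com.au" subject="Fw: SGS Test Results" queueid="1b802m-0005uL-DD" size="187684"
2016:06:01-16:54:21 astaro1-1 smtpd[22713]: SCANNER[22713]: 1b802n-0005uL-AO <= lnfo@sgs.com.tw R=1b802W-0005tU-0g P=INPUT S=187684
2016:06:01-16:54:21 astaro1-1 smtpd[22713]: SCANNER[22713]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="211.75.1.130" from="lnfo@sgs.com.tw" to="n@bordo.com.au" subject="Fw: SGS Test Results" queueid="1b802n-0005uL-AO" size="187684"
2016:06:01-16:54:30 astaro1-1 exim-out[22721]: 2016-06-01 16:54:30 1b802m-0005uL-DD => i@bordo.com.au P=<lnfo@sgs.com.tw> R=static_route_hostlist T=static_smtp H=192.168.1.9 [192.168.1.9]:25 C="250 OK"
2016:06:01-16:54:30 astaro1-1 exim-out[22734]: 2016-06-01 16:54:30 1b802n-0005uL-AO => n@bordo.com.au P=<lnfo@sgs.com.tw> R=static_route_hostlist T=static_smtp H=192.168.1.9 [192.168.1.9]:25 C="250 OK"
"""

# Exim message IDs look like 1b802W-0005tU-0g (6-6-2 base-62 characters).
MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"

# Inbound acceptance: sender, sending host, source IP and accepted size.
RE_IN = re.compile(
    rf"exim-in\[\d+\]: \S+ \S+ (?P<id>{MSGID}) <= (?P<sender>\S+) H=(?P<host>\S+)"
    rf".*?\[(?P<ip>[\d.]+)\]:\d+ .*?\bS=(?P<size>\d+)")
# Anti-spam (ctasd) verdict for an inbound ID.
RE_CTASD = re.compile(rf"(?P<id>{MSGID}) ctasd reports '(?P<verdict>[^']+)'")
# Scanner re-queues the message under a new ID; R= names the inbound ID.
RE_SCAN_IN = re.compile(rf"SCANNER\[\d+\]: (?P<scan_id>{MSGID}) <= \S+ R=(?P<id>{MSGID})")
# Outbound relay of the scanner's queue ID with the downstream SMTP response.
RE_OUT = re.compile(
    rf'exim-out\[\d+\]: \S+ \S+ (?P<scan_id>{MSGID}) => (?P<rcpt>\S+) .*?C="(?P<code>[^"]*)"')
# key="value" pairs on the scanner's structured event line.
RE_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_log(text):
    """Return {inbound exim id: record} merging all three stages."""
    msgs = defaultdict(dict)
    scan_to_in = {}  # scanner queue id -> inbound exim id
    for line in text.splitlines():
        if (m := RE_IN.search(line)):
            msgs[m["id"]].update(sender=m["sender"], host=m["host"],
                                 ip=m["ip"], size=int(m["size"]))
        elif (m := RE_CTASD.search(line)):
            msgs[m["id"]]["spam"] = m["verdict"]
        elif (m := RE_SCAN_IN.search(line)):
            scan_to_in[m["scan_id"]] = m["id"]
            msgs[m["id"]]["scanner_id"] = m["scan_id"]
        elif "SCANNER[" in line and 'queueid="' in line:
            kv = dict(RE_KV.findall(line))
            in_id = scan_to_in.get(kv["queueid"])
            if in_id:  # record the verdict exactly as the scanner logged it
                msgs[in_id].update(verdict=kv.get("name"), to=kv.get("to"),
                                   subject=kv.get("subject"))
        elif (m := RE_OUT.search(line)):
            in_id = scan_to_in.get(m["scan_id"])
            if in_id:
                msgs[in_id].update(delivered_to=m["rcpt"], delivery_code=m["code"])
    return dict(msgs)


def delivered_after_pass(msgs):
    """Inbound IDs the scanner marked 'email passed' and exim then relayed with
    a 250 response: the copies to compare against the dual-scan expectation."""
    return sorted(i for i, r in msgs.items()
                  if r.get("verdict") == "email passed"
                  and r.get("delivery_code", "").startswith("250"))


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for in_id, r in sorted(records.items()):
        print(f"{in_id}: from {r['sender']} ({r['ip']}), spam={r.get('spam')}, "
              f"scanner={r.get('scanner_id')} verdict={r.get('verdict')!r}, "
              f"relayed to {r.get('delivered_to')} [{r.get('delivery_code')}]")
    print("passed and relayed:", delivered_after_pass(records))
```

Run against the full log it shows the same picture for all four copies: each was accepted, scored only 'Suspect' by the anti-spam engine, logged as "email passed" by the scanner, and relayed to the internal mail server with 250 OK, i.e. there is no scanner event at all that names the attachment, which is what a false negative by both engines looks like in this log rather than a misconfiguration of the delivery path.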



  • Have just received notification from Sophos re file I submitted:

    The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.

    • SGS Test Result.jar -- identity created/updated(New detection Troj/JavaBz-ALL)

    So the Sophos anti-virus engine will catch it in the future. But it should have been stopped because Dual Scan was turned on.

    Also, I have Sandstorm activated.

  • Hi,

    This is a case of a false negative. If you have submitted the sample and logs to support, they shall rectify it.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support