
Trouble with block Excel macro enabled files - works randomly

Dear All,

Excel macro-enabled files are quarantined by our Sophos E-Mail Protection, but sometimes it lets e-mails with a macro-enabled Excel file attached pass. We made a test with an external source who sent an e-mail with two Excel files (one is *.xlsm) to 3 users of our company. Two recipients were blocked (quarantined) and one passed. How is it possible, as there's no exception defined in E-Mail Protection?

Regards,

-Jacob



  • Hi Jacob,

    Please enable debug for SMTP logs, refer: https://www.sophos.com/en-us/support/knowledgebase/115325.aspx

    Resend the mail with Excel Macro and capture smtp.log. Post the logs here. Additional information required, "Sender email, receiver email, time stamp".

    Thanks 

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi there,

    Here you have the log where the first recipient of the e-mail receives a "passed" and the 2nd and 3rd receive a "quarantined".

    2016:06:09-13:19:42 xxxxx-x exim-in[4620]: 2016-06-09 13:19:42 H=mx2.xxxx-xxxxxxxxx.xx (HSPMSG03.hex.local) [xxx.xxx.xxx.xx]:30315 Warning: xxx.xx profile excludes SANDBOX scan
    2016:06:09-13:19:45 xxxxx-x exim-in[4620]: 2016-06-09 13:19:45 1bAxzz-0001CW-1G ctasd reports 'Unknown' RefID:str=0001.0A0C0202.575950D0.015E:SCFSTAT17958010,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2016:06:09-13:19:45 xxxxx-x exim-in[4620]: 2016-06-09 13:19:45 1bAxzz-0001CW-1G Greylisting: xxx.xxx.xx.xx is a known retry host
    2016:06:09-13:19:45 xxxxx-x exim-in[4620]: 2016-06-09 13:19:45 1bAxzz-0001CW-1G <= xxx@xxxx-xxxxxxxxx.xx H=mx2.xxxx-xxxxxxxxx.xx (HSPMSG03.hex.local) [xxx.xxx.xx.xx]:30315 P=esmtps X=TLSv1:AES256-SHA:256 S=524023 id=D3319B0D7B27E449B9263C66C672E0B53440111E@HSPMSG01.hex.local
    2016:06:09-13:19:45 xxxxx-x exim-in[4620]: 2016-06-09 13:19:45 H=mx2.xxxx-xxxxxxxxx.xx (HSPMSG03.hex.local) [xxx.xxx.xx.xx]:30315 Warning: xxx.xx profile excludes SANDBOX scan
    2016:06:09-13:19:46 xxxxx-x exim-in[4620]: 2016-06-09 13:19:46 1bAy01-0001CW-1e ctasd reports 'Unknown' RefID:str=0001.0A0C0202.575950D2.0100:SCFSTAT17958010,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2016:06:09-13:19:46 xxxxx-x exim-in[4620]: 2016-06-09 13:19:46 1bAy01-0001CW-1e Greylisting: xxx.xxx.xx.xx is a known retry host
    2016:06:09-13:19:46 xxxxx-x exim-in[4620]: 2016-06-09 13:19:46 1bAy01-0001CW-1e <= xxx@xxxx-xxxxxxxxx.xx H=mx2.xxxx-xxxxxxxxx.xx (HSPMSG03.hex.local) [xxx.xxx.xx.xx]:30315 P=esmtps X=TLSv1:AES256-SHA:256 S=499934 id=D3319B0D7B27E449B9263C66C672E0B53440111E@HSPMSG01.hex.local
    2016:06:09-13:19:46 xxxxx-x exim-in[4620]: 2016-06-09 13:19:46 SMTP connection from mx2.xxxx-xxxxxxxxx.xx (HSPMSG03.hex.local) [xxx.xxx.xx.xx]:30315 closed by QUIT
    2016:06:09-13:19:46 xxxxx-x smtpd[8737]: QMGR[8737]: 1bAxzz-0001CW-1G moved to work queue
    2016:06:09-13:19:47 xxxxx-x smtpd[8737]: QMGR[8737]: 1bAy01-0001CW-1e moved to work queue
    2016:06:09-13:19:49 xxxxx-x exim-in[8852]: 2016-06-09 13:19:49 SMTP connection from [xx.xxx.xx.xx]:xxxxx (TCP/IP connection count = 1)
    2016:06:09-13:19:49 xxxxx-x exim-in[4653]: 2016-06-09 13:19:49 H=mx002.swissgrid.ch [xx.xxx.xx.xx]:xxxxx Warning: xxx.xx profile excludes SANDBOX scan
    2016:06:09-13:19:50 xxxxx-x smtpd[4656]: SCANNER[4656]: 1bAy06-0001D6-GH <= xxx@xxxx-xxxxxxxxx.xx R=1bAxzz-0001CW-1G P=INPUT S=522014
    2016:06:09-13:19:50 xxxxx-x smtpd[4656]: SCANNER[4656]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx.xxx.xx.xx" from="xxx@xxxx-xxxxxxxxx.xx" to="xxxxx.xxxxxx@xxx.xx" subject="TR: RHO_MO_ER Kostenstand der Grossprojekte" queueid="1bAy06-0001D6-GH" size="522014"
    2016:06:09-13:19:50 xxxxx-x smtpd[4656]: SCANNER[4656]: 1bAxzz-0001CW-1G => work R=SCANNER T=SCANNER
    2016:06:09-13:19:50 xxxxx-x smtpd[4656]: SCANNER[4656]: 1bAxzz-0001CW-1G Completed
    2016:06:09-13:19:50 xxxxx-x smtpd[4656]: SCANNER[4656]: 1bAy06-0001D6-Tz <= xxx@xxxx-xxxxxxxxx.xx R=1bAy01-0001CW-1e P=INPUT S=498013
    2016:06:09-13:19:50 xxxxx-x smtpd[4656]: SCANNER[4656]: 1bAy06-0001D6-U3 <= xxx@xxxx-xxxxxxxxx.xx R=1bAy01-0001CW-1e P=INPUT S=498013
    2016:06:09-13:19:51 xxxxx-x smtpd[4656]: SCANNER[4656]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="xxx.xxx.xx.xx" from="xxx@xxxx-xxxxxxxxx.xx" to="xxxx.xxxxx@xxx.xx" subject="TR: RHO_MO_ER Kostenstand der Grossprojekte" queueid="1bAy06-0001D6-Tz" size="498013" reason="mime" extra="application/vnd.ms-excel.sheet.macroenabled.12"
    2016:06:09-13:19:51 xxxxx-x smtpd[4656]: SCANNER[4656]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="xxx.xxx.xx.xx" from="xxx@xxxx-xxxxxxxxx.xx" to="xxxxx.xxxxxx@xxx.xx" subject="TR: RHO_MO_ER Kostenstand der Grossprojekte" queueid="1bAy06-0001D6-U3" size="498013" reason="mime" extra="application/vnd.ms-excel.sheet.macroenabled.12"
    2016:06:09-13:19:51 xxxxx-x smtpd[4656]: SCANNER[4656]: 1bAy01-0001CW-1e => work R=SCANNER T=SCANNER
    2016:06:09-13:19:51 xxxxx-x smtpd[4656]: SCANNER[4656]: 1bAy01-0001CW-1e Completed
    2016:06:09-13:19:51 xxxxx-x exim-out[4660]: 2016-06-09 13:19:51 1bAy06-0001D6-GH => xxxxx.xxxxxx@xxx.xx P=<xxx@xxxx-xxxxxxxxx.xx> R=static_route_hostlist T=static_smtp H=xxx.xx.xx.xx [xxx.xx.xx.xx]:25 X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 C="250 2.6.0 <D3319B0D7B27E449B9263C66C672E0B53440111E@HSPMSG01.hex.local> [InternalId=55765855371298, "
    2016:06:09-13:19:51 xxxxx-x exim-out[4660]: 2016-06-09 13:19:51 1bAy06-0001D6-GH Completed
    2016:06:09-13:19:52 xxxxx-x exim-in[4653]: 2016-06-09 13:19:52 1bAy06-0001D3-0u ctasd reports 'Unknown' RefID:str=0001.0A0C0201.575950D8.0028:SCFSTAT21292544,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2016:06:09-13:19:52 xxxxx-x exim-in[4653]: 2016-06-09 13:19:52 1bAy06-0001D3-0u Greylisti

    Thanks for your help!
    -Jacob
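As an added example (not part of Jacob's post and not a Sophos tool), the following Python script pulls the three line types that matter out of a UTM smtp.log and joins them: the exim-in acceptance line carries the parent queue id, the inbound size and the upstream Message-ID; the SCANNER `<=` line maps each per-recipient child queue id to its parent; the SCANNER verdict line carries the outcome, the recipient and, for a quarantine, reason and extra. Grouping the verdicts by Message-ID surfaces exactly the symptom described above: one Message-ID, three recipients, different outcomes. The sample log embedded in the script is constructed in the same shape as the posted lines, with made-up hosts, addresses, IPs and IDs; the regexes and function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the shape of the smtp.log lines posted in this thread
# (hosts, addresses, IPs and IDs are made up). Two inbound copies of one Message-ID arrive
# from the same relay; the scanner then emits one verdict per recipient.
SAMPLE_LOG = """\
2016:06:09-13:19:45 utm exim-in[4620]: 2016-06-09 13:19:45 1bAxzz-0001CW-1G <= sender@example.org H=mx2.example.org (HSPMSG03.hex.local) [192.0.2.10]:30315 P=esmtps X=TLSv1:AES256-SHA:256 S=524023 id=MSG-A@HSPMSG01.hex.local
2016:06:09-13:19:46 utm exim-in[4620]: 2016-06-09 13:19:46 1bAy01-0001CW-1e <= sender@example.org H=mx2.example.org (HSPMSG03.hex.local) [192.0.2.10]:30315 P=esmtps X=TLSv1:AES256-SHA:256 S=499934 id=MSG-A@HSPMSG01.hex.local
2016:06:09-13:19:50 utm smtpd[4656]: SCANNER[4656]: 1bAy06-0001D6-GH <= sender@example.org R=1bAxzz-0001CW-1G P=INPUT S=522014
2016:06:09-13:19:50 utm smtpd[4656]: SCANNER[4656]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="192.0.2.10" from="sender@example.org" to="alice@example.com" subject="test" queueid="1bAy06-0001D6-GH" size="522014"
2016:06:09-13:19:50 utm smtpd[4656]: SCANNER[4656]: 1bAy06-0001D6-Tz <= sender@example.org R=1bAy01-0001CW-1e P=INPUT S=498013
2016:06:09-13:19:50 utm smtpd[4656]: SCANNER[4656]: 1bAy06-0001D6-U3 <= sender@example.org R=1bAy01-0001CW-1e P=INPUT S=498013
2016:06:09-13:19:51 utm smtpd[4656]: SCANNER[4656]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.0.2.10" from="sender@example.org" to="bob@example.com" subject="test" queueid="1bAy06-0001D6-Tz" size="498013" reason="mime" extra="application/vnd.ms-excel.sheet.macroenabled.12"
2016:06:09-13:19:51 utm smtpd[4656]: SCANNER[4656]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.0.2.10" from="sender@example.org" to="carol@example.com" subject="test" queueid="1bAy06-0001D6-U3" size="498013" reason="mime" extra="application/vnd.ms-excel.sheet.macroenabled.12"
"""

# exim-in acceptance: parent queue id, inbound size and the upstream Message-ID of each copy
RECEIVED = re.compile(r'exim-in\[\d+\]: \S+ \S+ (?P<qid>\S+) <= .*? S=(?P<size>\d+) id=(?P<msgid>\S+)')
# SCANNER input: per-recipient child queue id created from a parent queue id
SCANNER_IN = re.compile(r'SCANNER\[\d+\]: (?P<child>\S+) <= \S+ R=(?P<parent>\S+) P=INPUT S=\d+')
# SCANNER verdict line in key="value" form
VERDICT = re.compile(r'SCANNER\[\d+\]: id="\d+" (?P<kv>.*)$')
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_verdicts(log_text):
    """One record per recipient verdict, joined back to the inbound copy and its Message-ID."""
    inbound = {}      # parent queue id -> (Message-ID, inbound size)
    parent_of = {}    # child queue id -> parent queue id
    raw = []
    for line in log_text.splitlines():
        m = RECEIVED.search(line)
        if m:
            inbound[m['qid']] = (m['msgid'], int(m['size']))
            continue
        m = SCANNER_IN.search(line)
        if m:
            parent_of[m['child']] = m['parent']
            continue
        m = VERDICT.search(line)
        if m:
            raw.append(dict(KV.findall(m['kv'])))
    records = []
    for f in raw:
        if f.get('name') not in ('email passed', 'email quarantined'):
            continue
        parent = parent_of.get(f['queueid'])
        msgid, size = inbound.get(parent, (None, None))
        records.append({
            'queueid': f['queueid'], 'parent': parent, 'msgid': msgid,
            'inbound_size': size, 'to': f.get('to'), 'verdict': f['name'],
            'reason': f.get('reason'), 'extra': f.get('extra'),
        })
    return records


def inconsistent_messages(records):
    """Message-IDs whose recipients got different verdicts: the symptom described in the thread."""
    by_msg = defaultdict(list)
    for r in records:
        by_msg[r['msgid']].append(r)
    return {mid: rs for mid, rs in by_msg.items() if len({r['verdict'] for r in rs}) > 1}


if __name__ == '__main__':
    for mid, rs in inconsistent_messages(parse_verdicts(SAMPLE_LOG)).items():
        print(mid)
        for r in rs:
            print('  %-18s %-18s parent=%s inbound=%s reason=%s extra=%s' % (
                r['to'], r['verdict'], r['parent'], r['inbound_size'], r['reason'], r['extra']))
```

Run it over a real smtp.log captured with debug enabled, as suggested earlier in the thread, and it lists every Message-ID whose recipients were treated differently, together with the parent queue id each verdict traces back to. One detail the posted log already contains, and which the script reports per verdict, is that the two inbound copies of the same Message-ID are not the same size (S=524023 for the copy whose recipient got "email passed", S=499934 for the copy whose two recipients were quarantined), so the two copies are not byte-identical and the attachment parts of each are worth comparing side by side.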

  • Hi,

    Is there any exception on Sandbox for any profile? Please DM me a log file without edits if you do not want to publish it here. Also, please capture logs individually for each mail. For example: send an e-mail, wait till the e-mail is processed and take the logs, then send the next one and take the logs separately.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Dear All

    I did various tests with Sandstorm and I also had the same issue as Jacob. I think it's a general Sandstorm problem and not related to Jacob's installation or Email Filter profiles.

    Best regards, Raymond

  • Hi, Jacob, and welcome to the UTM Community!

    2016:06:09-13:19:50 xxxxx-x smtpd[4656]: SCANNER[4656]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx.xxx.xx.xx" from="xxx@xxxx-xxxxxxxxx.xx" to="xxxxx.xxxxxx@xxx.xx" subject="TR: RHO_MO_ER Kostenstand der Grossprojekte" queueid="1bAy06-0001D6-GH" size="522014"

    2016:06:09-13:19:51 xxxxx-x smtpd[4656]: SCANNER[4656]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="xxx.xxx.xx.xx" from="xxx@xxxx-xxxxxxxxx.xx" to="xxxxx.xxxxxx@xxx.xx" subject="TR: RHO_MO_ER Kostenstand der Grossprojekte" queueid="1bAy06-0001D6-U3" size="498013" reason="mime" extra="application/vnd.ms-excel.sheet.macroenabled.12"

    This would lead me to check whether there's a mime-type Exception for the first recipient.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    please read this: https://community.sophos.com/products/unified-threat-management/f/56/t/15972

    In the meantime, the last comment suggests Sophos has finally confirmed it is a bug. I am wondering how long it will take to fix it.

    Thanks

    Joerg
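The verdict lines in this thread show the quarantine keyed on the attachment's MIME type (reason="mime" extra="application/vnd.ms-excel.sheet.macroenabled.12"). A Content-Type in a message is whatever the sending client declared, so a check you can run on your own side, independent of how any gateway's filter is implemented, is to inspect the file itself: a macro-enabled workbook is a ZIP container whose [Content_Types].xml marks the workbook part with the macroEnabled content type and which carries an xl/vbaProject.bin part. The Python below is added here as an example and is not from the thread or from Sophos. It builds a minimal container of each kind in memory (constructed test data, not a real workbook; the vbaProject.bin is a header stub) and classifies it against the declared Content-Type. The two content-type strings are the ones the OOXML package format uses; the function names are mine.

```python
import io
import zipfile

# Content types the OOXML package uses for a macro-enabled workbook part and its VBA project.
MACRO_WORKBOOK_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_WORKBOOK_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
VBA_PART = "xl/vbaProject.bin"
DECLARED_MACRO_TYPE = "application/vnd.ms-excel.sheet.macroenabled.12"   # as seen in the log


def build_sample_workbook(with_macros):
    """Constructed test data: a minimal OOXML container, with or without a VBA project part.
    Not a real workbook; only the package structure a content check looks at is present."""
    overrides = ['<Override PartName="/xl/workbook.xml" ContentType="%s"/>'
                 % (MACRO_WORKBOOK_CT if with_macros else PLAIN_WORKBOOK_CT)]
    if with_macros:
        overrides.append('<Override PartName="/xl/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + "".join(overrides) + '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # OLE2 compound-file signature followed by padding; a stub, not a parseable VBA project
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def has_excel_macros(data):
    """True if the bytes are an OOXML spreadsheet carrying a VBA project, judged from the
    container contents only, never from the declared Content-Type or the file name."""
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False
    if VBA_PART in set(z.namelist()):
        return True
    try:
        types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        return False
    return MACRO_WORKBOOK_CT in types


def classify_attachment(declared_type, data):
    """Combine the sender-declared Content-Type with the content check and say which one fired."""
    by_content = has_excel_macros(data)
    by_header = declared_type.strip().lower() == DECLARED_MACRO_TYPE
    if by_content and not by_header:
        return "macro workbook with misleading Content-Type"
    if by_content:
        return "macro workbook"
    if by_header:
        return "declared macro type but no VBA project found"
    return "no macros detected"


if __name__ == "__main__":
    for declared, macros in [(DECLARED_MACRO_TYPE, True), ("application/octet-stream", True),
                             (DECLARED_MACRO_TYPE, False), ("application/octet-stream", False)]:
        print("%-48s -> %s" % (declared, classify_attachment(declared, build_sample_workbook(macros))))
```

The point of keeping `has_excel_macros` separate from `classify_attachment` is that the content check alone is what you would wire into a mail hook or a quarantine review script: a relabelled .xlsm still contains xl/vbaProject.bin, and a file that only claims the macro-enabled type but carries no VBA project is worth a second look rather than an automatic pass. A full parser of the VBA project's OLE streams is out of scope here; the stub above only exercises the package-level check.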