Reflexion will be End-of-life on March 31,2023. See Sophos Reflexion EoL FAQs to learn more.

Bug?: Why is my local mail domain excluded in sandstorm?

Hi Sophos Team,

all mails with executable content are excluded in sandstorm. There is no exception. Is this a Bug?

From the smtp log:

"Warning: localdomain.tld profile excludes SANDBOX scan"



  • In the event of an incoming email with executable content the fallback log shows following lines:

    2016:03:04-10:37:14 asg-2 [local0:err] [ctipd] [5552]: CEnginesContainer::GetCacheDelta - Still unable to connect to Datacenter
    2016:03:04-10:38:19 asg-2 [user:notice] 	Is  the server running on host "db_host.local" ( and accepting
    2016:03:04-10:38:19 asg-2 [user:notice] 	TCP/IP  connections on port 5432?

  • Hi mod,

    This log line is caused by your configuration: Dual scan works in a way that the primary engine (which can be selected on WebAdmin under Management > System settings > Scan settings > Single scan engine) will be used to scan your message in SMTP connection time, while the other is run when the message is already accepted by the UTM. Sandstorm is only supported by Sophos scan engine, so in case you have Avira as your primary scanner, Sandstorm scan will not be run by Exim, leading to the log line you mentioned.

    I do agree however that the message itself may lead to confusions, so we might change the description to clear any misunderstandings, thanks for reporting it!


  • Thanks Niriel for that explanation! now I understand how it works :)

  • So the following settings:

    - Setting Management > System Settings > Scan settings > Single scan engine: Sophos

    - Email Potection > SMTP > Antivirus > Enable Sandstorm: checked

    - Email Potection > SMTP > Antivirus > Dual scan (maximum security): checked

    will use Sandstorm and Avira for scanning SMTP?

  • Hi rsc,

    Basically Sandstorm is a new feature of the Sophos scanner engine, which has long been part of the UTM. :)

    With the settings you mentioned, the Sophos engine (with Sandstorm feature enabled) will be used as the primary engine and Avira as the secondary. If "Reject malware during SMTP transaction" is turned on (on the top of the Antivirus tab), this means that Sophos engine will be used in SMTP connection time while if it's turned off, Sophos engine will be used after the message is accepted by the UTM. The secondary scan will always be run after the message is accepted, but only if the primary engine didn't find any malware in the message.