Hi Sophos Team,
all mails with executable content are excluded in Sandstorm. There is no exception. Is this a bug?
From the smtp log:
"Warning: localdomain.tld profile excludes SANDBOX scan"
This log line is caused by your configuration: dual scan works in such a way that the primary engine (which can be selected in WebAdmin under Management > System settings > Scan settings > Single scan engine) is used to scan your message at SMTP connection time, while the other one runs once the message has already been accepted by the UTM. Sandstorm is only supported by the Sophos scan engine, so if you have Avira as your primary scanner, the Sandstorm scan will not be run by Exim, leading to the log line you mentioned.
I do agree, however, that the message itself may lead to confusion, so we might change the description to clear up any misunderstandings. Thanks for reporting it!
So the following settings:
- Management > System Settings > Scan settings > Single scan engine: Sophos
- Email Protection > SMTP > Antivirus > Enable Sandstorm: checked
- Email Protection > SMTP > Antivirus > Dual scan (maximum security): checked
will use Sandstorm and Avira for scanning SMTP?
Basically Sandstorm is a new feature of the Sophos scanner engine, which has long been part of the UTM. :)
With the settings you mentioned, the Sophos engine (with the Sandstorm feature enabled) will be used as the primary engine and Avira as the secondary. If "Reject malware during SMTP transaction" is turned on (at the top of the Antivirus tab), the Sophos engine is used at SMTP connection time; if it is turned off, the Sophos engine is used after the message has been accepted by the UTM. The secondary scan always runs after the message has been accepted, but only if the primary engine did not find any malware in the message.