Skip to content


You can choose what happens if malware is found in messages.

In Enhanced Email Malware Scan, you can choose what happens to messages in more detail.

Anti-malware scan

In Anti-malware scan, you can choose what to do with messages that contain known malware or viruses.

Choose from the following options:

  • Delete
  • Quarantine

Enhanced content and file property scan


This setting applies to inbound and outbound messages.

This is our highest level of protection against email malware. It's on by default.

Un-scanned emails


This setting applies to inbound messages only.

You can choose what happens to messages that can't be scanned. The available actions are:

  • Quarantine
  • Delete
  • Tag subject line
  • Add banner

When the Add banner setting is selected, a banner or a message tag will be shown at the top of inbound HTML format messages that can't be scanned, enhancing user awareness.

You can edit the settings and the predefined text of the banner. This controls the actions users can see in the banner.

Choose from the following options:

  • Allow sender: The sender's email address is added to an allow list. It's on by default.
  • Block sender: The sender's email address is added to a block list. It's on by default.
  • Report messages to Sophos: If this setting is turned on, users can also report the message as a threat to SophosLabs when they block a sender. This helps us improve our threat detection.


For plain text messages, the banner is in text-only form, using the same content you set, and is shown at the beginning of the email body.

Why are emails un-scannable?

Here are some of the reasons why emails are un-scannable:

  • Inability to access the file: The file is identified correctly, but the software can't access the file to decompress or scan it.
  • Corrupt file: The file is corrupt and can't be accessed.
  • Unexpected content: We identify the file correctly and can access it, but then find unexpected content. The antivirus scan process produces an error.
  • Scanner times out: The antivirus scanner times out while scanning. There are several reasons this can occur. For example, a file is compressed in many nested levels, or the antivirus scanner exceeds the scan time limit.
  • Large compressed attachment: If a compressed attachment is too large, it can't be scanned. The attachment may be nested within too many compression levels, the compressed files included may be too large, or there may be too many compressed files within the attachment.

These are just some examples. There may be other reasons.

Sophos Email still performs malware scanning even if you add the email address and domain to the Inbound Allow/Block list or Sophos encrypted emails.

We also quarantine messages that contain a very large number of URLs. See Time of Click URL Protection.

Intelix Threat Analysis

This option sends emails that may contain active malicious content to an isolated virtual environment where they're opened and checked. SophosLabs Intelix detects threats in messages using static and dynamic analysis. Static analysis leverages multiple machine learning models, neural networks, global reputation, deep file scanning, and more. Dynamic analysis detonates a message in a sandbox to reveal its true nature and threat capability.

Messages that may be malicious are run in a virtual environment for closer inspection.

Messages that are clean are delivered as normal.

You can configure actions for the following Intelix verdicts:

  • Intelix Malicious: Messages that contain a known and verified threat.
  • Intelix Suspicious: Messages that don't contain a known and verified threat but display characteristics that make them suspicious.


When SophosLabs Intelix fails to scan a message, the message will be marked as "Intelix Unscannable", and the message will be quarantined. This prevents a malicious message from getting delivered when scanning fails.

You can choose the following actions for Intelix Malicious messages:

  • Quarantine
  • Delete

You can choose the following actions for Intelix Suspicious messages:

  • Quarantine
  • Deliver
  • Delete
  • Tag subject line

When Intelix service location is turned on, you can select your preferred location.

Select Let Sophos decide (recommended) to automatically route messages for optimal performance.

End User Quarantine

If you choose to put some messages in end user quarantine, messages can be checked, released, or deleted by your users. See End User Quarantine.