Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=email-malware-scan

Anti-malware

You can choose what happens if malware is found in messages.

In Enhanced Email Malware Scan, you can choose what happens to messages in more detail.

Anti-malware scan

In Anti-malware scan, you can choose what to do with messages that contain known malware.

Choose from the following options:

  • Delete
  • Quarantine

If a quarantined Malware/Virus message is released, the user receives a new email, with the original malicious email attached as a password-protected ZIP file. The new email contains the password to open the ZIP attachment.

Enhanced content and file property scan

Note

This setting applies to inbound and outbound messages.

If Enhanced content and file property scan is turned on, the message's and its attachments' metadata are used in heuristic rules to determine whether the email contains malware. By default, this setting is turned on.

Un-scanned emails

Note

This setting applies to inbound messages only.

You can choose what happens to messages that can't be scanned. The available actions are:

  • Quarantine
  • Delete
  • Tag subject line
  • Add banner

Smart banner settings

When the Add banner setting is selected, a smart banner will be shown at the top of inbound HTML format messages that can't be scanned, enhancing user awareness.

You can edit the settings and the predefined text of the smart banner. This controls the actions users can see in the smart banner. Choose from the following options:

  • Allow sender: If this setting is turned on, users see Allow Sender in the smart banner. When they click Allow Sender, a new page appears confirming that the sender's email address has been added to their allow list. Users can manage their allow list through the Sophos Central Self Service Portal.
  • Block sender: If this setting is turned on, users see Block Sender in the smart banner. When they click Block Sender, a new page appears allowing them to add the sender's email address to their block list. Optionally, users can report the message to SophosLabs.
  • Report messages to Sophos: If this setting is turned on, users see Report in the smart banner. When they click Report, a new page appears allowing them to report messages to SophosLabs. This helps us improve our threat detection.

Note

For plain text messages, the smart banner shows as text at the beginning of the email body, using the same content you've set.

Why are emails un-scannable?

Here are some of the reasons why emails are un-scannable:

  • Inability to access the file: The file is identified correctly, but the software can't access the file to decompress or scan it.
  • Corrupt file: The file is corrupt and can't be accessed.
  • Unexpected content: We identify the file correctly and can access it, but then find unexpected content. The antivirus scan process produces an error.
  • Scanner times out: The antivirus scanner times out while scanning. There are several reasons this can occur. For example, a file is compressed in many nested levels, or the antivirus scanner exceeds the scan time limit.
  • Large compressed attachment: If a compressed attachment is too large, it can't be scanned. The attachment may be nested within too many compression levels, the compressed files included may be too large, or there may be too many compressed files within the attachment.

These are just some examples. There may be other reasons.

Sophos Email still performs malware scanning even if you add the email address and domain to the Inbound Allow/Block list or Sophos encrypted emails.

We also quarantine messages that contain a very large number of URLs. See Time of Click URL Protection.

Intelix Threat Analysis

This option sends emails that may contain active malicious content to an isolated virtual environment where they're opened and checked. SophosLabs Intelix detects threats in messages using static and dynamic analysis. Static analysis leverages multiple machine learning models, neural networks, global reputation, deep file scanning, and more. Dynamic analysis detonates a message in a sandbox to reveal its true nature and threat capability.

Messages that may be malicious are run in a virtual environment for closer inspection.

Messages that are clean are delivered as normal.

You can configure actions for the following Intelix verdicts:

  • Intelix Malicious: Messages that contain a known and verified threat.
  • Intelix Suspicious: Messages that don't contain a known and verified threat but display characteristics that make them suspicious.

Note

When SophosLabs Intelix fails to scan a message, the message will be marked as "Intelix Unscannable", and the message will be quarantined. This prevents a malicious message from getting delivered when scanning fails.

You can choose the following actions for Intelix Malicious messages:

  • Quarantine
  • Delete

You can choose the following actions for Intelix Suspicious messages:

  • Quarantine
  • Deliver
  • Delete
  • Tag subject line

When Intelix service location is turned on, you can select your preferred location.

Select Let Sophos decide (recommended) to automatically route messages for optimal performance.

End User Quarantine

If you choose to put some messages in end user quarantine, messages can be checked, released, or deleted by your users. See End User Quarantine.