Anti-malware

You can choose what happens if malware is found in messages.

In Enhanced Email Malware Scan you can choose what happens to messages in more detail.

This option is only available if your license includes Sophos Email Security.

Anti-malware scan

In Anti-malware scan you can choose what to do with messages that contain known malware or viruses.

Choose from the following options:

  • Delete
  • Quarantine

Enhanced content and file property scan

This is our highest level of protection against email malware. It's on by default.

This setting applies to inbound and outbound messages.

Un-scanned emails

You can choose what happens to messages that can't be scanned. The available actions are:

  • Quarantine
  • Delete
  • Tag subject line

This setting applies to inbound messages only.

There are various reasons we may not be able to scan specific messages:

  • Inability to access the file: The file is identified correctly, but the software can't access the file to decompress or scan it.
  • Corrupt file: The file is corrupt and can't be accessed.
  • Unexpected content: We identify the file correctly, and can access it, but then find unexpected content. The antivirus scan process produces an error.
  • Scanner times out: The antivirus scanner times out while scanning. There are several reasons this can occur, such as a file that is compressed in many nested levels, or the antivirus scanner exceeding the scan time limit.
  • Large compressed attachment: If a compressed attachment is too large, it can't be scanned. The attachment may be nested within too many compression levels, the compressed files included may be too large, or there may be too many compressed files within the attachment.

These are just some examples. There may be other reasons.
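
The following Python example is added here for illustration; it is not Sophos code and does not describe how the product works internally. It shows how a pre-scan check can sort a ZIP attachment into several of the categories above (corrupt file, unexpected content, inaccessible file, and the three "large compressed attachment" cases). The limits, the reason strings, and the function names classify and make_zip are assumptions made for this example.

```python
import io
import zipfile
import zlib

LIMITS = {"depth": 3, "members": 1000, "bytes": 50 << 20}  # assumed, not Sophos values


def _walk(data, depth, seen, limits):
    """Return the reason the archive can't be scanned, or None."""
    if depth > limits["depth"]:
        return "too many compression levels"
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "corrupt file"
    with archive:
        for info in archive.infolist():
            # Enforce budgets on declared sizes before reading any member.
            seen["members"] += 1
            seen["bytes"] += info.file_size
            if seen["members"] > limits["members"]:
                return "too many compressed files"
            if seen["bytes"] > limits["bytes"]:
                return "compressed files too large"
            if info.flag_bits & 0x1:  # encrypted member, content unreadable
                return "cannot access file"
            try:
                body = archive.read(info)  # output is capped at file_size
            except (zipfile.BadZipFile, zlib.error, NotImplementedError):
                return "unexpected content"
            if zipfile.is_zipfile(io.BytesIO(body)):
                reason = _walk(body, depth + 1, seen, limits)
                if reason:
                    return reason
    return None


def classify(data, limits=LIMITS):
    """Return 'scannable' or 'unscannable: <reason>' for a ZIP attachment."""
    reason = _walk(data, 1, {"members": 0, "bytes": 0}, limits)
    return f"unscannable: {reason}" if reason else "scannable"


def make_zip(name, body):
    """Constructed sample input: a stored ZIP holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, body)
    return buf.getvalue()
```

The member and byte budgets are shared across all nesting levels, so an archive cannot evade them by spreading its content over inner archives.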

We don't scan messages from email addresses and domains that you add to the Inbound Allow/Block list, and we don't scan Sophos encrypted emails.

We also quarantine messages that contain a very large number of URLs. See Time of Click URL Protection.

Intelix Threat Analysis

This is available with an Email Advanced license only and is turned on by default.

This option sends emails that may contain active malicious content to an isolated virtual environment where they're opened and checked. SophosLabs Intelix detects threats in messages using static and dynamic analysis. Static analysis leverages multiple machine learning models, neural networks, global reputation, deep file scanning, and more. Dynamic analysis detonates a message in a sandbox to reveal its true nature and threat capability.

Messages that may be malicious are run in a virtual environment for closer inspection.

Messages that are clean are delivered as normal.

There are two categories of Intelix threats:

  • Intelix Malicious: Messages that contain a known and verified threat.
  • Intelix Suspicious: Messages that don't contain a known and verified threat but display characteristics that make them suspicious.

You can choose the following actions for Intelix Malicious messages:

  • Quarantine
  • Delete

You can choose the following actions for Intelix Suspicious messages:

  • Quarantine
  • Deliver
  • Delete
  • Tag subject line

When Intelix service location is turned on, you can select your preferred location.

Select Let Sophos decide (recommended) to automatically route messages for optimal performance.

End User Quarantine

If you choose to put some messages in end user quarantine, messages can be checked, released, or deleted by your users. See End User Quarantine.