
Enhanced Email Malware Scan

You can apply enhanced email content scanning.

This option is only available if your license includes Sophos Email Security.

Note

If an option is locked, your partner or Enterprise administrator has applied global settings.

Enhanced content and file property scan

This is our highest level of protection against email malware. It's on by default.

This setting applies to inbound and outbound messages.

Note

If malware is detected in a message, it's always discarded.

Un-scanned emails

You can choose what happens to messages that can't be scanned. The available actions are:

  • Quarantine
  • Delete
  • Tag subject line

This setting applies to inbound messages only.

There are various reasons we may not be able to scan specific messages:

  • Inability to access the file: The file is identified correctly, but the software can't access the file to decompress or scan it.
  • Corrupt file: The file is corrupt and can't be accessed.
  • File identified, but unexpected content encountered: The file is correctly identified and access is granted, but unexpected content is found and the antivirus scan process produces an error.
  • Scanner times out: The antivirus scanner times out while scanning. There are several reasons this can occur. Some examples are: a file is compressed in many nested levels or the antivirus scanner exceeds the scan time limit.
  • Large compressed attachment: If a compressed attachment is too large, it can't be scanned. The attachment may be nested within too many compression levels, the compressed files included are too large, or there are too many compressed files within the attachment.

These are just some examples. There may be other reasons.

Email addresses and domains that you add to the Inbound Allow/Block list and Sophos encrypted emails aren't scanned.

Time of Click URL Protection

This is available with an Email Advanced license only and is turned on by default.

When Time of Click URL Protection is turned on, URLs contained within inbound messages are rewritten to point to Sophos Email Security instead of the original destination.

When you click the link, Sophos Email Security performs an SXL lookup, and if the URL is malicious, it's blocked. If the URL is clean, the action taken when you click the link depends on what you've specified in the policy. For example, if you've set medium risk websites as allowed, and the link is checked and classified as not malicious, the link takes you to the original destination.

The domain name is displayed at the start of the rewritten URL so that you can see where the link will send you, if allowed. For example, d=domain.com.

Warning

Sophos Email Security can't re-evaluate a URL after it has been rewritten by another product.

You can select the action you want to take for websites with the following reputation levels:

  • High risk: Includes illegal sites, sites containing malware, and phishing sites.
  • Medium risk: Includes sites associated with spam and anonymizing proxies.
  • Unverified: The reputation of the website can't be verified.

You can't allow high-risk websites.

Note

URLs you add to the Time of Click allow list are never rewritten at time of click.

You can also control whether URLs are rewritten in plain text messages and within securely signed messages:

  • Plain text messages: refers to emails with no HTML formatting. Without HTML formatting, the entire encoded URL shows in the email when URL rewriting is turned on. You can bypass URL re-writing in these messages by deselecting the Re-write URLs in plain text messages option.
  • Securely signed messages: URL re-writing may break the signatures of S/MIME, PGP, and DKIM signed messages, because the signature covers the original message content. You can bypass URL re-writing in these messages by deselecting the Re-write URLs within securely signed messages option.
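The DKIM case in the list above, shown as an added example (not Sophos code): the bh= tag of a DKIM signature is a hash of the canonicalized body, so rewriting any URL in the body changes the hash and the receiving verifier rejects the signature. The click-protection gateway prefix is hypothetical and is not the real rewritten-URL format.

```python
"""Why URL rewriting breaks DKIM body hashes (added example, not Sophos code)."""
import base64
import hashlib
import re

# Constructed sample body of a DKIM-signed message, CRLF line endings as on the wire.
ORIGINAL_BODY = (
    "Hi,\r\n"
    "Please review the report at https://example.org/reports/q3  \r\n"
    "Thanks\r\n\r\n\r\n"
)

# Hypothetical click-protection gateway, used only for this demonstration.
REWRITE_PREFIX = "https://click-protect.example.invalid/?u="


def canonicalize_relaxed_body(body: str) -> str:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs
    of whitespace, strip trailing whitespace per line, drop trailing empty
    lines, and terminate every remaining line with CRLF."""
    lines = body.split("\r\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def body_hash(body: str) -> str:
    """bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_relaxed_body(body).encode()).digest()
    return base64.b64encode(digest).decode()


def rewrite_urls(body: str) -> str:
    """Wrap each URL with the (hypothetical) gateway, as time-of-click rewriting does."""
    return re.sub(r"https?://\S+", lambda m: REWRITE_PREFIX + m.group(0), body)


def verify_body_hash(body: str, signed_bh: str) -> bool:
    """What the receiving DKIM verifier does: recompute bh= and compare."""
    return body_hash(body) == signed_bh


# The sender's signer computed this bh= over the original body.
SIGNED_BH = body_hash(ORIGINAL_BODY)

if __name__ == "__main__":
    print("original body verifies: ", verify_body_hash(ORIGINAL_BODY, SIGNED_BH))
    print("rewritten body verifies:", verify_body_hash(rewrite_urls(ORIGINAL_BODY), SIGNED_BH))
```

The same mismatch applies to S/MIME and PGP signatures, which likewise cover the message content; the only difference is which layer computes the hash.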

Warning

Be careful if you choose to bypass URL re-writes, as URLs in these messages won't be protected.

See URL allow list.

Warning

If you turn on Time of Click URL Protection, and are using a Google email server, you may see DMARC failures reported for inbound messages.

This might be because Google doesn't consistently process emails from IP addresses in its Gateway IPs list. To check your email settings and find out more, see Restrict delivery to Sophos IP addresses.

Intelix Threat Analysis

This is available with an Email Advanced license only and is turned on by default.

This option sends emails that may contain active malicious content to an isolated virtual environment where they're opened and checked. If emails are found to be malicious, they're removed. SophosLabs Intelix detects threats in messages using static and dynamic analysis. Static analysis leverages multiple machine learning models, neural networks, global reputation, deep file scanning, and more. Dynamic analysis detonates a message in a sandbox to reveal its true nature and threat capability.

When Intelix service location is turned on, you can select your preferred location.

Tip

Select Let Sophos decide (recommended) to automatically route messages for optimal performance.

Messages that may be malicious will run in a virtual environment for closer inspection.

Messages that are clean are delivered as normal. Messages that contain advanced threats are discarded.

Impersonation Protection

This is available with an Email Advanced license only and is turned on by default.

This feature detects emails that pretend to be from well-known brands or very important people (VIPs) in your organization.

Choose the action taken when this feature detects emails.

If you add a banner to suspect emails, you can select the actions the users see in the banner.

Choose from the following options:

  • Block Sender: The sender's email address is added to a block list.
  • Report Spam messages to Sophos: Users can report suspicious messages to SophosLabs. This helps us improve our impersonation detection.

Example impersonation banner

We can only apply banners to HTML format emails, not plain text emails.

In summary reports, these emails are labeled as advanced threat.

You can add email addresses for VIPs in VIP management.

For more information, see Impersonation Protection and VIP Management.

S/MIME protection

You can protect messages using Secure/Multipurpose Internet Mail Extensions (S/MIME). It can protect inbound messages, outbound messages, or both.

You must join the Early Access Program to use this option.

You must turn on and set up S/MIME protection in Settings > Secure MIME Settings before you can use it in policies. See S/MIME settings.

You can verify inbound messages against the certificates attached to the emails.

Sophos Email Security can't verify inbound messages signed by a third party's self-signed certificate until they send you their certificate. You must upload these certificates in Overview > Global Settings > Secure MIME Settings > External S/MIME Certificates. See External S/MIME Certificates.

If Sophos Email Security doesn't have all the S/MIME certificates it needs to encrypt and sign an outgoing message, it tries to encrypt the message using Push Encryption instead. See Outbound message processing.

You can decrypt inbound messages and encrypt outgoing messages.

You can choose the following actions to take if a message fails an S/MIME check.

  • Quarantine, delete, or deliver inbound emails with a message added to the subject line to alert the recipient.
  • Delete, quarantine, deliver, or bounce outbound emails.
  • For outbound messages, you can select Push encrypt entire message on release. See Outbound message processing.

Inbound message processing

For inbound messages, if you only configure one of the S/MIME options (Verify inbound messages or Decrypt inbound messages), only the outer layer of the message is processed. If the selected option doesn't match the inbound message type, the message fails.

For example, if you've selected Verify inbound messages and the message isn't signed, the message fails. Or, if you've selected Decrypt inbound messages and the message isn't encrypted, the message fails.

For inbound messages, you can set the failure action to Deliver if messages are to be verified or decrypted after Sophos Email Security has processed them. For example, a user could have their certificates and private keys stored in their email software.

The way inbound messages are processed depends on which S/MIME settings are turned on.

If you set Verify inbound messages on, and Decrypt inbound messages off, the messages are processed as follows.

Inbound message conditions    Actions
Encrypted, then signed.       Message verified and delivered. If verification fails, we take your chosen action. We don't decrypt the message.
Signed, then encrypted.       No S/MIME actions. We take your chosen action.
Signed, not encrypted.        Message verified and delivered. If verification fails, we take your chosen action.
Encrypted, not signed.        No S/MIME actions. We take your chosen action.
Not signed or encrypted.      No S/MIME actions, message delivered.

If you set Verify inbound messages off, and Decrypt inbound messages on, the messages are processed as follows.

Inbound message conditions    Actions
Encrypted, then signed.       No S/MIME actions. We take your chosen action.
Signed, then encrypted.       Message decrypted and delivered. If decryption fails, we take your chosen action.
Signed, not encrypted.        No S/MIME actions. We take your chosen action.
Encrypted, not signed.        Message decrypted and delivered. If decryption fails, we take your chosen action.
Not signed or encrypted.      No S/MIME actions, message delivered.
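The two inbound tables above follow one rule: only the outer layer is processed, and if the selected option doesn't match that layer the message fails. This added example (not Sophos code) models that rule and regenerates both tables from it; only the two documented settings (one option on, the other off) are modelled.

```python
"""Inbound S/MIME processing rule from the page, modelled as a decision function.
Added example, not Sophos code."""
from enum import Enum


class Layering(Enum):
    """How an inbound message is wrapped. The operation named last is the outer layer."""
    ENCRYPTED_THEN_SIGNED = "Encrypted, then signed."
    SIGNED_THEN_ENCRYPTED = "Signed, then encrypted."
    SIGNED_ONLY = "Signed, not encrypted."
    ENCRYPTED_ONLY = "Encrypted, not signed."
    PLAIN = "Not signed or encrypted."


def outer_layer(layering: Layering) -> str:
    """Only the outer layer is ever processed when one option is configured."""
    if layering in (Layering.ENCRYPTED_THEN_SIGNED, Layering.SIGNED_ONLY):
        return "signed"
    if layering in (Layering.SIGNED_THEN_ENCRYPTED, Layering.ENCRYPTED_ONLY):
        return "encrypted"
    return "none"


def inbound_action(verify: bool, decrypt: bool, layering: Layering,
                   check_passes: bool, failure_action: str) -> str:
    """Outcome for one inbound message. failure_action is the policy choice
    ('quarantine', 'delete' or 'deliver'); check_passes says whether the
    verification or decryption itself succeeded."""
    if verify == decrypt:
        raise ValueError("only 'exactly one option on' is documented on the page")
    outer = outer_layer(layering)
    if outer == "none":
        return "delivered (no S/MIME actions)"
    wanted = "signed" if verify else "encrypted"
    if outer != wanted:
        # Selected option doesn't match the message type: the message fails.
        return f"{failure_action} (no S/MIME actions)"
    if check_passes:
        # For 'encrypted, then signed' with Verify on, the inner encryption stays in place.
        return "verified and delivered" if verify else "decrypted and delivered"
    return f"{failure_action} ({'verification' if verify else 'decryption'} failed)"


def table(verify: bool, decrypt: bool, failure_action: str) -> dict:
    """Regenerate the page's table for one setting, assuming the check itself passes."""
    return {lay.value: inbound_action(verify, decrypt, lay, True, failure_action)
            for lay in Layering}


if __name__ == "__main__":
    for row, action in table(verify=True, decrypt=False, failure_action="quarantine").items():
        print(f"{row:28} {action}")
```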

Outbound message processing

Sophos Email Security can deliver messages encrypted with Push encryption if it isn't possible to use S/MIME. For example, Sophos Email Security might not have all the certificates it needs for S/MIME to work.

To turn this feature on, do as follows:

  1. In Failure Action for Outbound messages, select Quarantine or Deliver.
  2. Select Push encrypt entire message on release.

If you select Deliver and S/MIME encryption fails, Sophos Email Security uses Push encryption to encrypt the message, and sends it immediately.

If you select Quarantine and S/MIME encryption fails, Sophos Email Security uses Push Encryption to encrypt the message and sends it when you release the message from quarantine. For more information on Push Encryption, see Email Encryption.
