Malware

The Malware tab contains various measures against emails that carry harmful and dangerous content such as viruses, worms, or other malware.

Note – Outgoing emails will be scanned if the checkbox Scan relayed (outgoing) messages on the Relaying tab is selected.

Scan During SMTP Transaction

Select the checkbox Reject malware during SMTP transaction if you want messages to be scanned during the SMTP transaction itself and rejected if they contain malware.

In Profile mode: This setting cannot be changed per profile. Messages with more than one recipient will skip this feature if one of the recipient profiles has Malware Scanning turned off. This means it is advisable to leave the regular malware setting below set to either Blackhole or Quarantine.

Click Apply to save your settings.

Malware Scanning

When using this option, emails will be scanned for unwanted content such as viruses, trojan horses, or suspicious file types. Messages containing malicious content will be blocked and stored in the email quarantine. Users can review and release their quarantined messages either through the Sophos User Portal or the daily Quarantine Report. However, messages containing malicious content can only be released from the quarantine by an administrator in the Mail Manager.

Malware: You can configure how to proceed with messages that contain malicious content. The following actions are available:

Sophos UTM on AWS features several malware engines for best security:

Enable Sandstorm: Select this option to activate Sandstorm and send suspicious attachments for sandboxing to have enhanced protection and better visibility into the likely behaviors of malware.

Note – This feature is only available to licensed users of Sophos Sandstorm.

Quarantine unscannable and encrypted content: Quarantines emails whose content could not be scanned. Unscannable content may be encrypted or corrupt archives or oversized content, or there may be a technical reason like a scanner failure.

Click Apply to save your settings.

MIME Type Filter

The MIME type filter reads the MIME type of email contents. You can define how the different MIME types are to be dealt with.

Additional types to quarantine: To quarantine a MIME type other than those above, click the Plus icon in the Additional Types To Quarantine box and enter the MIME type (e.g., image/gif). You can use wildcards (*) on the right side of the slash, e.g., application/*.

Whitelisted content types: You can use this box to generally allow certain MIME types. To add a MIME type, click the Plus icon in the Whitelisted content types box and enter the MIME type. Click Apply to save your settings.

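| MIME type | MIME type class |
|---|---|
| audio/* | audio files |
| video/* | video files |
| application/x-dosexec | applications |
| application/x-msdownload | applications |
| application/exe | applications |
| application/x-exe | applications |
| application/dos-exe | applications |
| vms/exe | applications |
| application/x-winexe | applications |
| application/msdos-windows | applications |
| application/x-msdos-program | applications |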

MIME types known by the MIME Type Filter

File Extension Filter

This feature filters and quarantines emails (with warnings) that contain certain types of files based on their extensions (e.g., executables). To add file extensions, click the Plus icon in the Blocked file extensions box and enter a critical file extension you want to restrict, e.g., exe or jar (without the dot delimiter). Click Apply to save your settings.
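Before rolling out new entries for the MIME Type Filter and the File Extension Filter, it helps to check which parts of a sample message they would match. The following is an added example, not Sophos code: it models the rules as described above, and it assumes that the wildcard replaces the whole subtype (as in application/*) and that matching uses the Content-Type each part declares. The names validate_pattern, mime_matches and audit are hypothetical.

```python
import re
from email import message_from_string

# Assumption: "*" may only stand for the whole subtype (right of the slash).
_PATTERN = re.compile(r"^[a-z0-9][a-z0-9.+-]*/(\*|[a-z0-9][a-z0-9.+-]*)$")

def validate_pattern(pattern):
    """Return the normalised pattern, or raise ValueError if it is malformed."""
    p = pattern.strip().lower()
    if not _PATTERN.match(p):
        raise ValueError(f"invalid MIME pattern: {pattern!r}")
    return p

def mime_matches(pattern, content_type):
    """True if content_type (e.g. image/gif) is covered by pattern."""
    ptype, psub = validate_pattern(pattern).split("/")
    ctype, _, csub = content_type.lower().partition("/")
    return ptype == ctype and psub in ("*", csub)

def audit(raw, mime_patterns, blocked_exts):
    """List (filename, content_type, rule) for every part that hits a rule."""
    # Extensions are entered without the dot; tolerate one added by mistake.
    exts = {e.lower().lstrip(".") for e in blocked_exts}
    hits = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()  # declared type (assumption, see lead-in)
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        for pat in mime_patterns:
            if mime_matches(pat, ctype):
                hits.append((name, ctype, f"mime:{pat}"))
        if ext in exts:
            hits.append((name, ctype, f"ext:{ext}"))
    return hits

# Constructed sample message (not real traffic).
SAMPLE = (
    "From: a@example.com\nTo: b@example.com\nSubject: constructed\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=B\n\n"
    "--B\nContent-Type: text/plain\n\nhello\n"
    "--B\nContent-Type: image/gif\n"
    "Content-Disposition: attachment; filename=logo.gif\n\ndata\n"
    "--B\nContent-Type: application/x-msdownload\n"
    'Content-Disposition: attachment; filename="Setup.EXE"\n\ndata\n--B--\n'
)

if __name__ == "__main__":
    print(audit(SAMPLE, ["image/gif", "application/*"], ["exe", "jar"]))
```

An attachment can match both filters at once, as Setup.EXE does here, and a pattern with the wildcard on the left of the slash is rejected before any matching takes place.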

Malware Check Footer

For each outgoing and incoming email, you can add and customize a special footer informing users that the email has been scanned for malicious content. However, the footer will only be added if the checkbox Scan relayed (outgoing) messages on the Relaying tab is selected. In addition, the malware check footer will not be appended to the email if the email is a reply (i.e., it has an In-Reply-To header) or if the content type of the email could not be determined. Select the checkbox Use the Text Below as a Footer and enter the footer text. Click Apply to save your settings.

Note – Adding a footer to messages already signed or encrypted by an email client (e.g., Microsoft's Outlook or Mozilla's Thunderbird) will break their signature and render them invalid. If you want to create digital signatures on the client side, disable the antivirus check footer option. However, if you do not wish to forgo the privacy and authentication of your email communication and still want to apply a general antivirus check footer, consider using the built-in email encryption feature of Sophos UTM on AWS. Email encryption done on the gateway means that the footer is added to the message prior to creating the digital signature, thus leaving the signature intact.
