The Malware tab contains various measures against emails that carry harmful and dangerous content such as viruses, worms, or other malware.
Note – Outgoing emails will be scanned if the checkbox Scan relayed (outgoing) messages on the Relaying tab is selected.
Scan During SMTP Transaction
Select the checkbox Reject malware during SMTP transaction if you want to have messages scanned already during SMTP transaction and to have them rejected in case they contain malware.
In Profile mode: This setting cannot be changed per profile. Messages with more than one recipient will skip this feature if one of the recipient profiles has Malware Scanning turned off. This means it is advisable to leave the regular malware setting below set to either Blackhole or Quarantine.
Click Apply to save your settings.
When using this option, emails will be scanned for unwanted content such as viruses, trojan horses, or suspicious file types. Messages containing malicious content will be blocked and stored in the email quarantine. Users can review and release their quarantined messages either through the Sophos User Portal or the daily Quarantine Report. However, messages containing malicious content can only be released from the quarantine by an administrator in the Mail Manager.
Malware: You can configure how to proceed with messages that contain malicious content. The following actions are available:
- Off: There are no malware scans.
- Blackhole: Incoming messages are accepted and instantly removed. Outgoing messages are never blackholed to avoid unintended mail loss. They are quarantined instead.
- Quarantine: Default. Messages are blocked and stored in the email quarantine. Quarantined messages can be reviewed either through the User Portal or the daily Quarantine Report. Note that messages containing malicious content can be released from the quarantine only by an administrator.
Sophos UTM on AWS features several malware engines for best security:
- Single scan: Default setting; provides maximum performance using the engine defined on the System Settings > Scan Settings tab.
- Dual scan: Provides maximum recognition rate by scanning the respective traffic twice using different virus scanners. Note that dual scan is not available with BasicGuard subscription.
Enable Sandstorm: Select this option to activate Sandstorm and send suspicious attachments for sandboxing to have enhanced protection and better visibility into the likely behaviors of malware.
Note – This feature is only available to licensed users of Sophos Sandstorm.
Quarantine unscannable and encrypted content: Quarantines emails whose content could not be scanned. Unscannable content may be encrypted or corrupt archives or oversized content, or there may be a technical reason like a scanner failure.
Click Apply to save your settings.
The MIME type filter reads the MIME type of email contents. You can define how the different MIME types are to be dealt with.
- Quarantine audio content: When you select this checkbox audio content like e.g., mp3 or wav files, will be quarantined.
- Quarantine video content: When you select this checkbox video content like e.g., mpg or mov files, will be quarantined.
- Quarantine executable content: When you select this checkbox executable content like e.g., exe files, will be quarantined.
Additional types to quarantine: To add a MIME type other than above that shall be quarantined, click the Plus icon in the Additional Types To Quarantine box and enter the MIME type (e.g., image/gif). You can use wildcards (*) on the right side of the slash, e.g., application/*.
Whitelisted content types: You can use this box to allow generally certain MIME types. To add a MIME type click the Plus icon in the Whitelisted content types box and enter the MIME type. Click Apply to save your settings.
|MIME type||MIME type class|
MIME types known by the MIME Type Filter
This feature filters and quarantines emails (with warnings) that contain certain types of files based on their extensions (e.g. executables). To add file extensions, click the Plus icon in the Blocked file extensions box and enter a critical file extension you want to be restricted, e.g., exe or jar (without the dot delimiter). Click Apply to save your settings.
For each outgoing and incoming email, you can add and customize a special footer informing users that the email has been scanned for malicious content. However, the footer will only be added if the checkbox Scan relayed (outgoing) messages on the Relaying tab is selected. In addition, the malware check footer will not be appended to the email if the email is a reply (i.e. having In-Reply-To header) or if the content type of the email could not be determined. Select the checkbox Use the Text Below as a Footer and enter the footer text. Click Apply to save your settings.
Note – Adding a footer to messages already signed or encrypted by an email client (e.g., Microsoft's Outlook or Mozilla's Thunderbird) will break their signature and render them invalid. If you want to create digital signatures on the client side, disable the antivirus check footer option. However, if you do not wish to forgo the privacy and authentication of your email communication and still want to apply a general antivirus check footer, consider using the built-in email encryption feature of Sophos UTM on AWS. Email encryption done on the gateway means that the footer is added to the message prior to creating the digital signature, thus leaving the signature intact.