How to report false positive or false negative Virus / Spam E-Mails on Sophos UTM

  • Article ID: 115670
  • Updated: 08 Mar 2016

Known to apply to the following Sophos product(s) and version(s)

Sophos UTM v9

Operating systems

V8, V9

What to do

Rarely, the E-Mail Protection engine of Sophos UTM reports an E-Mail as Spam or as Virus infected when it is not (a false positive). Conversely, Spam-E-Mails or Virus infected E-Mails might occasionally be delivered to the recipient (a false negative). In order to minimize such cases, false positive as well as false negative samples should be submitted to Sophos.

Change the configuration to capture false positive Spam / Virus E-Mails

In order to be able to capture samples of false positives, the E-Mail Protection configuration should be changed as follows:

For false positive viruses

  1. Log into the Webadmin and navigate to E-Mail protection > SMTP > Antivirus
  2. Uncheck Reject malware during SMTP transaction and click Apply

For false positive spam

  1. Log into the Webadmin and navigate to E-Mail protection > SMTP > Antispam
  2. Switch Reject at SMTP time to Off and click Apply

By default, the action for Spam and Virus E-Mails is now Quarantine, so samples can be collected from the quarantine. Make sure that the samples are no older than 3 days.

Collect and submit your samples for false positive Spam / Virus E-Mails

  1. Log into the Webadmin and navigate to E-Mail protection > Mail Manager
  2. Click Open Mail Manager in New Window
  3. Check 3 of the false positive E-Mails in the SMTP Quarantine and select Download in the drop-down menu below
  4. Compress the samples into a password protected ZIP-File
  5. Switch back to the Webadmin and navigate to Logging & Reporting > View Log Files > Today's Log Files or Archived Log Files, depending on the time of the occurrence.
    Note: We do need the Logfile showing the arrival of the submitted E-Mail-Samples.
  6. Download the SMTP proxy Logfile as an archive
  7. Open a support ticket through myUTM, attach the Samples and the SMTP-Log, and add the following information to your message:
    For viruses:
    Is Single (which AV-Engine) or Dual Scan activated?
    For spam:
    What Mail-Server is being used?
    What Mail-Client is being used?
  8. Submit your Ticket

Collect and submit your samples for false negative Spam / Virus E-Mails

False negative E-Mails were most likely delivered to the recipient; therefore the E-Mail Protection settings stay unchanged for the collection.

  1. Use the E-Mail-Client to export the undetected E-Mails (ideally three) to *.eml format
    Note: A step-by-step description on how to export mails with your E-Mail Client can be found in KB 23113, but make sure to export the E-Mails as *.eml files only!
  2. Compress the samples into a password protected ZIP-File
    Note: This is to avoid a false positive on our side that would block your attachment from being delivered.
  3. Log into the Webadmin and navigate to Logging & Reporting > View Log Files > Today's Log Files or Archived Log Files, depending on the time of the occurrence.
    Note: We do need the Logfile showing the arrival of the submitted E-Mail-Samples.
  4. Download the SMTP proxy Logfile as an archive
  5. Open a support ticket through myUTM
  6. Attach the Samples and the SMTP-Log
  7. Add the following information to your message:
    For viruses:
    Is Single (which AV-Engine) or Dual Scan activated?
    For spam:
    What Mail-Server is being used?
    What Mail-Client is being used?
  8. Submit your Ticket
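
Both procedures above depend on the attached SMTP proxy log actually covering the arrival of the submitted samples, which is easy to get wrong when choosing between Today's Log Files and Archived Log Files. The following Python script is an added example, not Sophos code and not part of this article: it reads the Message-ID of each *.eml sample and looks for a matching arrival line in the downloaded log, so a ticket is not opened with a log that does not contain the samples. The log lines embedded below are constructed, and the `<=` / `id=<...>` arrival format is an assumption about the SMTP proxy log; adapt the regular expression to the lines in your own log before relying on it.

```python
"""Verify that an SMTP proxy log covers the arrival of each *.eml sample.

Added example for the Sophos UTM false positive / false negative procedure;
not Sophos code. The log format below is an assumption.
"""
import email
import email.policy
import re
from pathlib import Path
from typing import Dict, Optional

# Constructed sample log lines (not real UTM output). Arrival lines are assumed
# to carry " <= " and the Message-ID as "id=<...>"; delivery lines carry " => ".
SAMPLE_LOG = """\
2016:03:07-09:12:41 utm exim-in[4123]: 2016-03-07 09:12:41 1abcdE-0001Aa-Bc <= alice@example.org H=mail.example.org [198.51.100.7] P=esmtps id=<20160307091240.A1B2C3@mail.example.org>
2016:03:07-09:12:42 utm exim-in[4123]: 2016-03-07 09:12:42 1abcdE-0001Aa-Bc => bob@example.com R=dnslookup T=remote_smtp
2016:03:08-14:03:10 utm exim-in[4130]: 2016-03-08 14:03:10 1abcdF-0001Ab-Cd <= promo@mailer.test H=mx.mailer.test [203.0.113.9] P=esmtp id=<a9f1c2@mailer.test>
"""

# Constructed *.eml samples, as an E-Mail client would export them.
SAMPLE_EMLS: Dict[str, bytes] = {
    "sample1.eml": (
        b"From: alice@example.org\r\nTo: bob@example.com\r\nSubject: invoice\r\n"
        b"Message-ID: <20160307091240.A1B2C3@mail.example.org>\r\n"
        b"Date: Mon, 07 Mar 2016 09:12:40 +0100\r\n\r\nHello\r\n"
    ),
    # This one is deliberately absent from SAMPLE_LOG (wrong day's log file).
    "sample2.eml": (
        b"From: x@example.net\r\nTo: bob@example.com\r\nSubject: hi\r\n"
        b"Message-ID: <notinlog@example.net>\r\n\r\nbody\r\n"
    ),
}

MESSAGE_ID_RE = re.compile(r"id=<([^>]+)>")


def message_ids_in_log(log_text: str) -> Dict[str, str]:
    """Map every Message-ID seen on an arrival ('<=') line to that line."""
    found: Dict[str, str] = {}
    for line in log_text.splitlines():
        if " <= " not in line:
            continue  # skip delivery, rejection and other non-arrival lines
        match = MESSAGE_ID_RE.search(line)
        if match:
            found[match.group(1).strip().lower()] = line
    return found


def message_id_of_eml(raw: bytes) -> Optional[str]:
    """Return the Message-ID of an RFC 822 message without angle brackets."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    mid = msg.get("Message-ID")
    if not mid:
        return None
    return str(mid).strip().strip("<>").lower()


def check_samples(samples: Dict[str, bytes], log_text: str) -> Dict[str, Optional[str]]:
    """For each sample name: its arrival log line, or None if the log lacks it."""
    arrivals = message_ids_in_log(log_text)
    result: Dict[str, Optional[str]] = {}
    for name, raw in samples.items():
        mid = message_id_of_eml(raw)
        result[name] = arrivals.get(mid) if mid else None
    return result


def check_directory(eml_dir: str, log_path: str) -> Dict[str, Optional[str]]:
    """Same check over exported *.eml files and a downloaded log on disk."""
    samples = {p.name: p.read_bytes() for p in Path(eml_dir).glob("*.eml")}
    log_text = Path(log_path).read_text(encoding="utf-8", errors="replace")
    return check_samples(samples, log_text)


if __name__ == "__main__":
    for name, line in check_samples(SAMPLE_EMLS, SAMPLE_LOG).items():
        status = "found" if line else "MISSING - pick the other day's log file"
        print(f"{name}: {status}")
```

Run it against the directory holding the exported samples and the unpacked SMTP log archive via `check_directory("./samples", "./smtp.log")`; any sample reported as missing means the wrong day's log file was downloaded, or the mail never passed the SMTP proxy at all (for example, it was delivered through another route), which is itself useful to state in the ticket.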

If you need more information or guidance, then please contact technical support.
