ES 10.0.9 - Capture ATP Malicious Attachments not blocked but delivered

BWC Cybersecurity Overlord ✭✭✭
edited May 2021 in Email Security Appliances


Today a customer called me about a Capture ATP Report he got. Usually I'm telling the same story over and over again: if it's from then it's a report for the Email Security and you're covered, the attachment is blocked.

The specific user got two attachments in the last two days. Yesterday the Attachment was detected as malicious by Capture ATP and the Message got blocked. But today another Attachment arrived and got detected as Malicious by Capture ATP but it went through and got delivered. For real, how could that be?

Not again another Support case eating up my time, I'm getting really sick of this.

Is this a known problem and might be already reported? Couldn't find any information on 10.0.10 about this, but will update today anyhow.

Message Log shows no Virus found.

Capture ATP says otherwise:




  • David W SonicWall Employee

    @BWC Please open a support case with the details.

    This is not a known issue and must be looked into.

    David Wilbur

    Technical Support Senior Advisor, Premier Services, SME Email Security

  • BWC Cybersecurity Overlord ✭✭✭

    #43696131 it is. Will keep this thread updated.


  • BWC Cybersecurity Overlord ✭✭✭
    edited June 2021
    Affects 10.0.10 as well.

    This is an ongoing issue that I experienced on multiple deployments. It's a campaign driven by random sender addresses originating from IP addresses detected as South Korea, USA and Germany.

    I strongly advise handling all messages coming from to the MSW account holder with special care, because it could be an indicator of a detection by Capture ATP AFTER the malicious mail got delivered, even though the configuration says otherwise.

    For a quick verification I searched the Message log for sender addresses and checked if any mail with a subject like "taj wr q pavvn" or similar got delivered. In that case the end user should be informed.
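
The quick check described in the last post, sketched as an added example that is not part of the original thread and is not SonicWall code. It assumes the message log has been exported to CSV; the column names, the `delivered`/`blocked` values, the sample rows and the vowel-ratio heuristic for "or similar" subjects are all constructed assumptions to adapt to your own export.

```python
import csv
import io
import re

# Constructed sample export. Column names and disposition values are
# assumptions, not the Email Security appliance's real export format.
SAMPLE_LOG = """timestamp,sender,recipient,subject,disposition
2021-06-01T08:12:00,a1@sender.example,user@corp.example,taj wr q pavvn,delivered
2021-06-01T08:15:00,b2@sender.example,user@corp.example,kqz vr t mwwpl,blocked
2021-06-01T09:00:00,boss@corp.example,user@corp.example,meeting notes for friday,delivered
2021-06-01T09:30:00,c3@sender.example,sales@corp.example,Invoice 4711,delivered
2021-06-02T07:45:00,d4@sender.example,sales@corp.example,xw plr gh nnvd,delivered
"""

TOKEN = re.compile(r"[a-z]+")
VOWELS = set("aeiou")


def looks_like_campaign_subject(subject, max_vowel_ratio=0.25, min_tokens=3):
    """Heuristic (an assumption) for subjects like 'taj wr q pavvn':
    only lowercase letter tokens, with far fewer vowels than normal text."""
    tokens = subject.split()
    if len(tokens) < min_tokens or not all(TOKEN.fullmatch(t) for t in tokens):
        return False
    letters = "".join(tokens)
    return sum(c in VOWELS for c in letters) / len(letters) <= max_vowel_ratio


def delivered_suspects(log_text):
    """Return rows that match the subject heuristic AND were delivered,
    i.e. the messages whose recipients should be informed."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [r for r in rows
            if r["disposition"].strip().lower() == "delivered"
            and looks_like_campaign_subject(r["subject"])]


if __name__ == "__main__":
    for row in delivered_suspects(SAMPLE_LOG):
        print(row["timestamp"], row["recipient"], repr(row["subject"]))
```

Messages that match the subject pattern but were blocked are left out on purpose, since only delivered ones require contacting the end user.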

