ES 10.0.9 - Capture ATP Malicious Attachments not blocked but delivered
Hi,
today a customer called me about a Capture ATP Report he got. Usually I'm telling the same story over and over again: if it's from 127.0.0.1 then it's a report for the Email Security and you're covered, the attachment is blocked.
The specific user got two attachments in the last two days. Yesterday the Attachment was detected as malicious by Capture ATP and the Message got blocked. But today another Attachment arrived and got detected as Malicious by Capture ATP but it went through and got delivered. For real, how could that be?
Not again another Support case eating up my time, I'm getting really sick of this.
Is this a known problem and might it be already reported? Couldn't find any information on 10.0.10 about this, but will update today anyhow.
Message Log shows no Virus found.
Capture ATP says otherwise:
--Michael@BWC
Answers
@BWC Please open a support case with the details.
This is not a known issue and must be looked into.
David Wilbur
Technical Support Senior Advisor, Premier Services, SME Email Security
#43696131 it is. Will keep this thread updated.
--Michael@BWC
This is an ongoing issue that I experienced on multiple deployments. It's a campaign driven by random @hotmail.com sender addresses originating from IP addresses detected as South Korea, USA and Germany.
I strongly advise handling all messages coming from donotreply-capture@sonicwall.com to the MSW account holder with special care, because it could be an indicator of a detection by Capture ATP AFTER the malicious mail got delivered, despite the configuration saying otherwise.
For a quick verification I searched the Message log for hotmail.com sender addresses and checked if any mail with a subject like "taj wr q pavvn" or similar got delivered. In that case the enduser should be informed.
--Michael@BWC
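A triage script for the check described in the post above, added here as an example and not part of the original thread or of SonicWall's product: it flags message log rows that were delivered although Capture ATP returned a malicious verdict for the same sender and subject, and lists delivered hotmail.com mails whose subject resembles the campaign subject. The CSV layout, the verdict fields and all sample rows are constructed assumptions, not the real Email Security export format.

```python
import csv
import difflib
import io

# Constructed sample of a message log export. The column layout
# (timestamp, sender, subject, action) is an assumption for this example.
MESSAGE_LOG = """timestamp,sender,subject,action
2021-03-01 09:12:03,abc123@hotmail.com,taj wr q pavvn,Blocked
2021-03-02 08:05:42,alice@example.org,meeting notes,Delivered
2021-03-02 08:30:17,xyz789@hotmail.com,tak wr q pavvm,Delivered
2021-03-02 10:02:55,qrs456@hotmail.com,quarterly report,Delivered
"""

# Constructed Capture ATP verdicts, as an admin might transcribe them from
# the report mails sent to the account holder; field names are assumed.
CAPTURE_VERDICTS = [
    {"sender": "abc123@hotmail.com", "subject": "taj wr q pavvn", "verdict": "malicious"},
    {"sender": "xyz789@hotmail.com", "subject": "tak wr q pavvm", "verdict": "malicious"},
    {"sender": "qrs456@hotmail.com", "subject": "quarterly report", "verdict": "clean"},
]

def _norm(text):
    """Lower-case and collapse whitespace so log and report values compare."""
    return " ".join(text.lower().split())

def delivered_despite_verdict(log_csv, verdicts):
    """Rows marked Delivered although Capture ATP flagged the same
    sender/subject pair as malicious (the gap described in the thread)."""
    bad = {(_norm(v["sender"]), _norm(v["subject"]))
           for v in verdicts if v["verdict"] == "malicious"}
    hits = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        key = (_norm(row["sender"]), _norm(row["subject"]))
        if row["action"] == "Delivered" and key in bad:
            hits.append((row["sender"], row["subject"]))
    return hits

def delivered_from_domain_like(log_csv, domain, ref_subject, threshold=0.8):
    """Delivered mails from a sender domain whose subject is a fuzzy match
    for the reference subject, so spelling variants of the campaign match."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        if row["action"] != "Delivered" or not row["sender"].lower().endswith("@" + domain):
            continue
        ratio = difflib.SequenceMatcher(None, _norm(row["subject"]), _norm(ref_subject)).ratio()
        if ratio >= threshold:
            hits.append((row["sender"], row["subject"], round(ratio, 2)))
    return hits

if __name__ == "__main__":
    print(delivered_despite_verdict(MESSAGE_LOG, CAPTURE_VERDICTS))
    print(delivered_from_domain_like(MESSAGE_LOG, "hotmail.com", "taj wr q pavvn"))
```

Every hit is a recipient who should be informed, since the attachment reached the mailbox before the verdict.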