Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

ES 10.0.9 - Capture ATP Malicious Attachments not blocked but delivered

BWCBWC Cybersecurity Overlord ✭✭✭

Hi,

today a customer called me about a Capture ATP Report he got. Usually I'am telling the same story over and over again, if it's from 127.0.0.1 then it's a report for the Email Security and you're covered, the attachment is blocked.

The specific user got two attachments in the last two days. Yesterday the Attachment was detected as malicious by Capture ATP and the Message got blocked. But today another Attachment arrived and got detected as Malicious by Capture ATP but it went through and got delivered. For real, how could that be?

Not again another Support case eating up my time, I'am getting really sick of this.

Is this a known problem any might be already reported? Couldn't find any information on 10.0.10 about this, but will update today anyhow.

Message Log shows no Virus found.


Capture ATP says otherwise:

--Michael@BWC

Category: Email Security Appliances
Reply

Answers

  • David WDavid W SonicWall Employee

    @BWC Please open a support case with the details.

    This is not a known issue and must be looked into.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • BWCBWC Cybersecurity Overlord ✭✭✭

    #43696131 it is. Will keep this thread updated.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭
    edited June 5
    Affects 10.0.10 as well.
    

    This is an ongoing issue that I experienced on multiple deployments. It's a campaign driven by random @hotmail.com sender addresses originating from IP addresses detected as South Korea, USA and Germany.

    I strongly advise to handle all messages coming from [email protected] to the MSW account holder with special care, because it could be an indicator of a detection by Capture ATP AFTER the malicious mail got delivered, despite the configuration says otherwise.

    For a quick verfication I searched the Message log for hotmail.com sender addresses and checked if any mail with a subject like "taj wr q pavvn" or similar got delivered. In that case the enduser should be informed.

    --Michael@BWC

Sign In or Register to comment.