
ES 10.0.6 / false negative, no upload to Capture ATP

BWC Cybersecurity Overlord ✭✭✭

Hi all,

Today I received a strange mail from "Heidelberg University", totally out of context. Sent through some service provider in Singapore. SPF could have this covered, but that's another story.

The strange thing is that of all the attachments, only the .png files got sent to the Capture ATP service; the bad files just went through. A manual upload to VirusTotal detected them both.

How come Capture ATP isn't getting these files? File size is < 100 KB.

Events like this reduce the confidence once more.

--Michael@BWC

Category: Email Security Appliances

Comments

  • Halon5 Newbie

    Hi BWC,

    Yes, it's a real problem when files just aren't shipped.

    We have had all sorts of issues in this area and it's vastly improved, but we still get the odd issue. We have employed a number of dictionaries so we can eyeball messages when they contain certain file types, but that incurs a heavy penalty around manpower.

    I have been sending samples of this stuff to tech support for years... Most often the cases are just closed.

    Improvements around the submission of such items have been suggested, but that just falls on deaf ears... It's just the same old "ancient" and labor-intensive methods they have had for what is probably a decade at least.

    We really need some innovative way to do that. Then both parties will benefit from better intelligence and reduction in effort to get this stuff on the table.


    They need to add a SUBMIT FOR ANALYSIS button to the AUDIT and JUNK logs. That should gather the message and any other pertinent data that is required to analyse and troubleshoot the issue.

    My 2 cents.

    Steph.

  • Halon5 Newbie

    This one WAS scanned, by the looks of it:

    X-Mlf-CaptureInfo: 0,87,3e6d900b6f944e267c3ee87ca1df13af4767e19d1757399e74469c5c2fea049e,good;

  • Halon5 Newbie

    Strangely, when the .eml files were submitted manually via ES upload, they were seen as malicious.

  • BWC Cybersecurity Overlord ✭✭✭

    Maybe it's related to how the mail itself is formatted; sometimes the ES is not able to detect the attachments and therefore does not upload them to the CaptureBox.

    Detection of attachments was also an issue, with them not being available in the Junkbox for manual download.

    I can't see a clear pattern at this point.

    --Michael@BWC
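An added triage script, not from this thread or from SonicWall, for checking which attachments the gateway actually recorded as submitted: it walks an .eml (descending into forwarded message/rfc822 parts, where attachments are easy to miss), hashes every attachment, and compares the hashes against the X-Mlf-CaptureInfo headers. It assumes, which the thread does not confirm, that the header's third comma-separated field is the SHA-256 of the submitted file; the sample message is constructed.

```python
import base64
import hashlib
from email import message_from_bytes, policy

def _walk(part, prefix=""):
    """Yield (name, sha256) for every attachment at or below `part`."""
    if part.get_content_type() == "message/rfc822":  # attached email: descend into it
        prefix += (part.get_filename() or "attached.eml") + "/"
    if part.is_multipart():
        for sub in part.get_payload():
            yield from _walk(sub, prefix)
        return
    name = part.get_filename()
    if name is None and part.get_content_disposition() != "attachment":
        return  # inline body text, not an attachment
    data = part.get_payload(decode=True) or b""
    yield prefix + (name or "unnamed"), hashlib.sha256(data).hexdigest()

def list_attachments(raw):
    return list(_walk(message_from_bytes(raw, policy=policy.default)))

def captured_hashes(raw):
    """Hashes in X-Mlf-CaptureInfo headers (assumption: third field is the SHA-256)."""
    msg = message_from_bytes(raw, policy=policy.default)
    entries = ";".join(msg.get_all("X-Mlf-CaptureInfo", [])).split(";")
    fields = [e.strip().split(",") for e in entries]
    return {f[2].lower() for f in fields if len(f) >= 3 and len(f[2]) == 64}

def unsubmitted_attachments(raw):
    """Attachments whose hash the gateway never recorded as submitted."""
    seen = captured_hashes(raw)
    return [name for name, digest in list_attachments(raw) if digest not in seen]

def build_sample():
    """Constructed message: a recorded PNG plus a forwarded .eml carrying a placeholder file."""
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)  # placeholder image bytes
    doc = b"PK\x03\x04placeholder-office-file"  # placeholder, not a real document
    b64 = lambda b: base64.b64encode(b).decode()
    lines = [
        "Subject: constructed sample", "MIME-Version: 1.0",
        f"X-Mlf-CaptureInfo: 0,87,{hashlib.sha256(png).hexdigest()},good;",
        'Content-Type: multipart/mixed; boundary="outer"', "", "--outer", "Content-Type: image/png",
        "Content-Transfer-Encoding: base64", 'Content-Disposition: attachment; filename="logo.png"',
        "", b64(png), "--outer", "Content-Type: message/rfc822",
        'Content-Disposition: attachment; filename="original.eml"', "",
        'Content-Type: multipart/mixed; boundary="inner"', "", "--inner",
        "Content-Type: application/octet-stream", "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="invoice.docm"', "", b64(doc), "--inner--", "--outer--", "",
    ]
    return "\r\n".join(lines).encode()
```

Run `unsubmitted_attachments(build_sample())` to see the one attachment the header never recorded; on a real message from the Junkbox, any name it prints is a candidate for the manual ES upload described above.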
