Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Appliance gives loopback address for endpoint

This appliance was just installed weeks ago so we're still learning. We got a notice from the appliance:


03/16/2021 7:39:55 PM UTC

127.0.0.1 may have downloaded a malicious file. The endpoint may need to be cleaned.


Curious why it gives a loopback address? Viewing the full report does give an endpoint PC that likely downloaded the file. I guess technically the appliance DID download the file and forwarded it.

Category: Email Security Appliances
Reply

Answers

  • David WDavid W SonicWall Employee
    edited March 2021

    The email itself is coming from your mysonicwall account.

    For email security it is mostly useless as email security does not let anything in that has been detected.

    The attachment gets stripped and it follows the settings you have under antivirus.

    You can turn those alerts off from your mysonicwall account.

    It's listing the loopback address as that is where the message is stored while being processed.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • djhurt1djhurt1 Enthusiast ✭✭

    @David W


    Under Antivirus, we have both Likely and Definite set to reject with SMTP error code 550. At the bottom of the same page it says

    Miscellaneous

    Viruses will be removed from messages identified as definite Viruses, but will deliver attachments intact for messages identified as Likely Viruses.

    However in message log it says it's a virus and it's in the junk box. Why is it in the junk box when it's supposed to be rejected?


    Also the email notification says 7:39 UTC however viewing the complete report it says 1:39. The appliance is set to our time zone. How do I get the time zones to line up?

  • David WDavid W SonicWall Employee
    edited March 2021

    Since the connection that sent the message is long gone the only thing left is to store in junkbox.

    Reject is the only one where it does not follow the logic since it cannot reject it.

    The emails from mysonicwall will always show UTC not your local time while viewing the report from capture logs shows your local time.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • djhurt1djhurt1 Enthusiast ✭✭
    edited March 2021


    @David W

    I'm confused by your first statement. What do you mean since it's long gone the only thing left is to store in junkbox? If the appliance can't reject it, why not simply drop the message or delete it? The concern here is the appliance is set to reject but instead it appears it's giving the user the option to un-junk what it deems as a definite virus threat.

  • David WDavid W SonicWall Employee
    edited March 2021

    When a message is in capturebox the orignal connection that delivered the message has been disconnected already.

    The message is stored in the capturebox waiting for a verdict from the Capture servers.

    There is no longer a connection from the sender present at that time that a verdict is given and it cannot be rejected for that reason.


    By default users are not allow to unjunk virus emails and even if it were unjunked the attachment has been deleted. We do not leave definate virus attachments in emails.


    Also see the admin guide pages 174 and 175


    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    I agree it is confusing to mention 127.0.0.1 as a potential infected endpoint. It bugs me from a technical point of view, but in the meantime it's my indicator if a Cature ATP message from MSW was generated because of a hit on the Firewall or on the ESA.

    I told my customers if it's from 127.0.0.1 you're good, any other we have to check.

    --Michael@BWC

  • djhurt1djhurt1 Enthusiast ✭✭
    edited March 2021

    @David W


    I think there is an opportunity for improvement in this area. From an end user perspective, my understanding was that items that went to junkbox would trigger a notice the user where they can unjunk/delete/whitelist the email. I realize now that per the guide you linked to, that's not entirely true in the case of viruses. The guide says in the case of a virus the message is quarantined however "quarantine" is junkbox in this case. Traditionally "junkbox" is for questionable messages that the user has at their discretion to unjunk. In the future I'd love to see a seperate "Quarantine" that definite viruses go into. A notice sent to Admins who can deal with as they see fit. This is a big deal in my opinion because if anything were to go wrong, as they often do with technology, I cringe at the thought of virus laden message mistakenly getting unjunked by an ignorant user. Basically it would make my job much easier if at a glance I know for sure, without digging deep into the guide, that such a message is stuck in a definite quarantine and isn't going anywhere without "my" intervention.

    Furthermore regarding the settings in Antivirus to reject messages that are likely or definite virus. Referring to your explanation, this is misleading. When would a message ever be "rejected" then?

Sign In or Register to comment.