Does the ESAV C300v support both McAfee and Sophos at the same time?

jamsheduddin
Level 1

Hi friends,

Need a help.

We have deployed an ESAV C300v (for more than 1k employees) on the ESXi platform. We have not purchased any license yet and are still running the demo version. Before purchasing, I want to confirm whether I will be able to enable both antivirus engines, McAfee and Sophos, in this virtual appliance C300v. To run both antivirus engines at the same time, what should I have or do?

Appreciate your support.

thank you.

Jamshed

1 Accepted Solution

Robert Sherwin
Cisco Employee

Yes - the ESA will run both AV engines at the same time.  You will see them scan and act separately.

Examples:

Mon Apr 10 12:09:28 2017 Info: MID 837 ICID 658 From: <robsherw@ubuntu.local>
Mon Apr 10 12:09:28 2017 Info: MID 837 ICID 658 RID 0 To: <robsherw@esa.av>
Mon Apr 10 12:09:28 2017 Info: MID 837 Message-ID '<c2a4cb$ma@120.local>'
Mon Apr 10 12:09:28 2017 Info: MID 837 Subject 'AV testing'
Mon Apr 10 12:09:28 2017 Info: MID 837 ready 37792 bytes from <robsherw@ubuntu.local>
Mon Apr 10 12:09:28 2017 Info: MID 837 matched all recipients for per-recipient policy <|__AV_ONLY__|> in the inbound table
Mon Apr 10 12:09:29 2017 Info: MID 837 interim AV verdict using McAfee VIRAL
Mon Apr 10 12:09:29 2017 Info: MID 837 antivirus positive 'W97M/Downloader.brm'
Mon Apr 10 12:09:29 2017 Info: Message aborted MID 837 Dropped by antivirus
Mon Apr 10 12:09:29 2017 Info: Message finished MID 837 done

Here, McAfee sees it viral, takes action first, and drops mail --- it never gets through the mail processing pipeline for Sophos to scan.

Mon Apr 10 12:10:45 2017 Info: MID 838 ICID 659 From: <robsherw@ubuntu.local>
Mon Apr 10 12:10:45 2017 Info: MID 838 ICID 659 RID 0 To: <robsherw@esa.av>
Mon Apr 10 12:10:45 2017 Info: MID 838 Message-ID '<c2a4cb$me@120.local>'
Mon Apr 10 12:10:45 2017 Info: MID 838 Subject 'AV testing'
Mon Apr 10 12:10:45 2017 Info: MID 838 ready 670172 bytes from <robsherw@ubuntu.local>
Mon Apr 10 12:10:45 2017 Info: MID 838 matched all recipients for per-recipient policy <|__AV_ONLY__|> in the inbound table
Mon Apr 10 12:10:45 2017 Info: MID 838 interim AV verdict using McAfee ENCRYPTED
Mon Apr 10 12:10:45 2017 Info: MID 838 interim AV verdict using Sophos VIRAL
Mon Apr 10 12:10:45 2017 Info: MID 838 antivirus positive 'Mal/DrodZp-A'
Mon Apr 10 12:10:46 2017 Info: Message aborted MID 838 Dropped by antivirus
Mon Apr 10 12:10:46 2017 Info: Message finished MID 838 done
Mon Apr 10 12:10:50 2017 Info: ICID 659 close

McAfee sees this file as encrypted.  AV cannot see into an encrypted (password encrypted) file.  However, since Sophos had this encrypted file previously marked as malicious, known in the IDE library - it takes the drop action.

Mon Apr 10 12:11:46 2017 Info: MID 839 ICID 660 From: <robsherw@ubuntu.local>
Mon Apr 10 12:11:46 2017 Info: MID 839 ICID 660 RID 0 To: <robsherw@esa.av>
Mon Apr 10 12:11:46 2017 Info: MID 839 Message-ID '<c2a4cb$mi@120.local>'
Mon Apr 10 12:11:46 2017 Info: MID 839 Subject 'AV testing'
Mon Apr 10 12:11:46 2017 Info: MID 839 ready 301838 bytes from <robsherw@ubuntu.local>
Mon Apr 10 12:11:46 2017 Info: MID 839 matched all recipients for per-recipient policy <|__AV_ONLY__|> in the inbound table
Mon Apr 10 12:11:51 2017 Info: ICID 660 close
Mon Apr 10 12:12:01 2017 Info: MID 839 interim AV verdict using McAfee CLEAN
Mon Apr 10 12:12:01 2017 Info: MID 839 interim AV verdict using Sophos CLEAN
Mon Apr 10 12:12:01 2017 Info: MID 839 antivirus negative
Mon Apr 10 12:12:01 2017 Info: MID 839 queued for delivery
Mon Apr 10 12:12:01 2017 Info: Delivery start DCID 0 MID 839 to RID [0]
Mon Apr 10 12:12:01 2017 Info: Message done DCID 0 MID 839 to RID [0] [('X-IronPort-AV', 'E=McAfee;i="5800,7501,8493"; a="839"'), ('X-IronPort-AV', 'E=Sophos;i="5.37,182,1488844800"; \r\n d="xml\'?fdoc\'?scan\'72,145,208,48?rels\'72,145,208,48?jpg\'72,145,208,48,145?dict\'72,145,208,48,145?xps\'72,145,208,48,145,72,48";a="839"')]
Mon Apr 10 12:12:01 2017 Info: MID 839 RID [0] Response '/dev/null'
Mon Apr 10 12:12:01 2017 Info: Message finished MID 839 done

Both clean --- I have logheaders enabled to record the AV headers... so - they are included, showing the engine versions and IDEs.

Hope that helps.

-Robert
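The three traces above show the pattern a defender wants to verify after enabling a second engine: each engine writes its own "interim AV verdict" line per MID, and the first VIRAL verdict drops the message before the other engine is consulted. The following Python script is an added example, not code from the thread or from Cisco, that parses mail_logs lines of that shape, attributes each drop to the engine that made the call, and flags messages delivered without any CLEAN verdict (the password-protected-attachment blind spot Robert describes). The sample input reuses the MID 837/838/839 lines from the post and adds a constructed MID 840 in which both engines report ENCRYPTED; the regexes and record layout are this example's own assumptions about the log format.

```python
import re
from collections import Counter, defaultdict

# Sample input: the MID 837/838/839 traces from the reply above, trimmed to the
# AV-relevant lines, plus a CONSTRUCTED MID 840 (not from the thread) in which
# neither engine could open a password-protected attachment and the message
# was still delivered.
SAMPLE_MAIL_LOGS = """\
Mon Apr 10 12:09:29 2017 Info: MID 837 interim AV verdict using McAfee VIRAL
Mon Apr 10 12:09:29 2017 Info: MID 837 antivirus positive 'W97M/Downloader.brm'
Mon Apr 10 12:09:29 2017 Info: Message aborted MID 837 Dropped by antivirus
Mon Apr 10 12:10:45 2017 Info: MID 838 interim AV verdict using McAfee ENCRYPTED
Mon Apr 10 12:10:45 2017 Info: MID 838 interim AV verdict using Sophos VIRAL
Mon Apr 10 12:10:45 2017 Info: MID 838 antivirus positive 'Mal/DrodZp-A'
Mon Apr 10 12:10:46 2017 Info: Message aborted MID 838 Dropped by antivirus
Mon Apr 10 12:12:01 2017 Info: MID 839 interim AV verdict using McAfee CLEAN
Mon Apr 10 12:12:01 2017 Info: MID 839 interim AV verdict using Sophos CLEAN
Mon Apr 10 12:12:01 2017 Info: MID 839 antivirus negative
Mon Apr 10 12:12:01 2017 Info: MID 839 queued for delivery
Mon Apr 10 12:13:30 2017 Info: MID 840 interim AV verdict using McAfee ENCRYPTED
Mon Apr 10 12:13:30 2017 Info: MID 840 interim AV verdict using Sophos ENCRYPTED
Mon Apr 10 12:13:30 2017 Info: MID 840 queued for delivery
"""

# Line shapes taken from the thread; assumed stable enough for a simple parser.
_VERDICT = re.compile(r"MID (\d+) interim AV verdict using (\w+) (\w+)")
_POSITIVE = re.compile(r"MID (\d+) antivirus positive '([^']+)'")
_DROPPED = re.compile(r"Message aborted MID (\d+) Dropped by antivirus")
_QUEUED = re.compile(r"MID (\d+) queued for delivery")


def parse_av_verdicts(log_text):
    """Group the AV lines of mail_logs by MID.

    Each record holds the per-engine interim verdict, the threat name if an
    engine returned a positive, and the final disposition ('dropped' or
    'delivered'); MIDs with no disposition line keep action=None.
    """
    msgs = defaultdict(lambda: {"verdicts": {}, "threat": None, "action": None})
    for line in log_text.splitlines():
        if m := _VERDICT.search(line):
            mid, engine, verdict = m.groups()
            msgs[mid]["verdicts"][engine] = verdict
        elif m := _POSITIVE.search(line):
            mid, threat = m.groups()
            msgs[mid]["threat"] = threat
        elif m := _DROPPED.search(line):
            msgs[m.group(1)]["action"] = "dropped"
        elif m := _QUEUED.search(line):
            msgs[m.group(1)]["action"] = "delivered"
    return dict(msgs)


def detecting_engine(record):
    """Return the engine whose VIRAL verdict stopped the message, or None."""
    return next((e for e, v in record["verdicts"].items() if v == "VIRAL"), None)


def unscanned_deliveries(msgs):
    """MIDs delivered although no engine returned CLEAN (e.g. all saw ENCRYPTED).

    AV cannot look inside a password-protected file, so these deliveries are
    the ones to cover with another control or a stricter encrypted-attachment
    action in the AV policy.
    """
    return sorted(
        mid for mid, rec in msgs.items()
        if rec["action"] == "delivered" and "CLEAN" not in rec["verdicts"].values()
    )


def detection_summary(msgs):
    """Count catches per engine plus deliveries, to confirm both engines
    are actually producing verdicts after being enabled."""
    counts = Counter()
    for rec in msgs.values():
        engine = detecting_engine(rec)
        if engine:
            counts[engine] += 1
        elif rec["action"] == "delivered":
            counts["delivered"] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_av_verdicts(SAMPLE_MAIL_LOGS)
    for mid, rec in sorted(parsed.items()):
        print(mid, rec["verdicts"], rec["threat"], rec["action"],
              "caught by:", detecting_engine(rec))
    print("summary:", detection_summary(parsed))
    print("delivered without a CLEAN verdict:", unscanned_deliveries(parsed))
```

Run it against a copy of mail_logs pulled from the appliance; a summary in which one engine never appears is the quickest sign that its feature key or policy setting is not actually active, and the "delivered without a CLEAN verdict" list is the set of messages no engine could inspect.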


5 Replies

Libin Varghese
Cisco Employee

Hi Jamshed,

You can certainly enable both Sophos and McAfee scanning; it would increase the load on the appliance.

However, the amount of load would depend on factors such as mail flow, attachment sizes, etc.

You could request your accounts team to share trial licenses for the features and test it out in your environment before you purchase the licenses.

Thank You!

Libin Varghese

Thank you Libin

jamsheduddin
Level 1

Thank you so much.

But in the demo version I can see that only the Sophos antivirus is enabled. Is there any separate procedure to find both antivirus engines (Sophos + McAfee) available on the ESAV C300v VM appliance? If I purchase a license, will I find both features?

regards..

Jamshed

The device may have come with demo licenses for Sophos alone; you can request demo licenses for McAfee as well from your accounts team.

Even when purchasing licenses you would need to mention which features are required based on your requirement.

- Libin V
