06-18-2014 08:44 AM
Is anyone experiencing degraded Sophos performance in the last 48 hours?
We have a number of PDF infectors coming in (HEUR:Exploit.PDF.Generic) that Sophos chokes on and can't scan. AV timeout gets exceeded, but the work queue grows to enormous size and backlog ensues.
We start blocking these infectors by subject, sender, etc. - but then we start getting *long* periods of "Paused on services: antivirus" when checking: workqueue status. This, too, results in a 500+ message backlog.
The only thing we've seen to fix this is disabling Sophos, running: delivernow, letting it clear, and then turning Sophos back on.
This happening to anyone else or just me?
06-18-2014 09:22 AM
Sophos updated IDEs in place? Tried running 'avupdate force' on the CLI to assure?
Anything in the seen PDFs/senders that matches w/ hot outbreaks?
http://tools.cisco.com/security/center/threatOutbreak.x?i=77
-Robert
06-18-2014 10:13 AM
Yes, and yes.
Sophos Anti-Virus Engine | 17 Jun 2014 19:25 (GMT +00:00) | 3.2.07.351.0_5.01 | Not Available |
Sophos IDE Rules | 18 Jun 2014 13:14 (GMT +00:00) | 2014061807 | Not Available |
Threats in question:
Typically: from
($randomfirstname)($randomlastname)@baml.com
fraud@aexp.com
Subject: Important docs
And: Viral 'Troj/PdfJs-AFW' (sophos id'd)
Typically: from service@hsbc.co.uk
Subject: Unable to process your most recent Payment
aka https://www.virustotal.com/en/file/31edb5f3f59bee534715dad5aa81cf6aa26c9cc132a520c5a258dc622709222d/analysis/
... neither of which seems to be represented in the threat links in the link you posted (yet)
06-19-2014 04:53 AM
I would recommend getting examples of the live messages turned over to our Spam Operations group to review and get incorporated into the rule sets. Please submit them to spam@access.ironport.com. Feel free to also open a direct support case, so that we can advise you of the direct findings of your submissions once they are available. Usually with infected PDFs, these are caught and added into the Threats listing, which builds the VOF rules as well.
...
Here are two methods that you can use in order to submit a missed spam message or a message that is incorrectly marked as not-spam to Cisco for examination:
Note: All of the submitted messages must be in the RFC 822 format. Any other formats, such as S/MIME, are currently not compatible with the submission tool. Also, unless submitted through a plug-in (Microsoft Outlook, not Microsoft Outlook Express), the messages that are forwarded must be RFC-822-compliant attachments. Forwards of previously-forwarded messages cannot be processed at this time.
You can send the messages to one of these destinations for examination:
Each message is reviewed by a team of human analysts and is used in order to enhance the accuracy and effectiveness of the product.
Once the submissions are received, the messages are passed through an automated classification system that makes use of the latest rule-set. If these messages are tagged by the new rule-set as spam, they are classified as such. However, due to a delay in the reception of samples and rule generation, there are usually rules published for many of the missed-spam messages between the time that they are received by the email client and the time that they are reported to Cisco.
Some messages are a part of the new spam trends, with new variants that are sufficiently different, or the new spam strains that are not classified by automated systems. Any messages that are held for classification due to mitigation factors are held for human review. Cisco attempts to address the messages within two to three hours after they are ingested into the corpus.
...
-Robert