Problematic Sophos over the last 24 hours

Bryan Hance
Level 1

Is anyone experiencing degraded Sophos performance in the last 48 hours?

We have a number of PDF infectors coming in (HEUR:Exploit.PDF.Generic) that Sophos chokes on and can't scan. AV timeout gets exceeded, but the work queue grows to enormous size and backlog ensues.


We start blocking these infectors by subject, sender, etc., but then we start getting *long* periods of "Paused on services: antivirus" when checking: workqueue status. This, too, results in a 500+ message backlog.


The only thing we've seen to fix this is disabling Sophos, running: delivernow, letting it clear, and then turning Sophos back on.


This happening to anyone else or just me?

3 Replies

Robert Sherwin
Cisco Employee

Sophos updated IDEs in place?  Tried running 'avupdate force' on the CLI to assure?

Anything in the seen PDFs/senders that matches w/ hot outbreaks?

http://tools.cisco.com/security/center/threatOutbreak.x?i=77

-Robert

Yes, and yes.

Sophos Anti-Virus Engine | 17 Jun 2014 19:25 (GMT +00:00) | 3.2.07.351.0_5.01 | Not Available
Sophos IDE Rules | 18 Jun 2014 13:14 (GMT +00:00) | 2014061807 | Not Available


Threats in question:

https://www.virustotal.com/en/file/1ec8a4d209c1c46c8cda124e00357d302b00869e002a0b6c902e13f539f545bb/analysis/

Typically: from

($randomfirstname)($randomlastname)@baml.com
fraud@aexp.com

Subject: Important docs


And: Viral 'Troj/PdfJs-AFW' (sophos id'd)

Typically: from service@hsbc.co.uk

Subject: Unable to process your most recent Payment

aka https://www.virustotal.com/en/file/31edb5f3f59bee534715dad5aa81cf6aa26c9cc132a520c5a258dc622709222d/analysis/

... neither of which seems to be represented in the threat links in the link you posted (yet)

I would recommend getting examples of the live messages turned over to our Spam Operations group to review and get incorporated into the rule sets.  Please submit them to spam@access.ironport.com.  Feel free to also open a direct support case, so that we can advise the direct findings of your submissions to you, once they are available.  Usually with infected PDFs, these are caught and added into the Threats listing, which builds the VOF rules as well.

...

How do I report Content Security Anti-Spam false positives or missed spam?


Here are two methods that you can use in order to submit a missed spam message or a message that is incorrectly marked as not-spam to Cisco for examination:


  • Cisco recommends that you use the Microsoft Outlook plug-in or the Lotus plug-in, found on the Cisco IronPort Email Security Page.

  • If you use any mail program other than Microsoft Outlook, then follow the program instructions in order to attach the email as an RFC-822 MIME-encoded attachment.

Note: All of the submitted messages must be in the RFC 822 format. Any other formats, such as S/MIME, are currently not compatible with the submission tool. Also, unless submitted through a plug-in (Microsoft Outlook, not Microsoft Outlook Express), the messages that are forwarded must be RFC-822-compliant attachments. Forwards of previously-forwarded messages cannot be processed at this time.


You can send the messages to one of these destinations for examination:


Each message is reviewed by a team of human analysts and is used in order to enhance the accuracy and effectiveness of the product.


Once the submissions are received, the messages are passed through an automated classification system that makes use of the latest rule-set. If these messages are tagged by the new rule-set as spam, they are classified as such. However, due to a delay in the reception of samples and rule generation, there are usually rules published for many of the missed-spam messages between the time that they are received by the email client and the time that they are reported to Cisco.


Some messages are a part of the new spam trends, with new variants that are sufficiently different, or the new spam strains that are not classified by automated systems. Any messages that are held for classification due to mitigation factors are held for human review. Cisco attempts to address the messages within two to three hours after they are ingested into the corpus.


...

-Robert
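As an added example (not Cisco's plug-in or submission tooling, and not code from anyone in this thread), the following Python builds a submission that carries the original message as a `message/rfc822` attachment, as the quoted note requires, and then checks a candidate submission for the two shapes the note says cannot be processed: a forward of a previously forwarded message (one `message/rfc822` nested inside another) and S/MIME content. The submission address, the sender and both sample messages are constructed placeholders, not the real submission address from the reply above.

```python
"""Build and sanity-check an RFC 822 missed-spam submission.

Added example, not Cisco's plug-in or submission tooling.  Addresses and
sample messages below are constructed placeholders.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample: a plain message as a mail client would save it (.eml).
SAMPLE_RAW = b"""\
From: sender@example.test
To: user@example.test
Subject: Important docs
Date: Wed, 18 Jun 2014 13:00:00 +0000
Message-ID: <constructed-sample-1@example.test>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Please see the attached document.
"""

# Constructed sample: an S/MIME enveloped message (the body is placeholder
# base64, not a real CMS blob); the note says this format is not accepted.
SMIME_RAW = b"""\
From: sender@example.test
To: user@example.test
Subject: Encrypted notice
Message-ID: <constructed-sample-2@example.test>
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def build_submission(raw_message: bytes, submit_to: str, sender: str) -> EmailMessage:
    """Wrap raw RFC 822 bytes in a new message as a message/rfc822 attachment.

    The original is attached as a parsed message object, so the generator
    emits a real message/rfc822 part instead of pasting its text into the body.
    """
    original = BytesParser(policy=policy.default).parsebytes(raw_message)
    submission = EmailMessage(policy=policy.default)
    submission["From"] = sender
    submission["To"] = submit_to
    submission["Subject"] = "Missed spam submission"
    submission.set_content("Original message attached as message/rfc822.")
    submission.add_attachment(original)  # Message object -> message/rfc822 part
    return submission


def rfc822_depth(part) -> int:
    """Deepest chain of message/rfc822 parts at or below `part` (1 = one attached message)."""
    depth = 1 if part.get_content_type() == "message/rfc822" else 0
    if part.is_multipart():
        depth += max((rfc822_depth(p) for p in part.get_payload()), default=0)
    return depth


def check_submission(msg) -> dict:
    """Report whether `msg` has the shape the submission tool accepts."""
    attached = [p for p in msg.walk() if p.get_content_type() == "message/rfc822"]
    inner_types = [p.get_payload()[0].get_content_type() for p in attached]
    depth = rfc822_depth(msg)
    findings = {
        "attached_messages": len(attached),
        "nesting_depth": depth,
        "nested_forward": depth > 1,  # a forward of a previously forwarded message
        "smime": any(t in SMIME_TYPES for t in inner_types),
    }
    findings["ok"] = len(attached) == 1 and depth == 1 and not findings["smime"]
    return findings


if __name__ == "__main__":
    good = build_submission(SAMPLE_RAW, "submit@example.test", "admin@example.test")
    print(check_submission(good))
    # Re-forwarding a submission nests one message/rfc822 inside another.
    twice = build_submission(good.as_bytes(), "submit@example.test", "admin@example.test")
    print(check_submission(twice))
    print(check_submission(build_submission(SMIME_RAW, "submit@example.test", "admin@example.test")))
```

`build_submission(...).as_bytes()` is what you would hand to your MTA; `check_submission` is the pre-flight a helpdesk script can run on whatever users forward in, so that double forwards and S/MIME envelopes are bounced back to the user instead of being silently dropped by the submission process.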
