Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1196
Views
0
Helpful
3
Replies

Reporting False Positive Virus catches

Greg.Howley
Level 1
Level 1

‎09-28-2016 12:40 PM

Our Ironport uses Sophos. Recently Sophos classified something as Unscannable and quarantined it (as per policy).  VIP user is upset that his mail is getting blocked.   I am not going to turn off AV for this rare occurrence.

I know how to report false positives for SPAM & HAM, but how do i report this?

We do not have a direct relationship with Sophos.  Submitting on their site asks for the OS used, but there is no option that I can see for AsyncOS.

Any advice?

Thanks

Labels:
0 Helpful
3 Replies 3

dmccabej
Cisco Employee
Cisco Employee

‎09-28-2016 01:10 PM

Hello,

Cisco handles the communication with Sophos for any false-negative/false-positive submissions. If you do truly need to submit a file for false-negative/false-positive analysis, please go ahead and open up a TAC case and we'll be sure to take care of it for you.

However, it sounds like you may just need to adjust your mail policy since it's actually reading as 'Unscannable' and not Virus Positive. You can perform this via Mail Policies --> Incoming/Outgoing Mail Policies --> Anti-Virus --> Unscannable Messages.

Thanks!

-Dennis M.

0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee

‎09-28-2016 01:11 PM

Hi Greg,

Attachments that are marked as unscannable by sophos are accompanied by an error code.

  • 0x8004020F - The message was of an unknown format, and was therefore unscannable.
  • 0x8004021A - The message is in a format that cannot be scanned.
  • 0x8007000E - The message was most likely too large or contained too many nested items, and the scanner ran out of memory before completing the scan. This most likely occurred when the appliance was under heavy load.
  • 0x80040210 - The scanner could not open the message, and the message was therefore unscannable.

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117849-qanda-esa-00.html

The above article provides reasons for some of the error codes, it usually is due to the type or composition of the attachment itself.

To get a detailed analysis you would need to open a TAC case with a copy of the attachment in question.

Thanks

Libin

0 Helpful

exMSW4319
Level 3
Level 3

‎09-29-2016 01:44 AM

The same VIP would no doubt want your hide if you or your ESA let an item of encrypting ransomware in. Other options for dealing with this type of mail might be:

  • have a separate mail policy for domains you can really trust, and handle Unscannables from them differently; this can also be a necessity for Encrypted mail, though doing this by mail policy is obviously something of a calculated risk
  • if you can identify crucial domains but don't want to risk admissions of Unscannables from them, have a mail policy generate a forward notice to the recipient, your internal service desk or yourself
  • copy Unscannables to a quarantine and then strip and deliver the original
  • send a notification back to the sender so at least they know the mail couldn't be admitted; again, care is needed with this option to avoid generating excessive backscatter 
  • look at your ESA performance over a working week then VERY gingerly modify the Virus Scanning Timeout
0 Helpful
Customers Also Viewed These Support Documents