Sophos XG – Mail delivery blocked by antivirus pattern (Nov. 25, 2021)

Mail[German]Brief note to administrators who use Sophos XG as a firewall and security solution. On November 25, 2021, there was probably an update to the antivirus pattern that blocked at least one user from sending mail. The IT administrator in question pointed this out to me and I am posting it here on the blog for your information.

German blog reader Mario O. contacted me by mail this morning and informed me about their observation yesterday regarding a sudden disruption of mail sending (thanks for that). Sophos XG is in use there and Mario wrote:

Good morning Mr. Born,

we had an interesting problem with our Sophos XG yesterday. I'm sure other blog readers have been affected by it as well.

Yesterday evening I noticed that since 14:06 no more mails went out. They all got stuck in the Sophos spooler.

According to the log, the mails were accepted and waiting to be scanned for viruses. But it seems that this was not working anymore.

Then I saw in the logs that at 14:06 antivirus patterns were imported. These were probably defective.

Restarting the antivirus service did not help. The mails did not want to go out.

Sometime tonight the problem solved itself, can only have been due to new working antivirus patterns.

Our accumulated mails have all been delivered.

Our service provider confirmed that another customer was also affected.

Maybe it will help one or the other IT administrator or service provider, if users ask. I didn't find anything in the Sophos forum – there is only a 4 days old thread about printing problems, which probably annoying some admins.

Adendum: On Facebook Michael Z. (thanks for that) has sent me the following information.

Apparently this also concerned the Advanced Threat Protection, which reported a suspicious communication based on C2/Monera-A2 (Crypto Miner), after hours of searching, scanning and reading logs it turned out to be a false positive, the "suspicious traffic" also ended adhoc yesterday and [at] 9:35 am.

Sophos XG Firewall

For readers who don't know the product: Sophos has published a short description here.

XG Firewall provides detailed information about users at risk, unknown and unwanted applications, blended threats, suspicious payloads, encrypted traffic, and more.

Sophos XG Firewall provides technologies to protect your network from ransomware and blended threats: including an IPS, Advanced Threat Protection, Cloud Sandboxing with Deep Learning, dual antivirus, web and app control, email protection and a feature-rich web application firewall.

As a network security solution, Sophos XG Firewall can fully identify the source of an infection and automatically restrict access to other network resources in response. This is enabled by Sophos Security Heartbeat, which shares telemetry and status data between Sophos endpoints and the firewall.

Similar articles:
Let's Encrypt certificate trouble with Windows, Sophos UTM, macOS/iOS (2021/09/30)
Sophos fixes SQL injection vulnerability in Cyberoam OS
Sophos informs customers about data protection incident (Nov. 2020)
Chrome 84 & Sophos Authentication for Thin Clients (SATC)
Hacker attack on Sophos firewalls via 0-day exploit
Three vulnerabilities in Sophos/Cyberoam firewall technology
0-day vulnerability in Sophos XG Firewall under attack

This entry was posted in issue, Security, Software and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *