Is anyone experiencing degraded Sophos performance in the last 48 hours?
We have a number of PDF infectors coming in (HEUR:Exploit.PDF.Generic) that Sophos chokes on and can't scan. The AV timeout gets exceeded, but the work queue grows to an enormous size and a backlog ensues.
We start blocking these infectors by subject, sender, etc., but then we start getting *long* periods of "Paused on services: antivirus" when checking: workqueue status. This, too, results in a 500+ message backlog.
The only thing we've seen that fixes this is disabling Sophos, running: delivernow, letting it clear, and then turning Sophos back on.
I would recommend getting examples of the live messages turned over to our Spam Operations group to review and get incorporated into the rule sets. Please submit them to firstname.lastname@example.org. Feel free to also open a direct support case, so that we can advise you of the direct findings of your submissions once they are available. Usually with infected PDFs, these are caught and added into the Threats listing, which builds the VOF rules as well.
How do I report Content Security Anti-Spam false positives or missed spam?
Here are two methods that you can use in order to submit a missed spam message or a message that is incorrectly marked as not-spam to Cisco for examination:
If you use any mail program other than Microsoft Outlook, follow that program's instructions in order to attach the email as an RFC 822 MIME-encoded attachment.
Note: All submitted messages must be in RFC 822 format. Other formats, such as S/MIME, are currently not compatible with the submission tool. Also, unless submitted through a plug-in (Microsoft Outlook, not Microsoft Outlook Express), forwarded messages must be attached as RFC 822-compliant attachments. Forwards of previously forwarded messages cannot be processed at this time.
You can send the messages to one of these destinations for examination:
Each message is reviewed by a team of human analysts and is used in order to enhance the accuracy and effectiveness of the product.
Once the submissions are received, the messages are passed through an automated classification system that uses the latest rule set. If the new rule set tags these messages as spam, they are classified as such. Because samples arrive and rules are generated with some delay, rules have usually already been published for many of the missed-spam messages between the time they were received by the email client and the time they were reported to Cisco.
Some messages belong to new spam trends, with new variants that are sufficiently different, or to new spam strains that the automated systems do not classify. Messages that cannot be classified automatically because of mitigating factors are held for human review. Cisco attempts to address these messages within two to three hours after they are ingested into the corpus.
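As an added example (not Cisco's code and not part of the original article), here is one way to prepare such a submission with Python's standard email library: the original message is parsed, rejected if it is S/MIME or already a forward (both of which the note above says cannot be processed), and then wrapped unmodified as a message/rfc822 attachment of a new cover message. The sample message bytes and the submitter and destination addresses are constructed placeholders, not the real submission destinations.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample standing in for a missed-spam message saved from a mailbox.
SAMPLE_RFC822 = (
    b"From: sender@example.com\r\n"
    b"To: user@example.org\r\n"
    b"Date: Mon, 01 Jan 2024 09:00:00 +0000\r\n"
    b"Subject: Your invoice is attached\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Please open the attached PDF.\r\n"
)
# Constructed S/MIME sample; the body is a placeholder, not real PKCS#7 data.
SMIME_SAMPLE = (
    b"From: sender@example.com\r\n"
    b"Date: Mon, 01 Jan 2024 09:00:00 +0000\r\n"
    b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data\r\n"
    b"\r\n"
    b"PLACEHOLDER-CIPHERTEXT\r\n"
)
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime", "multipart/signed"}

def check_submittable(raw: bytes) -> EmailMessage:
    """Parse raw bytes and reject what the submission tool cannot process."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg["From"] is None or msg["Date"] is None:
        raise ValueError("not an RFC 822 message: From and Date headers are required")
    if msg.get_content_type() in SMIME_TYPES:
        raise ValueError("S/MIME messages are not accepted; submit the plain RFC 822 original")
    # A message that already carries a message/rfc822 part is a forward of a forward.
    if any(p.get_content_type() == "message/rfc822" for p in msg.walk()):
        raise ValueError("already a forwarded message; submit the original instead")
    return msg

def is_submittable(raw: bytes) -> bool:
    try:
        check_submittable(raw)
        return True
    except ValueError:
        return False

def build_submission(raw: bytes, submitter: str, destination: str) -> EmailMessage:
    """Wrap the unmodified original as a message/rfc822 attachment of a cover message."""
    original = check_submittable(raw)
    cover = EmailMessage(policy=policy.default)
    cover["From"], cover["To"] = submitter, destination
    cover["Subject"] = "Anti-spam submission: missed spam"
    cover.set_content("Original message attached unmodified as message/rfc822.")
    cover.add_attachment(original)  # an EmailMessage payload becomes a message/rfc822 part
    return cover
```

Send the returned cover message with your usual SMTP client; `cover.as_bytes()` gives the wire form.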
Log in to the FXOS chassis manager.
Point your browser to https://hostname/ and log in with your username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...