How to enable Zombie and spyware protection on the Email security for outbound email traffic.
03/26/2020
Description
How to enable Zombie and spyware protection on the Email security for outbound email traffic.
Resolution
To enable Zombie/Spyware protection, "Email Anti-Virus Comprehensive" must be licensed on the Email security. For this configuration, all the outbound email traffic must be routed through the SonicWall Email security.
1. Log in to the Email security as an admin.
2. Go to Manage | Security Services | Anti-virus | Outbound | Zombie Protection Settings
Unauthorized software running on a user's computer sending out junk email messages (spam, phishing attacks, virus or other unauthorized content) is called a Zombie or Spyware. SonicWall's Zombie and Spyware Protection technology brings the same high standard of threat protection available on the inbound email path to email messages leaving your organization by the outbound path.
Enable Zombie and Spyware Protection to prevent potentially affected machines within your organization from sending spam, viruses, phishing attacks, spyware and other malicious content outside your organization (through your outbound email path).
Monitoring for Zombie and Spyware Activity
You can alert the administrator of potential zombie messages. Alerts are sent if these settings are defined:
- Check the box to enable notification if Email is sent from an address not in LDAP.
- Check the box to enable notification if More than <X> messages are identified as possible threats, where X is the number of possible threats identified in the last hour.
- Check the box to enable notification if More than <X> messages are sent by one user, where X is the number of messages sent in the last hour.
Action Settings
If messages are being sent outside of your organization that are identified as spam, phishing attacks, virus, or another threat, select the action you want to take:
- Allow delivery: Attempts to deliver the message without interference.
- Permanently delete: Deletes the message. Use this option with caution: deleted email cannot be retrieved.
- Store in Junk Box: Stores messages with potential threats in the outbound Junk Box.
If messages are being sent outside of your organization but the sender is not listed in your LDAP server, select the action you want to take:
- Allow any "From" address: Allows messages from all email addresses. If you haven't configured LDAP this is the only option you can use.
- Permanently delete: Deletes messages from unknown senders. Use this option with caution: deleted email cannot be retrieved.
- Store in Junk Box: Stores messages from unknown senders in the outbound Junk Box.
Enable the Outbound Safe Mode if you want to block all emails with potentially dangerous attachments from leaving your organization by checking the box for Safe Mode is on.
When Outbound Safe Mode is on, administrators are alerted every 60 minutes that it is on.
To set the action to take for dangerous attachments while in Safe Mode, select one of the following:
- Permanently delete
- Store in Junk Box
If you want to automatically turn on Outbound Safe Mode, set the parameters for turning it on:
- Check the box to enable notification if Email is sent from an address not in LDAP.
- Check the box to enable notification if More than <X> messages are identified as possible threats, where X is the number of possible threats identified in the last hour.
- Check the box to enable notification if More than <X> messages are sent by one user, where X is the number of messages sent in the last hour.
Miscellaneous
You can manually add senders to a list so that the system will not flag messages sent from those email addresses. You can add any email addresses that are not in LDAP and any valid email addresses that are expected to send a high volume of legitimate email. Enter the addresses that should not trigger alerts or actions in the text box provided. Separate multiple addresses with a comma.
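The three hourly conditions described above (sender not in LDAP, more than X possible threats, more than X messages from one user) and the exempt-sender list can be replayed over a sample of outbound mail records to see which values of X would alert. The following Python is an added example, not SonicWall code; the record format, function names, addresses and threshold values are constructed for illustration, and skipping exempt senders entirely is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # the thresholds are counted over the last hour

def _push(window, now):
    """Add a timestamp, drop entries older than one hour, return the count."""
    window.append(now)
    while now - window[0] >= WINDOW:
        window.popleft()
    return len(window)

def replay(records, ldap, exempt, max_threats, max_per_user):
    """Replay (iso_time, sender, is_threat) records and list the alerts raised.
    An alert fires when a count first exceeds its threshold and re-arms once
    the count is back at or below the threshold."""
    alerts, threats, per_user, active = [], deque(), defaultdict(deque), set()

    def check(key, count, limit, ts):
        if count > limit and key not in active:
            active.add(key)
            alerts.append((ts, *key))
        elif count <= limit:
            active.discard(key)

    for ts, sender, is_threat in sorted(records):
        now, sender = datetime.fromisoformat(ts), sender.lower()
        if sender in exempt:      # assumption: exempt senders are skipped entirely
            continue
        if sender not in ldap:    # "Email is sent from an address not in LDAP"
            alerts.append((ts, "not_in_ldap", sender))
        check(("user_volume", sender), _push(per_user[sender], now), max_per_user, ts)
        if is_threat:             # verdict supplied by the scanner (constructed flag)
            check(("threat_volume", "*"), _push(threats, now), max_threats, ts)
    return alerts

# Constructed sample: one account bursts, one sender is missing from LDAP.
LDAP = {"alice@example.com", "bob@example.com", "news@example.com"}
EXEMPT = {"news@example.com"}
SAMPLE = (
    [("2020-03-26T09:%02d:00" % m, "bob@example.com", m % 2 == 0) for m in range(6)]
    + [("2020-03-26T09:10:00", "news@example.com", False)] * 20
    + [("2020-03-26T09:20:00", "ghost@example.com", False),
       ("2020-03-26T11:00:00", "alice@example.com", False)]
)

if __name__ == "__main__":
    for alert in replay(SAMPLE, LDAP, EXEMPT, max_threats=2, max_per_user=4):
        print(alert)
```

Lowering or raising `max_threats` and `max_per_user` against a day of real outbound records shows how often each condition would fire, and which legitimate high-volume senders belong on the exempt list.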
NOTE: If the navigation or the screenshot looks different from the one mentioned above, you may be on an older firmware version and would require a firmware upgrade. Please refer to the link below to upgrade the firmware to the latest version.
https://www.sonicwall.com/en-us/support/knowledge-base/170504270079039