Why is Email Security's AV not catching some of the message samples that my desktop AV catches?
03/26/2020
Description
Why is Email Security's AV not catching some of the message samples that my desktop AV is able to catch?
Resolution
This article is geared toward a specific scenario: an inbound message arrives without an attachment, and Email Security delivers it to the end user. The end user's desktop AV solution may then identify the message as a virus and quarantine it. Although the message does not contain any virus-related attachment, it does contain a URL string that the desktop AV identifies as virus related.

Assuming that the Email Security deployment is receiving all of its updates successfully and without delay, and that the message sample does not contain an attachment, the explanation is that Email Security is not designed to trace the URL links found in emails to their websites in order to analyze them for malicious content. What Email Security can do is provide spam protection based on the spam-related association of that URL, and take quarantine action on that event if configured to do so. Note that this does not prevent the end user from unjunking the message and following the URL to the infected website.

This is why implementing several layers of AV solutions goes further toward providing increased protection against malware. This type of protection is normally deployed at the firewall and in desktop AV solutions. SonicWall UTM solutions, for example, can be configured to detect malware being downloaded from an infected website and prevent the malware from reaching the end user's computer. Another tip for AV security is to diversify your AV providers, as this broadens your antivirus coverage and increases your AV security.
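The scenario above, a message with no attachment whose only suspicious content is a URL, can be recognized at triage time. The following is an added example, not SonicWall code or part of the original article: it uses Python's standard `email` package on a constructed sample message (the addresses, domains, and the `triage` and `HrefCollector` names are illustrative assumptions) to show that an attachment scanner has nothing to inspect, and to list the URLs that would need separate reputation or URL scanning.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample: no attachment, one link per body part (reserved example domains).
SAMPLE_EML = """\
From: sender@example.com
Subject: Invoice ready
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

View your invoice: http://files.example.net/invoice.zip
--b1
Content-Type: text/html

<a href="http://files.example.net/get?id=1">http://files.example.net/invoice.zip</a>
--b1--
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

class HrefCollector(HTMLParser):
    """Collects <a href> targets, which can differ from the visible link text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def triage(raw):
    """Return attachment names, body URLs and a url_only flag for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    urls = set()
    for part in msg.walk():
        if part.is_multipart() or part.is_attachment():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
        elif ctype == "text/html":
            collector = HrefCollector()
            collector.feed(part.get_content())
            urls.update(h for h in collector.hrefs if URL_RE.match(h))
    return {"attachments": attachments, "urls": sorted(urls),
            "url_only": not attachments and bool(urls)}
```

Calling `triage(SAMPLE_EML)` returns an empty attachment list, both URLs, and `url_only` set to `True`, which is the case this article describes.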
Some common configurations for safe computing behavior when it comes to URLs found in emails:
1) Do not click on links in the email body.
2) Do not open automatically downloaded .zip files.
3) Do not open the executable, screen saver, PDF, Word document, PowerPoint, etc. that is extracted from the .zip.
4) Both Steps 2 & 3 would be a good combined action to follow.
5) Scan all .zip file attachments with the local desktop AV before opening them.
NOTE: The information in the article applies to firmware versions 9.2.2 and older. URL scanning is available in firmware versions 10.0.0 and newer.