How to properly configure POP3 AV and malware inspection


L1 Bithead

Dear Live Community,


I was wondering how I have to configure pop3 traffic inspection in order to protect my network from malware and viruses in mails sent to me. My Linux server pulls various mail servers in the internet using fetchmail every couple of minutes. The connection is tcp/995 POP3S. The PAN is working in virtual wire mode between my main switch and the DSL router. I have wildfir


I've configured a decryption profile for the POP3 servers and from certification validation errors in fetchmail in the beginning I can see that the decryption is actually taking place 😉 (problem fixed in the meantime).


I've now added a rule in my security policy:

From trust (internal) zone to POP3 servers in the untrust (Internet) zone, addresses: all POP3 servers referenced via IP, application: pop3 and ssl, services: pop3 and pop3s (tcp/110, tcp/995), Policy: "allow", Activated inspection profiles: AV, Vuln protection, Anti-Spyware, URL Filtering, File Blocking, WildFire. Settings in the profiles: Mostly default or alert. From what I've read, the "ssl" application should not be necessary, as the application is just "pop3" when the session is decrypted but nevertheless...


So far I've not received a single alert for malware in one of the emails, but have received quite a couple of mails with malicious attachments (e.g. Locky ransomware). These attachments fortunately were filtered by my endpoint AV product.


What am I missing? Why isn't the PAN blocking these attachments?
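The post infers that decryption is happening from fetchmail's certificate errors. The following script is an added check, not part of the original thread: it connects to the POP3S server twice, once validating against the system CA store and once against the firewall's forward-trust CA, and reports which one the presented chain validates with (the hostname and the CA file path are placeholders to replace with your own).

```python
"""Check whether a POP3S (tcp/995) connection is being decrypted by a TLS
forward proxy. A forward proxy re-signs the server certificate with its own
forward-trust CA, so the client sees a different issuer than the real one."""
import socket
import ssl
from typing import Optional, Tuple


def issuer_cn(cert: dict) -> Optional[str]:
    """Extract the issuer commonName from an ssl.getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe(host: str, port: int, cafile: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Connect, validate the chain against cafile (None = system store) and
    return (validated, issuer CN). A chain that fails validation yields (False, None)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, issuer_cn(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return False, None


def verdict(system_ok: bool, fw_ok: bool) -> str:
    """Interpret the two probe results."""
    if system_ok:
        return "not decrypted: chain validates against the public CA store"
    if fw_ok:
        return "decrypted: chain validates only against the firewall forward-trust CA"
    return "unverifiable: neither store validates the chain, investigate before trusting"


def check_mailbox(host: str, port: int = 995,
                  fw_ca: str = "/etc/ssl/fw-forward-trust.pem") -> str:
    """Run both probes; fw_ca is a placeholder path for the exported forward-trust CA."""
    sys_ok, sys_issuer = probe(host, port, None)
    fw_ok, fw_issuer = probe(host, port, fw_ca)
    return f"{host}:{port} issuer={sys_issuer or fw_issuer} -> {verdict(sys_ok, fw_ok)}"


if __name__ == "__main__":
    print(check_mailbox("pop.example.net"))  # placeholder hostname
```

Run it from the same host as fetchmail so the probe crosses the firewall on the same path as the real mail fetch.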


L1 Bithead

And another question comes to my mind: How would the FW actually block the malicious content?

I've seen blog posts where the FW interferes with a SMTP transfer and sends an Error 541 to the sending MTA, so the mail is actually not transferred to the protected resources, but how will it be with POP3?

The malicious mail is already at my provider and when I retrieve the mails using POP3, what will be transferred if malicious content is identified in 1 out of 10 messages on the server? Nothing? 9 mails? All 10 mails? Will the blocked mail stay on the POP3 server and will be transferred on every sync again and again?
