How to properly configure POP3 AV and malware inspection

L1 Bithead

Dear Live Community,

I was wondering how I have to configure POP3 traffic inspection in order to protect my network from malware and viruses in mails sent to me. My Linux server pulls various mail servers on the internet using fetchmail every couple of minutes. The connection is tcp/995 POP3S. The PAN is working in virtual wire mode between my main switch and the DSL router. I have wildfir

I've configured a decryption profile for the POP3 servers, and from the certificate validation errors in fetchmail in the beginning I can see that the decryption is actually taking place 😉 (problem fixed in the meantime).

I've now added a rule in my security policy:

From trust (internal) zone to POP3 servers in the untrust (Internet) zone; addresses: all POP3 servers referenced via IP; application: pop3 and ssl; services: pop3 and pop3s (tcp/110, tcp/995); policy: "allow"; activated inspection profiles: AV, Vuln protection, Anti-Spyware, URL Filtering, File Blocking, WildFire. Settings in the profiles: mostly default or alert. From what I've read, the "ssl" application should not be necessary, as the application is just "pop3" when the session is decrypted, but nevertheless...

So far I've not received a single alert for malware in one of the emails, but I have received quite a few mails with malicious attachments (e.g. Locky ransomware). Fortunately, these attachments were filtered by my endpoint AV product.

What am I missing? Why isn't the PAN blocking these attachments?
