Advisory: [RESOLVED] Sophos Central Email – Admin quarantine fails to complete loading for customers in UTC +0 timezone

Sophos Email customers with their system clocks set to the UTC +0 timezone may be unable to view the contents of the quarantine page via Central Admin.

Applies to the following Sophos product(s) and version(s)

Sophos Central Email

Attempting to load the quarantine page will be unsuccessful.

[Update] The root cause has been identified and will be addressed in the next Central release on Saturday 9th November.

Affected customers should see the positive impact of this on their accounts between the 9th and 12th of November.

In the short term, see the workaround options below.

This article will be updated once the issue is resolved.

There are 2 viable options to work around this problem:

  1. Users can access the contents of their quarantine via the User Portal.
  2. Alternatively, if admin quarantine access is required, temporarily changing the timezone on the client machine to UTC +1:00 and reloading the quarantine page will allow the content to load.

This article will be updated once we have confirmed the issue is resolved.


“The IP Address 185.153.222.46 was found to have a negative reputation.”

I need a solution

We have been receiving the “The IP Address 185.153.222.46 was found to have a negative reputation.” error for months and our mails cannot be delivered. We are a legit company and we are sure that we are not sending any spam or soliciting emails. When we request our IP to be cleared, it is cleared for a while but then gets onto the “bad reputation” list again in a short time. I searched the forum but could not find a solution to this matter. Could you please help us to resolve the issue and clear our IP permanently?

Thanks in advance!


How can I disallow TLS 1.1 for the session between the user’s device and the Proxy SG?

I need a solution

Hi;

My understanding is that the TLS version setting under Configuration > SSL > SSL Client is for the SSL session between the ProxySG and the server, so you can disallow TLS 1.1 between the ProxySG and the OCS “Server”.

My question is:

How can I disallow TLS 1.1 for the session between the user’s device and the Proxy SG?

Kindly

Wasfi


Why denied category “denied” is not marking in the access log

I need a solution

Hi Team,

I have blocked the categories “File Storage/Sharing” and “Email”. When the proxy hits the “Email” category it is showing a “DENIED” message in the logs. But when the proxy hits the “File Storage/Sharing” category, it is denying the access but not showing the DENIED message in the logs.

Why is it like that? Should it not show the same status in the access logs?

Thanks,

Mayur


Custom Plugin & Attribute having issues with LDAP Lookup.

I need a solution

Hi All,

I’ve successfully integrated our proxy via ICAP which is feeding our Web Prevent Server.

I noticed the username was showing up as “local://sAMaccountname@domain.com”.  I added a new plugin successfully which outputs Username=sAMaccountname after parsing the ‘sender-email’ argument.  I then created a custom Attribute in our Employee field called “Username”.  We did not have this value prior.  My custom script successfully populates the new “Username” field.

My plugin Chain is as follows:

  1. Custom ICAP Username Parse
  2. LDAP

The existing LDAP plugin is as follows:

attr.Employee = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):displayName
attr.Employee Email = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):mail
attr.Employee FirstName = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):givenName
attr.Employee LastName = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):sn
attr.Employee Title = :(|(mail=$sender-email$)(sAMAccountName=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):title
attr.Employee Dept = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):department
attr.Employee Division = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):division
attr.Cost Center = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):ou
attr.TempManager = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):manager
attr.Supervisor First Name = :(distinguishedname=$TempManager$):givenName
attr.Supervisor Last Name = :(distinguishedname=$TempManager$):sn
attr.Supervisor Email = :(distinguishedname=$TempManager$):mail

When I generate a new ICAP event, DLP successfully executes my custom plugin and fills in the attribute “Username” with what is parsed as the AD sAMAccountName.  All other fields are blank and from my understanding it's due to my LDAP plugin missing the new field to look up with.

1) I’ve tried to modify my LDAP lookup by adding (sAMAccountName=$Username$) but the lookup never works for Network Events and does not autopopulate or populate with a manual lookup.  I may be doing this incorrectly but I tried multiple ways.  I’m not sure if my order is maybe incorrect?  I need some guidance here.

2) After this change, Endpoint Incidents do not populate any custom attribute fields and when I click on “Lookup” an error message occurs with “Custom Attribute Lookup failed”.  I think this is due to my new custom attribute called “Username”.

I think I'm missing something easy here, but I'm not too sure; at this point I'm getting confused.  Maybe it is how I modified my LDAP plugin?

Any guidance at this point would be appreciated.
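Added here as an illustration of the lookup-plugin attribute syntax quoted in this post (example code, not Symantec DLP's own code nor the poster's): a small Python parser for `attr.<Name> = :<filter>:<ldap attribute>` lines that substitutes the `$var$` placeholders from an incident's attributes with RFC 4515 escaping and reports which placeholders resolved empty. The attribute lines, the `(sAMAccountName=$Username$)` branch and the incident record are constructed to mirror the post; no claim is made about why the real plugin's lookup fails.

```python
import re

# Constructed sample of the lookup-plugin attribute syntax quoted in the post:
#   attr.<Name> = :<LDAP filter with $var$ placeholders>:<attribute to return>
# The third branch is the (sAMAccountName=$Username$) clause the post tries to add.
ATTRIBUTE_MAP = """\
attr.Employee = :(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$Username$)):displayName
attr.Employee Email = :(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$Username$)):mail
attr.Supervisor Email = :(distinguishedname=$TempManager$):mail
"""
LINE_RE = re.compile(r"^attr\.(?P<name>[^=]+?)\s*=\s*:(?P<filter>.+):(?P<ldap_attr>[A-Za-z][\w-]*)$")
PLACEHOLDER_RE = re.compile(r"\$([\w-]+)\$")

def parse_attribute_map(text):
    """Return {attribute name: (filter template, LDAP attribute to fetch)}."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable plugin line: " + line)
        mapping[m.group("name").strip()] = (m.group("filter"), m.group("ldap_attr"))
    return mapping

def ldap_escape(value):
    """RFC 4515 escaping so an incident attribute cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render_filter(template, incident):
    """Substitute $var$ placeholders; return (filter, placeholders that resolved empty).
    An empty value leaves a branch such as (sAMAccountName=) that can never match,
    which is the first thing to check when a lookup silently returns nothing."""
    empty = []
    def substitute(m):
        name = m.group(1)
        value = incident.get(name, "")
        if value == "":
            empty.append(name)
        return ldap_escape(value)
    return PLACEHOLDER_RE.sub(substitute, template), empty

# Constructed ICAP-style incident: the parsed Username is set, endpoint-user-name is not.
SAMPLE_INCIDENT = {"sender-email": "local://jdoe@domain.com", "Username": "jdoe"}

if __name__ == "__main__":
    for name, (template, ldap_attr) in parse_attribute_map(ATTRIBUTE_MAP).items():
        rendered, empty = render_filter(template, SAMPLE_INCIDENT)
        print(name, "->", rendered, "fetch", ldap_attr, "empty:", empty)
```

Running it prints, for each attribute, the filter the plugin would send and which variables the incident did not carry, which is the quickest way to see whether a lookup can ever match before blaming the directory.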


Cisco Firepower Threat Defense Software File Policy Bypass Vulnerability

A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol inspection engine of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass the configured file policies on an affected system.

The vulnerability is due to errors when handling specific SSL/TLS messages. An attacker could exploit this vulnerability by sending crafted HTTP packets that would flow through an affected system. A successful exploit could allow the attacker to bypass the configured file policies and deliver a malicious payload to the protected network.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-ftd-bypass

Security Impact Rating: Medium

CVE: CVE-2019-1970


Cisco ASA and FTD Software Cryptographic TLS and SSL Driver Denial of Service Vulnerability

A vulnerability in the cryptographic driver for Cisco Adaptive Security Appliance Software (ASA) and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reboot unexpectedly.

The vulnerability is due to incomplete input validation of a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) ingress packet header. An attacker could exploit this vulnerability by sending a crafted TLS/SSL packet to an interface on the targeted device. An exploit could allow the attacker to cause the device to reload, which will result in a denial of service (DoS) condition.

Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed and transparent firewall mode and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic. A valid SSL or TLS session is required to exploit this vulnerability.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190710-asa-ftd-dos

Security Impact Rating: High

CVE: CVE-2019-1873
