INTERCEPT X DETECTIONS

(Browser-Specific): Threat Protection policies only detects malwares in Firefox when accessing the eicar website but failed to detect it using Chrome.

also, what is this behavior, it keeps detecting the malware, cleans it, but never kills the sophos_hips_test.exe ?



Edit tags
[edited by: GlennSen at 3:06 PM (GMT -7) on 3 Oct 2024]
  • The detection you have there is from on disk, the cache of the browser, web protection should stop that before it hits the disk and what that test should be testing.

    In the example, you are using HTTPS to download the Eicar test file from Sophostest.com.  To be able to do scanning of HTTPS you need to enable in the Threat Protection policy the following:

    Is that enabled? If not can you enable it and retry.

    https_decrypt_enabled will be set to 1 under: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[latest revision]\web_protection once the endpoint gets the policy to enable it.  I think you need to restart the browser as well.

    That said, without decryption, you should be able to visit:

    https://sophostest[.]com 

    To force the browser to use HTTP, that should generate the inline block page.

    This is also true for all the categorization tests on sophostest.com.  Given it's one domain, sophostest.com, with a bunch of classified URLs, when visited as HTTPS, without decryption, web protection/control can't see the full URL.  It can only see the domain. 

    ---

    As for the SophosHIPS test, that is an old tool that works with the old Sophos Anti-Virus component.  I don't believe there is a rule to detect the behaviour that does with the newer product.  I wouldn't worry about that.

  • In my case, I was just accessing the web page actually, I wasn't trying to download the eicar, the website contains the actual strings of the test file, the detection only happend when using firefox, but not on chrome. (I've tested that on basilisk browser and the agent has detect it).

    PS: The ssl/tls decryption feature was disabled, I'll try with it and update this comment.

    For the second part: fair enough, i'll look for some other explanations if they exists and for other test samples.

    Thanks 

  • sorry for the delay, response verified for both points.