This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Files uploaded from Web not being scanned

We have a website on  Windows Server 2008 R2 using IIS 7 where our customers can upload files. We have just recently been Pen Tested and our testing company was able to upload and place a test virus signature text file on a folder on our server. We have real-time scanning switched on and for test purposes I have configured this for ALL FILES, however the file is not being detected when it is placed in the folder from the Web or from the LAN. Running a manual full scan does detect the file and says the file has been quarantined, however the infected file remains in the folder it was placed in and is fully accessible.

I would really welcome any suggestions from the forum on how to set this up correctly. The server is managed through the Sophos management console.



This thread was automatically locked due to age.
Parents
  • Hello ShaunClarke,

    first of all, quarantined is perhaps not the best term. What happens in response to a detection is this: Depending on the Cleanup settings (automatic cleanup, delete or move as alternate actions) and whether a cleanup routine is associated with the threat remediation is attempted and if it succeeds that's it. Otherwise (for Deny access only, or in case cleanup is unavailable or fails) the threat is moved to quarantine but this just means that the event is recorded and an entry is added to the list of threats requiring attention and action. Any access attempt (except delete) should get blocked though. The cleanup options for a Full System Scan are Log only therefore the detected items are quarantined but not cleaned.

    fully accessible
    Indeed? You can open it e.g. with an editor?

    real-time scanning switched on
    read, rename and write; no exclusions defined? - Excuse the seemingly dumb question. If you try to open the file locally - what happens? And if you can access it, can you copy it somewhere else, your Desktop for example?

    Christian

  • Hi Christian

    The file can indeed be opened and read without Sophos detecting it as a virus. However a 'right click' on the file and scan with Sophos detects the file as a virus.

    Read/Rename & write are switched on. I did define file types for scanning but for the purposes of this test I configured Sophos to scan ALL FILES.

    I have got around the issue now where Sophos was not removing the detected file, however the most pressing issue is Sophos does not detect at the instance it is placed on to the server, regardless of whether it is accessed or not.

    The file can be moved around, copy + pasted without Sophos detecting it.

    Thanks
    Shaun
  • Hello Shaun,

    detects the file as a virus
    could you give the name of the detection? As you say virus, the message contained Virus/Spyware, right?

    can be moved around, copy + pasted
    this sounds like On-Access not scanning at all. I'd suggest you use the little vintage savtst32.exe utility. You'll find it in the SEC installer directory (...\SEC_vrr\tools\). Simple as it is it would take you some time to make reasonable use of it so I'll give you a crash course

    Run savtst32.exe as administrator - you'll get a tiny Window with File, Drive and Help menu items and a read-only pane saying SavTest: Select action

    Help  - just offers About, forget it :)
    Drive - offers Select which in turn opens an Explorer window where you can choose drive, folder, name and extension for the EICAR test file
    File    - this is where the fun starts. 
    On-Access Test  is what you want. The pane flickers what it's doing, On-Access scan should immediately detect the file, the Sophos icon pop up its balloon and finally SavTest32 inform you with a pop-up that scanning is functioning correctly. By configuring different folders with Drive you can verify that On-Access is working as it should (i.e. a detection is triggered). BTW - you can also verify that certain extension are scanned and that True File Type detection works as advertised by, for example, saving (note: it is only saved when you choose a Test from File) it as some.pdf.
    If you want to use the On-Demand Test you'd have to disable On-Access or set an appropriate exclusion.
    Cleanup should remove a leftover test file but it works as one would expect only if On-Access doesn't scan the file and intercept the access (savtst32 doesn't do a straight delete)
    Exit  - is obvious

    HTH and gives some insight

    Christian 

Reply
  • Hello Shaun,

    detects the file as a virus
    could you give the name of the detection? As you say virus, the message contained Virus/Spyware, right?

    can be moved around, copy + pasted
    this sounds like On-Access not scanning at all. I'd suggest you use the little vintage savtst32.exe utility. You'll find it in the SEC installer directory (...\SEC_vrr\tools\). Simple as it is it would take you some time to make reasonable use of it so I'll give you a crash course

    Run savtst32.exe as administrator - you'll get a tiny Window with File, Drive and Help menu items and a read-only pane saying SavTest: Select action

    Help  - just offers About, forget it :)
    Drive - offers Select which in turn opens an Explorer window where you can choose drive, folder, name and extension for the EICAR test file
    File    - this is where the fun starts. 
    On-Access Test  is what you want. The pane flickers what it's doing, On-Access scan should immediately detect the file, the Sophos icon pop up its balloon and finally SavTest32 inform you with a pop-up that scanning is functioning correctly. By configuring different folders with Drive you can verify that On-Access is working as it should (i.e. a detection is triggered). BTW - you can also verify that certain extension are scanned and that True File Type detection works as advertised by, for example, saving (note: it is only saved when you choose a Test from File) it as some.pdf.
    If you want to use the On-Demand Test you'd have to disable On-Access or set an appropriate exclusion.
    Cleanup should remove a leftover test file but it works as one would expect only if On-Access doesn't scan the file and intercept the access (savtst32 doesn't do a straight delete)
    Exit  - is obvious

    HTH and gives some insight

    Christian 

Children
No Data