
Files uploaded from Web not being scanned

We have a website on  Windows Server 2008 R2 using IIS 7 where our customers can upload files. We have just recently been Pen Tested and our testing company was able to upload and place a test virus signature text file on a folder on our server. We have real-time scanning switched on and for test purposes I have configured this for ALL FILES, however the file is not being detected when it is placed in the folder from the Web or from the LAN. Running a manual full scan does detect the file and says the file has been quarantined, however the infected file remains in the folder it was placed in and is fully accessible.

I would really welcome any suggestions from the forum on how to set this up correctly. The server is managed through the Sophos management console.



This thread was automatically locked due to age.
  • Hello ShaunClarke,

    first of all, quarantined is perhaps not the best term. What happens in response to a detection is this: depending on the Cleanup settings (automatic cleanup, delete or move as alternate actions) and whether a cleanup routine is associated with the threat, remediation is attempted, and if it succeeds that's it. Otherwise (for Deny access only, or in case cleanup is unavailable or fails) the threat is moved to quarantine, but this just means that the event is recorded and an entry is added to the list of threats requiring attention and action. Any access attempt (except delete) should get blocked though. The cleanup options for a Full System Scan are Log only, therefore the detected items are quarantined but not cleaned.

    fully accessible
    Indeed? You can open it e.g. with an editor?

    real-time scanning switched on
    read, rename and write; no exclusions defined? - Excuse the seemingly dumb question. If you try to open the file locally - what happens? And if you can access it, can you copy it somewhere else, your Desktop for example?

    Christian

  • Hi Christian

    The file can indeed be opened and read without Sophos detecting it as a virus. However a 'right click' on the file and scan with Sophos detects the file as a virus.

    Read/Rename & write are switched on. I did define file types for scanning but for the purposes of this test I configured Sophos to scan ALL FILES.

    I have got around the issue now where Sophos was not removing the detected file, however the most pressing issue is Sophos does not detect at the instance it is placed on to the server, regardless of whether it is accessed or not.

    The file can be moved around, copy + pasted without Sophos detecting it.

    Thanks
    Shaun
  • Hello Shaun,

    detects the file as a virus
    could you give the name of the detection? As you say virus, the message contained Virus/Spyware, right?

    can be moved around, copy + pasted
    this sounds like On-Access not scanning at all. I'd suggest you use the little vintage savtst32.exe utility. You'll find it in the SEC installer directory (...\SEC_vrr\tools\). Simple as it is it would take you some time to make reasonable use of it so I'll give you a crash course

    Run savtst32.exe as administrator - you'll get a tiny Window with File, Drive and Help menu items and a read-only pane saying SavTest: Select action

    Help  - just offers About, forget it :)
    Drive - offers Select which in turn opens an Explorer window where you can choose drive, folder, name and extension for the EICAR test file
    File    - this is where the fun starts. 
    On-Access Test  is what you want. The pane flickers what it's doing, On-Access scan should immediately detect the file, the Sophos icon pops up its balloon and finally SavTest32 informs you with a pop-up that scanning is functioning correctly. By configuring different folders with Drive you can verify that On-Access is working as it should (i.e. a detection is triggered). BTW - you can also verify that certain extensions are scanned and that True File Type detection works as advertised by, for example, saving (note: it is only saved when you choose a Test from File) it as some.pdf.
    If you want to use the On-Demand Test you'd have to disable On-Access or set an appropriate exclusion.
    Cleanup should remove a leftover test file but it works as one would expect only if On-Access doesn't scan the file and intercept the access (savtst32 doesn't do a straight delete)
    Exit  - is obvious

    HTH and gives some insight

    Christian 

  • Were you able to figure this out? We are having a very similar issue with a Windows Server 2012 R2.

    I cannot find the test utility that was mentioned in the responses, guessing it has been deprecated.

    Any help would be appreciated.

    Thanks,

  • Hello Gautham Melanta,

    as said it should be in the SEC install directory, default C:\sec_551\tools\.

    Christian

  • Hi Christian,

    Is the SEC a separate install? I do not have an SEC folder anywhere..

    Thanks,

  • Hello Gautham Melanta,

    I was (perhaps incorrectly) assuming you are using the on-premise, SEC (Sophos Enterprise Console)-managed SESC.
    Basically savtst32.exe is a simple but convenient tool to write the EICAR test file to an arbitrary location with an arbitrary name.

    Christian

  • Hi Christian,

    No we do not have the on-premise SEC. We have endpoint protection with cloud-based management control.

    Is there another tool we can use?

    Thanks,

    Gautham.

  • Hello Gautham,

    not that I know of.
    Can't say why savtst32.exe isn't available except with SEC, maybe Support would provide it. It's still mentioned in one article although its alleged "main" article just refers to EICAR. 

    Christian
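
For readers in Gautham's position (no SEC install, so no savtst32.exe), and as a scriptable stand-in for the "On-Access Test" Christian walks through above, here is an added PowerShell example that does what that utility does: it writes the public EICAR test string to a folder and file name of your choice, waits, and then reports whether the on-access scanner intercepted the file. This is not Sophos code and not part of the original thread. The target directory `C:\inetpub\uploads`, the file name `eicar-test.pdf` and the wait time are assumptions; point them at the folder your web application writes uploads to.

```powershell
# Added example (not from the thread, not a Sophos tool): a stand-in for
# savtst32.exe's "On-Access Test". Drops the EICAR test string into an
# arbitrary folder under an arbitrary name and checks what the on-access
# scanner did with it. Run as an administrator on the server being tested.

param(
    [string]$TargetDir   = 'C:\inetpub\uploads',  # assumed upload folder; adjust
    [string]$FileName    = 'eicar-test.pdf',      # any name/extension: exercises True File Type detection
    [int]   $WaitSeconds = 10                     # time to give the scanner before checking
)

# Assemble the EICAR string from two pieces so that this script file is not
# itself flagged when saved to disk. The result is the standard 68-byte test
# signature published by EICAR.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' +
         'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

$path = Join-Path $TargetDir $FileName

# Write raw ASCII bytes with no BOM and no trailing newline, as EICAR requires.
$bytes = [System.Text.Encoding]::ASCII.GetBytes($eicar)
[System.IO.File]::WriteAllBytes($path, $bytes)
Write-Host "Wrote $($bytes.Length)-byte EICAR test file to $path"

Start-Sleep -Seconds $WaitSeconds

# A working on-access scanner either removed/altered the file on write,
# or now blocks reads of it. Distinguish those outcomes from "nothing happened".
if (-not (Test-Path -LiteralPath $path)) {
    Write-Host 'PASS: file removed (cleanup or delete acted on the write).'
    exit 0
}

try {
    $readBack = [System.IO.File]::ReadAllBytes($path)
    if ([System.Text.Encoding]::ASCII.GetString($readBack) -eq $eicar) {
        Write-Warning "FAIL: $path is still present and readable; on-access scanning is not intercepting this folder."
        # Clean up manually so the test file does not linger in the upload folder.
        Remove-Item -LiteralPath $path -Force
        exit 2
    }
    Write-Host 'PASS: file content was altered by cleanup.'
    exit 0
}
catch {
    Write-Host "PASS: read blocked by the scanner: $($_.Exception.Message)"
    exit 0
}
```

To reproduce the two cases Shaun describes, run it once locally on the server and once against the same folder via a UNC share from a LAN machine; repeat with a few different extensions (`.txt`, `.pdf`, `.jpg`) to check that "ALL FILES" or True File Type detection really applies to the upload folder and that no exclusion covers it. If the right-click scan detects the file but this script reports FAIL, on-access scanning is not covering that path.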