AV scanning not blocking zipped malware when downloaded from cloud drives like Google Drive

Hello!


I just installed Sophos UTM for testing purposes. I enabled SSL Inspection and set the dual AV engine in the web filtering. When I test-download a test EICAR file, "eicarcom2.zip", it blocks the request perfectly. But when I uploaded eicarcom2.zip to Google Drive and also to my ownCloud drive and tried downloading from both, it didn't block the request. Below is the log:


Successfully blocked request:

2018:12:26-04:25:00 local httpproxy[14612]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="10.0.0.2" dstip="91.212.136.200" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2705" request="0xdcea1100" url="www.ikarussecurity.com/.../eicar_com.zip" referer="www.ikarussecurity.com/.../" error="" authtime="0" dnstime="0" aptptime="153" cattime="86" avscantime="1580107" fullreqtime="3103347" device="0" auth="0" ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" exceptions="" category="105" reputation="neutral" categoryname="Business" sandbox="-" content-type="application/zip" virus="EICAR-AV-Test" engine="SAVI"
Not blocked:

2018:12:26-04:26:14 local httpproxy[14612]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.2" dstip="35.XXX.XXX.237" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7268" request="0xe915100" url="oc.XXXXX.com/.../eicarcom2.zip" referer="" error="" authtime="0" dnstime="0" aptptime="103" cattime="155" avscantime="10623" fullreqtime="1527438" device="0" auth="0" ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" sandbox="-" content-type="text/html"


I've no idea what's going on; it should have been blocked, as it is the same file downloaded from the original source.


Regards,



  • Hi aaa kkk,

    Welcome to the community.

    That really is a bad heading!

    You need to first consider what you are trying to protect.

    The UTM works in conjunction with the endpoint security you have installed.

    The UTM will protect from most of the malware out there in the wild, but there are 2 or 3 modules that need to be enabled for maximum protection (from the web).

    Simply put ...

    1. IPS - this is inbound

    2. Web Protection (best to have HTTPS decrypt and scan) - this is also inbound

    3. ATP - this is outbound.


    But please note: if you download unrecognised malware, your endpoint security suite will spot it (later) and quarantine it when it is recognised as malware.

    I had this the other day (for a variant of the W97 macro virus): initially let through by the scanning, then spotted later when accessed again, but this was by the endpoint security suite.

    Really, this test is not valid, as you do not seem to have an endpoint security suite installed on your test system.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Argo,

    Thanks for your answer. I do understand that an endpoint needs to be installed, but that's not the case here. I have SSL MITM enabled and working.

    If it's detecting a test virus file directly through a normal SSL URL, then why not when it's downloaded from any cloud source?

    Regards,

    It may not spot it, as there are quite a few obvious differences in how each request was handled, and thus different policies are applied.

    Also, it may well be that, if I am understanding this correctly, you are trying to transfer from one cloud provider to another?

    These cloud providers may well transfer directly instead of involving the endpoint...

    and as such may not transfer across the UTM.


    Please see this:

    avscantime="1580107"

    avscantime="10623"


  • No, I downloaded that test EICAR file and uploaded it to Google Drive and ownCloud from a PC that is not behind the UTM. So, when I downloaded this file from Google Drive and ownCloud on a PC that is behind the UTM, it went through without any problems.

  • This is weird: while downloading a zip file from Google or ownCloud,

    content-type="text/html"

    It should have been "application/zip".

    That's weird.

  • Hello - I add my welcome to that of Argo!

    In your last post here, I think you gave us all the answer. Apparently, Google Drive uses its own coding that "tricks" anti-virus engines.

    So, it's as Argo said: the only way to block malware in a zip downloaded from Google Drive is after the file exists on your hard drive, and that would be with an endpoint antivirus.

    Cheers - Bob

    PS I changed the title of the thread to make it easier for others to find the information you've brought to the UTM Community.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yep, it's the same case with all cloud drives.

  • I just tried putting that file onto Google Drive, then behind a UTM I tried to download it. First Google Drive gave me a warning before the download started. When I actually did the download, the UTM caught it.


    2019:01:04-19:34:43 van-asg-34 httpproxy[16384]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="10.145.3.203" dstip="172.217.23.161" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2955" request="0x9c2cd100" url="https://doc-00-3c-docs.googleusercontent.com/docs/securesc/ftqp000p638gel3p6fmv1cjuqdrjmtlu/jkit2m4c6t3ufkvac8glf8ig0jjqm3dp/1546624800000/16340678029207328493/16340678029207328493/1oAlrMpVpxWyEH4jO5AzP7slglnVnKM6K?e=download&nonce=kf1174lau5u78&user=16340678029207328493&hash=5n4p8d5f3nl71u3dhblkf0mhvq4b7abi" referer="https://drive.google.com/drive/my-drive" error="" authtime="0" dnstime="0" aptptime="0" cattime="107" avscantime="79243" fullreqtime="516131" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" exceptions="" category="177" reputation="neutral" categoryname="Content Server" content-type="application/x-zip-compressed" sandbox="-" virus="EICAR-AV-Test" engine="SAVI"


    I suspect you have a problem in your configuration. Can you please reproduce with Google Drive (since I can test on that as well) and post full logs, configuration, etc.
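An added log check, not from the thread or from Sophos, that turns the observations above (the content-type="text/html" on the passed eicarcom2.zip request, and the very different avscantime values) into something you can run over a UTM httpproxy log. It assumes only the key="value" layout visible in the quoted lines; the two sample entries are constructed and anonymised copies of the thread's blocked and passed requests.

```python
import re
from typing import Dict, List

# One key="value" pair as emitted by the UTM httpproxy log lines quoted in the thread.
_KV = re.compile(r'(\S+?)="([^"]*)"')

# Constructed sample, modelled on the blocked and passed entries in the thread (hosts/IPs anonymised).
SAMPLE_LOG = """\
2018:12:26-04:25:00 local httpproxy[14612]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="10.0.0.2" dstip="192.0.2.10" statuscode="403" url="www.example.net/test/eicar_com.zip" avscantime="1580107" content-type="application/zip" virus="EICAR-AV-Test" engine="SAVI"
2018:12:26-04:26:14 local httpproxy[14612]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.2" dstip="192.0.2.20" statuscode="200" url="oc.example.net/files/eicarcom2.zip" avscantime="10623" content-type="text/html"
"""

ARCHIVE_EXT = (".zip", ".7z", ".rar", ".gz", ".tgz", ".tar")


def parse_line(line: str) -> Dict[str, str]:
    """Return the key="value" fields of one httpproxy line as a dict."""
    return {k: v for k, v in _KV.findall(line)}


def content_type_mismatch(entry: Dict[str, str]) -> bool:
    """True when the URL names an archive but the proxy saw an HTML body.

    This is the pattern in the thread: the passed eicarcom2.zip request has
    content-type="text/html", so the AV verdict applied to an HTML page (the
    cloud drive's download wrapper), not to the ZIP. The query string is
    stripped first because Google Drive URLs end in ?e=download&... rather
    than in the file name.
    """
    url = entry.get("url", "").split("?", 1)[0].lower()
    ctype = entry.get("content-type", "").lower()
    return url.endswith(ARCHIVE_EXT) and ctype.startswith("text/html")


def review(log_text: str) -> List[Dict[str, str]]:
    """Return passed-through requests whose scan verdict should not be trusted."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e.get("action") != "pass":
            continue  # blocked requests already did their job
        if content_type_mismatch(e):
            findings.append({
                "url": e["url"],
                "content_type": e["content-type"],
                "avscantime": e.get("avscantime", "?"),  # as logged; units not stated by UTM here
                "reason": "archive URL delivered as text/html; verdict covers the HTML, not the archive",
            })
    return findings
```

On the sample log the blocked request is skipped and the ownCloud request is reported, with its much smaller avscantime alongside the mismatched content-type.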