Is it possible that the firewall won't detect EICAR? (Malware scanner activated.)

Hi

Just set up my new Sophos XG Firewall at home, but when I test the malware scanner (downloading the EICAR file) it isn't detected. The malware scanner is active, and it is also "on" in the rule.

Any help is kindly appreciated!

Regards

  • I filed it as a bug during the beta but didn't get any feedback from the devs. Basically, if you define the services instead of ALL Services in your network policy, the proxy will bypass AV scanning. https://www.astaro.org/beta-versions/project-copernicus-public-beta/59288-bug-beta2-defining-services-policies-bypasses-web-proxy.html

  • In reply to Billybob:

    The Eicar test files are not being blocked for me as well. I have the services defined as "ANY" but it still does not block the download. I'm concerned that the AV scanning is not working at all. 

  • In reply to Chadwick24:

    Try manually putting YOUR XG Firewall LAN address and port 3128 in your browser's proxy settings and see if it works.
    Also, can you please post the rule that is failing?

  • In reply to Chadwick24:

    Interestingly, for me they are being blocked if I try and download via Chrome. However, using IE they are NOT blocked. This is without changing the proxy to go through the XG firewall.

    Not sure why Chrome would work and IE wouldn't, must be something in the way Sophos sees the traffic in the different browsers.

  • In reply to WayneBoyles:

    I can acknowledge this behavior.

  • I changed my policy rule from HTTP/S to Any and EICAR was detected. Make sure you set scan HTTP. Also make sure that scanning is in batch mode under Web Protection > Web Content Filter.

    Luk

  • In reply to Billybob:

    Sorry posted twice. Please see other message.

  • In reply to Billybob:

    I can't confirm that. My network rule restricts the services to web ports (80 and 443) and FTP ports (21, 990). Furthermore, I am using the firewall in transparent proxy mode. In my setup the XG firewall is able to detect the EICAR test file from eicar.org. See screenshots below.

  • In reply to WayneBoyles:

    >> Not sure why Chrome would work and IE wouldn't, must be something in the way Sophos sees the traffic in the different browsers.

    In my setup it also works with IE. See screenshot below.

  • In reply to dempie:

    dempie
    My network rule restricts the services to web ports (80 and 443) and ftp ports (21,990). Furthermore I am using the firewall in transparent proxy mode.

    The bug that I filed was originally for non transparent traffic. But as you can see something is not right with the transparent intercept of traffic also. In any case, this probably won't get fixed till someone calls support.

  • In reply to Billybob:

    Billybob

    The bug that I filed was originally for non transparent traffic. But as you can see something is not right with the transparent intercept of traffic also. In any case, this probably won't get fixed till someone calls support.

    Best Regards.

  • In reply to lferrara:

    The issue only occurs with IE and scan mode "Real-time"! It's definitely a bug.

    mod

  • In reply to dempie:

    Hi and thanks for the detailed response. I am not using XG at the moment so what I am writing is from memory only. Since my detailed report on astaro.org is also gone, I will try to recreate the scenario from memory. community.sophos.com/.../58158

    1. Client using XG as gateway in transparent mode --- worked in Chrome with services defined. I didn't try IE.

    2. Client using XG as gateway and using port 3128 in browser proxy config... Bypasses traffic unless ANY is used in services.

    3. Changing proxy port on XG to 8080 and using 8080 in browser also fails unless ANY is used for traffic.

    The traffic completely bypasses the proxy (no proxy logs) when I tried different services. I only tested with ONE rule. Masq Internal to external, services ftp, http, scan for malware, user not defined. The traffic is not logged but bypasses XG completely for some reason. I did not try with port 3128 in allowed services as to me that would indicate that I want internal clients to be able to use proxy (port 3128) offered by external websites.

    Regards

  • In reply to mod2402:

    So I gave it a try in real-time scan mode using transparent and non-transparent proxy mode. The result is the same: the XG firewall detected the EICAR virus in all configurations. The XG Log Viewer for malware has an entry for each access to the EICAR files.

    With both web browsers (Chrome, IE) I didn't get a block message within the browser. Chrome showed a "not available" page with ERR_CONTENT_LENGTH_MISMATCH; Internet Explorer came up with a file save message. But the file on my disk was a zero-byte file with no content.

    Surely you can discuss the way it is handled. I don't know if it can be handled differently with real-time scanning. But in my configuration the XG firewall detects malware in real-time and in batch mode.

    Best Regards.

  • I can confirm this issue. If I set scan mode to real-time, I get:

    FF - blank page
    Chrome - allows download but 0KB
    IE 11 - allows download but 0KB

    If I set scan mode to bulk, it works OK with or without ANY or any other custom web filter policy.
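As an added example (not posted by anyone in this thread), the following POSIX shell script repeats the test the posters ran by hand: it fetches the EICAR file once through the explicit proxy on port 3128 and once over the default route (the transparent path), then labels what came back as a block page, the zero-byte file seen with real-time scan mode, or the full 68-byte file that means the scanner was bypassed. The XG LAN address, the download URL (plain HTTP, so the HTTP scanning the thread talks about is what gets exercised) and the result labels are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): repeat the posters' EICAR download test from the
# command line, once via the explicit proxy on port 3128 and once via the default route
# (transparent path), and interpret the result. Placeholders: XG LAN address 192.168.1.1,
# and the eicar.org download path, which should be verified against eicar.org first.
EICAR_URL="${EICAR_URL:-http://www.eicar.org/download/eicar.com.txt}"
XG_PROXY="${XG_PROXY:-http://192.168.1.1:3128}"

# classify_result FILE HTTP_CODE -> scanned-blocked | scanned-stripped | bypassed | inconclusive
classify_result() {
  file="$1"; code="$2"
  size=$(wc -c < "$file" | tr -d ' ')
  if [ "$code" = "000" ]; then
    echo "inconclusive"        # curl never got an HTTP answer
  elif [ "$code" != "200" ]; then
    echo "scanned-blocked"     # e.g. 403 carrying the proxy's block page
  elif [ "$size" -eq 0 ]; then
    echo "scanned-stripped"    # 200 but empty body: the 0 KB file seen with real-time scan mode
  elif [ "$size" -eq 68 ] && grep -q 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE' "$file"; then
    echo "bypassed"            # the full 68-byte test file arrived: nothing scanned it
  elif grep -qiE 'virus|malware|blocked' "$file"; then
    echo "scanned-blocked"     # 200 whose body is a block page instead of the file
  else
    echo "inconclusive"
  fi
}

# fetch_eicar OUTFILE [PROXY] -> prints the HTTP status ("000" if no HTTP answer).
# Without PROXY the request goes out the default route, i.e. the transparent proxy path.
fetch_eicar() {
  out="$1"; proxy="${2:-}"; : > "$out"
  if [ -n "$proxy" ]; then
    curl -s -o "$out" -w '%{http_code}' --proxy "$proxy" "$EICAR_URL" || true
  else
    curl -s -o "$out" -w '%{http_code}' --noproxy '*' "$EICAR_URL" || true
  fi
}

run_eicar_test() {
  tmp=$(mktemp)
  for path in "" "$XG_PROXY"; do
    code=$(fetch_eicar "$tmp" "$path")
    printf '%-28s %s\n' "${path:-transparent}" "$(classify_result "$tmp" "$code")"
  done
  rm -f "$tmp"
}

# Touch the network only when asked: EICAR_RUN=1 sh eicar_check.sh
if [ "${EICAR_RUN:-}" = "1" ]; then run_eicar_test; fi
```

Run it once per scan mode (real-time, batch) and per browser-equivalent path; a "bypassed" result on either path is the condition the thread describes, while "scanned-stripped" matches the 0 KB downloads reported with real-time mode.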