Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 40 subscribers
  • Views 8750 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AV Scanning

HaydenKirk

 Hi All.

 

I am trying the Fortinet test (http://metal.fortiguard.com/tests/), and one test the Sophos is failing on is the zip file in zip file in zip file in zip file.

I assume the AV is giving up when the depth is too great. Are there settings for this?

 

Thanks



This thread was automatically locked due to age.
  • 0

    Changing the scanning engine to dual seems to have fixed this. Can someone shed some light on this?

  • 0 in reply to HaydenKirk

    HaydenKirk, which AV are u using as primary AV engine?

    Thanks

  • 0 in reply to lferrara

    How can I tell? I run dual, it doesn't state.

  • 0
    When using Single Scan with the engine set to Sophos:
     
    On the XG Sophos AV is internally configured to scan 5 layers deep in a zip file. So any virus that has been zipped up 5 times will be caught.
     
    However what happens when Sophos AV detects that there are 6 layers of zip is dependent on a setting.
    Web \ General Settings \ Action on Malware Scan Failure.
    If set to Block - all zip files with 6 layers of zip are blocked.
    If set to Allow - all zip files with 6 layers of zip are allowed (with no AV scanning past 5 layers).
     
    This test is designed to claim that blocking unscannable files are a failure, which isn't quite true.
     
    The other AV scan engine we have, Avira, will scan at least 10 layers deep.  So if you are using Single Scan Engine Avira, or Dual Scan Engine, it will pass all the layered tests.
     
     
    Similarly with the password/encrypted zip:
    If set to Block - all encrypted zip files are blocked.
    If set to Allow - all encrypted zip files are allowed (with no AV scanning).
     
    This test is designed to fail all the time.  All products will either block encrypted zip (including clean ones) or not block encrypted zip (including malware ones).
  • 0 in reply to Michael Dunn

    Thanks for the detailed reply.

Unfiltered HTML