
Why can I download EICAR when DPI is on?

I want to change virus protection to SSL/DPI on Sophos v18.

I set an SSL rule. When I go to the original EICAR website I can't download any EICAR test file.

On this website

https://ipinfo.info/html/testvirus.php

I'm able to download eicar (zip) and eicar (double zip) when SSL/DPI is on. When I change to web proxy, the download is blocked.

Is that a bug in v18?

Dirk

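As an added example (not code from this thread, from Dirk, or from Sophos), the Python script below builds the two test artefacts named in the question, EICAR inside one zip layer and inside two, entirely in memory and runs them through a small scanner whose archive-nesting limit and fail-open/fail-closed behaviour are configurable. It shows one general reason a "double zip" can pass where a plain zip is caught: a scanner that stops recursing at a nesting limit and treats whatever it could not open as clean. The nesting limit, the member-size cap and the verdict names are assumptions for illustration, not Sophos settings, and the example makes no claim about why the XG behaved as it did.

```python
"""Added example, not from the Sophos thread or Sophos code: why an EICAR file
inside a zip-inside-a-zip can pass a content scanner that stops recursing at a
nesting limit and fails open. Everything is built in memory; nothing is
downloaded."""
import io
import zipfile

# The standard EICAR test string: harmless by design, detected by every AV engine.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed policy value for illustration only (not a Sophos setting):
# refuse to expand archive members beyond this size (zip-bomb guard).
MAX_MEMBER_BYTES = 10 * 1024 * 1024


def build_nested_zip(payload: bytes, depth: int) -> bytes:
    """Wrap payload in `depth` zip layers; depth=0 returns the raw payload.
    Constructed test input mirroring 'eicar (zip)' (depth=1) and
    'eicar (double zip)' (depth=2) from the question."""
    data = payload
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            member = "eicar.com" if level == 0 else f"eicar_l{level}.zip"
            zf.writestr(member, data)
        data = buf.getvalue()
    return data


def scan(data: bytes, max_archive_depth: int, fail_closed: bool = True,
         _depth: int = 0) -> str:
    """Return 'detected', 'clean' or 'unscannable'.

    max_archive_depth is how many zip layers the scanner will open.
    fail_closed=False models a naive engine that reports anything it could
    not open as clean, which is how a double-zipped EICAR slips past a
    scanner whose nesting limit is 1 while the single zip is still caught.
    """
    if zipfile.is_zipfile(io.BytesIO(data)):
        if _depth >= max_archive_depth:
            return "unscannable" if fail_closed else "clean"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_BYTES:
                    return "unscannable" if fail_closed else "clean"
                verdict = scan(zf.read(info), max_archive_depth,
                               fail_closed, _depth + 1)
                if verdict != "clean":
                    return verdict
        return "clean"
    # Not an archive: look for the signature in the plain bytes.
    return "detected" if EICAR in data else "clean"


def verdict_table(max_archive_depth: int, fail_closed: bool) -> dict:
    """Run the raw, single-zip and double-zip test files through one policy."""
    names = {0: "eicar.com", 1: "eicar (zip)", 2: "eicar (double zip)"}
    return {names[d]: scan(build_nested_zip(EICAR, d), max_archive_depth, fail_closed)
            for d in names}


if __name__ == "__main__":
    for depth, closed in ((1, False), (1, True), (2, False)):
        print(f"nesting limit {depth}, fail_closed={closed}: "
              f"{verdict_table(depth, closed)}")
```

Run as-is, the three printed tables show the pattern: with a nesting limit of 1 and fail-open behaviour, the plain zip is detected but the double zip is reported clean; with fail-closed behaviour the double zip becomes "unscannable", which a gateway should block rather than pass; with a limit of 2 both archives are detected. When testing a gateway, the single-zip result alone therefore says nothing about nested archives.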
  • Hi Dirk,

    please post a copy of your firewall rule and the SSL/TLS rule which are causing the issue.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Same here for me with the mirror above.

    On this mirror my XG is blocking EICAR:

  • If you use the DPI engine, is the website decrypted? Do you see the certificate of this website replaced?

    Check if http://sophostest.com and https://sophostest.com work as expected.


  • Hi Dom,

    I was able to download all but one of the files; Sophos Home Premium stopped all of them on my MBP.

    You have raised an interesting question.

    Basically, from the test, DPI appears to check the connection but not the content; that would appear to be a big weakness in the DPI setup/build?

    So you need the proxy for content scanning, and DPI only does the connection security.

    When I performed the test I disabled the two web proxy boxes and left the other web security as it was.

    Let's hope that the support whizkid reviews this thread and can enlighten us on our configuration or expectation failings.

    Ian


  • Hi folks,

    further thoughts on this issue. You would need to set up an SSL/TLS rule that enables decrypt and not use the default rule. I suspect that is where my tests have gone wrong, because I am using the default rule, which is "do not decrypt".

    Ian


  • I checked it in the logs:

    The download is hosted on meineipadresse.de and my profile does encryption on it.

    However, it is TLS 1.3. Maybe this is a bug or fallback behaviour in XG?

    (I have encryption for 1.3 active as well)

  • I tested this a couple of different ways, using both the web proxy and DPI - neither blocked the download from eicar.org (both the HTTP and HTTPS links) with decrypt and scan disabled (that is in the SSL "decrypt all" rule itself).

    Sophos Home picked it up regardless, as did the XG when HTTPS inspection was enabled. That struck me as being a bit weird, though I've not looked closely at anything.

    The "check content for malware" option was turned on in all instances; I don't have a v17 to check this behaviour against.

    Regards

  • Hi,

    a little bit of feedback from the TO (thread opener).

    My problem with DPI: missing/incorrect "SSL/TLS inspection rules" within "Rules and policies".

    Tried it again over the last few days ... working without problems, if configured correctly.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello,

    here are my rules:

    My SSL/TLS Inspection rule:

    This SSL/TLS rule is by Sophos:

    My Firewall Policy:

    Dirk

  • Assuming we are currently waiting for v18.0 MR1, I would suggest installing MR1 and retesting this website. Actually, it should work as expected.
