
Why can I download EICAR when DPI is on?

I want to change virus protection to SSL/DPI on Sophos v18.

I set an SSL rule. When I go to the original EICAR website I can't download any EICAR test file.

On this website

https://ipinfo.info/html/testvirus.php

I'm able to download eicar (zip) and eicar (double zip) when SSL/DPI is on. When I change to the web proxy, the download is blocked.

Is that a bug in v18?

Dirk
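Added example, not code from this thread or from Sophos: a small Python checker that unpacks the plain, zipped and double-zipped EICAR variants mentioned above and reports the archive depth at which the EICAR string sits, so you can confirm what actually reached the client when the firewall should have blocked it. The sample files are constructed in memory; `MAX_DEPTH` and `MAX_MEMBER_BYTES` are assumed limits, not Sophos settings.

```python
import io
import zipfile

# The EICAR anti-virus test string as published by EICAR: inert text that
# every scanner is expected to flag, used here only to verify what a
# download actually contained.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

MAX_DEPTH = 4               # assumed: stop unpacking beyond this nesting level
MAX_MEMBER_BYTES = 1 << 20  # assumed: skip members over 1 MiB (zip-bomb guard)


def find_eicar(data: bytes, depth: int = 0):
    """Return the nesting depth at which the EICAR string was found
    (0 = plain file, 1 = inside a zip, 2 = double zip ...), or None."""
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_BYTES:
                    continue  # do not inflate oversized members
                found = find_eicar(zf.read(info), depth + 1)
                if found is not None:
                    return found
    # Not an archive (or nesting limit reached): look for the string itself.
    return depth if EICAR in data else None


def zip_bytes(name: str, payload: bytes) -> bytes:
    """Wrap payload in an in-memory zip archive as a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples mirroring the plain / zip / double-zip test downloads.
EICAR_PLAIN = EICAR
EICAR_ZIP = zip_bytes("eicar.com", EICAR_PLAIN)
EICAR_DOUBLE_ZIP = zip_bytes("eicar_com.zip", EICAR_ZIP)
CLEAN_ZIP = zip_bytes("readme.txt", b"nothing to see here")

if __name__ == "__main__":
    for label, blob in [("plain", EICAR_PLAIN), ("zip", EICAR_ZIP),
                        ("double zip", EICAR_DOUBLE_ZIP), ("clean", CLEAN_ZIP)]:
        print(f"{label:>10}: depth={find_eicar(blob)}")
```

If a download that the firewall was supposed to scan comes back with a non-None depth, content inspection did not act on that path, whatever the log says about the connection being decrypted.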

  • Hi Dirk,

    please post a copy of your firewall rule and the SSL/TLS rule which are causing the issue.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Same here for me with the mirror above.

    On this mirror my XG is blocking EICAR:

  • If you use the DPI engine, is the website decrypted? Do you see the certificate of this website replaced?

    Check if http://sophostest.com and https://sophostest.com work as expected.

  • Hi Dom,

    I was able to download all but one of the files, the Sophos Home premium stopped all of them on my MBP.

    You have raised an interesting question.

    Basically, from the test, DPI appears to check the connection but not the content; that would appear to be a big weakness in the DPI setup/build?

    So you need the proxy for content scanning and DPI only does the connection security.

    When I performed the test I disabled the two web proxy boxes and left the other web security as it was.

    Let us hope that a support whizkid reviews this thread and can enlighten us on our configuration or expectation failings.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi folks,

    further thoughts on this issue. You would need to set up an SSL/TLS rule that enables decryption and not use the default rule. I suspect that is where my tests have gone wrong, because I am using the default rule, which is do not decrypt.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I checked it in the logs:

    The download is hosted on meineipadresse.de and my profile does encryption on it.

    However, it is TLS 1.3. Maybe this is a bug or fallback behavior in XG?

    (I have encryption for 1.3 active as well)

  • I tested this a couple of different ways, using both the web proxy and DPI - neither blocked the download from eicar.org (both the HTTP and HTTPS links) with decrypt and scan disabled (that is in the SSL "decrypt all" rule itself).

    Sophos Home picked it up regardless, as did the XG when HTTPS inspection was enabled. That struck me as being a bit weird, though I've not looked closely at anything.

    The "check content for malware" option was turned on in all instances; I don't have a v17 to check this behaviour against.

    Regards