
WAF anomaly on url="/Microsoft-Server-ActiveSync" - Samsung Email App 6.1.30.30 v with XG publishing Exchange

Hi there,

After the Samsung Email App (for Android OS) update to version 6.1.30.30, our XG 18.0.3 MR3 Publishing Rule (WAF) for the Exchange server gets an error:

1. on Client side: Couldn't verify account

2. on XG logs: 403 WAF Anomaly - Inbound Anomaly Score Exceeded

2020-11-09 11:08:02 Web server protection messageid="17071" log_type="WAF" log_component="Web Application Firewall" user="-" server="mail.domain.domain" src_ip="194.76.244.147" local_ip="xxx.xxx.xxx.xxx" protocol="HTTP/1.1" url="/Microsoft-Server-ActiveSync" query_string="?Cmd=Options&User=temp%40softinfo.ro&DeviceId=SEC10D234385E4A8&DeviceType=SamsungDevice" cookie="-" referer="-" method="OPTIONS" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 5)" content_type="text/html" user_agent="Android-SAMSUNG-SM-G950F/101.80000" response_time="1242" bytes_sent="4782" bytes_received="715" fw_rule_id="10"

3. The WAF rule hasn't been modified:

WAF Publishing Exchange Rule: exchange general
Exceptions:
Paths: /Microsoft-Server-ActiveSync*
Skip these checks - Static URL hardening - Checked
Advanced - Never change HTML during static URL hardening or form hardening

How do I debug this, or has anyone encountered this problem?

Many thanks in advance
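To see whether the 403s are confined to one client build and one ActiveSync command, the XG WAF log format quoted above can be parsed and tallied per user agent, method and anomaly score. This is an added example, not code from the thread or from Sophos; the sample log lines are constructed in the quoted key="value" format with placeholder addresses and a hypothetical second client.

```python
import re
from collections import Counter

# Constructed sample lines in the XG WAF key="value" format quoted in this
# thread (addresses and domains are documentation placeholders, not real hosts).
SAMPLE_LOGS = [
    'messageid="17071" log_type="WAF" server="mail.example.com" src_ip="192.0.2.10" url="/Microsoft-Server-ActiveSync" query_string="?Cmd=Options&User=user%40example.com&DeviceId=SEC0000000000001&DeviceType=SamsungDevice" method="OPTIONS" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 5)" user_agent="Android-SAMSUNG-SM-G950F/101.80000" fw_rule_id="10"',
    'messageid="17071" log_type="WAF" server="mail.example.com" src_ip="192.0.2.11" url="/Microsoft-Server-ActiveSync" query_string="?Cmd=Options&User=user2%40example.com&DeviceId=SEC0000000000002&DeviceType=SamsungDevice" method="OPTIONS" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 5)" user_agent="Android-SAMSUNG-SM-G950F/101.80000" fw_rule_id="10"',
    'messageid="17071" log_type="WAF" server="mail.example.com" src_ip="192.0.2.12" url="/Microsoft-Server-ActiveSync" query_string="?Cmd=Sync&User=user3%40example.com&DeviceId=OUTLOOK0000000003&DeviceType=Outlook" method="POST" response_code="200" reason="-" extra="-" user_agent="Outlook-Android/2.0" fw_rule_id="10"',
    'messageid="17071" log_type="WAF" server="mail.example.com" src_ip="192.0.2.13" url="/owa/" query_string="-" method="GET" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 8)" user_agent="Mozilla/5.0" fw_rule_id="10"',
]

# One regex for the key="value" pairs, one for the score inside the extra= field.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
SCORE_RE = re.compile(r'Total Score:\s*(\d+)')


def parse_waf_line(line):
    """Return the key="value" fields of one XG WAF log line as a dict, plus
    the parsed anomaly score (None when the line carries no anomaly)."""
    fields = dict(KV_RE.findall(line))
    m = SCORE_RE.search(fields.get("extra", ""))
    fields["anomaly_score"] = int(m.group(1)) if m else None
    return fields


def is_activesync_anomaly(fields):
    """True when the WAF blocked (403) an ActiveSync request as an anomaly."""
    return (fields.get("log_type") == "WAF"
            and fields.get("response_code") == "403"
            and fields.get("reason") == "WAF Anomaly"
            and fields.get("url", "").startswith("/Microsoft-Server-ActiveSync"))


def summarize(lines):
    """Count blocked ActiveSync requests per (user_agent, method, score) so a
    pattern tied to one client build and one command stands out from the rest."""
    counts = Counter()
    for line in lines:
        f = parse_waf_line(line)
        if is_activesync_anomaly(f):
            counts[(f.get("user_agent"), f.get("method"), f["anomaly_score"])] += 1
    return counts


if __name__ == "__main__":
    for (agent, method, score), n in summarize(SAMPLE_LOGS).most_common():
        print(f"{n:4d}  score={score}  {method:7s}  {agent}")
```

Feed it the real lines exported from the XG reverse-proxy log; the OWA block in the sample is deliberately excluded from the tally because the question is specifically about the ActiveSync path.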



  • Hi Emmanuel, thank you for your response. The link you provided didn't work, but

    I found the KB where it says that 949110 is an Infrastructure rule

    How does this rule affect XG security? Is it safe to skip this rule?

    Sophos XG Firewall: How to bypass individual WAF rules

  • Sophos Support call result this morning suggests that bypassing 949110 is not ideal.

    Notes from Support

    # Checked internally with the team and got the update that it is not suggested to disable the Infrastructure rules ID 949110. If an infrastructure rule is added to the Skip filter rules list, then you make yourself vulnerable to other possible attacks.

    # The Samsung email client is performing activities similar to those that would indicate an attack. That email client version is performing actions that the XG WAF sees as dangerous.

    # Suggested: either change to another email client or another version of the same client.

    I've submitted a case with Samsung as well.

  • Hello Admin,

    Thank you for the KB. I must have an old list. If it is part of the infrastructure, bypassing it might make you vulnerable to attacks that reference that infrastructure ID.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • I think it's more than just the Samsung app, and for me skipping that rule did not get things working.

    Have you learned anything new in the past 12 days on this topic?

  • Disappointingly, no. All communication from Samsung support stopped after I sent them the feedback from Sophos Support.

    I rolled back the Samsung Email App to what came with a Galaxy S8... it worked for about 16 hours, but then the error returned.

    Without question, the issue relates to both how the Samsung Email App functions and Sophos version 18.0.3. Unbelievably frustrating.

    Tried the Android MS Outlook App and Gmail App... they work, but sporadically.

    Wish I could roll back to Sophos version 17. It has become that much of a frustration.

  • I contacted support and found, after troubleshooting the reverse-proxy log on the XG, that we were able to see there was a limit on the XG of 1MB that needed changing by a Sophos engineer (he advised me that these changes would be overwritten when a firmware update was completed). I asked why an option was not created in the GUI to allow this change to be made by users of the XG and SG firewalls (yes, this issue exists in both the XG and SG), or to at least increase the minimum setting to maybe 15MB or something like that.

    Anyway, after this change, which had to be made on the backend, i.e. via SSH and in the database tables of the XG/SG, things are back to normal for the most part.

    I hope this helps someone.

  • Thanks for the response,

    There is a GUI-specific setting in Web Server - Protection Policies - Antivirus - Limit scan size.

    Is that what you're talking about? Was that the change made by support through the console?