WAF anomaly on url="/Microsoft-Server-ActiveSync" - Samsung Email App 6.1.30.30 v with XG publishing Exchange

Question

Hi there, 
 After Samsung Email App (for Andoird OS) Update to version 6.1.30.30 , our XG 18.0.3 MR3 Publishing Rule (WAF) for Exchange server gets an error: 
 1. on Client side: Couldn't verify account 
 2. on XG logs : 403 WAF Anomaly - Inbound Anomaly Score Exceeded 
 2020-11-09 11:08:02Web server protectionmessageid="17071" log_type="WAF" log_component="Web Application Firewall" user="-" server="mail.domain.domain" src_ip="194.76.244.147" local_ip="xxx.xxx.xxx.xxx" protocol="HTTP/1.1" url="/Microsoft-Server-ActiveSync" query_string="?Cmd=Options&User=temp%40softinfo.ro&DeviceId=SEC10D234385E4A8&DeviceType=SamsungDevice" cookie="-" referer="-" method="OPTIONS" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 5)" content_type="text/html" user_agent="Android-SAMSUNG-SM-G950F/101.80000" response_time="1242" bytes_sent="4782" bytes_received="715" fw_rule_id="10" 
 3. WAF Rule hasn't been modified: 
 WAF Publishing Exchange Rule: exchange general Exceptions : Paths : /Microsoft-Server-ActiveSync* Skip this checks - Static URL hardening - Checked Advanced - Never change HTML during static URL hardering of gorm hardering 
 How to debug or Has anyone encountered this problem? 
 Many thanks in advanced

DW Sophos User · Accepted Answer

Sophos Support call result this morning suggests that bypassing 949110 is not ideal. 
 Notes from Support 
 # Checked internally with the team and got the update that it is not suggested to disable the Infrastructure rules ID 949110. If an infrastructure rule is added to the Skip filter rules list, then you make yourself vulnerable to other possible attacks. # the Samsung email client is performing activities similar those that would indicate an attack. That email client version is performing actions that the XG WAF sees as dangerous. # Suggested Either change to another email client or another version of the same client. 
 I've submitted a case with Samsung as well.

Kiwi · Answer

I contacted support and found that after troubleshooting the reverse-proxy log on the XG we were about to see that there was a limit on the XG of 1MB that needed changing by a sophos engineer ( he advised me that these changes would be overwritten when a firmware update was completed) I said why would an option not be created in the GUI to allow this change to be made by users of the XG and SG firewalls ( yes this issue exists in both the XG and SG ) or to at-least increase the minimum setting to be maybe 15MB or something like that. 
 Anyway after this change that had to be made on the backend ie via ssh and in the Database tables of the XG/SG. Now things are back to normal for the most part. 
 I hope this helps someone.

admin info · Answer

Hi Emmanuel, Thank you for your response. The link you provided didn't work but, 
 I found the KB where it says that 949110 is an Infrastructure rule 
 How does this rule affect the XG security ? Is it safe to Skip this Rule ? 
 Sophos XG Firewall: How to bypass individual WAF rules

WAF anomaly on url="/Microsoft-Server-ActiveSync" - Samsung Email App 6.1.30.30 v with XG publishing Exchange

Top Replies