

Logs do not specify blocked filetypes. Where do downloads blocked by filetype appear in the logs?

I performed the eicar test where I attempt to download the Eicar virus testfile. The block page shows that the file eicar.com was blocked by filetype. However, the webfilter log shows that the website was blocked, but does not specify that it was due to a filetype being blocked. HTTPS decryption is working properly, but I noticed it was different this time:

Usually the webfilter blocks the eicar testfile from downloading and the block page says it blocked "websites categorized as Malware".

This time the webfilter did not detect the eicar test site as a malware site but instead blocked the ".com" filetype from downloading and did not actually detect the eicar testfile as a virus. The other .ZIP files were blocked due to web category Malware, and not extracted and scanned by the antivirus.

Nowhere i

But the logs are frustrating, with many users complaining that the block page/log is not specific enough to let a system admin know what exactly caused the block.

I looked through the logs (ATP, Zero-day protection, web filter), and there is no log anywhere that related to blocked filetypes.

It's even more strange since Sophos categorizes the Eicar testfile website as Information technology, Acceptable.

I created a Policy check exclusion for eicar.com in the Web Filter Exceptions, and now the AV component is able to successfully scan the .ZIP archives and detect them as malware. The eicar test files are now appearing in the Zero-Day protection logs as they should. If I remove the .COM filetype from the list of blocked filetypes, then it should also appear. This was just a configuration issue. But still, the log should say whether a download was blocked by filetype; since the eicar testfile site is categorized as acceptable, the log entry does not give any details as to why it was blocked.



This thread was automatically locked due to age.
  • Hello,

    Greeting!

    I have reviewed the same in my local setup and observing the same behavior. I request you to raise the support case to get this confirmed and share us the case ID to progress it.

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • So my firewall is doing what it should do: 


  • Hi

    Could you block the executable file type and review again?

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support


  • I can't really get to the bottom of this. In the log in the post above, the site was categorized as "Information Technology" but now it is categorized as "Spyware and Malware" and I was wondering if it was just some sort of fluke: maybe Sophos mis-categorizing the site temporarily, or if I overrode the website category, but I did not change anything besides playing around with the exceptions (HTTPS decryption/Malware/Zeroday/Policy)

    It's not a huge deal, but I can't seem to reproduce what it was doing before, where it blocked the download by the filetype (.COM)

    I don't know exactly in what order the firewall processes web filtering, whether it does a filetype check after it passes the web category lookup or the other way around. There is a chart somewhere that shows the exact flow. I should study it.

    Aha, yes I found it.

  • The testing for eicar is complicated by HTTPS scanning and categorization.

    The XG will only be able to do filetype and AV scanning if the connection is decrypted.  Some of the file links are categorized as malware and would also be blocked if you block malware urls.


    Try this url instead.  It is http and does not have a .com ending and not categorized in a way that would normally block.

    sophostest.com/.../index.html

  • The logic for filetype is:

    1) Does the request contain a file extension that is blocked?  eg if Blocking executable files (which includes .com) then site.com/download/file.com would be blocked at request time while site.com/download/file.com/something else would not be.  What is the category of the url, and is it blocked?

    If we have not blocked so far, then send the request to the web server and wait for the response.

    2) Do the response headers contain a mime-type?  If so, is the mime-type one of the types that is blocked?

    3) Do the response headers contain content-disposition with a filename?  If so, is the file extension one of the types that is blocked?

    If we have not blocked so far, then send to the AV scanner. 

    4) The Sophos AV scanner returns with the detected file types (and for example all the file types within a .zip file).  Are the detected true file types among the mime types that are blocked?

    If you are blocked at REQUEST time, we do not know the actual filename (though we could guess it) and do not include it in the logs.

    If you are blocked at RESPONSE time and there is no content-disposition, we do not know the actual filename (though we could guess it) and do not include it in the logs.

    If you are blocked at RESPONSE time and there is a content-disposition, we know the actual filename and we put it in the logs.


    In the example in the original post they were blocked at Request time.

    Offhand, I am not actually sure in which (if any) of those conditions we log something that specifically says we blocked due to filetype.  I just know that the filename is not included in all blocks (tracked as a Will Not Fix issue NC-64950).
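The four-stage order described in the post above, written out as a small Python model so it is easy to see at which stage a block happens and why the filename is sometimes absent from the log entry. This is an added example, not Sophos or XG code; the blocked extension, MIME-type and category lists, the `fetch()` stand-in for sending the request upstream, the `scanner_true_types` field standing in for AV scanner output, and every request/response below are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Constructed policy: an "executable files" filetype list that includes .com,
# plus the MIME types and category the same rule would match. Not the real lists.
BLOCKED_EXTENSIONS = {".com", ".exe", ".bat"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec"}
BLOCKED_CATEGORIES = {"Spyware and Malware"}


@dataclass
class Request:
    url: str
    category: str            # result of the URL category lookup (constructed)


@dataclass
class Response:
    headers: dict
    # True file types the AV scanner reported for the body, including members
    # of an archive (constructed stand-in for scanner output).
    scanner_true_types: list = field(default_factory=list)


@dataclass
class Decision:
    blocked: bool
    stage: str               # "request", "response", "scan" or "allowed"
    reason: str
    filename: Optional[str]  # None when the filter never learned it


def extension_of(name: str) -> str:
    """Extension of the last path segment only, so /file.com/other has none."""
    last = name.rstrip("/").rsplit("/", 1)[-1]
    dot = last.rfind(".")
    return last[dot:].lower() if dot >= 0 else ""


def evaluate(req: Request, fetch) -> Decision:
    """fetch() stands in for sending the request upstream; it is only called
    when stage 1 did not block, mirroring the order in the post."""
    # Stage 1: request time. Only the URL is known, so no filename is logged.
    if extension_of(urlparse(req.url).path) in BLOCKED_EXTENSIONS:
        return Decision(True, "request", "blocked file extension in URL", None)
    if req.category in BLOCKED_CATEGORIES:
        return Decision(True, "request", f"blocked category {req.category}", None)

    resp = fetch()
    mime = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
    match = re.search(r'filename="?([^";]+)"?', resp.headers.get("Content-Disposition", ""))
    filename = match.group(1) if match else None

    # Stage 2: declared MIME type. Filename is known only if content-disposition had one.
    if mime in BLOCKED_MIME_TYPES:
        return Decision(True, "response", f"blocked mime type {mime}", filename)
    # Stage 3: filename from content-disposition.
    if filename and extension_of(filename) in BLOCKED_EXTENSIONS:
        return Decision(True, "response", "blocked file extension in content-disposition", filename)
    # Stage 4: true types reported by the AV scanner (archive members included).
    for true_type in resp.scanner_true_types:
        if true_type in BLOCKED_MIME_TYPES:
            return Decision(True, "scan", f"blocked true file type {true_type}", filename)
    return Decision(False, "allowed", "no filetype rule matched", filename)


def log_line(req: Request, d: Decision) -> str:
    """The kind of entry the thread asks for: stage and reason, filename when known."""
    action = "blocked" if d.blocked else "allowed"
    fname = d.filename if d.filename else "-"
    return (f"action={action} stage={d.stage} url={req.url} "
            f"category=\"{req.category}\" filename={fname} reason=\"{d.reason}\"")


# Constructed cases that exercise each stage in turn.
CASES = {
    "request_ext": (Request("http://site.example/download/file.com", "Information Technology"),
                    lambda: Response({"Content-Type": "application/octet-stream"})),
    "response_cd": (Request("http://site.example/download/file.com/get", "Information Technology"),
                    lambda: Response({"Content-Type": "application/octet-stream",
                                      "Content-Disposition": 'attachment; filename="file.com"'})),
    "response_mime": (Request("http://site.example/dl?id=7", "Information Technology"),
                      lambda: Response({"Content-Type": "application/x-dosexec"})),
    "scan_zip": (Request("http://site.example/archive.zip", "Information Technology"),
                 lambda: Response({"Content-Type": "application/zip"},
                                  ["application/zip", "application/x-dosexec"])),
    "allowed": (Request("http://site.example/index.html", "Information Technology"),
                lambda: Response({"Content-Type": "text/html; charset=utf-8"})),
}


def run_cases() -> dict:
    return {name: evaluate(req, fetch) for name, (req, fetch) in CASES.items()}


if __name__ == "__main__":
    for name, (req, fetch) in CASES.items():
        print(name, "->", log_line(req, evaluate(req, fetch)))
```

Running it prints one log line per case; the `request_ext` and `response_mime` cases show `filename=-` because the filter blocked before it ever saw a filename, while `response_cd` carries `filename=file.com` from the content-disposition header. The `reason` field is the part the original post is missing from the real log.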

  • Same here with URL blacklist…

    The logs are useless because they only show blocked and the category, not the real reason (because I use a URL blacklist).