Logs do not specify blocked filetypes. Where do downloads blocked by filetype appear in the logs?

Question

I performed the eicar test where I attempt to download the Eicar virus testfile. The block page shows that the file eicar.com was blocked by filetype. However, the webfilter log shows that the website was blocked, but does not specify that it was due to a fileype being blocked. HTTPS decryption is working properly, but I noticed it was different this time: 
 Usually the webfilter blocks the eicar testfile from downloading and the block page says it blocked "websites categorized as Malware". 
 This time the webfilter did not detect the eicar test site as a malware site but instead blocked the ".com" filetype from downloading and did not actually detect the eicar testfile as a virus. the other .ZIP files were blocked due to web category Malware, and not extracted and scanned by the antivirus. 
 Nowhere i 
 But the logs are frustrating, with many users complaining that the block page/log is not specific enough to let a system admin know enough about what the exact details of the block are caused by. 
 I looked through the logs (ATP, Zero-day protection, web filter), and there is no log anywhere that related to blocked filetypes. 
 I'ts even more strange since Sophos categorizes the Eicar testfile website as Information technology, Acceptable. 
 
 I created a Policy check exclusion for eicar.com in the Web Filter Exceptions, and now the AV component is able to successfully scan the .ZIP archives and detect them as malware. The eicar test files are now appearing in the Zero-Day protection logs as they should. If I remove the .COM filetype from the list of blocked filetypes, then it should also appear. This was just a configuration issue. But still, the log should say weather a download was blocked by filetype, since the eicar testfile site is categorized as acceptable, the log entry does not give any details to why it was blocked.

Michael Dunn · Accepted Answer

The logic for filetype is: 1) Does the request contain a file extension that is blocked? eg if Blocking executable files (which includes .com) then site.com/download/file.com would be blocked at request time while site.com/download/file.com/something else would not be. What is the category of the url and it is blocked? If we have not blocked so far, then send the request to the web server and wait for the response. 2) Does the response headers contain mime-type? If so, is the mime-type one of the types that is blocked? 3) Does the response headers contain content-disposition with a filename? If so, is the file extension one of the types that is blocked? If we have not blocked so far, then send to the AV scanner. 4) The Sophos AV scanner returns with the detected files types (and for example all the file types within a .zip file). Is the detected true file types one of the mime types that is blocked? If you are blocked at REQUEST time, we do not know the actual filename (though we could guess it) and do not include it in the logs. If you are blocked at RESPONSE time and there is no content-disposition, we do not know the actual filename (though we could guess it) and do not include it in the logs. If you are blocked at RESPONSE time and there is a content-disposition, know the actual filename and we put it in the logs. 
 In the example in the original post they were blocked at Request time. Offhand, I am not actually sure which (if any) of those conditions we log something that specifically says we blocked due to filetype. I just know that the filename is not included in all blocks (tracked as a Will Not Fix issue NC-64950).

Logs do not specify blocked filetypes. Where do downloads blocked by filetype appear in the logs?

Top Replies