
Webfilter debian deb repositories "Malware 'Unscannable"

We're having some strange issues currently only reported for debian repositories.

When trying to download random files from there with browser or wget - the requests randomly seem to time out and / or users get a STOP message from the firewall.

Sometimes it works to download directly, sometimes it requires several attempts, sometimes it's not working at all.

I know I can put web exceptions for the repository but first I'd like to know what is causing the problems.

The issue is known for several weeks and not a result of latest patterns.


messageid="08001" message="Malware 'Unscannable' was detected and blocked in a download from ftp.de.debian.org" log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" fw_rule_id="38" fw_rule_name="xxxxxx" fw_rule_section="Local rule" user="xxxxxxx" web_policy_id="5" virus="Unscannable" url="ftp.de.debian.org/.../golang-1.21-src_1.21.10-1_all.deb" domain="ftp.de.debian.org" src_ip="xxxxxxxx" src_country="R1" dst_ip="141.76.2.4" dst_country="DEU" protocol="TCP" src_port="64458" dst_port="80" bytes_sent="490" bytes_received="18544668" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0" status_code="403" web_policy="xxxxxx"

Error: Failed to fetch ftp.de.debian.org/.../golang-1.22-src_1.22.3-1_all.deb Error reading from server - read (104: Connection reset by peer) [IP: 141.76.2.4 80]

firewall:8090/.../error
> The requested content could not be scanned for malware. It may be corrupted or encrypted.



  • Hello,
    The first errors could be caused by problems with certificate handling:
    "This server could not prove that it is ftp.de.debian.org. Its security certificate comes from debian.inf.tu-dresden.de. Possible reasons are a faulty configuration or an attacker intercepting your connection."
    The message "Malware 'Unscannable'" usually means that encrypted files / code components are being transferred that the firewall cannot examine.
    There are also tracking pixels that trigger this.
    Strange if this doesn't happen when using another mirror.
    Sandboxing also leads to download errors for us, which no longer exist 20 minutes later.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk, good point - the certificate mismatch could be part of the root cause here.

    Though the links are http - I can see some of them as https links in the firewall logs.

    That's my entry URL: ftp.de.debian.org/.../

  • It is the Sophos community frontend making https links out of http links.

    Also, my URL posted above was http originally.

  • Ugly, but not impossible.


    Dirk


  • Hi LHerzog

    Please check under Web --> General Settings and disable "Block unrecognized SSL protocols" for a test.

    Regards

    Sophos Partner: Networkkings Pvt Ltd

  • Thanks for your idea. Do you think it will have any impact on http downloads?

  • How long has this been happening and which version of firmware are you using?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • I have a user complaint that is about 4 weeks old, and we're using SFOS 19.5.3.

  • The underlying problem is that the file is not scannable (or rather, it times out during the scan). I don't know about these specific files, but .deb and .hpi files are actually archives. Some of them contain >10,000 files within themselves, and each file within the archive gets separately virus scanned. I know one of the packages I looked at had internal testing for zipbombs and then contained a zipbomb within it.

    Around Jan 2024 we added some additional archive support to the Sophos virus scanner. Previously some of these files may have virus scanned quickly because we were not opening the archive. Now we are scanning inside it.

    The scans do complete eventually and the files get downloaded, if you download and scan one file at a time. IIRC apt-get normally does this; it does the downloads sequentially. But some people use apt-fast or similar to speed things up by downloading multiple files at a time, which causes multiple virus scans at a time. This is where the timeouts start happening.

    So there are two solutions:
    1) If using apt-fast or another system that does multiple downloads in parallel, try switching back to apt-get.
    2) Use exceptions to skip virus scanning.

    For example
    ^([A-Za-z0-9.-]*\.)?debian\.org/.*\.deb$

    ^([A-Za-z0-9.-]*\.)?ubuntu\.com/.*\.deb$


    For Support - Internal KB-000044985

  • Thanks for your explanation of the technical background!
    We've put these exceptions in the webfilter and it works now.
    In fact only this new one was required:
    ^([A-Za-z0-9.-]*\.)?ftp\.([A-Za-z]*)\.debian\.org/
    We already had this in place:
    ^([A-Za-z0-9.-]*\.)?ftp\.debian\.org/
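The following Python is an added example, not code from the original thread, from Sophos or from Debian. It parses a few constructed SFOS log lines in the same key="value" form as the messageid="08001" entry quoted at the top of the thread, keeps the Anti-Virus "Unscannable" events, and checks each blocked URL against the four exception patterns posted in this thread (the two from Sophos support and the two from the original poster). It assumes that SFOS matches a URL exception pattern against the URL with the scheme removed, which is how the ^-anchored patterns above are written; the package paths, the third host and all other field values in the sample lines are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample log lines, modelled on the messageid="08001" Anti-Virus entry
# quoted in this thread. Paths, hosts and field values are invented for the example.
SAMPLE_LOGS = [
    'messageid="08001" message="Malware \'Unscannable\' was detected and blocked in a download from ftp.de.debian.org" '
    'log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" virus="Unscannable" '
    'url="ftp.de.debian.org/debian/pool/main/g/golang-1.21/golang-1.21-src_1.21.10-1_all.deb" '
    'domain="ftp.de.debian.org" dst_port="80" status_code="403"',
    'messageid="08001" message="Malware \'Unscannable\' was detected and blocked in a download from ftp.de.debian.org" '
    'log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" virus="Unscannable" '
    'url="ftp.de.debian.org/debian/dists/bookworm/InRelease" '
    'domain="ftp.de.debian.org" dst_port="80" status_code="403"',
    # a look-alike: "debian.org" appears only in the path, not in the host
    'messageid="08001" message="Malware \'Unscannable\' was detected and blocked in a download from files.example.net" '
    'log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" virus="Unscannable" '
    'url="files.example.net/debian.org/archive.deb" '
    'domain="files.example.net" dst_port="443" status_code="403"',
]

# The exception patterns posted in this thread, verbatim.
EXCEPTION_PATTERNS = {
    # suggested by Sophos support: skip scanning for .deb files only
    "sophos_debian_deb": r"^([A-Za-z0-9.-]*\.)?debian\.org/.*\.deb$",
    "sophos_ubuntu_deb": r"^([A-Za-z0-9.-]*\.)?ubuntu\.com/.*\.deb$",
    # the original poster's existing exception and the one that was actually needed
    "op_ftp_debian": r"^([A-Za-z0-9.-]*\.)?ftp\.debian\.org/",
    "op_ftp_cc_debian": r"^([A-Za-z0-9.-]*\.)?ftp\.([A-Za-z]*)\.debian\.org/",
}
COMPILED = {name: re.compile(pattern) for name, pattern in EXCEPTION_PATTERNS.items()}

# key="value" fields; SFOS values in these lines contain no escaped double quotes.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_log(line: str) -> Dict[str, str]:
    """Split one SFOS log line into a dict of its key="value" fields."""
    return dict(FIELD_RE.findall(line))


def strip_scheme(url: str) -> str:
    """Assumption: SFOS applies URL exception patterns to the URL without its scheme."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)


def matching_exceptions(url: str) -> List[str]:
    """Names of the exception patterns that would skip scanning for this URL."""
    target = strip_scheme(url)
    return [name for name, rx in COMPILED.items() if rx.search(target)]


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Keep Anti-Virus 'Unscannable' blocks and annotate each with the exceptions covering it.

    An empty 'exceptions' list means the URL would still be scanned (and still blocked)
    with the patterns above in place.
    """
    result = []
    for line in lines:
        fields = parse_log(line)
        if fields.get("log_type") != "Anti-Virus" or fields.get("virus") != "Unscannable":
            continue
        url = fields.get("url", "")
        result.append({
            "domain": fields.get("domain", ""),
            "url": url,
            "exceptions": matching_exceptions(url),
        })
    return result


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOGS):
        covered = ", ".join(entry["exceptions"]) or "none (still scanned)"
        print(f"{entry['url']}\n    covered by: {covered}")
```

Running it shows why the original poster's existing pattern was not enough: `^([A-Za-z0-9.-]*\.)?ftp\.debian\.org/` only matches hosts that end in the literal label sequence ftp.debian.org, so the country mirror ftp.de.debian.org is not covered, while the added `ftp\.([A-Za-z]*)\.debian\.org/` pattern is. The two support patterns cover the mirror as well, but only for URLs ending in .deb, so index files such as InRelease still go through the scanner; the host-wide patterns skip scanning for everything from those hosts, which is a broader exception. In all four patterns the host part is anchored at the start of the URL, so a host that merely contains the string debian.org in its path (the third sample line) matches nothing and stays scanned.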