
Webfilter debian deb repositories "Malware 'Unscannable'"

We're having some strange issues currently only reported for debian repositories.

When trying to download random files from there with a browser or wget, the requests randomly seem to time out and/or users get a STOP message from the firewall.

Sometimes it works to download directly, sometimes it requires several attempts, sometimes it's not working at all.

I know I can put web exceptions for the repository but first I'd like to know what is causing the problems.

The issue is known for several weeks and not a result of latest patterns.


messageid="08001" message="Malware 'Unscannable' was detected and blocked in a download from ftp.de.debian.org" log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" fw_rule_id="38" fw_rule_name="xxxxxx" fw_rule_section="Local rule" user="xxxxxxx" web_policy_id="5" virus="Unscannable" url="ftp.de.debian.org/.../golang-1.21-src_1.21.10-1_all.deb" domain="ftp.de.debian.org" src_ip="xxxxxxxx" src_country="R1" dst_ip="141.76.2.4" dst_country="DEU" protocol="TCP" src_port="64458" dst_port="80" bytes_sent="490" bytes_received="18544668" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0" status_code="403" web_policy="xxxxxx"

Error: Failed to fetch ftp.de.debian.org/.../golang-1.22-src_1.22.3-1_all.deb Error reading from server - read (104: Connection reset by peer) [IP: 141.76.2.4 80]

firewall:8090/.../error
> The requested content could not be scanned for malware. It may be corrupted or encrypted.



Added TAGs
[edited by: Raphael Alganes at 3:49 PM (GMT -7) on 4 Jun 2024]
  • The underlying problem is that the file is not scannable (or rather it times out during scan). I don't know about these specific files but .deb and .hpi files are actually archives. Some of them contain >10,000 files within themselves - each file within the archive gets separately virus scanned. I know one of the packages I looked at had internally testing for zipbombs and then contained within it had a zipbomb.

    Around Jan 2024 we added some additional archive support into the Sophos virus scanner. Previously some of these files may have virus scanned quickly because we were not opening inside the archive. Now we are scanning inside.

    Now the scans do complete eventually and the files get downloaded -- if you download and scan one file at a time.  IIRC apt-get normally does this, it does the downloads sequentially.  But some people use apt-fast to try and speed up by downloading multiple files at a time - which causes multiple virus scans at a time.  This is where the timeouts start happening.

    So there are two solutions:
    1) If using apt-fast or another system that does multiple downloads, try switching back to apt-get
    2) Use exceptions to skip virus scanning

    For example:
    ^([A-Za-z0-9.-]*\.)?debian\.org/.*\.deb$

    ^([A-Za-z0-9.-]*\.)?ubuntu\.com/.*\.deb$


    For Support - Internal KB-000044985

  • Thanks for your explanations of the technical background!
    We've put these exceptions in the webfilter and it works now.
    In fact only this new one was required:
    ^([A-Za-z0-9.-]*\.)?ftp\.([A-Za-z]*)\.debian\.org/
    We've had this already in place:
    ^([A-Za-z0-9.-]*\.)?ftp\.debian\.org/
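
An added example, not part of the thread and not Sophos code: a small Python audit of what the four exception patterns quoted above actually exempt from malware scanning, including lookalike hosts and non-package paths. It assumes the filter matches the URL without its scheme (as the patterns imply); the pattern names and all sample URLs are constructed for illustration.

```python
import re

# Exception patterns copied verbatim from the thread; the dict keys are
# hypothetical labels added for this example.
PATTERNS = {
    "debian_deb": r"^([A-Za-z0-9.-]*\.)?debian\.org/.*\.deb$",
    "ubuntu_deb": r"^([A-Za-z0-9.-]*\.)?ubuntu\.com/.*\.deb$",
    "ftp_cc_debian": r"^([A-Za-z0-9.-]*\.)?ftp\.([A-Za-z]*)\.debian\.org/",
    "ftp_debian": r"^([A-Za-z0-9.-]*\.)?ftp\.debian\.org/",
}

# Constructed sample URLs, scheme stripped (assumption about how the
# web filter presents the URL to the regex).
SAMPLES = [
    "ftp.de.debian.org/debian/pool/main/example/example_1.0_all.deb",
    "deb.debian.org/debian/pool/main/example/example_1.0_all.deb",
    "ftp.de.debian.org/debian/dists/stable/Release",
    "archive.ubuntu.com/ubuntu/pool/main/example/example_1.0_amd64.deb",
    "debian.org.mirror.example/pool/example_1.0_all.deb",  # lookalike host
    "mirror.example/debian.org/example_1.0_all.deb",       # name only in path
]


def exempted_by(url):
    """Return the sorted labels of every pattern that would skip scanning."""
    return sorted(name for name, rx in PATTERNS.items() if re.search(rx, url))


def audit(urls=SAMPLES):
    """Map each URL to the exception patterns that match it."""
    return {url: exempted_by(url) for url in urls}


if __name__ == "__main__":
    for url, names in audit().items():
        state = "SKIP-SCAN" if names else "SCANNED  "
        print(f"{state} {url} {names}")
```

The host prefix group cannot cross a `/`, so neither lookalike URL is exempted. The `ftp\.([A-Za-z]*)\.debian\.org/` pattern has no `\.deb$` suffix, so it exempts every path on those mirrors, not only packages.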