

Is it possible that the firewall won't detect EICAR? (Malware scanner activated)

Hi

I just set up my new Sophos XG Firewall at home, but when I test the malware scanner (downloading the EICAR file) it isn't detected. The malware scanner is active, and it is also "on" in the rule.

Any help is kindly appreciated!

Regards



  • I can't confirm that. My network rule restricts the services to web ports (80 and 443) and ftp ports (21,990). Furthermore I am using the firewall in transparent proxy mode. In my setup the XG firewall is able to detect the eicar test file from eicar.org. See screenshots below.

  • dempie said:
    My network rule restricts the services to web ports (80 and 443) and ftp ports (21,990). Furthermore I am using the firewall in transparent proxy mode.

    The bug that I filed was originally for non-transparent traffic. But as you can see, something is not right with the transparent intercept of traffic also. In any case, this probably won't get fixed till someone calls support.

  • Billybob said:

    The bug that I filed was originally for non-transparent traffic. But as you can see, something is not right with the transparent intercept of traffic also. In any case, this probably won't get fixed till someone calls support.

    Best Regards.
  • Hi and thanks for the detailed response. I am not using XG at the moment so what I am writing is from memory only. Since my detailed report on astaro.org is also gone, I will try to recreate the scenario from memory. community.sophos.com/.../58158

    1. Client using XG as gateway and using transparent mode --- Worked in Chrome with services defined. I didn't try IE.

    2. Client using XG as gateway and using port 3128 in browser proxy config... Bypasses traffic unless ANY is used in services.

    3. Changing proxy port on XG to 8080 and using 8080 in browser also fails unless ANY is used for traffic.

    The traffic completely bypasses the proxy (no proxy logs) when I tried different services. I only tested with ONE rule. Masq Internal to external, services ftp, http, scan for malware, user not defined. The traffic is not logged but bypasses XG completely for some reason. I did not try with port 3128 in allowed services as to me that would indicate that I want internal clients to be able to use proxy (port 3128) offered by external websites.

    Regards
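
The three client paths compared in the last post (transparent, explicit proxy on 3128, explicit proxy on 8080) can be checked in one run from a test client. This is an added example, not part of the original thread: the gateway address `192.0.2.1` and `TEST_URL` are placeholders to replace, and the hash is the published SHA-256 of the standard 68-byte EICAR test file.

```python
import hashlib
import urllib.error
import urllib.request

# Published SHA-256 of the standard 68-byte EICAR test file.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
# Placeholder: replace with the plain-HTTP EICAR download link you test with.
TEST_URL = "http://test-host.example/eicar.com"
# Placeholder gateway address; ports are the ones named in the thread.
PATHS = {
    "transparent (no browser proxy)": None,
    "explicit proxy :3128": "http://192.0.2.1:3128",
    "explicit proxy :8080": "http://192.0.2.1:8080",
}

def fetch(url, proxy=None, timeout=10):
    """Fetch url directly or through an explicit HTTP proxy; return (status, body)."""
    # An empty mapping disables any proxy taken from the environment.
    handler = urllib.request.ProxyHandler({"http": proxy} if proxy else {})
    opener = urllib.request.build_opener(handler)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:   # e.g. a 403 block page
        return err.code, err.read()
    except OSError:                         # timeout, reset, DNS failure
        return None, None

def classify(status, body, expected=EICAR_SHA256):
    """DELIVERED means the test file arrived byte-for-byte, i.e. nothing scanned it."""
    if body is not None and hashlib.sha256(body).hexdigest() == expected:
        return "DELIVERED"
    if status is None:
        return "NO RESPONSE"
    return "REPLACED"   # block page or other content: confirm in the firewall log

def run_matrix(url, paths=PATHS, fetcher=fetch, expected=EICAR_SHA256):
    """Run the download over every client path and return {path name: verdict}."""
    return {name: classify(*fetcher(url, proxy), expected)
            for name, proxy in paths.items()}

if __name__ == "__main__":
    for name, verdict in run_matrix(TEST_URL).items():
        print(f"{name:32} {verdict}")
```

A `DELIVERED` row identifies a path where the malware scan did not apply; compare it against the firewall rule's service list and the proxy log for that request.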