

Is it possible that the firewall won't detect EICAR? (Malware scanner activated.)

Hi

Just set up my new Sophos XG Firewall at home, but when I test the malware scanner (downloading the EICAR file) it isn't detected. The malware scanner is active, and it is also "on" in the rule.

Any help is kindly appreciated!

Regards



  • Billybob said:

    The bug that I filed was originally for non-transparent traffic. But as you can see, something is not right with the transparent intercept of traffic also. In any case, this probably won't get fixed till someone calls support.

    Best Regards.
  • The issue only occurs with IE and scan mode "Real-time"! It's definitely a bug.

    mod
  • Hi, and thanks for the detailed response. I am not using XG at the moment, so what I am writing is from memory only. Since my detailed report on astaro.org is also gone, I will try to recreate the scenario from memory. community.sophos.com/.../58158

    1. Client using XG as gateway and using transparent mode: worked in Chrome with services defined. I didn't try IE.

    2. Client using XG as gateway and using port 3128 in the browser proxy config: bypasses traffic unless ANY is used in services.

    3. Changing the proxy port on XG to 8080 and using 8080 in the browser also fails unless ANY is used for traffic.

    The traffic completely bypasses the proxy (no proxy logs) when I tried different services. I only tested with ONE rule: MASQ internal to external, services FTP and HTTP, scan for malware, user not defined. The traffic is not logged but bypasses XG completely for some reason. I did not try with port 3128 in the allowed services, as to me that would indicate that I want internal clients to be able to use a proxy (port 3128) offered by external websites.

    Regards
  • So I gave it a try in real-time scan mode using transparent and non-transparent proxy mode. The result is the same: the XG firewall detected the EICAR virus in all configurations. The XG Log Viewer for malware has an entry for each access to the EICAR files.

    With both web browsers (Chrome, IE) I didn't get a block message within the browser. The Chrome browser showed a "not available" page with an ERR_CONTENT_LENGTH_MISMATCH; Internet Explorer came up with a file save message, but the file on my disk was a zero-byte file with no content.

    Surely you can discuss the way it is handled. I don't know if it can be handled differently with real-time scanning. But in my configuration the XG firewall detects malware in real-time and in batch mode.

    Best Regards.
  • I can confirm this issue. If I set scan mode to real-time, I get:

    FF - blank page
    Chrome - allows download but 0KB
    IE 11 - allows download but 0KB

    If I set scan mode to bulk, it works OK with or without any or other custom web filter policy.
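
The two posts above describe the same three outcomes of an EICAR download through the proxy: the file arrives intact (nothing scanned), the body is cut short or empty (Chrome's ERR_CONTENT_LENGTH_MISMATCH, the 0 KB file in IE), or the proxy substitutes its own content. The script below is an added example, not code from this thread or from Sophos: it fetches EICAR the way the posters did and sorts the result into those three buckets, so a test like this can be re-run after every scan-mode or policy change instead of eyeballing a browser. It assumes that a truncated body in real-time mode is the scanner cutting the stream once it hits the signature, and that an HTTPS URL is only scanned when the firewall decrypts HTTPS; both are assumptions, not statements from the thread.

```python
"""Reproduce the EICAR download test from the thread and classify the result.

Outcomes, matching what the posts describe:
  "delivered" - the full EICAR string reached the client (not scanned, or not blocked)
  "truncated" - headers promised the file but the body was cut short or empty
                (browser shows ERR_CONTENT_LENGTH_MISMATCH or saves a 0 KB file)
  "blocked"   - the proxy substituted its own content, e.g. a block page
"""
import http.client
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# The standard 68-byte EICAR test string (the spec allows trailing whitespace).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class Response:
    status: int
    headers: dict      # header names lower-cased
    body: bytes
    complete: bool     # False if the connection was cut before the body finished


def classify(resp: Response) -> str:
    """Decide what the proxy did with the download from the response alone."""
    if resp.body.rstrip(b" \t\r\n") == EICAR:
        return "delivered"
    if not resp.complete or not resp.body:
        return "truncated"
    declared = resp.headers.get("content-length")
    if declared is not None and int(declared) != len(resp.body):
        return "truncated"
    # Complete, non-empty, and not EICAR: the proxy served something else.
    return "blocked"


def fetch(url: str, timeout: float = 10.0) -> Response:
    """Fetch url, keeping whatever arrived if the connection is cut mid-body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            status = r.status
            headers = {k.lower(): v for k, v in r.getheaders()}
            try:
                body, complete = r.read(), True
            except http.client.IncompleteRead as e:
                # Content-Length promised more bytes than were sent; assumed to be
                # the real-time scanner cutting the stream after a hit.
                body, complete = e.partial, False
    except urllib.error.HTTPError as e:
        # A block page may arrive with a 4xx status; its body is still the evidence.
        status = e.code
        headers = {k.lower(): v for k, v in e.headers.items()}
        body, complete = e.read(), True
    return Response(status, headers, body, complete)


def run_checks(urls):
    """Fetch each direct-file URL and return {url: outcome}."""
    results = {}
    for url in urls:
        try:
            results[url] = classify(fetch(url))
        except (urllib.error.URLError, OSError) as e:
            results[url] = f"error: {e}"
    return results


if __name__ == "__main__":
    # Pass direct file URLs; default is the http link from the thread. An
    # "delivered" result for an https URL is expected unless HTTPS decryption
    # is enabled on the firewall (assumption, not stated in the thread).
    targets = sys.argv[1:] or ["http://www.eicar.org/download/eicar.com.txt"]
    for url, outcome in run_checks(targets).items():
        print(f"{outcome:10s} {url}")
```

Run it from a client behind the firewall once in batch mode and once in real-time mode; the first should report "blocked" and, going by the posts above, the second "truncated". A "delivered" line means the object never went through the scanner, which is what the third post's proxy-bypass cases would look like.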

  • Hi


    I just noticed that when I click on the following link, the detection works correctly:

    http://www.eicar.org/download/eicar.com.txt

    But when I click on one of the files at the 2nd link, the Sophos XG does not detect it and lets me download the files (local PC AV kicks in instead):

    https://www.etes.de/downloads/eicar-testvirus/

    Webfilter Options: