Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 6 subscribers
  • Views 468 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM Transparent bridge mode AV detection

zit stif

I'm currently testing Sophos home UTM and I'm wondering if there's anything I need to do, to have it detect malware while in bridge mode. 

I have the UTM appliance setup on a 2 NIC small form factor pc I purchased for testing. I put a test system behind it. The test system can get out of the internet just fine. If if I go to https://secure.eicar.org/eicar.com  or even http://secure.eicar.org/eicar.com , the sophos utm appliance doesn't detect this file. (If the Windows system behind the utm has its AV system running, it will detect the test file.)  My hope is for the network appliance to capture/detect/block this before it even gets to the client. Any idea what I need to do? 

FYI, the appliance isn't doing dhcp or dns. I would just like it to run as a network AV device per se. 

I used this guide to setup the bridge mode: https://www.fastvue.co/sophos/blog/easily-evaluate-sophos-utm-using-full-transparent-mode/

Any info/input I would greatly appreciate. 



This thread was automatically locked due to age.
Parents
  • 0

    AV is usable from web-proxy (possible transparent proxy too) and mail-security only.

    Don't know if IPS with "file related pattern" activated do the job too.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Reply
  • 0

    AV is usable from web-proxy (possible transparent proxy too) and mail-security only.

    Don't know if IPS with "file related pattern" activated do the job too.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Children
  • 0 in reply to dirkkotte

    Thanks for the reply. It looks like I'm making some progress. I switched web filtering mode to full transparent and tried to download the test AV signature over HTTP and was promptly blocked. :-)  secure.eicar.org/eicar.com doesn't allow downloading over http, it will upgraded your http request to https. 

    " severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="192.168.1.245" dstip="89.238.73.97" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2784" request="0x9a50e00" url="">www.eicar.org/.../eicar.com.txt" referer="" error="" authtime="0" dnstime="795" aptptime="324" cattime="50027" avscantime="372542" fullreqtime="730146" device="0" auth="0" ua="Wget/1.20.3 (mingw32)" exceptions="" category="126" reputation="malicious" categoryname="Information Security" sandbox="-" content-type="text/plain" virus="EICAR-AV-Test" engine="SAVI"


Unfiltered HTML