
Sophos UTM Transparent bridge mode AV detection

I'm currently testing Sophos home UTM and I'm wondering if there's anything I need to do, to have it detect malware while in bridge mode. 

I have the UTM appliance set up on a 2 NIC small form factor PC I purchased for testing. I put a test system behind it. The test system can get out to the internet just fine. If I go to https://secure.eicar.org/eicar.com  or even http://secure.eicar.org/eicar.com , the Sophos UTM appliance doesn't detect this file. (If the Windows system behind the UTM has its AV system running, it will detect the test file.)  My hope is for the network appliance to capture/detect/block this before it even gets to the client. Any idea what I need to do? 

FYI, the appliance isn't doing dhcp or dns. I would just like it to run as a network AV device per se. 

I used this guide to setup the bridge mode: https://www.fastvue.co/sophos/blog/easily-evaluate-sophos-utm-using-full-transparent-mode/

Any info/input I would greatly appreciate. 



  • AV is usable from web-proxy (possibly transparent proxy too) and mail-security only.

    Don't know if IPS with "file related pattern" activated does the job too.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thanks for the reply. It looks like I'm making some progress. I switched web filtering mode to full transparent and tried to download the test AV signature over HTTP and was promptly blocked. :-)  secure.eicar.org/eicar.com doesn't allow downloading over http, it will upgrade your http request to https.

    " severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="192.168.1.245" dstip="89.238.73.97" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2784" request="0x9a50e00" url="">www.eicar.org/.../eicar.com.txt" referer="" error="" authtime="0" dnstime="795" aptptime="324" cattime="50027" avscantime="372542" fullreqtime="730146" device="0" auth="0" ua="Wget/1.20.3 (mingw32)" exceptions="" category="126" reputation="malicious" categoryname="Information Security" sandbox="-" content-type="text/plain" virus="EICAR-AV-Test" engine="SAVI"
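    An added example (not from the thread or from Sophos): a small Python parser for the SecureWeb key="value" log format quoted above that picks out proxy blocks caused by an AV hit, as distinct from category blocks, run over constructed sample lines. The hostnames, the allowed and category-block lines and their IPs are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List

# Sophos UTM SecureWeb http log entries are space-separated key="value" pairs.
# The three lines below are constructed for this example, modelled on the entry
# quoted in the thread; hosts, IPs and the allowed/category-block lines are sample data.
SAMPLE_LOG: List[str] = [
    'severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" '
    'method="GET" srcip="192.168.1.245" dstip="198.51.100.10" statuscode="200" '
    'url="http://example.invalid/index.html" ua="Wget/1.20.3 (mingw32)" '
    'reputation="trusted" content-type="text/html" virus="" engine=""',
    'severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" '
    'action="block" method="GET" srcip="192.168.1.245" dstip="89.238.73.97" statuscode="403" '
    'url="http://example.invalid/eicar.com.txt" ua="Wget/1.20.3 (mingw32)" '
    'reputation="malicious" content-type="text/plain" virus="EICAR-AV-Test" engine="SAVI"',
    'severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" '
    'method="GET" srcip="192.168.1.250" dstip="203.0.113.7" statuscode="403" '
    'url="http://example.invalid/blocked.html" ua="Mozilla/5.0" '
    'reputation="neutral" content-type="text/html" virus="" engine=""',
]

# One key="value" pair; keys may contain a hyphen (content-type).
_PAIR = re.compile(r'([\w-]+)="([^"]*)"')


def parse_utm_line(line: str) -> Dict[str, str]:
    """Turn one SecureWeb log line into a dict of its fields."""
    return dict(_PAIR.findall(line))


def is_av_block(event: Dict[str, str]) -> bool:
    """True when the proxy blocked the request because the AV engine found malware."""
    # A category block also carries action="block", so the virus field is the
    # discriminator; the event name is checked as a second signal.
    return (event.get("sys") == "SecureWeb"
            and event.get("action") == "block"
            and (bool(event.get("virus")) or "virus detected" in event.get("name", "")))


def av_block_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the fields a responder wants for every AV block in the log."""
    hits = []
    for event in map(parse_utm_line, lines):
        if is_av_block(event):
            hits.append({f: event.get(f, "") for f in
                         ("srcip", "dstip", "url", "ua", "virus", "engine")})
    return hits
```

    Feeding the real http log from the UTM through av_block_events gives one record per client hit, which is the view to check when confirming that transparent-mode scanning is actually catching downloads.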



