
How to allow certain services (antivirus, update servers)

Hello, the UTM has started to block Kaspersky Antivirus updates or signature renewals (this started a month ago after some UTM upgrades). The same happens to other update services for some graphics adapters (GeForce), O&O imaging software etc.

BTW, Kaspersky has lots of update servers. The download of the new files starts but ends up frozen at 65 - 83% (it varies). Switching off the UTM and bringing the PCs directly onto the Internet shows that the UTM configuration is stopping the process. Any ideas?



  • I found a similar problem with Sophos XG firewalls where the same symptoms were appearing and Kaspersky updates fail halfway through. A bit of digging around showed that the firewall was blocking virus definition files ending with the .dat extension, as these are categorized as video files and the firewall policy is to block videos.

    Creating exceptions for web filtering in the following manner:

    ^[A-Za-z0-9.-]*\.kaspersky-labs.com\.?/
    ^[A-Za-z0-9.-]*\.kaspersky.com\.?/
     
    solved the issue for me.
     
    You may be experiencing a similar issue.
  • FormerMember, in reply to Mihira Fernando:

    Hi Mihira,

    what exactly do you enter in your exception? It still does not work :-(

    First I had

    ^https?://([A-Za-z0-9.-]+\.)?kaspersky\.com/

    maintained. Then I had read your post and changed to

    ^[A-Za-z0-9.-]*\.kaspersky-labs.com\.?/
    ^[A-Za-z0-9.-]*\.kaspersky.com\.?/

     

  • Please note that my exception rules were for Sophos XG firewalls, which use SFOS v16.

  • FormerMember, in reply to Mihira Fernando:

    Hi,

    enclosed an extract of the web filter log - I see no "denied"....

    2017:05:29-12:00:00 mx01 httpproxy[6214]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.45.11" dstip="193.45.6.13" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="265" request="0xd468c600" url="dnl-12.geo.kaspersky.com/.../updater.xml.dif" referer="" error="" authtime="0" dnstime="1735" cattime="59079" avscantime="2727" fullreqtime="108694" device="0" auth="0" ua="*BUEBAAAA8WAAAk_AAAQB6xJVjxK3BN6WFGJpMxeSId5rQAAAAAwlBMAAKAA=" exceptions="" category="105" reputation="neutral" categoryname="Business" application="kasprsky" app-id="250" sandbox="-" content-type="application/octet-stream"
    2017:05:29-12:00:00 mx01 httpproxy[6214]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.45.11" dstip="193.45.6.13" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="403" request="0xdd8c0c00" url="dnl-12.geo.kaspersky.com/.../u1313g.xml.dif" referer="" error="" authtime="0" dnstime="10998" cattime="57711" avscantime="2967" fullreqtime="116238" device="0" auth="0" ua="*BUEBAAAA8WAAAk_AAAQB6xJVjxK3BN6WFGJpMxeSId5rQAAAAAwlBMAAKAA=" exceptions="" category="105" reputation="neutral" categoryname="Business" application="kasprsky" app-id="250" sandbox="-" content-type="application/octet-stream"
    2017:05:29-12:00:00 mx01 httpproxy[6214]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.45.11" dstip="193.45.6.13" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1786" request="0xdd8c0c00" url="dnl-12.geo.kaspersky.com/.../u1313g.xml.klz" referer="" error="" authtime="0" dnstime="0" cattime="68877" avscantime="3644" fullreqtime="102446" device="0" auth="0" ua="*BUEBAAAA8WAAAk_AAAQB6xJVjxK3BN6WFGJpMxeSId5rQAAAAAwlBMAAKAA=" exceptions="" category="105" reputation="neutral" categoryname="Business" application="kasprsky" app-id="250" sandbox="-" content-type="application/octet-stream"

  • ^https?://([A-Za-z0-9.-]+\.)?kaspersky\.com/ would be one correct form in the UTM. You see in the log lines that your Kaspersky accesses did not qualify for your Exception.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • FormerMember, in reply to BAlfson:

    Hi,

    I changed the form but it still does not work :-(
    Still an error from the Kaspersky update....

    2017:05:30-13:00:00 mx01 httpproxy[6214]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.45.11" dstip="212.73.221.199" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="885" request="0xe0177800" url="dnl-04.geo.kaspersky.com/.../updater.xml.dif" referer="" error="" authtime="0" dnstime="1541" cattime="0" avscantime="0" fullreqtime="44312" device="0" auth="0" ua="*BUEBAAAA8WAAAk_AAAQB6xJVjxK3BN6WFGJpMxeSId5rQAAAAAwlBMAAKAA=" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"
    2017:05:30-13:00:00 mx01 httpproxy[6214]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.45.11" dstip="212.73.221.199" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="257" request="0xdeab0400" url="dnl-04.geo.kaspersky.com/.../u1313g.xml.dif" referer="" error="" authtime="0" dnstime="133" cattime="0" avscantime="0" fullreqtime="42367" device="0" auth="0" ua="*BUEBAAAA8WAAAk_AAAQB6xJVjxK3BN6WFGJpMxeSId5rQAAAAAwlBMAAKAA=" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"
    2017:05:30-13:00:00 mx01 httpproxy[6214]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.45.11" dstip="212.73.221.199" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1788" request="0xdeab0400" url="dnl-04.geo.kaspersky.com/.../u1313g.xml.klz" referer="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="25574" device="0" auth="0" ua="*BUEBAAAA8WAAAk_AAAQB6xJVjxK3BN6WFGJpMxeSId5rQAAAAAwlBMAAKAA=" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"
    2017:05:30-13:00:02 mx01 httpproxy[6214]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.45.11" dstip="212.73.221.199" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4057" request="0xdeab0400" url="dnl-04.geo.kaspersky.com/.../hips-1313g.xml.dif" referer="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="2084569" device="0" auth="0" ua="*BUEBAAAA8WAAAk_AAAQB6xJVjxK3BN6WFGJpMxeSId5rQAAAAAwlBMAAKAA=" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"

  • Do you have any better luck with the form I prefer?

    ^https?://[A-Za-z0-9.-]*kaspersky\.com/

    Cheers - Bob

  • FormerMember, in reply to BAlfson:

    I will try it and feedback...

    But you see in the log lines that my Kaspersky accesses did qualify my Exception - or have I got that wrong?

  • FormerMember, in reply to BAlfson:

    Hi Bob,

    I think the problem is a different one...
    I have disabled the exception, and in the transparent mode exceptions I added the source host of my Kaspersky update server. Now it works :-)

    So the problem is the transparent proxy, right?

  • Are you checking all entries from a source machine in the same time period? Your supplied log entries indicate that everything is working perfectly, so I doubt that you have found the right data. Somewhere there must be an entry with something other than statuscode="200" and error="".

    I have seen several auto-update products that use HTTPS with an IP address rather than a host name. When used with key pinning, it can still be secure. I do not know if this is done to reduce risks of DNS poisoning or for more mundane reasons, but this technique complicates log analysis.
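The two pieces of advice in this thread (check which regex form actually matches the Kaspersky URLs, and search the httpproxy log for anything other than statuscode="200" with an empty error) can be checked offline. The following is an added example written for this page; it is not code from Sophos or from any poster. It parses UTM httpproxy lines in the key="value" shape pasted above, tests a URL against the XG and UTM exception regexes exactly as posted, and reports the entries Bob asked for. Two assumptions are built in: UTM matches an exception regex against the full URL including the scheme (which is why the working forms start with ^https?://), and a logged url field without a scheme, as in the extract above, is treated as plain http://. The three log lines in SAMPLE_LOG are constructed for this example, not copied from a device.

```python
"""Check Sophos UTM httpproxy log lines against web-filter exception regexes.

Added example for this thread, not code from Sophos or from anyone in it.
The key="value" line format follows the extracts pasted above; the three
SAMPLE_LOG lines are constructed for this example, not copied from a device.
"""
import re

# "<date> <host> httpproxy[<pid>]: key="value" key="value" ..."
HEADER_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+httpproxy\[(?P<pid>\d+)\]:\s*(?P<rest>.*)$')
KV_RE = re.compile(r'([A-Za-z_][\w-]*)="([^"]*)"')

# Exception regexes exactly as posted in the thread.
XG_PATTERNS = [                       # Mihira's rules (Sophos XG / SFOS v16)
    r'^[A-Za-z0-9.-]*\.kaspersky-labs.com\.?/',
    r'^[A-Za-z0-9.-]*\.kaspersky.com\.?/',
]
UTM_PATTERNS = [                      # Bob's two UTM forms
    r'^https?://([A-Za-z0-9.-]+\.)?kaspersky\.com/',
    r'^https?://[A-Za-z0-9.-]*kaspersky\.com/',
]

SAMPLE_LOG = [  # constructed; field set trimmed to what the checks below use
    '2017:05:29-12:00:00 mx01 httpproxy[6214]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="GET" srcip="192.168.45.11" '
    'dstip="193.45.6.13" statuscode="200" url="dnl-12.geo.kaspersky.com/updates/updater.xml.dif" '
    'error="" exceptions="" category="105" categoryname="Business"',
    '2017:05:30-13:00:00 mx01 httpproxy[6214]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="GET" srcip="192.168.45.11" '
    'dstip="212.73.221.199" statuscode="200" url="dnl-04.geo.kaspersky.com/updates/u1313g.xml.klz" '
    'error="" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"',
    '2017:05:30-13:00:05 mx01 httpproxy[6214]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="GET" srcip="192.168.45.11" '
    'dstip="212.73.221.199" statuscode="504" url="dnl-04.geo.kaspersky.com/updates/hips-1313g.xml.dif" '
    'error="" exceptions=""',
]


def parse_httpproxy_line(line):
    """Return header fields plus every key="value" pair, or None for a non-httpproxy line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('rest')))
    fields.update(ts=m.group('ts'), host=m.group('host'), pid=m.group('pid'))
    return fields


def url_for_matching(fields):
    """UTM matches exception regexes against the full URL, scheme included.
    Assumption: a logged url field with no scheme was a plain-HTTP request."""
    url = fields.get('url', '')
    return url if re.match(r'^[a-z]+://', url) else 'http://' + url


def matching_patterns(url, patterns):
    """Which of the given exception regexes would fire for this URL."""
    return [p for p in patterns if re.search(p, url)]


def check_log(lines, patterns):
    """Per entry: URL as matched, regexes that hit it, and whether UTM itself
    logged an applied exception (exceptions="..." non-empty)."""
    rows = []
    for line in lines:
        f = parse_httpproxy_line(line)
        if f is None:
            continue
        url = url_for_matching(f)
        rows.append({'url': url,
                     'regex_hits': matching_patterns(url, patterns),
                     'exception_logged': bool(f.get('exceptions')),
                     'status': f.get('statuscode')})
    return rows


def find_anomalies(lines):
    """Bob's advice: anything that is not action=pass, statuscode=200, error=''."""
    out = []
    for line in lines:
        f = parse_httpproxy_line(line)
        if f is None:
            continue
        if f.get('action') != 'pass' or f.get('statuscode') != '200' or f.get('error'):
            out.append(f)
    return out


if __name__ == '__main__':
    for row in check_log(SAMPLE_LOG, XG_PATTERNS + UTM_PATTERNS):
        print(row)
    for f in find_anomalies(SAMPLE_LOG):
        print('ANOMALY', f['ts'], f['srcip'], f['url'], f['statuscode'], f['error'])
```

Running it shows why the XG rules never fire on the UTM: they match a bare host string such as dnl-12.geo.kaspersky.com/... but not the same URL once http:// is in front of it. Both UTM forms match the real download hosts; note that Bob's preferred form, ^https?://[A-Za-z0-9.-]*kaspersky\.com/, also matches a host such as notkaspersky.com, whereas the first form with the optional ([A-Za-z0-9.-]+\.)? group only matches kaspersky.com and its subdomains. The exceptions field in the log is the authoritative check: an empty value means no exception applied to that request, whatever the regex looks like.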
