This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AV scanning not blocking zipped malware when downloaded from cloud drives like Google Drive

Hello!

 

I just installed Sophos UTM for testing purposes, I enabled SSL Inspection and set dual av engine in the web filtering, when I test download a test eicar file "eicarcom2.zip" it blocks the request perfectly. But, when I uploaded eicarcom2.zip to google drive and also my owncloud drive, tried downloading from both but it didn't block the request, below is the log:

 

Successfully blocked request:

2018:12:26-04:25:00 local httpproxy[14612]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="10.0.0.2" dstip="91.212.136.200" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2705" request="0xdcea1100" url="www.ikarussecurity.com/.../eicar_com.zip" referer="www.ikarussecurity.com/.../" error="" authtime="0" dnstime="0" aptptime="153" cattime="86" avscantime="1580107" fullreqtime="3103347" device="0" auth="0" ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" exceptions="" category="105" reputation="neutral" categoryname="Business" sandbox="-" content-type="application/zip" virus="EICAR-AV-Test" engine="SAVI"
 
 
Not blocked:

2018:12:26-04:26:14 local httpproxy[14612]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.2" dstip="35.XXX.XXX.237" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7268" request="0xe915100" url="oc.XXXXX.com/.../eicarcom2.zip" referer="" error="" authtime="0" dnstime="0" aptptime="103" cattime="155" avscantime="10623" fullreqtime="1527438" device="0" auth="0" ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" sandbox="-" content-type="text/html"

 

I've no idea what's going on, it should have been blocked as it is the same file downloaded from the original source.

 

Regards,



This thread was automatically locked due to age.
Parents
  • Hi aaa kkk,

    Welcome to the community.

    that really is a bad heading! 

    You need to first consider what you are trying to protect?

    the UTM works in conjunction with the endpoint security you have installed.

    the UTM will protect from most of the malware out there in the wild, but there are 2 or 3 modules that need to be enabled for maximum protection (from the web).

    Simply put ...

    1. IPS - this is inbound

    2. Web Protection (best to have HTTPS decrypt and scan) - this is also inbound

    3. ATP - this is outbound.

     

    but please note if you download an unrecognised malware, your endpoint security suite will spot it (later) and quarantine it when it is recognised as malware.

    I had this the other day (for a variant of the w97 macro virus) initially let through by the scanning, then spotted later when accessed again, but this was by the endpoint security suite.

    Really this test is not a valid, as you do not seem to have an endpoint security suite installed on your test system.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Argo,

    Thanks for your answer, I do understand that endpoint needs to be installed but that's not the case here. I have ssl mitm enabled and working.

    If it's detecting a test virus file directly through a normal ssl url then why not when it's downloaded from any cloud source?

    Regards,

  • it may not spot it, as there are quite a few obvious differences with how each request was handled, and thus different policies are applied.

    Also in may well be that, if I am understanding this correctly, that you are trying to transfer from one cloud provider to another?

    these cloud providers may well transfer directly instead of involving the endpoint...

    and as such may not transfer across the UTM.

     

    please see this;

    avscantime="1580107"

    avscantime="10623"

     

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • No, I downloaded that test eicar file and uploaded it Google drive and owncloud from a pc that is not behind utm. So, when I downloaded this file from Google drive and own cloud on a pc that is behind utm, it went through without any problems.

  • This is weird, while downloading a zip file from Google or owncloud

    content-type="text/html"

    It should have been "application/zip".

    That's weird

Reply Children
No Data