
AV scanning not blocking zipped malware when downloaded from cloud drives like Google Drive

Hello!

 

I just installed Sophos UTM for testing purposes. I enabled SSL Inspection and set the dual AV engine in web filtering. When I test-download the EICAR test file "eicarcom2.zip" it blocks the request perfectly. But when I uploaded eicarcom2.zip to Google Drive and also to my ownCloud drive and tried downloading from both, it didn't block the request. Below is the log:

 

Successfully blocked request:

2018:12:26-04:25:00 local httpproxy[14612]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="10.0.0.2" dstip="91.212.136.200" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2705" request="0xdcea1100" url="www.ikarussecurity.com/.../eicar_com.zip" referer="www.ikarussecurity.com/.../" error="" authtime="0" dnstime="0" aptptime="153" cattime="86" avscantime="1580107" fullreqtime="3103347" device="0" auth="0" ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" exceptions="" category="105" reputation="neutral" categoryname="Business" sandbox="-" content-type="application/zip" virus="EICAR-AV-Test" engine="SAVI"
 
 
Not blocked:

2018:12:26-04:26:14 local httpproxy[14612]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.2" dstip="35.XXX.XXX.237" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7268" request="0xe915100" url="oc.XXXXX.com/.../eicarcom2.zip" referer="" error="" authtime="0" dnstime="0" aptptime="103" cattime="155" avscantime="10623" fullreqtime="1527438" device="0" auth="0" ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" sandbox="-" content-type="text/html"

 

I've no idea what's going on; it should have been blocked, as it is the same file downloaded from the original source.

 

Regards,
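To make the comparison in this post reproducible, here is an added Python example (not from the thread, and not Sophos code) that parses the two httpproxy log lines quoted above into key/value records and reports which fields differ between the blocked and the passed request. The field names are exactly those in the log lines; the archive-versus-Content-Type rule in find_unscanned_archives is my own triage heuristic, not a UTM feature, and the log lines are embedded as posted (masked hosts included).

```python
import re

# The two httpproxy log lines copied from the thread above: the first request was
# blocked by the AV scan, the second (the ownCloud download of the same archive) was
# passed. Masked hosts/IPs are kept exactly as posted.
BLOCKED_LINE = (
    '2018:12:26-04:25:00 local httpproxy[14612]: id="0056" severity="info" sys="SecureWeb" '
    'sub="http" name="web request blocked, virus detected" action="block" method="GET" '
    'srcip="10.0.0.2" dstip="91.212.136.200" user="" group="" ad_domain="" statuscode="403" '
    'cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2705" '
    'request="0xdcea1100" url="www.ikarussecurity.com/.../eicar_com.zip" '
    'referer="www.ikarussecurity.com/.../" error="" authtime="0" dnstime="0" aptptime="153" '
    'cattime="86" avscantime="1580107" fullreqtime="3103347" device="0" auth="0" '
    'ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/70.0.3538.67 Safari/537.36" exceptions="" category="105" reputation="neutral" '
    'categoryname="Business" sandbox="-" content-type="application/zip" '
    'virus="EICAR-AV-Test" engine="SAVI"'
)
PASSED_LINE = (
    '2018:12:26-04:26:14 local httpproxy[14612]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.2" '
    'dstip="35.XXX.XXX.237" user="" group="" ad_domain="" statuscode="200" cached="0" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7268" '
    'request="0xe915100" url="oc.XXXXX.com/.../eicarcom2.zip" referer="" error="" '
    'authtime="0" dnstime="0" aptptime="103" cattime="155" avscantime="10623" '
    'fullreqtime="1527438" device="0" auth="0" ua="Mozilla/5.0 (X11; Linux x86_64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" '
    'exceptions="" category="178" reputation="neutral" categoryname="Internet Services" '
    'sandbox="-" content-type="text/html"'
)

# Syslog-style prefix: timestamp, host, process[pid]: followed by key="value" pairs.
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: ')
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Fields worth comparing when a download that should have been blocked was passed.
TRIAGE_FIELDS = ("action", "name", "statuscode", "content-type", "virus", "engine",
                 "avscantime", "size", "url")
# Heuristic only (my assumption, not a UTM rule): URLs naming an archive whose
# reported Content-Type is not an application/* type deserve a second look.
ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".gz", ".tar")


def parse_httpproxy_line(line):
    """Parse one httpproxy line into a dict of header fields plus every key="value"."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an httpproxy log line: %r" % line[:60])
    rec = dict(m.groupdict())
    rec.update(FIELD_RE.findall(line[m.end():]))
    return rec


def av_verdict(rec):
    """One-line summary of what the AV stage reported for a parsed request."""
    if rec.get("virus"):
        return "blocked: %s (engine %s)" % (rec["virus"], rec.get("engine", "?"))
    if rec.get("action") == "pass":
        return "passed: no virus field reported"
    return rec.get("action", "unknown")


def compare_requests(a, b):
    """Return {field: (value_in_a, value_in_b)} for triage fields whose values differ."""
    diffs = {}
    for field in TRIAGE_FIELDS:
        va, vb = a.get(field, ""), b.get(field, "")
        if va != vb:
            diffs[field] = (va, vb)
    return diffs


def find_unscanned_archives(lines):
    """Over many log lines, return parsed records of passed requests whose URL names an
    archive but whose Content-Type is not application/* (the pattern in PASSED_LINE)."""
    hits = []
    for line in lines:
        rec = parse_httpproxy_line(line)
        url = rec.get("url", "").lower()
        ctype = rec.get("content-type", "")
        if (rec.get("action") == "pass" and url.endswith(ARCHIVE_EXTS)
                and not ctype.startswith("application/")):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    blocked = parse_httpproxy_line(BLOCKED_LINE)
    passed = parse_httpproxy_line(PASSED_LINE)
    print("blocked request ->", av_verdict(blocked))
    print("passed request  ->", av_verdict(passed))
    for field, (b, p) in compare_requests(blocked, passed).items():
        print("  %-13s blocked=%r  passed=%r" % (field, b, p))
    for rec in find_unscanned_archives([BLOCKED_LINE, PASSED_LINE]):
        print("review:", rec["ts"], rec["url"], "content-type", rec["content-type"])
```

Run against the two lines, the diff shows that the passed request carries no virus/engine fields at all and reports content-type="text/html" for a URL ending in .zip, while the blocked one reports application/zip; that is the first thing to check in the proxy log before assuming the scanner itself missed the archive.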



  • Hello - I add my welcome to that of Argo!

    In your last post here, I think you gave us all the answer.  Apparently, Google Drive uses its own coding that "tricks" anti-virus engines.

    So, it's as Argo said - the only way to block malware in a zip downloaded from Google Drive is after the file exists on your hard drive - and that would be with an endpoint antivirus.

    Cheers - Bob

    PS I changed the title of the thread to make it easier for others to find the information you've brought to the UTM Community.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yep, it's the same case with all cloud drives.
