
AV scanning not blocking zipped malware when downloaded from cloud drives like Google Drive

Hello!
I just installed Sophos UTM for testing purposes. I enabled SSL Inspection and set the dual AV engine in the web filtering. When I test-download a test EICAR file, "eicarcom2.zip", it blocks the request perfectly. But when I uploaded eicarcom2.zip to Google Drive and also to my ownCloud drive and tried downloading from both, it didn't block the request. Below is the log:
Successfully blocked request:

2018:12:26-04:25:00 local httpproxy[14612]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="10.0.0.2" dstip="91.212.136.200" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2705" request="0xdcea1100" url="www.ikarussecurity.com/.../eicar_com.zip" referer="www.ikarussecurity.com/.../" error="" authtime="0" dnstime="0" aptptime="153" cattime="86" avscantime="1580107" fullreqtime="3103347" device="0" auth="0" ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" exceptions="" category="105" reputation="neutral" categoryname="Business" sandbox="-" content-type="application/zip" virus="EICAR-AV-Test" engine="SAVI"
Not blocked:

2018:12:26-04:26:14 local httpproxy[14612]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.2" dstip="35.XXX.XXX.237" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7268" request="0xe915100" url="oc.XXXXX.com/.../eicarcom2.zip" referer="" error="" authtime="0" dnstime="0" aptptime="103" cattime="155" avscantime="10623" fullreqtime="1527438" device="0" auth="0" ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" sandbox="-" content-type="text/html"
I've no idea what's going on; it should have been blocked, as it is the same file downloaded from the original source.
Regards,
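
The two log lines above differ in more than the action field: the blocked request carries content-type="application/zip" plus virus and engine fields, while the passed request for a URL ending in .zip carries content-type="text/html" and no virus field at all. The following script is an added example, not part of the original post or of any Sophos tooling: it parses UTM httpproxy key="value" lines and flags "pass" records whose URL looks like an archive but whose scanned body was not an archive, which is one way to spot that the proxy scanned a landing page rather than the file itself. The archive extension list and the interpretation in the note text are the author's assumptions; the two sample lines are copied from the post.

```python
import re
from typing import Dict, Iterable, List

# Matches the key="value" pairs used in UTM httpproxy log lines (keys may contain '-').
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

# The header before the first pair: timestamp, host, process[pid]:
HEADER_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\w+)\[(\d+)\]:')

# Extensions a real archive download is expected to carry (assumed list, extend as needed).
ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".gz", ".tgz", ".tar")

# Sample records, copied from the post above (IP/hostname masking kept as posted).
BLOCKED = '2018:12:26-04:25:00 local httpproxy[14612]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="10.0.0.2" dstip="91.212.136.200" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2705" request="0xdcea1100" url="www.ikarussecurity.com/.../eicar_com.zip" referer="www.ikarussecurity.com/.../" error="" authtime="0" dnstime="0" aptptime="153" cattime="86" avscantime="1580107" fullreqtime="3103347" device="0" auth="0" ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" exceptions="" category="105" reputation="neutral" categoryname="Business" sandbox="-" content-type="application/zip" virus="EICAR-AV-Test" engine="SAVI"'
PASSED = '2018:12:26-04:26:14 local httpproxy[14612]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.2" dstip="35.XXX.XXX.237" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7268" request="0xe915100" url="oc.XXXXX.com/.../eicarcom2.zip" referer="" error="" authtime="0" dnstime="0" aptptime="103" cattime="155" avscantime="10623" fullreqtime="1527438" device="0" auth="0" ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" sandbox="-" content-type="text/html"'


def parse_httpproxy_line(line: str) -> Dict[str, str]:
    """Parse one httpproxy line into its key="value" fields plus a few header fields."""
    fields = {k: v for k, v in KV_RE.findall(line)}
    m = HEADER_RE.match(line)
    if m:
        fields["_timestamp"], fields["_host"], fields["_proc"], fields["_pid"] = m.groups()
    return fields


def triage(fields: Dict[str, str]) -> List[str]:
    """Explain why one record was blocked, or why a 'pass' record deserves a second look."""
    notes: List[str] = []
    if fields.get("action") == "block":
        # The proxy reports which engine matched and what it matched on.
        notes.append(f"blocked by {fields.get('engine', '?')}: {fields.get('virus', '?')}")
        return notes
    # Strip any query string before looking at the extension.
    path = fields.get("url", "").split("?", 1)[0].lower()
    ctype = fields.get("content-type", "")
    if path.endswith(ARCHIVE_EXTS) and not ctype.startswith("application/"):
        notes.append(
            f"URL looks like an archive ({path.rsplit('/', 1)[-1]}) but the scanned body "
            f"was {ctype or 'unknown'}; the proxy may have scanned a landing page, not the file"
        )
    if "virus" not in fields:
        notes.append("no virus/engine fields: the AV engines did not flag the body that was scanned")
    return notes


def triage_log(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Run triage over many lines; results are keyed by the record's request id."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        fields = parse_httpproxy_line(line)
        if "action" in fields:
            report[fields.get("request", line[:20])] = triage(fields)
    return report


if __name__ == "__main__":
    for req, notes in triage_log([BLOCKED, PASSED]).items():
        print(req)
        for note in notes:
            print("  -", note)
```

When the passed record is flagged this way, the next thing to check is which request actually carried the archive bytes: a cloud-drive share link often returns an HTML page first and hands the real file out from a different URL, so it is that second request whose content-type, size and avscantime should be compared against the blocked one.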


