HTTPS Scanning not working

Hi, Dave, and welcome to the UTM Community!

Open the Web Filtering Live Log and show us the lines related to passing this traffic.

Cheers - Bob

Thanks Bob!

Here are the lines from when I clicked on the link (I didn't download the file, but the windows opened up asking me where to download it to).  My machine is 192.168.22.100.  

2016:04:06-17:07:05 sophosutm httpproxy[27126]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.22.100" dstip="216.58.219.227" user="Dave" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo2 (Adults)" filteraction="REF_HttCffAdults (Adults)" size="5097" request="0xcd6d6000" url="https://id.google.com/" referer="" error="" authtime="0" dnstime="33932" cattime="25033" avscantime="0" fullreqtime="11229751" device="0" auth="0" ua="" exceptions="" category="145" reputation="neutral" categoryname="Search Engines" application="google" app-id="182"
2016:04:06-17:07:05 sophosutm httpproxy[27126]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.22.100" dstip="172.217.0.35" user="Dave" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo2 (Adults)" filteraction="REF_HttCffAdults (Adults)" size="5099" request="0xcd5d0c00" url="https://ssl.gstatic.com/" referer="" error="" authtime="0" dnstime="41692" cattime="49" avscantime="0" fullreqtime="11297815" device="0" auth="0" ua="" exceptions="" category="177" reputation="neutral" categoryname="Content Server" application="google" app-id="182"
2016:04:06-17:07:05 sophosutm httpproxy[27126]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.22.100" dstip="216.58.219.227" user="Dave" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo2 (Adults)" filteraction="REF_HttCffAdults (Adults)" size="5099" request="0xcd5d0600" url="https://www.gstatic.com/" referer="" error="" authtime="0" dnstime="1" cattime="52" avscantime="0" fullreqtime="11298522" device="0" auth="0" ua="" exceptions="" category="177" reputation="trusted" categoryname="Content Server" application="google" app-id="182"
2016:04:06-17:07:11 sophosutm httpproxy[27126]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.22.100" dstip="188.40.238.250" user="Dave" group="" ad_domain="" statuscode="204" cached="0" profile="REF_HttProContaInterNetwo2 (Adults)" filteraction="REF_HttCffAdults (Adults)" size="0" request="0xcd670000" url="analytics.eicar.org/piwik.php referer="www.eicar.org/85-0-Download.html" error="" authtime="0" dnstime="0" cattime="96" avscantime="0" fullreqtime="13181192" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36" exceptions="" category="126" reputation="neutral" categoryname="Information Security"
2016:04:06-17:07:12 sophosutm httpproxy[27126]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.22.100" dstip="54.152.101.146" user="Dave" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo2 (Adults)" filteraction="REF_HttCffAdults (Adults)" size="9971" request="0xcd62d600" url="https://a.company-target.com/" referer="" error="" authtime="0" dnstime="36087" cattime="90862" avscantime="0" fullreqtime="85764648" device="0" auth="0" ua="" exceptions="" category="177" reputation="unverified" categoryname="Content Server" application="dmndbase" app-id="1352"
2016:04:06-17:07:12 sophosutm httpproxy[27126]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.22.100" dstip="54.152.101.146" user="Dave" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo2 (Adults)" filteraction="REF_HttCffAdults (Adults)" size="9971" request="0xe6b07800" url="https://a.company-target.com/" referer="" error="" authtime="0" dnstime="33553" cattime="64400" avscantime="0" fullreqtime="85735688" device="0" auth="0" ua="" exceptions="" category="177" reputation="unverified" categoryname="Content Server" application="dmndbase" app-id="1352"
2016:04:06-17:07:12 sophosutm httpproxy[27126]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.22.100" dstip="52.70.150.21" user="Dave" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo2 (Adults)" filteraction="REF_HttCffAdults (Adults)" size="11628" request="0xcd65d600" url="https://api.demandbase.com/" referer="" error="" authtime="0" dnstime="37347" cattime="34123" avscantime="0" fullreqtime="86320349" device="0" auth="0" ua="" exceptions="" category="105" reputation="neutral" categoryname="Business" application="dmndbase" app-id="1352"
2016:04:06-17:07:26 sophosutm httpproxy[27126]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.22.100" dstip="188.40.238.252" user="Dave" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo2 (Adults)" filteraction="REF_HttCffAdults (Adults)" size="1674" request="0xcd242400" url="https://secure.eicar.org/" referer="" error="" authtime="0" dnstime="3" cattime="75" avscantime="0" fullreqtime="15348552" device="0" auth="0" ua="" exceptions="" category="126" reputation="neutral" categoryname="Information Security"

It's strange, Dave, that several of those accesses took from 10 to 85 seconds to complete. That's an indication that you might want to skip AV for those sites.

If you don't download the file, AV will not get a chance to evaluate it?

Cheers - Bob

I'm not sure about the time it took...I clicked the link and the download box came up fairly quickly.  Our connection is Verizon FIOS with a 50 up, 50 down connection.

I am looking to get files scanned before downloading because my son tends to download anything that isn't blocked - he's 9, and figures if the filters let him download something, it's safe.  He's very curious about viruses and is trying to learn as much as he can about them - and I don't want to prevent that - but I also don't want him downloading something that isn't safe.

Thanks!

I am having a similiar problem to Dave but it´s not related to download. I think mine is worse because HTTPS filtering seem to be working only in some machines. Sometimes they work, sometimes they don´t,

I had to test some regex exceptions for a specific customer and then I started blocking youtube and that´s when I realized that the block wasnt working as expected.

Differently from Dave, I am using transparent webproxy (no SSO) and only HTTPs filtering (not decrypting). I updated mine to 9.4 a two days ago and I don´t know if this was a coincidence or not.

Rafael, I don't understand how this is similar to Dave's issue.  You might want to start a new thread with your question.

Cheers - Bob

It's not the speed of your connection, it's probably that the server is unhappy with something about the Proxy - I'm guessing that it's AV.  There's nothing like SandStorm for Web Filtering (yet), so you won't get a hit on malware unless you attempt the download.

Teach your son to use Sandboxie or a VM as a sandbox.  That way, he can just delete the VM or sandbox and not worry about having the infection in his machine.  That's probably a better way to learn anyway.

Cheers - Bob

It's not the speed of your connection, it's probably that the server is unhappy with something about the Proxy - I'm guessing that it's AV.  There's nothing like SandStorm for Web Filtering (yet), so you won't get a hit on malware unless you attempt the download.

Teach your son to use Sandboxie or a VM as a sandbox.  That way, he can just delete the VM or sandbox and not worry about having the infection in his machine.  That's probably a better way to learn anyway.

Cheers - Bob