
Web filter /antivirus not being applied to Android device when Data Saver is enabled

I have enabled web filtering in Sophos UTM 9.5. So far it works just fine on my wired PC running Windows 10, but the web filtering seems to not be working at all on my Android phone. I have added the Internal (Network) to the allowed list. Both Avira and Sophos AV are enabled.

Both standard and transparent modes were tried.

When downloading the eicar test file on the PC the download page is blocked when in transparent mode. When in transparent mode, the .com file is blocked from being downloaded.

However, when downloading the eicar test file from my Android device, the antivirus does not even stop the download at all, in either standard or transparent mode, HTTP or HTTPS.

Even blocked websites slip right past the web filtering on my Android device, but are blocked when browsing the same sites in my wired PC client.

What am I doing wrong? I really need to get web filtering to work from Android devices.

Config:

Gateway mode w/ DHCP on

DHCP disabled on wireless router

Should I add the IP address of my wireless router to the allowed networks?

Subscriptions: Base Functionality, Email Protection, Network Protection, Web Protection, Webserver Protection, Wireless Protection, Endpoint AntiVirus
Firmware version: 9.500-9
Pattern version: 127448
Current System Configuration
  Firewall is active with 3 rules
  Intrusion Prevention is active with 2160 of 31242 patterns
  Web Filtering is active, 6095 requests served today
  Network Visibility is active, 0 Application Control rules active
  SMTP Proxy is inactive
  POP3 Proxy is inactive
  RED is inactive
  Wireless Protection is inactive
  Endpoint Protection is inactive
  Site-to-Site VPN is inactive
  Remote Access is active with 0 online users
  Web Application Firewall is inactive
  Sophos UTM Manager is not configured
  Sophos Mobile Control is inactive
  HA/Cluster is inactive
  Antivirus is active for protocols HTTP/S
  Antispam is inactive
  Antispyware is active


  • Open the web filtering live log, enter your phone's IP as the filter value, and see what appears when you try the phone test.

    One possibility is that the phone is not on your wifi network,  so UTM is not seeing the phone traffic.

    What authentication method are you using on the phone?  If none, try switching to Browser authentication to see if you start getting prompted.

    By the way, I have been pleased, even impressed, with the free Sophos Free antivirus for Android phones.  I am using it instead of the McAfee-Verizon product that came with my phone.

  • The phone is connected to my wifi using WPA2 AES without TKIP

    OK, I viewed the live web filter logs and it appears that when browsing the Eicar site using my Android phone, only the .zip file is being detected and blocked: name="web request blocked, virus detected..." url="www.eicar.org/.../eicar_com.zip"

    It seems the .com is downloaded with no issue on the wireless device even though it is on the blocked file extension list.

    I have added the IP address of my phone to the allowed list, as verified through the DHCP lease table in Network Services.

    But downloading the .com file through Windows fails: "web request blocked, forbidden file extension detected".

    So I can't figure out why web filtering would be blocking .com files downloaded through my PC client and not through the wireless client.

  • Check the profile="" and filteraction="" clauses of the live log.  I suspect that the devices are hitting different filteractions.

    The logic flow:     IP+port(mode) determines filterprofile.  Filterprofile determines authentication method.  Authentication determines user.  User or group selects a policy.    Policy determines the filteraction.  Filteraction determines allow or block.

    Authentication failures will hit the default policy for the filteraction, unless it is overridden.  There are two overrides.   A policy checkbox can be used to block all unauthenticated users.  Another checkbox can be used to force a policy to be applied when authentication is ignored because of an Exception entry to bypass authentication.

    Hope this helps.

  • Well this is really strange but web filtering blocked it two times on my Android device with the Sophos "blocked content" screen, then allowed it on subsequent attempts with no web filter logging at all.

    When it did block the Eicar .com file from downloading over my Android device, I received logs in the web filter and the blocked content screen:

    httpproxy[22578]: id="0064" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden file extension detected" action="block" method="GET" srcip="192.168.2.102" dstip="213.211.198.62" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="35989" request="0xda0c2400" url="www.eicar.org/.../eicar.com" referer="" error="" authtime="0" dnstime="344" cattime="297" avscantime="0" fullreqtime="293765" device="0" auth="0" ua="Dalvik/2.1.0 (Linux; U; Android 6.0.1; SM-S120VL Build/MMB29M)" exceptions="" category="126" reputation="neutral" categoryname="Information Security" reason="extension" extension="com"

    When downloading the file on my Windows wired client PC I also receive the log line in the web filter and the blocked content screen:

    httpproxy[22578]: id="0064" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden file extension detected" action="block" method="GET" srcip="192.168.2.104" dstip="213.211.198.62" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="85393" request="0xda932400" url="www.eicar.org/.../eicar.com" referer="www.eicar.org/85-0-Download.html" error="" authtime="0" dnstime="272" cattime="291" avscantime="0" fullreqtime="289567" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0" exceptions="" category="126" reputation="neutral" categoryname="Information Security" reason="extension" extension="com"

     

    I have attempted to download the file more times on my Android device and ever since the first two attempts were blocked, the file downloads successfully, as well as the .zip file.

    UPDATE:

    I tried a different browser on my Android device and suddenly the .com file is being continually blocked. It seems when downloading the file using the AOSP Android browser the file is bypassing the web filtering, but on the Samsung browser, the file is being caught every time. Now I am wondering if the Android browser is forcing downloads through HTTPS.

    I have even tested it using my phone's LTE connection, connected to the UTM's Remote Access SSL VPN connection, and the file is blocked there too. My goal is to be able to utilize the web filtering features when browsing the internet through a VPN connection from unsecured wifi hotspots. I have the correct NAT masquerade rule in place and it appears to be working, but ONLY from certain browsers on my Android device. This almost certainly seems to be because the Android browser is choosing the HTTPS Eicar test file version and not the HTTP one, but I would need to inspect the traffic to be sure.
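The earlier reply suggests comparing the profile="" and filteraction="" clauses across devices, and the post above shows that a bypassed request leaves no httpproxy line at all. The following script is an added example, not part of the thread or of Sophos UTM: it parses the two log lines quoted above (plus one constructed "pass" line for the Android client, with illustrative field values) into dicts, groups them by srcip, reports whether all clients are hitting the same filteraction, and lists clients from a supplied address list (for instance the DHCP lease table) that never appear in the log at all. The key="value" regex is an assumption about the log format based only on the lines quoted here.

```python
import re
from collections import defaultdict

# Two httpproxy lines exactly as posted in this thread (the URL is elided
# there as "..."; kept as-is) plus one CONSTRUCTED "pass" line for the same
# Android client so the grouping has allow and block entries to compare.
SAMPLE_LOG = '''\
httpproxy[22578]: id="0064" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden file extension detected" action="block" method="GET" srcip="192.168.2.102" dstip="213.211.198.62" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="35989" request="0xda0c2400" url="www.eicar.org/.../eicar.com" referer="" error="" authtime="0" dnstime="344" cattime="297" avscantime="0" fullreqtime="293765" device="0" auth="0" ua="Dalvik/2.1.0 (Linux; U; Android 6.0.1; SM-S120VL Build/MMB29M)" exceptions="" category="126" reputation="neutral" categoryname="Information Security" reason="extension" extension="com"
httpproxy[22578]: id="0064" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden file extension detected" action="block" method="GET" srcip="192.168.2.104" dstip="213.211.198.62" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="85393" request="0xda932400" url="www.eicar.org/.../eicar.com" referer="www.eicar.org/85-0-Download.html" error="" authtime="0" dnstime="272" cattime="291" avscantime="0" fullreqtime="289567" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0" exceptions="" category="126" reputation="neutral" categoryname="Information Security" reason="extension" extension="com"
httpproxy[22578]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.102" dstip="203.0.113.10" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="512" request="0xda0c2401" url="example.com/index.html" referer="" error="" authtime="0" dnstime="10" cattime="5" avscantime="0" fullreqtime="1200" device="0" auth="0" ua="Dalvik/2.1.0 (Linux; U; Android 6.0.1; SM-S120VL Build/MMB29M)" exceptions="" category="" reputation="neutral" categoryname="" reason="" extension="html"
'''

# Assumed field syntax: space-separated key="value" pairs, no quotes inside values.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_httpproxy_line(line):
    """Turn one key="value" log line into a dict.  The leading
    'httpproxy[pid]:' token has no key and is simply not matched."""
    fields = dict(KV_RE.findall(line))
    if "srcip" not in fields or "action" not in fields:
        raise ValueError("not an httpproxy request line: %.40r" % line)
    return fields


def summarize_by_client(log_text):
    """Group request lines by srcip; collect the profile, filteraction,
    per-action counts and user agents seen for each client."""
    summary = {}
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw.startswith("httpproxy"):
            continue
        f = parse_httpproxy_line(raw)
        entry = summary.setdefault(f["srcip"], {
            "profiles": set(), "filteractions": set(),
            "actions": defaultdict(int), "user_agents": set()})
        entry["profiles"].add(f["profile"])
        entry["filteractions"].add(f["filteraction"])
        entry["actions"][f["action"]] += 1
        entry["user_agents"].add(f["ua"])
    return summary


def distinct_filteractions(summary):
    """Every filteraction hit by any client.  More than one element means the
    devices are being policied differently (the check the reply suggests);
    exactly one means the policy path is identical and the difference lies
    elsewhere, as it did in this thread."""
    return set().union(*(e["filteractions"] for e in summary.values()))


def silent_clients(summary, expected_ips):
    """Addresses (e.g. from the DHCP lease table) that never produced a single
    httpproxy line.  A device whose traffic is bypassing the proxy entirely,
    as the Android browser did after its first two attempts, shows up here
    rather than as a 'pass' entry."""
    return sorted(ip for ip in expected_ips if ip not in summary)


if __name__ == "__main__":
    s = summarize_by_client(SAMPLE_LOG)
    for ip, e in sorted(s.items()):
        print(ip, dict(e["actions"]), sorted(e["filteractions"]))
    print("distinct filteractions:", distinct_filteractions(s))
    print("silent clients:", silent_clients(s, ["192.168.2.102", "192.168.2.104", "192.168.2.110"]))
```

Run it against a saved live-log export instead of SAMPLE_LOG to get the same two answers for a real network: whether every client shares one filteraction, and which leased addresses are generating no proxy entries at all.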

  • The issue turned out to be the Data Saver feature on the Android browser. With Data Saver enabled, the web filter is bypassed.

    As soon as I disabled Data Saver, the web filtering was able to intercept the .com file and block it. So it seems the web filter cannot scan compressed web pages.

  • Then you will want to check the option on the MISC(ellaneous) tab of Web Filtering:  "Block unscannable and encrypted files"

  • Configuring HTTPS inspection is not too difficult, and since it uses a UTM-generated CA, it is no cost.  HTTPS inspection provides the additional protection that you want, as well as better logging.

    You could create an additional Filter Profile and link it to the VPN address range, and only enable HTTPS inspection for that profile.  You would only need to install the UTM CA certificate on your phone and other devices with that IP range.

    However, the block and warn web pages have content that references UTM using a reserved host name.   If you block or warn on an HTTPS site, you will want the CA root certificate distributed to all devices, even without HTTPS inspection enabled.

  • Thank you, I will look into HTTPS inspection.