This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF antivirus exception does not work

I am using an upload script that uses ajax to display a real-time progress bar. The progress bar will not display in the clients' browser unless some of the threats under 'Common threats filter' and some of the 'Threat Filter Categories' are disabled in either the WAF Firewall Profile I'm using or if I specify to skip those same checks in an exception that I created.

The problem I've encountered is that skipping the Antivirus, in the exception, does not work. I have to disable the Antivirus check in the WAF Firewall Profile.

Is this a bug? Shouldn't skipping the Antivirus check in an exception be the same as disabling it in a Firewall Profile?



This thread was automatically locked due to age.
  • Hi,

    I checked the exception functionality for Antivirus in 9.355. It works fine for me.

    Could you add screenshots of your configuration (with greyed out personal data)?


    Sabine

  • Below are my settings with Antivirus enabled, for the entire site, and with the Exception for the upload script:





    Below is a screenshot of what I get when uploading a file with the settings above:


    Below is a screenshot of what an upload should look like. I have to untick Antivirus in the Firewall Profile even though I have Antivirus ticked in the Exception rule:


    I have also tried adding   /*  to the Exception List so the whole site is excluded but that did not help. To reiterate, all I have to do is untick 'Antivirus' in the WAF Firewall Profile and leave all other setting the same, in order for the upload progress bar to display properly.

    Evianne, you can clearly see, adding Antivirus to my Exception List does not work for me. I doubt very much that your results would be any different if you were able to test with the same setup that I have.

    UPDATE (2/29/2016, 9:35 AM EST): I did more testing and it appears that this issue does not occur if the total size of the file(s) being uploaded is less than approximately 4.2MB in size.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • Hi,

    your setup looks correct. Could you please post the corresponding log lines when you try to upload a file for both cases?

    Sabine

  • I used the same PDF file for testing. I removed some pages from the 4.23 MB PDF file to make it smaller. Both files are uploaded but one displays the progress bar and the other does not. 

    Successful displayed progress bar (file size: 4.17MB):

    2016:02:29-10:38:25 gateway reverseproxy: [Mon Feb 29 10:38:25.359661 2016] [security2:error] [pid 1389:tid 3753630576] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload.cgi"] [unique_id "VtRl8TLwWoEAAAVt9GYAAAAt"]
    2016:02:29-10:38:26 gateway
    reverseproxy: [Mon Feb 29 10:38:26.182099 2016] [security2:error] [pid 1389:tid 3728452464] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload-stat.cgi"] [unique_id "VtRl8jLwWoEAAAVt9GcAAAAw"]
    2016:02:29-10:38:31 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="3003" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="5257984" url="/cgi-bin/uploadScript/upload-stat.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:38:32 gateway
    reverseproxy: [Mon Feb 29 10:38:32.532420 2016] [security2:error] [pid 1389:tid 3728452464] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload-stat.cgi"] [unique_id "VtRl@DLwWoEAAAVt9GgAAAAw"]
    2016:02:29-10:38:32 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="279" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="58923" url="/cgi-bin/uploadScript/upload-stat.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:38:33 gateway
    reverseproxy: [Mon Feb 29 10:38:33.532898 2016] [security2:error] [pid 1389:tid 3728452464] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload-stat.cgi"] [unique_id "VtRl@TLwWoEAAAVt9GkAAAAw"]
    2016:02:29-10:38:33 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="20" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="58742" url="/cgi-bin/uploadScript/upload-stat.cgi" server="mysite.com" referer="-" cookie="PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300; SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D" set-cookie="-"
    2016:02:29-10:38:34 gateway
    reverseproxy: [Mon Feb 29 10:38:34.528722 2016] [security2:error] [pid 1389:tid 3728452464] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload-stat.cgi"] [unique_id "VtRl@jLwWoEAAAVt9GoAAAAw"]
    2016:02:29-10:38:34 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="20" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="58708" url="/cgi-bin/uploadScript/upload-stat.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:38:35 gateway
    reverseproxy: [Mon Feb 29 10:38:35.548936 2016] [security2:error] [pid 1389:tid 3728452464] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload-stat.cgi"] [unique_id "VtRl@zLwWoEAAAVt9GsAAAAw"]
    2016:02:29-10:38:35 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="20" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="58591" url="/cgi-bin/uploadScript/upload-stat.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:38:36 gateway
    reverseproxy: [Mon Feb 29 10:38:36.530420 2016] [security2:error] [pid 1389:tid 3728452464] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload-stat.cgi"] [unique_id "VtRl-DLwWoEAAAVt9GwAAAAw"]
    2016:02:29-10:38:36 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="20" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="58273" url="/cgi-bin/uploadScript/upload-stat.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:38:37 gateway
    reverseproxy: [Mon Feb 29 10:38:37.529991 2016] [security2:error] [pid 1389:tid 3728452464] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload-stat.cgi"] [unique_id "VtRl-TLwWoEAAAVt9G0AAAAw"]
    2016:02:29-10:38:37 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="98" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="58637" url="/cgi-bin/uploadScript/upload-stat.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:38:38 gateway
    reverseproxy: [Mon Feb 29 10:38:38.531884 2016] [security2:error] [pid 1389:tid 3728452464] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload-stat.cgi"] [unique_id "VtRl-jLwWoEAAAVt9G4AAAAw"]
    2016:02:29-10:38:38 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="20" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="58315" url="/cgi-bin/uploadScript/upload-stat.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:38:39 gateway
    reverseproxy: [Mon Feb 29 10:38:39.542764 2016] [security2:error] [pid 1389:tid 3728452464] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload-stat.cgi"] [unique_id "VtRl-zLwWoEAAAVt9G8AAAAw"]
    2016:02:29-10:38:39 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="20" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="59716" url="/cgi-bin/uploadScript/upload-stat.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:38:40 gateway
    reverseproxy: [Mon Feb 29 10:38:40.531283 2016] [security2:error] [pid 1389:tid 3728452464] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload-stat.cgi"] [unique_id "VtRmADLwWoEAAAVt9HAAAAAw"]
    2016:02:29-10:38:40 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="20" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="58416" url="/cgi-bin/uploadScript/upload-stat.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:38:41 gateway
    reverseproxy: [Mon Feb 29 10:38:41.528316 2016] [security2:error] [pid 1389:tid 3728452464] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload-stat.cgi"] [unique_id "VtRmATLwWoEAAAVt9HEAAAAw"]
    2016:02:29-10:38:41 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="20" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="58229" url="/cgi-bin/uploadScript/upload-stat.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:38:42 gateway
    reverseproxy: [Mon Feb 29 10:38:42.530212 2016] [security2:error] [pid 1389:tid 3728452464] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload-stat.cgi"] [unique_id "VtRmAjLwWoEAAAVt9HIAAAAw"]
    2016:02:29-10:38:42 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="68" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="58305" url="/cgi-bin/uploadScript/upload-stat.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:38:42 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="460" user="-" host="73.x.x.x" method="POST" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="17618485" url="/cgi-bin/uploadScript/upload.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:38:43 gateway
    reverseproxy: [Mon Feb 29 10:38:43.113485 2016] [security2:error] [pid 1389:tid 3753630576] [client 73.x.x.x] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:host. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:host: c-73-216-14-102.hsd1.va.comcast.net"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "mysite.com"] [uri "/upq/upload/upload_thanks.php"] [unique_id "VtRmAzLwWoEAAAVt9HMAAAAt"]
    2016:02:29-10:38:43 gateway
    reverseproxy: [Mon Feb 29 10:38:43.190513 2016] [security2:error] [pid 1389:tid 3753630576] [client 73.x.x.x] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "mysite.com"] [uri "/upq/upload/upload_thanks.php"] [unique_id "VtRmAzLwWoEAAAVt9HMAAAAt"]
    2016:02:29-10:38:43 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="4593" user="-" host="73.x.x.x" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="91064" url="/upq/upload/upload_thanks.php" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:38:58 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="3509" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="76164" url="/upq/" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"

    Failed to display progress bar (file size: 4.23MB)

    2016:02:29-10:34:03 gateway reverseproxy: [Mon Feb 29 10:34:03.464391 2016] [security2:error] [pid 1389:tid 3762023280] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload.cgi"] [unique_id "VtRk6zLwWoEAAAVt9GAAAAAs"]
    2016:02:29-10:34:04 gateway
    reverseproxy: [Mon Feb 29 10:34:04.269263 2016] [security2:error] [pid 1389:tid 3745237872] [client 73.x.x.x] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mysite.com"] [uri "/cgi-bin/uploadScript/upload-stat.cgi"] [unique_id "VtRk7DLwWoEAAAVt9GEAAAAu"]
    2016:02:29-10:34:09 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="2265" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="5084501" url="/cgi-bin/uploadScript/upload-stat.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:34:21 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="460" user="-" host="73.x.x.x" method="POST" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipThreatsFilter" time="18034783" url="/cgi-bin/uploadScript/upload.cgi" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:34:21 gateway
    reverseproxy: [Mon Feb 29 10:34:21.618256 2016] [security2:error] [pid 1389:tid 3745237872] [client 73.x.x.x] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:host. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:host: c-73-216-14-102.hsd1.va.comcast.net"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "mysite.com"] [uri "/upq/upload/upload_thanks.php"] [unique_id "VtRk-TLwWoEAAAVt9GIAAAAu"]
    2016:02:29-10:34:21 gateway
    reverseproxy: [Mon Feb 29 10:34:21.694125 2016] [security2:error] [pid 1389:tid 3745237872] [client 73.x.x.x] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "mysite.com"] [uri "/upq/upload/upload_thanks.php"] [unique_id "VtRk-TLwWoEAAAVt9GIAAAAu"]
    2016:02:29-10:34:21 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="4629" user="-" host="73.x.x.x" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="90332" url="/upq/upload/upload_thanks.php" server="mysite.com" referer="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"
    2016:02:29-10:34:37 gateway
    reverseproxy: id="0299" srcip="73.x.x.x" localip="50.x.x.x" size="3509" user="-" host="73.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="75649" url="/upq/" server="mysite.com" referer
    ="-" cookie="SITEC=S0xZWU5uOU9sV2JZMDdsc3hsbXBFUHcwNzJZY1BsZVlwTlRIODcwTHdRPT0%3D; PHPSESSID=234575f4dbbd21fbf7f25f7f79984cb8ceabd300" set-cookie="-"

    UPDATE (11:03 AM EST): Now I'm confused... I just uploaded a couple of files that previously failed to display the progress bar but this time it did display. Here are the files I've been using to test with:

    http://www.filedropper.com/testfiles
     

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • Hi,

    hm, the actual POST request is not blocked.

    But it is send to path '/upq/upload/upload_thanks.php'.

    Could you please add '/upq/upload/upload_thanks.php' as exception path?

    Sabine

  • I'll try that right now and update this post but like I stated previously, I already tried adding   /*  which should exclude the entire site, correct?

    UPDATE (11:25 AM): Adding '/upq/upload/upload_thanks.php' as exception path did not help.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • I also tried the eicar test virus. The exception is working because the test virus does get uploaded but not when I remove the exception.

    It seems to me that when a file is over approximately 4.2MB, the UTM caches/buffers the file before redirecting it even though the Antivirus exclusion exists. However, unticking Antivirus in the WAF Firewall Properties seems to disable Antivirus altogether so no caching/buffering is taking place. I'm just guessing, I could be way off target.

    The upload progress bar uses ajax so the file upload needs to stream in order for it to display real-time data.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • In general, an exception for AV is not the same as having AV disabled.
    If you have an exception, the files are still scanned.

    Regarding your problem I think we have to dig deeper. Therefore, you should open a support ticket.


    Sabine

  • Thank you for your time and your suggestion but I'm a Home user and it's my understanding that I cannot open a support ticket.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------