
WAF anomaly on url="/Microsoft-Server-ActiveSync" - Samsung Email App 6.1.30.30 v with XG publishing Exchange

Hi there,

After the Samsung Email App (for Android OS) updated to version 6.1.30.30, our XG 18.0.3 MR3 Publishing Rule (WAF) for the Exchange server gets an error:

1. on Client side: Couldn't verify account

2. on XG logs : 403 WAF Anomaly - Inbound Anomaly Score Exceeded

2020-11-09 11:08:02 Web server protection messageid="17071" log_type="WAF" log_component="Web Application Firewall" user="-" server="mail.domain.domain" src_ip="194.76.244.147" local_ip="xxx.xxx.xxx.xxx" protocol="HTTP/1.1" url="/Microsoft-Server-ActiveSync" query_string="?Cmd=Options&User=temp%40softinfo.ro&DeviceId=SEC10D234385E4A8&DeviceType=SamsungDevice" cookie="-" referer="-" method="OPTIONS" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 5)" content_type="text/html" user_agent="Android-SAMSUNG-SM-G950F/101.80000" response_time="1242" bytes_sent="4782" bytes_received="715" fw_rule_id="10"

3. WAF Rule hasn't been modified:

WAF Publishing Exchange Rule: exchange general
Exceptions :
Paths : /Microsoft-Server-ActiveSync*
Skip these checks - Static URL hardening - Checked
Advanced - Never change HTML during static URL hardening or form hardening

How do I debug this, or has anyone encountered this problem?

Many thanks in advance
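As an added example (not from this thread or from Sophos), the following Python parses lines in the key="value" format of the XG WAF log quoted above, pulls out the 403 "WAF Anomaly" events together with the numeric score from the extra field, and counts them per URL and user agent, which is the quickest way to see whether the blocks come from one client version on one path (as here) or from broader traffic. The first sample line reuses a subset of the fields from the quoted entry; the other lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" layout of the XG WAF log.
# Line 1 mirrors the entry quoted in the post; lines 2-4 are made up so a
# normal 200, a repeat block and a different client/path appear for contrast.
SAMPLE_LOG = """\
2020-11-09 11:08:02 messageid="17071" log_type="WAF" url="/Microsoft-Server-ActiveSync" method="OPTIONS" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 5)" user_agent="Android-SAMSUNG-SM-G950F/101.80000" fw_rule_id="10"
2020-11-09 11:08:05 messageid="17071" log_type="WAF" url="/Microsoft-Server-ActiveSync" method="POST" response_code="200" reason="-" extra="-" user_agent="Outlook-Android/2.0" fw_rule_id="10"
2020-11-09 11:09:12 messageid="17071" log_type="WAF" url="/Microsoft-Server-ActiveSync" method="OPTIONS" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 5)" user_agent="Android-SAMSUNG-SM-G950F/101.80000" fw_rule_id="10"
2020-11-09 11:10:40 messageid="17071" log_type="WAF" url="/owa/" method="GET" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 12)" user_agent="Mozilla/5.0" fw_rule_id="10"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
SCORE_RE = re.compile(r"Total Score:\s*(\d+)")


def parse_line(line):
    """Split one XG WAF log line into a dict of its key="value" fields."""
    fields = dict(FIELD_RE.findall(line))
    fields["timestamp"] = line[:19]  # "YYYY-MM-DD HH:MM:SS" prefix
    return fields


def anomaly_blocks(log_text, min_score=0):
    """Return the 403 'WAF Anomaly' events, with the anomaly score lifted
    out of extra="..." as an int, keeping only those at or above min_score."""
    events = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("response_code") != "403" or f.get("reason") != "WAF Anomaly":
            continue
        m = SCORE_RE.search(f.get("extra", ""))
        score = int(m.group(1)) if m else None
        if score is not None and score >= min_score:
            events.append({**f, "anomaly_score": score})
    return events


def blocked_by_client(log_text):
    """Count anomaly blocks per (url, user_agent): a single client version
    hammering one path stands out from blocks spread across many clients."""
    return Counter((e["url"], e["user_agent"]) for e in anomaly_blocks(log_text))


if __name__ == "__main__":
    for (url, ua), n in blocked_by_client(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {url}  {ua}")
```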

  • Hello admin info,

    Thank you for contacting the Sophos Community!

    For infrastructure rules, as far as I know, that specific ID is not part of them:

    UTM and XG v15-v17.5    XG v18.0
    981020                  901100
    981021                  901110
    981022                  removed
    981175                  949100
    981176                  949190
    981200                  959100
    981201                  980100
    981202                  980110
    981203                  980120
    981204                  980130
    981205                  980140

    Also, in the KB about how to bypass firewall rules, 949110 is given as an example to bypass.

    Did you find this 949110 somewhere else where it says it is part of the infrastructure?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Sophos Support call result this morning suggests that bypassing 949110 is not ideal.

    Notes from Support

    # Checked internally with the team and got the update that it is not suggested to disable the Infrastructure rules ID 949110. If an infrastructure rule is added to the Skip filter rules list, then you make yourself vulnerable to other possible attacks.

    # The Samsung email client is performing activities similar to those that would indicate an attack. That email client version is performing actions that the XG WAF sees as dangerous.

    # Suggested: either change to another email client or to another version of the same client.

    I've submitted a case with Samsung as well.

  • I think it's more than just the Samsung app - and for me, skipping that rule did not get things working.

    Have you learned anything new in the past 12 days on this topic?

  • Disappointingly, no. All communication from Samsung support stopped after I sent them the feedback from Sophos Support.

    I rolled back the Samsung Email App to what came with a Galaxy S8... it worked for about 16 hours, but then the error returned.

    Without question, the issue relates to both how the Samsung Email App functions and Sophos version 18.0.3. Unbelievably frustrating.

    Tried the Android MS Outlook App and Gmail App... they work, but sporadically.

    Wish I could roll back to Sophos version 17.  It has become that much of a frustration.

  • I contacted support and found, after troubleshooting the reverse-proxy log on the XG, that we were able to see there was a limit on the XG of 1MB that needed changing by a Sophos engineer (he advised me that these changes would be overwritten when a firmware update was completed). I asked why an option could not be created in the GUI to allow this change to be made by users of the XG and SG firewalls (yes, this issue exists in both the XG and SG), or at least to increase the minimum setting to maybe 15MB or something like that.

    Anyway, after this change, which had to be made on the backend (i.e. via SSH, in the database tables of the XG/SG), things are back to normal for the most part.

    I hope this helps someone.

  • Thanks for the response,

    There is a GUI-specific setting in Web Server - Protection Policies - Antivirus - Limit scan size.

    Is that what you're talking about? Was that the change made by support through the console?
