
How to bypass HTTP scanning for certain objects/IPs?

Hi all,

 

Recently I faced an issue when using a firewall rule with HTTP scanning enabled. My beloved PCRadio application is not able to load the list of radio stations, and in the Malware log I see the following:

Malware
2018-10-19 10:48:50
HTTP
username@sub.domain.local
192.168.xxx.xxx
78.46.160.33
Unscannable
Virus
 
08001

Disabling HTTP scanning in the related firewall rule solves this problem, but I want to use HTTP scanning for all users in our network.

Primary Antivirus engine: Sophos

Appliance: XG135w (SFOS 17.1.2 MR-2)



  • Hi,

    Have you disabled scan audio and video in the web tab?

    Ian

  • Hi rfcat_vk,

    The option "Scan audio and video files" is not enabled in those settings of Malware protection.

    I think more crucial is the setting for "Action on Malware Scan Failure" which is "Block (Best protection)" by default. And I agree with this policy, but how to create exclusions?

  • Hi Maxim,

    In the web tab -> Exceptions you can create exceptions based on category, URL, etc.

    If you want the easy path, create an exception based on music download or something similar, whatever category your radio stations come under.

    Ian

  • The only things that I've got in regard to these blocks are the IP addresses shown in the malware log. Something tells me that a bypass based on IP address won't be working.

  • Assumption is you are using the destination address? There are possible issues using an IP address, those being a round robin load distributor, so depending on your luck whether you hit the same address twice?

    Ian

  • I am not using an IP addr. And I do not know what destinations (URL or IP addr) PCradio (a binary application) uses while downloading the list of radio stations, which is being blocked by the HTTP scanning process.

  • In that case you will have to use category until you gain more experience with debugging in XG to refine your list.

    Ian

  • Maxim Grechikhin said:

    The only things that I've got in regard to these blocks are the IP addresses shown in the malware log. Something tells me that a bypass based on IP address won't be working.

    Load the Log Viewer. Click the button to switch to detailed view. Enter the IP in search. Change modules to just Malware and Web Filtering.

    You should be able to see the domain name in there.

    Out of curiosity... I tried looking for PCRADIO and found some phone apps and a few different Windows apps, some old, some no longer downloadable. Do you have a link to download the specific app you are using?

    Also, the action on malware scan failure affects three common things: the first is corrupted files and archives; the second is archives (e.g. zips, etc.) that are (usually deliberately) built to take a long time to unpack (see zip bomb); however, the most common is encrypted files such as password-protected zips and PDFs.
  • Hi Michael,

    Thank you for your reply. It is useful. But I do not want to work towards excluding a specific category from HTTP scanning because it is a way to potential risks, not only on my PC. The link to download PCradio is: https://pcradio.ru/playradio.html

    While the issue is at the stage of looking for a solution, I have changed the default action for malware scan failure objects to "allow", which is not good either, but I hope the solution will be found soon.

    Update: Following your instructions I have found that the app tried to download a zipped file from the URL: "stream.pcradio.ru/.../list_ru.zip"

  • I have checked; the file is encrypted. There is no product bug.

    So you can either allow all encrypted files unscanned, or you can create an exception that skips AV scanning for this file.

    Web > Exceptions. Selection criteria is "stream\.pcradio\.ru\/list\/list_ru\/list_ru\.zip", and skip malware scanning.
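To show how narrowly the selection criteria above scope the bypass compared with a category-wide exception, here is an added Python example that is not from the thread or from Sophos: it evaluates constructed candidate URLs against the thread's pattern and against a hypothetical anchored variant. It assumes the pattern is applied as an unanchored regex search over "host/path", which is an assumption about XG's matching semantics, not something the thread states.

```python
import re
from urllib.parse import urlsplit

# Exception pattern quoted in the thread (Web > Exceptions selection criteria).
THREAD_PATTERN = r"stream\.pcradio\.ru\/list\/list_ru\/list_ru\.zip"

# Hypothetical tighter variant (not from the thread): anchored at both ends so
# only this exact object is skipped, not any path that merely contains it.
ANCHORED_PATTERN = r"^stream\.pcradio\.ru/list/list_ru/list_ru\.zip$"


def normalise(url: str) -> str:
    """Return 'host/path' in lower case, the form the patterns are written against."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.netloc + parts.path).lower()


def skips_malware_scan(url: str, patterns) -> bool:
    """True if any exception pattern matches, i.e. the object would bypass AV scanning.

    Assumes unanchored regex search semantics (an assumption about XG); with such
    semantics a pattern also matches any longer host/path that contains it.
    """
    target = normalise(url)
    return any(re.search(p, target) for p in patterns)


def evaluate(urls, patterns):
    """Map each URL to whether it would be exempt under the given exception list."""
    return {u: skips_malware_scan(u, patterns) for u in urls}


# Constructed sample URLs: the real object from the thread plus look-alikes.
SAMPLE_URLS = [
    "http://stream.pcradio.ru/list/list_ru/list_ru.zip",        # the blocked file
    "http://stream.pcradio.ru/list/list_ru/list_ru.zip.exe",    # same prefix, different object
    "http://stream.pcradio.ru/list/list_en/list_en.zip",        # sibling file, not excepted
    "http://other.example/stream.pcradio.ru/list/list_ru/list_ru.zip",  # pattern inside another host's path
]

if __name__ == "__main__":
    for name, pats in (("thread pattern", [THREAD_PATTERN]), ("anchored", [ANCHORED_PATTERN])):
        print(name)
        for url, exempt in evaluate(SAMPLE_URLS, pats).items():
            print(f"  {'SKIP' if exempt else 'scan'}  {url}")
```

Only the first URL is exempt under the anchored variant, whereas the unanchored thread pattern also exempts the `.zip.exe` and the other-host URL, which is why it is worth checking how the appliance anchors its patterns before relying on a file-level exception.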