MALWARE AND CONTENT SCANNING

Roman,

I tried with eicar, and in my case, XG stops the files with both DPI or Proxy mode.

Were yours an update from beta or a new installation?

I was upgrading it from SFOS 17.5.9 MR-9 to 18 ;)

I assume that DPI - you have toggled only thoe options as below ? 

6523.Przechwytywanie2.PNG

I have done some testing and Malware is blocked only if the security settings are as below, ive try different options but no luck... Im not sure if it must working as is below. Regarding to courses - i think that not ;)

7870.Przechwytywanie5.PNG

Roman,

the configuration are fine. On my box, malwares are stopped. Can you check that the IPS service is on inside System Services menu?

Yes. IPS service is up and running. ;) I 'll reboot today the fw - you know sometimes it helps :D

Can you determine if malware is allowed through on HTTP and HTTPS?  Or if it is blocked on HTTP but not HTTPS.  

Well, i dont really understand what are you asking for. If im undertstanding you correctly then - My service is working on non-standard HTTPS port(8443) Im not using unencrypted traffic to my server. How i did my testing ? From my PHONE(WAN - PublicIP_LTE) ive lunched an up (QFILE) and uploading a tested malware file, THATS ALL ;) all the rest as metnioned above ^^

The Proxy is only used for Internal to external communication.

You cannot rely on the Proxy for external to internal communication.

For such services, you need a reverse proxy (WAF).

So you need to configure the WAF. 

Really a WAF ? 8443 is used for various services in this case im using for a file transfer. Im using DDNS service example: "somename.ddns.myqnapcloud.com" or "somename.ddns.net" all is on port 8443. this port is also used for managment,  server is a QNAP DEVICE. ;) If should using WAF can you point for some "hot to" ? ;)

Roman, Luca is correct. Traffic from lan to wan is filtered by proxy. From wan to lan by reverse proxy. This is not a Sophos limitation but how the protocol works.

You can filter and apply Ips filter from lan to wan and viceversa but ips can stop only certain malware.

Really. So you are tring to say im not able to bloc or scan a traffic from WAN to LAN on a specific port ?? I dont wanna to advertised other solution but on FORTIGATE devices it works excelent so "limitations is not cuzed by a protocol" beside that. So why malware is blocked when im not using DPI but only Webproxy and im uploading  a file from WAN. ? Cant it be done by WAF ? Sophos XG which im using is for HOME USAGE. So im ok if ssl traffic from will inspected via cert from sophos appliance_CA

Really. So you are tring to say im not able to bloc or scan a traffic from WAN to LAN on a specific port ?? I dont wanna to advertised other solution but on FORTIGATE devices it works excelent so "limitations is not cuzed by a protocol" beside that. So why malware is blocked when im not using DPI but only Webproxy and im uploading  a file from WAN. ? Cant it be done by WAF ? Sophos XG which im using is for HOME USAGE. So im ok if ssl traffic from will inspected via cert from sophos appliance_CA

Roman on Fortigate you can scan: http, imap,pop3, smtp,smb,ftp and nntp.

Vote the feature request I opened a couple of years ago:

I can ensure you that not only. ^^ but other then that. Can you also help me with FTPS that isnt scanned by any of sophos engine ? very appreciate fo your spended time for my help :) FTP is setup on FTPS port 990 and im getting error SSL handshake timed out.. for both scanners dpi and webproxy

If it is SFTP, you will need to decrypt the traffic first with XG in order to scan it.

Also if you want FTP traffic to be scanned by XG, you will need to run the FTP server over the default port (21). XG is only port agnostic for HTTP traffic, if you run FTP over a non-standard port, It will not detect it as FTP, hence it will not scan it.

Thanks!

So if im using ftps on 21 xg will not scan it?

No one is able to scan encrypted traffic, if your running FTPS you will need to decrypt it first with SSL/TLS Inspection rules.

Just tested myself with FTPS, XG with the new TLS engine has able to decrypt it and scan over it's default port (990).

NO, I has wrong, XG doesn't scan decrypted FTPS, on v18 your able to decrypt it but not scan it, incredible.

Can someone open a support case?

Of course a license is needed for that.

So i have to change the default port to 990. But other then that it will not scan it ;) BUG ?

The default port of FTP (Plain-Text) is 21, the default port of FTPS (TLS Encrypted) is 990.

Why XG isn't scanning the decrypted FTPS traffic? I don't know. It probably doesn't support it right now.

It's better for you to wait for a answer from a Sophos Employee.

Roman klisiewicz said:

So i have to change the default port to 990. But other then that it will not scan it ;) BUG ?

XG doesn't recognize FTP or Decrypted FTPS on non-standard ports, if you can, run only on their default ports.

Also the first issue you had with HTTPS traffic not being scanned with DPI - You need to create a Decrypt rule (LAN=>WAN) on the SSL/TLS Inspection tab. Or else it won't decrypt it.

Thanks!

In theory, with the new DPI, http/s traffic on whatever port the traffic is running, it should be decrypted.

Here we are talking about FTPS service, which uses TLS but the service is FTP and not HTTP/S.

Michael Dunn could you clarify?

Thanks