MALWARE AND CONTENT SCANNING

Roman,

I tried with eicar, and in my case, XG stops the files with both DPI or Proxy mode.

Were yours an update from beta or a new installation?

I was upgrading it from SFOS 17.5.9 MR-9 to 18 ;)

I assume that DPI - you have toggled only thoe options as below ? 

6523.Przechwytywanie2.PNG

I have done some testing and Malware is blocked only if the security settings are as below, ive try different options but no luck... Im not sure if it must working as is below. Regarding to courses - i think that not ;)

7870.Przechwytywanie5.PNG

Really. So you are tring to say im not able to bloc or scan a traffic from WAN to LAN on a specific port ?? I dont wanna to advertised other solution but on FORTIGATE devices it works excelent so "limitations is not cuzed by a protocol" beside that. So why malware is blocked when im not using DPI but only Webproxy and im uploading  a file from WAN. ? Cant it be done by WAF ? Sophos XG which im using is for HOME USAGE. So im ok if ssl traffic from will inspected via cert from sophos appliance_CA

Roman on Fortigate you can scan: http, imap,pop3, smtp,smb,ftp and nntp.

Vote the feature request I opened a couple of years ago:

I can ensure you that not only. ^^ but other then that. Can you also help me with FTPS that isnt scanned by any of sophos engine ? very appreciate fo your spended time for my help :) FTP is setup on FTPS port 990 and im getting error SSL handshake timed out.. for both scanners dpi and webproxy

If it is SFTP, you will need to decrypt the traffic first with XG in order to scan it.

Also if you want FTP traffic to be scanned by XG, you will need to run the FTP server over the default port (21). XG is only port agnostic for HTTP traffic, if you run FTP over a non-standard port, It will not detect it as FTP, hence it will not scan it.

Thanks!

So if im using ftps on 21 xg will not scan it?

No one is able to scan encrypted traffic, if your running FTPS you will need to decrypt it first with SSL/TLS Inspection rules.

Just tested myself with FTPS, XG with the new TLS engine has able to decrypt it and scan over it's default port (990).

NO, I has wrong, XG doesn't scan decrypted FTPS, on v18 your able to decrypt it but not scan it, incredible.

Can someone open a support case?

Of course a license is needed for that.

So i have to change the default port to 990. But other then that it will not scan it ;) BUG ?

The default port of FTP (Plain-Text) is 21, the default port of FTPS (TLS Encrypted) is 990.

Why XG isn't scanning the decrypted FTPS traffic? I don't know. It probably doesn't support it right now.

It's better for you to wait for a answer from a Sophos Employee.

Roman klisiewicz said:

So i have to change the default port to 990. But other then that it will not scan it ;) BUG ?

XG doesn't recognize FTP or Decrypted FTPS on non-standard ports, if you can, run only on their default ports.

Also the first issue you had with HTTPS traffic not being scanned with DPI - You need to create a Decrypt rule (LAN=>WAN) on the SSL/TLS Inspection tab. Or else it won't decrypt it.

Thanks!

The default port of FTP (Plain-Text) is 21, the default port of FTPS (TLS Encrypted) is 990.

Why XG isn't scanning the decrypted FTPS traffic? I don't know. It probably doesn't support it right now.

It's better for you to wait for a answer from a Sophos Employee.

Roman klisiewicz said:

So i have to change the default port to 990. But other then that it will not scan it ;) BUG ?

XG doesn't recognize FTP or Decrypted FTPS on non-standard ports, if you can, run only on their default ports.

Also the first issue you had with HTTPS traffic not being scanned with DPI - You need to create a Decrypt rule (LAN=>WAN) on the SSL/TLS Inspection tab. Or else it won't decrypt it.

Thanks!

In theory, with the new DPI, http/s traffic on whatever port the traffic is running, it should be decrypted.

Here we are talking about FTPS service, which uses TLS but the service is FTP and not HTTP/S.

Michael Dunn could you clarify?

Thanks

Interesting, i would say, with DPI, yes. 

For HTTP/s on any Port, it works like this way. Now i am not sure, if the same applies for FTP. 

But you run in other technical challenges. Is your FTP Client able to work with an Decryption Certificate? 

Filezilla actually supports that, you could use a Switch to allow Man-in-the-Middle.

Not sure about other FTP Clients. 

LuCar Toni said:

But you run in other technical challenges. Is your FTP Client able to work with an Decryption Certificate? 

Yes, it works!, If you enable TLS Decryption on XG most FTP clients will ask you if you trust the new certificate for the connection. Later on looking at logs you can successfully see that the TLS session has been decrypted.

The problem here, XG It's not scanning the traffic. Its only scanning default plain-text FTP over port 21.

On the log viewer and on the Flow Monitor, It doesn't even detect it as FTPS, It shows as TLS connection over non-standard port. While XG in the applications tab have FTPS as a detectable application.

Thanks!

Can you please show how did ypu setup you fw policy for ftps traffic also rules for ssl/tls tondecrypt the traffic. ive got set it but cant get work regarding to decrypting traffic in logs. ;]

Prism,

can you try to enable decrypt and scan on the firewall rule where you are allowing the FTPS traffic to see if the malware is detected?

Thanks

ofcourse ive have set it up but i cant detect any traffic on the rule.

This is how service is configured. 

And more detailed 

ALSO FIREWALL RULE.

Ticked A security features - maybe here must be selected sth else ?

Hi Luk,

Already tried this.

FTPS traffic is decrypted but isn't scanned.

Thanks!

I'm using FTPS on passive mode, TLS connection happens over Port 990.
 
Data is transmitted over Ports 40100:40200.
 
 

Thanks!

Please open a ticket with support and report the ID here.

Regards

I'm a Home User, the best I can do right now is wait for v18.5 and hope something change about how traffic is scanned on XG, Currently with the new DPI engine is only port agnostic for HTTP traffic, I hope it's fully port agnostic in the future.

Also there's already an Idea, in Sophos Ideas for XG, for FTP scan on any port. The Idea has made in 2017.

https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/32248618-ftp-tracking

FTP connections are currently only tracked on:

SFVH_SO01_SFOS 18.0.0 GA-Build321# cat /etc/snort/etc/snort.conf | grep "run ftp servers on" -A 2
# List of ports you run ftp servers on
portvar FTP_PORTS [21,2100,3535]

Thanks!