
Why can I download EICAR when DPI is on

I want to change virus protection to SSL/DPI on Sophos v18.

I set an SSL rule. When I go to the original EICAR website I can't download any EICAR test file.

On this website

https://ipinfo.info/html/testvirus.php

I'm able to download eicar (zip) and eicar (double zip) when SSL/DPI is on. When I change to web proxy, the download is blocked.

Is that a bug in v18?


Dirk
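The three artifacts in this post (plain EICAR, EICAR in a zip, EICAR in a zip inside a zip) differ only in archive nesting depth, which is exactly what a content scanner's archive-recursion limit controls. The following script is an added example, not part of the original post and not Sophos code: it builds the three artifacts locally and runs a deliberately simplified signature scanner over them with a configurable nesting limit, so you can see why a gateway that unpacks only one level reports the double-zip as clean. The detection rule (signature at offset zero, recursion into zip members, size guard) is an assumption made for illustration, not a description of how XG's scanner works.

```python
import io
import zipfile

# The standard EICAR test string, assembled from two pieces so that the
# script file itself is not flagged by endpoint AV. The string is harmless;
# every AV engine is required to detect it.
EICAR = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
EICAR_BYTES = EICAR.encode("ascii")


def _zip_bytes(members: dict) -> bytes:
    """Build an in-memory zip archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_eicar_artifacts() -> dict:
    """Construct the three test files discussed in the thread (constructed sample data)."""
    plain = EICAR_BYTES
    single = _zip_bytes({"eicar.com": plain})          # eicar (zip)
    double = _zip_bytes({"eicar_com.zip": single})     # eicar (double zip)
    return {"plain": plain, "zip": single, "double_zip": double}


def scan(data: bytes, max_depth: int = 2, depth: int = 0):
    """Simplified scanner (assumption for illustration).

    Returns the archive nesting depth at which the EICAR signature was
    found, or None if nothing was found within max_depth levels.
    The EICAR spec requires the string at the very start of the file,
    so a raw zip container (starts with 'PK') never matches directly.
    """
    if data.startswith(EICAR_BYTES):
        return depth
    if depth >= max_depth:
        # Recursion budget exhausted: a real gateway would typically
        # either pass the file through or block it as "unscannable".
        return None
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return None
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if info.file_size > 1_000_000:   # guard against decompression bombs
                continue
            found = scan(zf.read(info), max_depth, depth + 1)
            if found is not None:
                return found
    return None


def scan_all(max_depth: int) -> dict:
    """Scan every artifact with the given recursion limit; None means 'missed'."""
    return {name: scan(data, max_depth) for name, data in build_eicar_artifacts().items()}


if __name__ == "__main__":
    for limit in (1, 2):
        print(f"archive recursion limit = {limit}: {scan_all(limit)}")
```

With a recursion limit of 1 the double-zip artifact comes back as `None` (missed), while a limit of 2 finds the signature at depth 2; the plain file is found at depth 0 and the single zip at depth 1. When a gateway passes the double-zip but blocks the single zip, comparing the two results against its configured archive depth is a quicker first check than suspecting the TLS path.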

  • Hi folks,

    Further thoughts on this issue: you would need to set up an SSL/TLS rule that enables decrypt and not use the default rule. I suspect that is where my tests have gone wrong, because I am using the default rule, which is do not decrypt.

    Ian

  • I checked it in the logs:

    The download is hosted on meineipadresse.de and my profile does encryption on it.

    However, it is TLS 1.3. Maybe this is a bug or fallback behavior in XG?

    (I have encryption for 1.3 active as well)

  • I tested this a couple of different ways, using both the web proxy and DPI - neither blocked the download from eicar.org (both the HTTP and HTTPS links) with decrypt and scan disabled (that is in the SSL "decrypt all" rule itself).

    Sophos Home picked it up regardless, as did the XG when HTTPS inspection was enabled. That struck me as being a bit weird, though I've not looked closely at anything.

    The "check content for malware" option was turned on in all instances; I don't have a v17 to check this behaviour against.


    Regards