checksum failed / downloading files when Malware and content scanning in Web Rule is ON

Hi guys,
We have an issue with the Web Security profile / AV scanning on our Sophos XG 18.0.354.
When 'Malware and content scanning' is ON (scan HTTP and decrypted HTTPS), packages that have to be downloaded from an internet repository (AWS virtual machine, GitHub, Bitbucket) get CHECKSUM integrity errors.
When 'Malware and content scanning' is OFF, all packages are downloaded OK.


Schema: Server (192.168.101.30) (running a scheduled task to update/download packages from internet repositories) --> Sophos XG (gateway) --> Internet repositories (AWS virtual machine in our example)


Test: For HTTPS I've created a profile that DOES NOT decrypt HTTPS from the source server to Any.
For 'Malware and content scanning' I have the following settings -> Action on malware scan failure = Allow / Do not scan files larger than = 30 MB / 'Block potentially unwanted app...' NOT checked


LOGS for 1 specific package which I've tested:


1. 2020-04-16 15:10:02 ---> with SCAN enabled - Result FAILED
messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="14" user="USER@domain.com" user_group="Domain Sophos Users" web_policy_id="4" web_policy="" category="ParkedDomain" category_type="Acceptable" url="AAA.AAA.us/.../fhir-types-1.0.65.tgz" content_type="application/x-tgz" override_token="" response_code="" src_ip="192.168.101.30" dst_ip="52.2.XX.XX" protocol="TCP" src_port="58591" dst_port="80" bytes_sent="409" bytes_received="492564" domain="AAA.AAA.us" exception="" activity_name="" reason="" user_agent="npm/6.14.4 node/v10.20.1 win32 x64" status_code="200" transaction_id="ff5b2b87-42ce-487f-aca2-09f3eb823acf" referer="install fhir-types" download_file_name="fhir-types-1.0.65.tgz" download_file_type="application/x-tgz" upload_file_name="" upload_file_type="" con_id="2527543296" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

From this log it seems that the file has been downloaded OK... but in fact it gets the following error, which can be viewed on the console of the server where the task is running:


2. This is the CHECKSUM error:
npm ERR! code EINTEGRITY
npm ERR! sha512-sKgzGOAWveGIN+6DsPrYjjJLXOroOf8WagX8SXxcjrqTmOQgdtd1IUC0nfVUTq0Qw3qCZjpLgUXRyAI3luaGxA== integrity checksum failed when using sha512: wanted sha512-sKgzGOAWveGIN+6DsPrYjjJLXOroOf8WagX8SXxcjrqTmOQgdtd1IUC0nfVUTq0Qw3qCZjpLgUXRyAI3luaGxA== but got sha512-SlyRELvlGprO5+6WmJnVjAksPZ/z3+aEn/HXk7EoT61YHsGri0/6mGvsjtGVTERVDTHa2lPqEs2lnxYhyCzDKg==. (491753 bytes)


Any idea on this matter? (If I make myself clear...)



  • Hi  

    Would you please confirm the AV scanning mode? Is it set to real-time or batch?

    If it is set to real-time, then please set it to batch mode and confirm the issue status.

  • Thanks for your reply Vishal,

    I tried your settings, but still the same result:

    Log: 

    2020-04-21 13:34:17
    messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="14" user="USER@DOMAIN.com" user_group="Domain SOPHOS Users" web_policy_id="4" web_policy="" category="ParkedDomain" category_type="Acceptable" url="AAA.AAA.us/.../fhir-types-1.0.67.tgz" content_type="application/x-tgz" override_token="" response_code="" src_ip="192.168.101.30" dst_ip="52.2.XX.XX" protocol="TCP" src_port="48625" dst_port="80" bytes_sent="409" bytes_received="529623" domain="AAA.AAA.us" exception="" activity_name="" reason="" user_agent="npm/6.14.4 node/v10.20.1 win32 x64" status_code="200" transaction_id="5e7d2e39-3984-4c61-89e3-f04af994f603" referer="install fhir-types" download_file_name="fhir-types-1.0.67.tgz" download_file_type="application/x-tgz" upload_file_name="" upload_file_type="" con_id="2344906496" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

    Error: npm ERR! code EINTEGRITY
    npm ERR! sha512-CkjJ3Flfp23MRWnefNu2vBivw8j9NksQV7mLeMP+UYdQ0TgfgEp+dRhCW0f3Rv30bO0gXCCOTvACH1IeEuswlA== integrity checksum failed when using sha512: wanted sha512-CkjJ3Flfp23MRWnefNu2vBivw8j9NksQV7mLeMP+UYdQ0TgfgEp+dRhCW0f3Rv30bO0gXCCOTvACH1IeEuswlA== but got sha512-xUofh891ujAtgjtJvzzfRYMEXi0IMWWeZg8Ysn8i+yMMDIzQzcdMF7/KeUkeYGPk0J+s8HNAAdKIWJwBn+2f/g==. (528253 bytes)


    I have read another post where it said that the scanning engine should be Avira: "Swapping the AV engine to Avira under the Services > Malware Protection menu got around the issue for me." ... Should I test this, or does it not have anything to do with it?!

  • Hi  

    Yes, please try the same. If the dual AV engine has been selected, then set it to a specific one and test one by one with both, and confirm the status; this may help us narrow down whether the issue is with a specific AV engine only.

  • Thanks for your reply Vishal,

    Scan engine is set to "SINGLE engine".

    I have tested it using/changed to the AVIRA engine and the result is different:

    2020-04-21 13:53:34
    messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="14" user="USER@DOMAIN.com" user_group="Domain SOPHOS Users" web_policy_id="4" web_policy="" category="ParkedDomain" category_type="Acceptable" url="AAA.AAA.us/.../fhir-types-1.0.67.tgz" content_type="application/x-tgz" override_token="" response_code="" src_ip="192.168.101.30" dst_ip="52.2.XX.XX" protocol="TCP" src_port="49576" dst_port="80" bytes_sent="409" bytes_received="529623" domain="AAA.AAA.us" exception="" activity_name="" reason="" user_agent="npm/6.14.4 node/v10.20.1 win32 x64" status_code="200" transaction_id="5fabfb95-b3d4-4bd4-ac66-fc1ca69cc2bf" referer="install fhir-types" download_file_name="fhir-types-1.0.67.tgz" download_file_type="application/x-tgz" upload_file_name="" upload_file_type="" con_id="2260131008" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

    npm WARN tarball tarball data for @angular/common@7.2.16 (sha512-lPo2Vt5zmKeKTdMxHMUuViouMiK4QsmO6dGTIhJ7QAx9mov0QYb4sUVKN9Ix32Aeeznaa97qJnhevyDncJqvSA==) seems to be corrupted. Trying one more time.

    For me, both AV engines point to a SHA512 problem. But I cannot figure it out because I'm not that technical...

  • Hi  

    This would require further investigation with support, so you may log a support case for this issue.

    As this would require web proxy debug, AV service debug, PCAP on destination and dropped packets on destination for the non-working and working scenarios, and from those logs we need to check and verify the details.

  • Somehow it works with Web Proxy enabled.

    The difference between the FAILED vs OK log entries is the BYTES SENT: --> bytes_sent="409" when FAILED vs bytes_sent="448" when it runs OK (probably when the checksum integrity data verification fails).

    LOG: 

    messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="14" user="USER@DOMAIN.com" user_group="Domain SOPHOS Users" web_policy_id="4" web_policy="" category="ParkedDomain" category_type="Acceptable" url="AAA.AAA.us/.../fhir-types-1.0.67.tgz" content_type="application/x-tgz" override_token="" response_code="" src_ip="192.168.101.30" dst_ip="52.2.XX.XX" protocol="TCP" src_port="60131" dst_port="80" bytes_sent="448" bytes_received="529623" domain="AAA.AAA.us" exception="" activity_name="" reason="" user_agent="npm/6.14.4 node/v10.20.1 win32 x64" status_code="200" transaction_id="" referer="install fhir-types" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="2256928768" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

    Should this work as it is WITH Web Proxy ENABLED, or should it work under DPI!?
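Editor's note, not part of the thread: the two facts the poster has to work from are npm's EINTEGRITY output (wanted vs. got sha512, plus the byte count npm received) and the firewall's bytes_sent / bytes_received counters in the messageid="16001" log lines. The script below is an added example, not Sophos or npm code, that reproduces the client-side part of that check: it computes the npm/SRI-style sha512 integrity of a downloaded tarball, compares it with the value the lockfile wanted, and parses one XG log line so the firewall's bytes_received can be set beside the size the client actually got. The tarball bytes and the log line are constructed for the example; that bytes_received includes the HTTP response headers (so it is normally a little larger than the file) is an assumption used for the "overhead" figure.

```python
"""
Added example (not from the original thread): verify a downloaded npm tarball
against the SRI sha512 the lockfile wanted, and compare the client's byte
count with the bytes_received counter from a Sophos XG web-filter log line.

Assumptions not stated in the thread:
  * the log line is space-separated key="value" pairs, as quoted above;
  * npm's integrity string is "sha512-" + base64(raw SHA-512 digest);
  * bytes_received on the firewall includes response headers, so a positive
    "overhead" is expected and a negative one means the body grew in transit.
"""
import base64
import hashlib
import re

# key="value" pairs; values may be empty or contain spaces ("Content Filtering").
_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sophos_log(line: str) -> dict:
    """Turn one Sophos XG key="value" log line into a dict of strings."""
    return dict(_KV_RE.findall(line))


def sri_sha512(data: bytes) -> str:
    """SRI/npm integrity string for the given bytes."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def check_integrity(data: bytes, wanted: str) -> dict:
    """Recompute the integrity of what arrived and compare with what npm wanted.

    Returns the same three facts npm prints on EINTEGRITY: wanted, got, size.
    """
    algo, _, _ = wanted.partition("-")
    if algo != "sha512":
        raise ValueError(f"unsupported integrity algorithm: {algo}")
    got = sri_sha512(data)
    return {"ok": got == wanted, "wanted": wanted, "got": got, "size": len(data)}


def compare_with_log(data: bytes, wanted: str, log_line: str) -> dict:
    """Join the client-side check with the firewall's view of the same transfer."""
    log = parse_sophos_log(log_line)
    result = check_integrity(data, wanted)
    fw_bytes = int(log.get("bytes_received", "0"))
    result.update({
        "url": log.get("url", ""),
        "download_file_name": log.get("download_file_name", ""),
        "fw_bytes_received": fw_bytes,
        # Assumed to be header overhead; negative means the body was enlarged.
        "overhead": fw_bytes - len(data),
    })
    return result


# Constructed sample data (not real package or log contents): a gzip-looking
# body and a log line shaped like the thread's entries, with made-up values.
SAMPLE_TARBALL = b"\x1f\x8b\x08\x00" + bytes(range(256)) * 4
SAMPLE_LOG = (
    'messageid="16001" log_type="Content Filtering" log_component="HTTP" '
    'log_subtype="Allowed" url="registry.example/fhir-types-0.0.0.tgz" '
    'src_ip="192.168.101.30" dst_port="80" bytes_sent="409" '
    f'bytes_received="{len(SAMPLE_TARBALL) + 811}" '
    'download_file_name="fhir-types-0.0.0.tgz"'
)
WANTED = sri_sha512(SAMPLE_TARBALL)        # what package-lock.json would carry
TAMPERED = SAMPLE_TARBALL[:-1] + b"\x00"   # same length, one byte rewritten


if __name__ == "__main__":
    for label, body in (("intact", SAMPLE_TARBALL), ("rewritten", TAMPERED)):
        r = compare_with_log(body, WANTED, SAMPLE_LOG)
        print(f"{label:9s} {'OK' if r['ok'] else 'EINTEGRITY'} "
              f"size={r['size']} fw_bytes_received={r['fw_bytes_received']} "
              f"overhead={r['overhead']}")
```

Run it against a real case by replacing SAMPLE_TARBALL with the bytes of the .tgz the client received (for example from npm's cache, or a curl download through the same firewall rule) and WANTED with the integrity field from package-lock.json: a matching size but differing digest means the content was altered byte-for-byte on the path, while a size that disagrees with the firewall's own count narrows the change to the proxy/DPI side.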

  • Hi  

    Ideally it should work with both; I mean once you set Web Proxy OR DPI, either one should not create such a problem. If it is observed only with DPI, then we may require IPS debug along with the other logs which I mentioned previously.

  • Hello All, 

    If we have a public URL with which we could reproduce the issue from our end, that would be great. We have conducted a few tests based on file types and seen no issue with the same settings using the DPI engine.

    Sample Site-> https://file-examples.com/ 

  • This is the last log with the public URL inserted. I have to mention that it runs with Web Proxy filter = ON, and to point out that in the "DPI" configuration the download is accomplished, but for some reason when it checks the CHECKSUM it fails and gets the error.

    2020-05-18 10:56:00
    messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="5" user="USER@DOMAIN.com" user_group="Domain SOPHOS Users" web_policy_id="4" web_policy="" category="ParkedDomain" category_type="Acceptable" url="nexus.medicasoft.us/.../fhir-types-1.0.76.tgz" content_type="application/x-tgz" override_token="" response_code="" src_ip="192.168.100.139" dst_ip="52.2.33.11" protocol="TCP" src_port="50705" dst_port="80" bytes_sent="398" bytes_received="492014" domain="nexus.medicasoft.us" exception="" activity_name="" reason="" user_agent="npm/6.14.5 node/v10.15.3 win32 x64" status_code="200" transaction_id="0efd1b86-dd56-4cf4-8357-730a37db7562" referer="install" download_file_name="fhir-types-1.0.76.tgz" download_file_type="application/x-tgz" upload_file_name="" upload_file_type="" con_id="2310066560" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"


    Thank you for your interest in this matter Aditya Patel. As I was saying to Vishal -> "I know I was supposed to come back with info, but for this matter I haven't got the chance to open a ticket.

    My colleagues said that they're OK for now with this configuration (with proxy filtering) and we'll wait for the MR1 firmware update to be released and will test again then."