
Not blocking Test Virus at all

Not sure what is going on, but my XG v18 SR5 is not blocking any AV test viruses. Almost all other blocks in policies etc. work fine. I have everything selected in the AV settings, using dual real-time; tried changing it, nothing, nothing in the log. My PC AV reports on it and cleans it.

Anyone else having this issue? System completely updated, and today is 6/16/2021.



This thread was automatically locked due to age.
  • Hello,

    Are those samples being downloaded through TLS? If they are, you will need to create a new TLS Inspection Policy in order to decrypt the traffic.

    Without doing this the Firewall won't be able to inspect the SSL/TLS encrypted connection for Malware/PUA.

    Also, can you try downloading an Eicar sample to see if it triggers the Block message? Download through both HTTP and HTTPS.

    Finally, can you send a picture of your Firewall Rule?

    Thanks!
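The HTTP-versus-HTTPS EICAR check suggested in the reply above, as an added example that is not part of the thread or of any Sophos tooling. It fetches the test file over both schemes with no browser cache in the way, tells an unmodified test string apart from a block page, and separately reports the case where the client does not trust the firewall's signing CA (which is what a decrypting proxy looks like to a client that lacks the CA). The download path is an assumption; eicar.org publishes the official test files, and the block-page heuristic is a constructed approximation.

```python
"""Added example, not from the thread: probe an AV/TLS-inspection path with the EICAR test file.

Assumptions (not from the original post): the URL path passed to run_check(), and the
heuristic that a block page is HTML or an HTTP 4xx response.
"""
from __future__ import annotations

import ssl
import urllib.error
import urllib.request

# The 68-byte EICAR test string, which every AV engine is expected to flag.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def classify(body: bytes, status: int) -> str:
    """Classify one response.

    'passed'  - the unmodified test string reached the client (nothing blocked it)
    'blocked' - an HTTP error or an HTML page came back instead (typical block page)
    'other'   - something else; look at it by hand
    """
    if body.strip() == EICAR:          # eicar.com.txt may carry a trailing newline
        return "passed"
    if status >= 400 or b"<html" in body[:512].lower():
        return "blocked"
    return "other"


def fetch(url: str, timeout: float = 10.0) -> tuple[str, str]:
    """Fetch url and return (verdict, detail). Never raises on network failure."""
    req = urllib.request.Request(
        url,
        headers={"Cache-Control": "no-cache", "User-Agent": "eicar-check/1"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.read(), resp.status), f"HTTP {resp.status}"
    except urllib.error.HTTPError as e:          # subclass of URLError; must come first
        return classify(e.read(), e.code), f"HTTP {e.code}"
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            # The chain did not validate: either a genuine MITM or a decrypting firewall
            # whose signing CA is not installed in this client's trust store.
            return "untrusted-cert", str(e.reason)
        return "error", str(e.reason)


def run_check(path: str = "secure.eicar.org/eicar.com.txt") -> dict[str, str]:
    """Fetch the same test file over plain HTTP and over HTTPS. Path is an assumed value."""
    return {scheme: fetch(f"{scheme}://{path}")[0] for scheme in ("http", "https")}


if __name__ == "__main__":
    for scheme, verdict in run_check().items():
        print(f"{scheme}: {verdict}")
```

If HTTP comes back "blocked" and HTTPS comes back "passed", the firewall is scanning but not decrypting, which is the situation the rest of this thread works through. "untrusted-cert" on HTTPS with "blocked" on HTTP means decryption is happening and the client simply lacks the firewall's CA.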

  • Yeah, I think you're right. I went to the sophostest page and went to the Eicar section. First my PC software blocked the page; I bypassed it and then the Sophos XG prevented it. But when I go to the Eicar.ORG page, which is SSL, it does not block it. I thought I had HTTPS decryption enabled.

  • I was fooled by the TLS at first: a Firewall Rule can say to do it, but that just refers things to the TLS Rules, and if one of the TLS Rules doesn't explicitly cause something to be decrypted -- i.e. you fall off the end of the TLS Rules -- it won't be decrypted. So you also need to have a TLS Rule in place.

  • 1
    Exclusions by website or category
    in 373.89 KB, out 92.99 KB
    Any zone, Any host, Anybody
    Any zone, Any host
    Business Cloud Apps, Financial ...
    Maximum compatibility
    Don't decrypt
    2
    Inspect Traffic
    in 4.28 KB, out 6.68 KB
    LAN, Any host, Anybody
    Any zone, Any host
    Any website, Any service
    Maximum compatibility
    Decrypt
  • I don't think it is decrypting my SSL traffic

  • You should be able to view the TLS logs and see if the URL is decrypted. When you fall off the end of the TLS Rules, it doesn't log anything -- just as it doesn't log when you fall off the end of the Firewall Rules and get dropped. But since you have a rule there that should catch it, there should be an entry in the log. Can you confirm that?
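A small model of the first-match rule evaluation described in the two replies above, added here as an example; it is not from the thread and not Sophos code. It encodes the two TLS rules posted earlier (the second category name is truncated in the post and is kept as a placeholder), walks them in order, and returns the implicit "don't decrypt, nothing logged" result when a flow falls off the end. Field names, the Flow type and the category labels are assumptions for illustration; real TLS rules also match on users, services and more, which this model leaves out.

```python
"""Added example, not from the thread: first-match evaluation of TLS inspection rules.

Assumptions (not from the original post): the TlsRule/Flow shapes, the zone and category
strings, and the use of "Financial" as a stand-in for the category name truncated in the
screenshot. Only zones and web categories are matched; users and services are omitted.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TlsRule:
    name: str
    src_zones: Optional[frozenset]     # None means "Any zone"
    dst_zones: Optional[frozenset]     # None means "Any zone"
    categories: Optional[frozenset]    # None means "Any website"
    action: str                        # "Decrypt" or "Don't decrypt"

    def matches(self, flow: "Flow") -> bool:
        return (
            (self.src_zones is None or flow.src_zone in self.src_zones)
            and (self.dst_zones is None or flow.dst_zone in self.dst_zones)
            and (self.categories is None or flow.category in self.categories)
        )


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    category: str      # web category the firewall assigned to the destination


@dataclass(frozen=True)
class Verdict:
    action: str
    rule_name: Optional[str]   # None when no rule matched

    @property
    def logged(self) -> bool:
        # Per the thread: a flow that falls off the end of the rule set leaves no TLS log entry.
        return self.rule_name is not None


# Constructed transcription of the two rules in the posted screenshot.
RULES = [
    TlsRule("Exclusions by website or category", None, None,
            frozenset({"Business Cloud Apps", "Financial"}), "Don't decrypt"),
    TlsRule("Inspect Traffic", frozenset({"LAN"}), None, None, "Decrypt"),
]


def evaluate(rules: list[TlsRule], flow: Flow) -> Verdict:
    """First matching rule wins; no match means the flow is passed through undecrypted."""
    for rule in rules:
        if rule.matches(flow):
            return Verdict(rule.action, rule.name)
    return Verdict("Don't decrypt", None)


if __name__ == "__main__":
    for flow in (
        Flow("LAN", "WAN", "Uncategorized"),        # a LAN client fetching the EICAR page
        Flow("LAN", "WAN", "Business Cloud Apps"),  # excluded by rule 1
        Flow("DMZ", "WAN", "Uncategorized"),        # falls off the end: no rule, no log line
    ):
        v = evaluate(RULES, flow)
        print(f"{flow}: {v.action} via {v.rule_name!r}, logged={v.logged}")
```

The third case is the one to check for when the TLS log is empty: a source zone that no rule covers produces no log entry at all, so an absent entry and a "Don't decrypt" entry need different fixes (a missing rule versus a wrong rule).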

  • Yup, decrypting and now able to block the Eicar.com file, but the text file goes through; maybe because that is not a file type that is inspected? Also not looking into a single zip file.

  • It was cached in my browser. Okay, all seems to be working except one issue with Firefox not liking my SSL decryption from the firewall. Seems Opera and Chrome are fine, just Firefox with this message:


    Software is Preventing Firefox From Safely Connecting to This Site