Malware and Virus protection in Sophos XG

Hi there,

I discovered Sophos XG and am pleasantly surprised by the configurations that can be put in place to secure your network. A big thank you for the work done on this tool.

Also, I managed to create my various firewall rules based on groups of MAC addresses, and everything worked properly. All except, I have a feeling, the anti-malware/virus scan: when I download EICAR test files, they are not blocked by Sophos.

I have activated the various options, as well as installed the CA certificate on my workstations. I also enabled https decryption. You will find the screenshots below.

I don't quite understand what I could have forgotten to configure, so I come to ask for your help to understand what I could have forgotten.

With thanks,
Be well,

Best regards,

Sébastien



  • Personally I would not use the proxy, use DPI unless you absolutely need a feature of the older proxy. So turn those two checkboxes off under Security Features.

    Then verify that the traffic you are wanting to scan is in fact running through the firewall rule where you've turned on scanning and that it is in fact HTTPS/HTTP.

  • Thank you for your response. 

    With DPI, is the SSL decrypted?

    I have tested unchecking the two checkboxes, but same result. The files are not blocked.

    Where can I check if the test has been run? (if possible)

    Best regards,

  • Did you check that the firewall rule for which you're turning on checking is the one being used? And through what mechanism are you downloading the files? (I.e. through a browser, via FTP, etc.)

  • Yes, I have checked the rules. The firewall rule used is the right one. I download the files from the browser, and the files are on this webpage.

    https://www.eicar.org/download-anti-malware-testfile/


    Thank you

    Best regards

  • I just tried downloading it and it was stopped because the site is known for executable downloads (I.e. by a web filter, not a file filter). I think I could proceed, but I also have InterceptX running so that might also stop it.

    To actually get SSL/TLS decryption you have to add an SSL/TLS rule that decrypts. So it's a two-step: 0) Make sure SSL/TLS decryption is on globally and that you're using the DPI engine, 1) Make sure that SSL/TLS decryption is ON in the firewall rule, and 2) make sure there is an SSL/TLS rule (same page as Firewall rules, third tab) that causes decryption to occur. This is sort of the opposite of Firewall rules: if no firewall rule applies to a packet it is dropped, but if none of the SSL/TLS rules applies to a packet it is NOT decrypted.

    The switch in the Firewall rule and the SSL/TLS rule work together: the switch in the Firewall rule being ON tells the system to then continue to the SSL/TLS rules to make the final decision. Which could be to decrypt or not, but if no rules apply the decision is NOT. By default there is no "decrypt most everything" SSL/TLS rule that you would place near the bottom of the SSL/TLS list in order to allow the higher Exclusion by Website rule to exempt some sites.

    I would also make sure that you have IPS turned on using policies that cover your machine, and also turn on Zero-day. Either of these might also catch the file.

    I would also add that once you're actually doing SSL/TLS decryption (which you're not by default), some websites will break. For example your Amazon Prime or Netflix streaming will have issues or not work at all. There is a whole art to handling this... I think I might go write a guide for new adopters who are using XG at home.
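The two-stage decision described in the reply above (firewall rule switch plus a matching SSL/TLS rule, with opposite defaults), written out as an added Python model; this is illustration code, not Sophos code, and the rule fields, MAC addresses and host names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model of the decision the reply describes; not Sophos code.
# Real XG/XGS matching uses many more criteria (zones, services, users).

@dataclass
class FirewallRule:
    name: str
    dst_ports: set
    action: str                       # "accept" or "drop"
    decrypt: bool = False             # the per-rule "decrypt HTTPS" switch
    src_macs: Optional[set] = None    # None = any source

@dataclass
class TlsRule:
    name: str
    action: str                       # "decrypt" or "do_not_decrypt"
    src_macs: Optional[set] = None    # None = any source
    hosts: Optional[set] = None       # matched on the SNI; None = any host

@dataclass
class Flow:
    src_mac: str
    dst_port: int
    sni: str = ""

def _src_ok(rule, flow):
    return rule.src_macs is None or flow.src_mac in rule.src_macs
def decide(flow, fw_rules, tls_rules):
    """Return (firewall_action, decrypted). Firewall rules: first match wins,
    no match means drop. SSL/TLS rules: consulted only if the matched firewall
    rule has decrypt switched on; first match wins, no match = NOT decrypted."""
    fw = next((r for r in fw_rules
               if flow.dst_port in r.dst_ports and _src_ok(r, flow)), None)
    if fw is None or fw.action != "accept":
        return ("drop", False)
    if not fw.decrypt or flow.dst_port != 443:
        return ("accept", False)
    tls = next((r for r in tls_rules if _src_ok(r, flow)
                and (r.hosts is None or flow.sni in r.hosts)), None)
    return ("accept", tls is not None and tls.action == "decrypt")

# Constructed sample policy. MAC addresses and host names are made up.
PC_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
FW_RULES = [FirewallRule("lan-web-out", {80, 443}, "accept", decrypt=True)]
NO_TLS_RULES = []            # the original poster's state: third tab empty
TLS_RULES = [                # exemption above, decrypt-my-devices below
    TlsRule("exempt-streaming", "do_not_decrypt", hosts={"alexa.example.net"}),
    TlsRule("decrypt-pcs-and-phones", "decrypt", src_macs=PC_MACS),
]
```

With `NO_TLS_RULES` every HTTPS flow is accepted but left encrypted, which is why the test file passed through; with `TLS_RULES` only the listed MAC group is decrypted and the exempted streaming host stays untouched.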

  • Thank you so much for your response.

    You are right, I had missed the third tab, with the configuration of the SSL rules.

    Now the browser has blocked the download of the file with the message "Malware detected".

    Yes, I use Sophos XG in the home version. I'm a web developer and like sysadmin work. I test some applications, utilities, and so on.

    Indeed my Alexa streaming has broken :). For this, I have created a group list of MAC addresses with all the MACs of my PCs / phones / tablets, and in the SSL decryption rules I have selected only this group of MACs. Seems to work perfectly.

    I think it's a good idea to make a guide on this topic. I am not an expert in English, but if you need help, I'll gladly give it.

    Thank you for your support and the time granted; it is very much appreciated and contributes to the quality of the tool.

    Sébastien

  • Yeah, I use my XGS-87 at home, too. It's a combination of a hobby and higher security in today's world. You should also look into Sophos Central, which makes it easy to manage when you're away from home. (And I super-recommend it if you're using a Sophos WiFi AP, to manage it from there instead of the XGS.) Also, if you're doing a commercial license and yearly support, it's not too bad to add a couple of InterceptX endpoints to the mix for another layer of security on the laptop itself. (And if you're on a Mac, I highly recommend Little Snitch, a reverse firewall.)

    For all of my devices, I assign static DHCP addresses, and reserve a small band for dynamic addresses. Then I set up Clientless Users for each device. The usernames need to be unique, so I do something like username 'wayne-laptop' and name 'wayne', username 'Wayne-phone' and name 'wayne'. It's the username that matters, and the name is more for displaying the list.

    And these Clientless users of course have the IP addresses assigned by static DHCP. Then in my firewall rules I require known users. So I can plug in a new device, it gets a dynamic IP address, but it can't get anywhere because it's not a known user. Then set up a static IP for it, create a Clientless User for it, and have it renew its DHCP lease.

    In my case, added my AppleTV to a do-not-decrypt TLS rule so I don't have to chase whenever the far end adds another server domain and things break and I have to add them to an exception list.

    At the same time, I would not exclude my devices wholesale. May as well have TLS decryption off in that case. (You'll notice, perhaps to your disappointment, that the vast majority of TLS/SSL traffic isn't decrypted anyhow because of large-swath exceptions that are necessary for Apple, Microsoft, etc. So if you're going to exclude all of your personal devices, just leave it off.)

    Of course, you also need to download your appliance's CA certificate to all devices that DO get decrypted and set them to be trusted, since XG is doing a man-in-the-middle "attack" essentially and each device needs to trust the XG CA in order to not complain constantly. It's all a bit painful for a home user, but we're using XG for higher security, so...

  • I also do the same thing at the DHCP level.

    It's practical; on the other hand, I find it restrictive to have to create a clientless user for each machine, even if I recognize that it is a solution.

    What I regret with this is that you can create a user with a "list of mac addresses".

    It would be interesting if they added this functionality. I think it would not be simple, in the sense that a MAC address can end up on multiple users.

    I may recreate the different users; at least in the logs, they will appear more clearly than a simple IP address.

    Thanks again for your suggestions.

  • For home use, it's not too difficult to create a clientless user for each machine and you only do it once. But it lets you do lots of cool things on a per-user basis, and you can create groups of users. Much easier than working with IP addresses. And, as I said, you can also require known users in a firewall rule, which will then not apply to any non-clientless-user-systems you might have.

    And many logs and displays can be filtered by user, too.