Hi,
Since the last update, Sophos XG no longer blocks EICAR files in real-time scan mode!
The file is downloaded without scanning!
In Batch mode the file is blocked as before!
Regards Meghan
This thread was automatically locked due to age.
Hi Meghan,
Please show us what configuration is in place to block the EICAR file and how the network received the EICAR file. Also, try changing the AV engines and let us know the results.
Thanks
Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
I can confirm that changing from Real Time to Batch blocks the EICAR file from downloading. Change it back to Real Time and the file downloads but is apparently stripped out and empty.
Max. scan size: 1536mb
Engines: dual scan
I am downloading the testfiles from www.eicar.org
Regards Meghan
Is HTTP and HTTPS scanning enabled in the firewall rule that handles the internet traffic? Also, check that the AV pattern updates are up to date.
Thanks
Sachin Gurung
Team Lead | Sophos Technical Support
Please be aware that when using Real Time scanning, the majority of the time you will not see a block page. You will instead get an incomplete download.
Real Time scanning basically sends the 200 OK response to the client as soon as it gets it from the server. Then, as the file is received from the server, it stores it on disk and simultaneously sends it to the client. The last 1K of data received from the server is withheld from the client. Now the XG has the whole file and scans it. If clean, it sends the last 1K. If a virus, it kills the connection to the client so that it is an incomplete download.
With small files, the same logic applies but because it happens so quickly there are differences. For example, the client may get a 200 OK and no content. The client doesn't report it as a failed download.
Either way, the XG Malware logs should show that a virus was detected.
Can you confirm - when you say that you can download eicar - do you actually see the full malware test string in the final file that is saved to the client harddrive? Does the XG log a virus found?
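The streaming behaviour described in the post above, as an added simulation (not Sophos code) that contrasts Real Time and Batch mode and shows why a small file such as EICAR arrives as an empty 200 OK. Assumptions: the withheld tail is 1024 bytes ("the last 1K"), the scanner is a plain substring match on the EICAR test string, and the block page body is a placeholder.

```python
"""Simulation of the real-time (streaming) scan behaviour described in the post.

Added example, not Sophos code. Assumed: the proxy withholds the last
HOLDBACK = 1024 bytes ("the last 1K") until the whole file has been scanned,
and the scanner is a plain substring match on the EICAR test string.
"""
from __future__ import annotations

from dataclasses import dataclass

HOLDBACK = 1024  # assumed size of the trailing chunk the proxy holds back

# The standard 68-byte EICAR test string, assembled from two halves at import
# time so that this source file is not itself quarantined at rest.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan(data: bytes) -> bool:
    """Toy AV engine: True if the EICAR string appears anywhere in the data."""
    return EICAR in data


@dataclass
class ClientView:
    """What the downloading client actually observes."""
    status: int                  # HTTP status forwarded to the client
    body: bytes = b""            # bytes that reached the client
    connection_killed: bool = False

    def incomplete(self, declared_length: int) -> bool:
        """True if the client got fewer bytes than the server advertised."""
        return len(self.body) < declared_length


def chunked(data: bytes, size: int):
    """Split data into server-side chunks of at most `size` bytes."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def realtime_proxy(server_chunks) -> tuple[ClientView, bool]:
    """Real Time mode: forward 200 OK immediately, stream the body through
    while buffering it, hold back the final HOLDBACK bytes, scan the whole
    file, then either release the tail (clean) or kill the client connection
    (infected). Returns (client's view, whether malware was detected)."""
    client = ClientView(status=200)
    buffered = b""
    for chunk in server_chunks:
        buffered += chunk
        releasable = len(buffered) - HOLDBACK   # everything except the tail
        if releasable > len(client.body):
            client.body = buffered[:releasable]
    infected = scan(buffered)
    if infected:
        client.connection_killed = True         # withheld tail is never sent
    else:
        client.body = buffered                  # release the tail
    return client, infected


def batch_proxy(server_chunks) -> tuple[ClientView, bool]:
    """Batch mode: buffer everything, scan, then send either the file or a
    block page (placeholder body). The client sees a block page rather than a
    truncated download."""
    buffered = b"".join(server_chunks)
    if scan(buffered):
        return ClientView(status=403, body=b"<html>Blocked by web policy</html>"), True
    return ClientView(status=200, body=buffered), False


if __name__ == "__main__":
    # Constructed inputs: the bare EICAR file, a larger file with EICAR at
    # the end, and a clean file.
    for name, data in [("eicar.com", EICAR),
                       ("big-with-eicar", b"A" * 4000 + EICAR),
                       ("clean", b"B" * 5000)]:
        rt, hit = realtime_proxy(chunked(data, 1500))
        bt, _ = batch_proxy(chunked(data, 1500))
        print(f"{name:15} realtime: status={rt.status} bytes={len(rt.body)} "
              f"killed={rt.connection_killed} detected={hit} | batch: status={bt.status}")
```

For the 68-byte EICAR file the whole body sits inside the withheld tail, so the client receives a 200 OK with an empty body, which is exactly the "empty eicar.txt/eicar.com" observed earlier in the thread; the detection still happens on the proxy, so the Malware log is the place to confirm it.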
Hello Michael Dunn,
As I've written before, the EICAR files are without any content/code.
In the EICAR.zip file there is no file inside the zip, and in both eicar.txt and eicar.com there is no code inside the files; they are empty.
What I'm concerned about is that EICAR is NOT logged as a virus by XG.
Regards Meghan
So SFOS is blocking correctly, this is just a logging problem.
So to confirm:
You click on Log Viewer. In the pop-up you select View logs for Malware. There is nothing there?
Just as a double check:
Go to System Services, Log Settings. Under Anti-virus, everything is checked.
If everything looks good but there are still no logs... I'm not sure. Reboot?
I cannot think of anything that would make logging work when in Batch mode and logging not work when in Real Time.
I don't think there is anything else in the forums that could help... Other people have confirmed it works for them. If you wanted to follow up further, I would contact Sophos Support.