anti-virus scanning failures

Hi,

I ran the tests against my XG 5.6-mr6.

It failed 3 of the cyren tests, virus over ssl. botnet and anonymiser. Currently I don't scan https/tls due to a certificate issue. Botnet call home is a worry.

It failed all the fortiguard tests because it blocked zip files which is a bit strange because I have scan zip files enabled (I think).

The current version of XG is not capable of blocking everything, but just warns you. I am lead to believe that v17 will fix this issue.

Some of your issues are possibly caused by your rule configuration and order of precedence.

Please post what you think is your rule that should be blocking the test traffic.

Ian

Hi,

I tried tightening my rules to see if there is any improvement in the test results, for botnet, total failure all you can do is set the XG to warn you that the sites are objectionable, not satisfactory.

Ian

I would like to add my results too:

I use decrypt and scan, Avira as AV. Unscannable content is blocked (which it is  safer but manual exception needs to be managed).

Here my Web Policy:

For Fortiguard test, all will fail because unscannable content is enabled.

Regards

I would like to add my results too:

I use decrypt and scan, Avira as AV. Unscannable content is blocked (which it is  safer but manual exception needs to be managed).

Here my Web Policy:

For Fortiguard test, all will fail because unscannable content is enabled.

Regards

Hi Luk,

all I ended up achieving was blocking facebook, so had to remove the vpn avoidance filter.

I need a certificate to re-enable successful https scanning, i did something wrong with the XG CA and have not been able to restore it.

Ian

Hi 

We shall check and update you further.

I was under the impression that all the web category policies were applied by default when "ON" is toggled.  I just now noticed that it says that the profile is not enabled by any security policy... where exactly do i enable this at? 

Is there a guide on best practices for which services / policies to enable?  I'm getting red marks across the entire tests on both URLs, so I must not be enabling something altogether.

I had done the original cyren test here https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/82461/xg-fails-cyren-web-security-test-that-utm9-passes Seems they have updated their test[8-|]

I tried the new test with UTM9.502

I am not doing ssl scanning but my kaspersky av blocked the cyren virus over ssl and I am ok with that. The anonymizer test is probably using ssl and I am not using ssl scanning on UTM so its understandable that the UTM failed that test. Fortinet tests are interesting with UTM failing the 3x zip file but passing 4 and 5[:D] Not too concerned about fortinet tests but it proves that you need multiple layers of security on endpoints as well as parameter to deter some threats.

whimdutr make sure you enable scanning in your firewall rules.

 AaronW make sure you enable scanning in your firewall rules.

I originally did not have this enabled, but for LAN/VPN to WAN policy, I just enabled this and it's still blocking absolutely nothing.

I created a new policy to block ads, spam, spyware, anonymizer and such all with the status of "ON" and it's all still failing.  What's even more disturbing is that on the cyren test, I fail absolutely everything, including the virus scanning.

EDIT: Upon further review, if i browse the site such as https://www.anonymizer.com/, it actually pops up and says that Sophos has blocked the website, but I'm wondering why Cyren is still failing me (and everything else too).

Hi aaron, I am not using XG at the moment so its hard for me to guide you correctly. Make sure you have malware scanning enabled on the screenshot I posted above. Look at your logs firewall/webfiltering to make sure that you are indeed using the intended firewall rule. Test directly with eicar  http://www.eicar.org/85-0-Download.html to test your protection and then retest with cyren etc.

Malware scanning is indeed enabled on the Firewall level and the eicar tests show the Blocked by Sophos screen on http (fails on https, but I do not have decrypt https configured).  This is why it's extremely puzzling that the cyren and fortigate tests fail.

To all:

let's wait for an official answer from Sophos. Aditya Patel and sachingurung will investigate and come here back. I guess that URL is not categorizing some url correctly.

Regards