anti-virus scanning failures

Running Sophos XG 16.5 MR6 with what I believe includes AV, IPS and such, but I was running some basic security tests and it looks like all the virus scanning and botnet protection is not working at all.

This fails ALL the tests: http://www.cyren.com/security-test

Fails ALL but the first one: http://metal.fortiguard.com/tests/


Web -> Protection

  • Scan Engine: Dual Engine
  • Malware scan mode: Batch
  • Malware that cannot be scanned: Block
  • Do not scan files larger than 75MB
  • Scan audio and video: Unchecked (caused issues with streaming)
  • Enable pharming protection: Unchecked (caused issues with iOS Snapchat app)


Are the above settings wrong or is it possible that I'm looking in the completely wrong section?  It doesn't feel like Sophos is actually doing anything UTM related to protect me.



  • Hi,

    I ran the tests against my XG 5.6-mr6.

    It failed 3 of the Cyren tests: virus over SSL, botnet and anonymiser. Currently I don't scan https/tls due to a certificate issue. Botnet call home is a worry.

    It failed all the fortiguard tests because it blocked zip files which is a bit strange because I have scan zip files enabled (I think).

    The current version of XG is not capable of blocking everything, but just warns you. I am led to believe that v17 will fix this issue.

    Some of your issues are possibly caused by your rule configuration and order of precedence.

    Please post what you think is your rule that should be blocking the test traffic.


    Ian

  • Hi,

    I tried tightening my rules to see if there is any improvement in the test results. For botnet, total failure: all you can do is set the XG to warn you that the sites are objectionable, which is not satisfactory.

    Ian

  • I would like to add my results too:

    I use decrypt and scan, Avira as AV. Unscannable content is blocked (which is safer, but manual exceptions need to be managed).

    Here is my Web Policy:

    For Fortiguard test, all will fail because unscannable content is enabled.

    Regards

  • Hi Luk,

    All I ended up achieving was blocking Facebook, so I had to remove the VPN avoidance filter.

    I need a certificate to re-enable successful https scanning; I did something wrong with the XG CA and have not been able to restore it.

    Ian

  • Hi,

    We shall check and update you further.

  • I was under the impression that all the web category policies were applied by default when "ON" is toggled. I just now noticed that it says that the profile is not enabled by any security policy... where exactly do I enable this?


    Is there a guide on best practices for which services / policies to enable? I'm getting red marks across the entire tests on both URLs, so I must not be enabling something altogether.

  • I had done the original Cyren test here: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/82461/xg-fails-cyren-web-security-test-that-utm9-passes Seems they have updated their test.

    I tried the new test with UTM9.502

    I am not doing SSL scanning, but my Kaspersky AV blocked the Cyren virus over SSL and I am OK with that. The anonymizer test is probably using SSL and I am not using SSL scanning on UTM, so it's understandable that the UTM failed that test. Fortinet tests are interesting, with UTM failing the 3x zip file but passing 4 and 5. Not too concerned about Fortinet tests, but it proves that you need multiple layers of security on endpoints as well as perimeter to deter some threats.


    Make sure you enable scanning in your firewall rules.

  •   Make sure you enable scanning in your firewall rules.


    I originally did not have this enabled, but for LAN/VPN to WAN policy, I just enabled this and it's still blocking absolutely nothing.


    I created a new policy to block ads, spam, spyware, anonymizer and such, all with the status of "ON", and it's all still failing. What's even more disturbing is that on the Cyren test, I fail absolutely everything, including the virus scanning.


    EDIT: Upon further review, if I browse a site such as https://www.anonymizer.com/, it actually pops up and says that Sophos has blocked the website, but I'm wondering why Cyren is still failing me (and everything else too).
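The recurring point in this thread is that the Web -> Protection settings do nothing until a firewall rule references a web policy and has scanning turned on. The following is an added example, not code from Sophos or from anyone in the thread: it parses a FirewallRule export of the kind the SFOS XML API returns and reports every enabled outbound rule that lacks a web policy, malware scanning, HTTPS decryption or an IPS policy. The sample export is constructed, and the element names are my recollection of the API rather than something this thread confirms, so check them against an export from your own unit.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a FirewallRule export (SFOS XML API, Get FirewallRule). Element
# names (NetworkPolicy, WebFilter, ScanVirus, DecryptHTTPS, IntrusionPrevention) are
# assumptions from memory of that API; verify against a real export from your own unit.
SAMPLE_EXPORT = """<Response APIVersion="1605.1">
<FirewallRule transactionid="">
  <Name>LAN to WAN</Name><Status>Enable</Status>
  <NetworkPolicy>
    <Action>Accept</Action>
    <DestinationZones><Zone>WAN</Zone></DestinationZones>
    <WebFilter>None</WebFilter><ScanVirus>Disable</ScanVirus>
    <DecryptHTTPS>Disable</DecryptHTTPS><IntrusionPrevention>None</IntrusionPrevention>
  </NetworkPolicy>
</FirewallRule>
<FirewallRule transactionid="">
  <Name>VPN to WAN</Name><Status>Enable</Status>
  <NetworkPolicy>
    <Action>Accept</Action>
    <DestinationZones><Zone>WAN</Zone></DestinationZones>
    <WebFilter>Default Policy</WebFilter><ScanVirus>Enable</ScanVirus>
    <DecryptHTTPS>Enable</DecryptHTTPS><IntrusionPrevention>generalpolicy</IntrusionPrevention>
  </NetworkPolicy>
</FirewallRule>
</Response>"""


def audit_outbound_rules(export_xml):
    """Map each enabled Accept rule reaching WAN to the protections it lacks.
    A web protection profile does nothing until a firewall rule references it, so
    WebFilter 'None' or ScanVirus 'Disable' here means traffic passes unscanned."""
    findings = {}
    for rule in ET.fromstring(export_xml).iter("FirewallRule"):
        policy = rule.find("NetworkPolicy")
        if (policy is None or rule.findtext("Status") != "Enable"
                or policy.findtext("Action") != "Accept"):
            continue  # disabled or non-accept rules cannot pass unscanned traffic
        if "WAN" not in [z.text for z in policy.findall("DestinationZones/Zone")]:
            continue  # only outbound rules are in scope for the web tests
        checks = [
            (policy.findtext("WebFilter", "None") == "None", "no web policy attached"),
            (policy.findtext("ScanVirus") != "Enable", "malware scanning disabled"),
            (policy.findtext("DecryptHTTPS") != "Enable", "HTTPS not decrypted (virus over SSL unscanned)"),
            (policy.findtext("IntrusionPrevention", "None") == "None", "no IPS policy"),
        ]
        gaps = [msg for failed, msg in checks if failed]
        if gaps:
            findings[rule.findtext("Name")] = gaps
    return findings
```

Run against a real export, the rule that mirrors the original poster's LAN/VPN to WAN policy is the one this check flags; a rule is only clean when it carries a web policy and has scanning enabled.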
