
Web Malware and Content Scanning - scan http logs

hey guys,

when some of my games try to update (Overwatch and SWTOR), the update fails because they can't reach the update server.

when I disable the HTTP scanning on the rule to the WAN, the update works.

so, where can I see the logs of packets that were dropped due to HTTP scanning (Sophos engine)?

and where can I exclude addresses if it's a false positive, like in this case?


thanks!



  • You should be able to view this in the Log Viewer. From any page, on the top right corner click ‘Log Viewer’ which will open up in a new window. It defaults to the firewall logs but there’s a drop down that lets you view ‘Malware’. You might also want to check the Web Filter logs in that same drop down.

    You can exclude specific IP addresses, domains or category of websites (as defined by Sophos) from malware scanning by going to the ‘Exceptions’ tab on the ‘Web’ page. It should be fairly self-explanatory from there - create a new exception with the domain you want to exclude and make sure ‘Content and Malware scanning’ is selected to be skipped on the right side of the dialog.

  • hi,

    I didn't find anything in the logs.

    so when I opened the game launcher I used TCPView to see where it goes, and I filtered by dst IP.

    I got this result:

    the rule in that image is simply giving the PC access to the WAN.

    as soon as I removed HTTP scanning from that rule, it worked :X

    I didn't get blocks from the anti-virus component (not anti-malware :) )

    and nothing from the web access policy.

  • The ‘Invalid Traffic’ is a weird one, because that is actually “common” in the sense that you will see a lot of those entries in your firewall logs but it’s typically not an issue. There was a post about this from a Sophos employee and the recommendation was to turn off logging of ‘Invalid Traffic’ or else your firewall logs will rapidly become full of these entries. I’ll see if I can find it but bottom line, I don’t think that is your issue since turning off ‘Scan HTTP’ is fixing it.

    When you enable ‘Scan HTTP’ on a firewall rule, this enables the Malware and Content Scanning, a part of which uses the Sophos Anti-Virus engine (default). This is all done by sending the traffic through a web proxy which alone can cause issues with some applications. My guess is your issue is from either 1) the anti virus engine or 2) that particular traffic going through the web proxy (even if it's just being allowed to pass). As mentioned in my previous post, I would create an exception for that particular IP address (or preferably a domain if you can determine one since the IP address may change) to skip the ‘Malware and Content Scanning’.

    If you enable the “Allow All” Web Policy in your firewall rule, you should be able to see all your traffic in the firewall log under “Web Filter” which can help you determine if there’s a domain being used.
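The advice above is to prefer a domain exception over an IP exception, and to use the "Web Filter" log to find the domain behind the addresses a launcher connects to. The script below is an added example (not from this thread and not Sophos code) that demonstrates why: it parses a few constructed key=value log lines (the format, host names and addresses are all made up for illustration and are not a documented Sophos log format), groups destination IPs under the host name the client asked for, and then checks which connections an exception list would still leave subject to scanning. An exception entry is treated as either an IP literal or a domain that also covers its subdomains, which is the assumption the example makes about how a domain exception behaves.

```python
"""Added example: compare IP-based and domain-based scanning exceptions
against constructed web-filter log lines. Not Sophos code; log format,
hosts and addresses are invented for illustration."""
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample lines in a generic key=value style. Nothing here is
# real firewall output; the CDN is deliberately spread over several IPs.
SAMPLE_LOG = """\
time="2023-01-01 10:00:01" dst_ip=203.0.113.10 dst_port=443 url="https://update.example-game.test/manifest"
time="2023-01-01 10:00:02" dst_ip=198.51.100.21 dst_port=80 url="http://edge1.cdn-example.test/patch/1.bin"
time="2023-01-01 10:00:03" dst_ip=198.51.100.22 dst_port=80 url="http://edge2.cdn-example.test/patch/2.bin"
time="2023-01-01 10:00:04" dst_ip=198.51.100.23 dst_port=80 url="http://edge3.cdn-example.test/patch/3.bin"
time="2023-01-01 10:00:05" dst_ip=192.0.2.7 dst_port=443 url="https://www.unrelated.test/"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Turn key=value lines into records holding the destination IP and URL host."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        host = urlsplit(fields.get("url", "")).hostname or ""
        records.append({"dst_ip": fields.get("dst_ip", ""), "host": host})
    return records


def ips_by_host(records):
    """Group destination IPs under the host name requested, so a CDN that
    answers from many addresses shows up as one domain with several IPs."""
    groups = defaultdict(set)
    for r in records:
        groups[r["host"]].add(r["dst_ip"])
    return {h: sorted(ips) for h, ips in groups.items()}


def _is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def matches_exception(record, exceptions):
    """Assumed exception semantics: an IP literal matches dst_ip exactly;
    a domain matches that host and every subdomain of it."""
    host = record["host"].lower()
    for entry in exceptions:
        entry = entry.lower().lstrip("*").lstrip(".")
        if _is_ip(entry):
            if record["dst_ip"] == entry:
                return True
        elif host == entry or host.endswith("." + entry):
            return True
    return False


def uncovered_hosts(records, exceptions):
    """Hosts whose connections the exception list would still send through
    content scanning, i.e. the ones that could still break an update."""
    return sorted({r["host"] for r in records if not matches_exception(r, exceptions)})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, ips in ips_by_host(recs).items():
        print(f"{host}: {', '.join(ips)}")
    # Excluding the two IPs seen so far still leaves the third CDN node scanned.
    print("IP-only gaps:", uncovered_hosts(recs, ["198.51.100.21", "198.51.100.22"]))
    # A domain exception covers every node of the CDN, present and future.
    print("domain gaps:", uncovered_hosts(recs, ["cdn-example.test", "example-game.test"]))
```

Run it as a script to see the grouping; the point it makes is the one in the answer above, that an exception list built from observed IPs is only as complete as the last capture, while a domain exception follows the CDN wherever it resolves.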

  • i believe this:

    2) that particular traffic going through the web proxy (even if its just being allowed to pass).

    was the root cause.

    anyway, the game launcher used many many IPs, and I added them all and it still didn't work :(

    I devoured the log files with no luck

    so I searched the game forums and they used CDN servers for patching and load balancing :p

    after I added their CDN domain, it all worked :)

  • Awesome, glad it’s working. If it was in fact the web proxy causing the issue, just realize in the future if you ever start messing with Web Policies (setting it to anything other than “None” in your firewall rule), you might also run into the same issue since that also uses the same web proxy.