[7.470][BUG][NOTABUG] httpproxy doesn't scan all content

Found this issue while looking at a thread logged by other member.

httpproxy doesn't catch all files, two url for downloading exe file:

url 1:

http://www.rarlab.com/rar/wrar39b4.exe

url 2:

Download CCleaner 2.21.940 - Download - FileHippo.com

however, first download comes in straight without being captured by httpproxy - browser prompt to save right away.

Below is the httpproxy log:

2009:07:20-10:21:08 dmzalarm httpproxy[3714]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.100" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="25991" time="2142 ms" request="0xb16ed850" url="www.rarlab.com/.../html"
2009:07:20-10:21:30 dmzalarm httpproxy[3714]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.100" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1375093" time="14734 ms" request="0xb16ad410" url="www.rarlab.com/.../octet-stream"
2009:07:20-10:22:24 dmzalarm httpproxy[3714]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.100" user="" statuscode="200" cached="1" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="6137" time="19 ms" request="0xb16abfa8" url="cache.filehippo.com/.../png"
2009:07:20-10:22:24 dmzalarm httpproxy[3714]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.100" user="" statuscode="200" cached="1" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4574" time="40 ms" request="0xb16ad6a0" url="cache.filehippo.com/.../png"
2009:07:20-10:22:28 dmzalarm httpproxy[3714]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.100" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2432" time="523 ms" request="0xb16ad410" url="www.filehippo.com/.../html"
2009:07:20-10:22:31 dmzalarm httpproxy[3714]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.100" user="" statuscode="301" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" time="245 ms" request="0xb16ad410" url="www.filehippo.com/.../Freeware"
2009:07:20-10:23:04 dmzalarm httpproxy[3714]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.100" user="" statuscode="200" cached="4" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3252640" time="31945 ms" request="0xb164e1c0" url="fs4.filehippo.com/.../octet-stream"

Parents

0 CameronB over 16 years ago

Hi dmzalarm,

If there is no error or virus detected the log will show as a clean logfile line. The logfile will however be quite descriptive on errors for virus detection.

To check this out use the eicar testfile which should show up in your logfile with descriptive entry as below:

http://www.eicar.org/download/eicar.com

id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="207.190.231.66" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2386" time="691 ms" request="0xb36c8ce8" url="www.eicar.org/.../x-msdos-program" engine="Astaro-AV" virus="Eicar-Test-Signature
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 CameronB over 16 years ago

Hi dmzalarm,

If there is no error or virus detected the log will show as a clean logfile line. The logfile will however be quite descriptive on errors for virus detection.

To check this out use the eicar testfile which should show up in your logfile with descriptive entry as below:

http://www.eicar.org/download/eicar.com

id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="207.190.231.66" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2386" time="691 ms" request="0xb36c8ce8" url="www.eicar.org/.../x-msdos-program" engine="Astaro-AV" virus="Eicar-Test-Signature
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 dmzalarm over 16 years ago in reply to CameronB

Thks Cameron,

That make sense. I should have thought of it and tested it with eicar. Appreciate your time.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel