[8.940][OPEN] UTM unable to catch virus (sophos endpoint does)

Hi All

I have HTTp proxy with both antivirus enabled. Also I have sophos endpoint installed.

It seems that the endpoint catch more virus that the UTM. I would expect the sophos engine to get the following since (that's my understanding) both sophos engines are the same (UTM and endpoint)

Log below from the endpoint alert

Event: Access has been blocked to **********/gipoto/dabstepinattack.php" as 'Mal/ExpJS-AA' has been found at this website.

Relevant log from web filter

2012:05:05-10:41:07 ****httpproxy[4521]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.***.***" dstip="173.236.50.237" user="" statuscode="200" cached="4" profile="REF_CnNPwVRtng (Internal Users)" filteraction="REF_DefaultHTTPCFFBlockAction (Internal Users)" size="11580" request="0xa96de5e0" url="http://********/gipoto/dabstepinattack.php" exceptions="" error="" country="United States" category="178" reputation="neutral" categoryname="Internet Services" content-type="text/html"

However, this was not the case. According to virus total ,avira sees that as malware
https://www.virustotal.com/url/1306b95314166571070869cc804ca15e91a734fd24f72565117c4566b9deaa4f/analysis/1336217603/
but is not blocked

Thanks

Parents

0 wingman over 12 years ago

ok so I have another link that it's blocked: 88665.com

Endpoint sees that as:
20120626 162238 Blocked web request to "88665.com" for user AA000000\wingman. 'Mal/HTMLGen-A' has been found at this website, reference ID 111862441.

I would expect utm to get this

2012:06:26-17:24:35 **** httpproxy[4527]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="GET" srcip="192.168.2.5" dstip="" user="" statuscode="403" cached="0" profile="REF_CnNPwVRtng (Internal Users)" filteraction="REF_DefaultHTTPCFFBlockAction (Internal Users)" size="2927" request="0x96c4678" url="88665.com/" exceptions="" error="" country="Germany" reason="category" category="130" reputation="malicious" categoryname="Malicious Sites"
2012:06:26-17:24:36 **** httpproxy[4527]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="GET" srcip="192.168.2.5" dstip="" user="" statuscode="403" cached="0" profile="REF_CnNPwVRtng (Internal Users)" filteraction="REF_DefaultHTTPCFFBlockAction (Internal Users)" size="2960" request="0xc3964018" url="88665.com/favicon.ico" exceptions="cache" error="" country="Germany" reason="category" category="130" reputation="malicious" categoryname="Malicious Sites"

but endpoint web protection got it first. I am using samples from : http://mirror1.malwaredomains.com/updates/20120531.txt

https://www.virustotal.com/url/0dc59107a6f59095478ecb6f676db028603233a8998b59d8e531406a7e08a016/analysis/1340728020/

0 BrucekConvergent over 12 years ago in reply to wingman

ok so I have another link that it's blocked: 88665.com

Endpoint sees that as:
20120626 162238 Blocked web request to "88665.com" for user AA000000\wingman. 'Mal/HTMLGen-A' has been found at this website, reference ID 111862441.

I have to say I've had a number of sites with the same experience... UTM 9 (both AV engines on) lets a URL through, but the Sophos Endpoint (managed by said UTM) seems to detect malicious code, almost always identified as the Mal/HTMLGen-A listed above. Not sure if it's a false positive, or the endpoint engine is handling it better, etc.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 BrucekConvergent over 12 years ago in reply to wingman

ok so I have another link that it's blocked: 88665.com

Endpoint sees that as:
20120626 162238 Blocked web request to "88665.com" for user AA000000\wingman. 'Mal/HTMLGen-A' has been found at this website, reference ID 111862441.

I have to say I've had a number of sites with the same experience... UTM 9 (both AV engines on) lets a URL through, but the Sophos Endpoint (managed by said UTM) seems to detect malicious code, almost always identified as the Mal/HTMLGen-A listed above. Not sure if it's a false positive, or the endpoint engine is handling it better, etc.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data