This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM AV scanner allowed Trojan

I wasn't sure where else to put this question.

I am using decrypt and scan on the Web Protection side of things.  I have the dual AV scanner active.

I downloaded the Eicar file over HTTPS and it was blocked for being a virus.  I downloaded it in a .zip and it was blocked.  I downloaded the eicarcom2.zip file and it was blocked for "malicious downloads" not "virus infected" which makes me think that the scanner didn't come into effect, only the blacklisting of malicious websites did.

I also downloaded a zipped trojan over NNTPS that Sophos endpoint is capable of detecting and it went through.  Does the AV only scan files through the common HTTP/HTTPS protocols?  Downloading the Eicar zip rules out that it only scans at a depth of 1.  Related question: what depth does the UTM's AV scanner go to?

Thanks for any information provided.

This thread was automatically locked due to age.

0 TheDrew over 11 years ago

The UTM's scanner only protects web based traffic so anything coming over another port (IRC, NNTP, etc) won't be scanned by the web filter. Email is an exception as there's a email protection module with it's own scanners.
Cancel
Vote Up 0 Vote Down

Cancel
0 teched_01 over 11 years ago

Web Filtering AV doesn't filter NNTPS (or NNTP). The potential scattered time/order, origin, and encoded nature of "data" over NNTP doesn't really lend itself to mid-point inspection or action.

In my test the UTM scanned to a nested zip depth of ~100 (9.113) but not further.

Safer computing practices may be worth consideration.
Cancel
Vote Up 0 Vote Down

Cancel