I wasn't sure where else to put this question.
I am using decrypt and scan on the Web Protection side of things. I have the dual AV scanner active.
I downloaded the EICAR file over HTTPS and it was blocked for being a virus. I downloaded it in a .zip and it was blocked. I downloaded the eicarcom2.zip file and it was blocked for "malicious downloads", not "virus infected", which makes me think that the scanner didn't come into effect, only the blacklisting of malicious websites did.
I also downloaded a zipped trojan over NNTPS that Sophos endpoint is capable of detecting and it went through. Does the AV only scan files through the common HTTP/HTTPS protocols? Downloading the EICAR zip rules out that it only scans at a depth of 1. Related question: what depth does the UTM's AV scanner go to?
Thanks for any information provided.