URL: https://community.sophos.com/sophos-xg-firewall/f/discussions/94279/bug-sophos-xg-does-not-block-eicar-file-in-realtime-since...






Thread Info
 * Status: Suggested answer
 * Votes: 0
 * Locked
 * Replies: 20
 * Answers: 1
 * Subscribers: 30
 * Views: 48468
 * Tags: Sophos Firewall, webfiltering, Update, realtime, Web Protection, scanning, sophos



BUG? SOPHOS XG DOES NOT BLOCK EICAR FILE IN REALTIME SINCE LAST UPDATE


FormerMember, over 6 years ago

Hi,

 

since last update, Sophos XG does not block EICAR files in real-time scan mode
anymore!

The file is downloaded without scanning!

In Batch mode the file is blocked as before!

 

Regards Meghan




This thread was automatically locked due to age.


 * lferrara, over 6 years ago
   
   Meghan,
   
   check your settings and try to switch from batch to real-time again. On my XG it is
   working with no issue.
   
   
   
   
   
   
   
   
   
   * FormerMember, over 6 years ago, in reply to lferrara
     
     Hi,
     
     ..
     
     I've tried a few times now, but the download isn't blocked by XG, and my
     endpoint security doesn't detect the eicar.com/.zip files as a virus ...
     
     Does XG remove the malicious Code from the file?
     
      
     
     Regards Meghan
     
     
     
     
     
     
     
     
     
     * Bill Roland, over 6 years ago, in reply to FormerMember
       
       Yep, I've had this concern as well, as it was one of the first things I
       tried to "verify" my XG was working and I was very alarmed to see that I
       could download it.  However I do note that in the Malware Log, it is
       detected by XG as "EICAR-AV-Test" so I assume it is allowing it through
       so you can test your AV solution?  I have no idea, it has been that way
       since day one for me, not something new with the latest firmware.
       
       
       
       
       
       
       
       
       
     * lferrara, over 6 years ago, in reply to Bill Roland
       
       Are you using decrypt and scan?
       
       On my XG worked since v15.
       
       
       
       
       
       
       
       
       
     * FormerMember, over 6 years ago, in reply to lferrara
       
       I am using decrypt, but what I have found out is that XG removes the
       eicar.com file from the zip, and all code from the eicar.com file.
       
       So my theory is that XG is cleaning the files of malicious code in
       real-time mode, while it blocks the files in batch mode.
       
       Regards Meghan
       
       
       
       
       
       
       
       
       
     * lferrara, over 6 years ago, in reply to FormerMember
       
       Meghan,
       
       inside Log Viewer > Malware log you should see the EICAR entries. I
       tested with all possible EICAR files and none of them was downloaded. I am
       using decrypt and scan, HTTPS scan and Firefox.
       
       Regards
       
       
       
       
       
       
       
       
       
     * Ashen1, over 6 years ago, in reply to FormerMember
       
       Hi Meghan,
       
        
       
       Since when did you notice this behaviour? I will try to see this for myself;
       thanks for sharing, though.
       
       
       
        
       
       
       
       
       
       
       
       
     * FormerMember, over 6 years ago, in reply to Ashen1
       
       Hi all,
       
       I've had this issue since the update to MR6.
       
       Regards
       
       
       
       
       
       
       
       
       
 * sachingurung, over 6 years ago
   
   Hi Meghan,
   
   Please show us what configurations are made to prevent the EICAR file and how
   did the network receive the EICAR file? Also, try changing the AV engines and
   let us know the results.
   
   Thanks
   
   
   
   Sachin Gurung
   Team Lead | Sophos Technical Support
   Knowledge Base  |  @SophosSupport  |  Video tutorials
   Remember to like a post.  If a post (on a question thread)
   solves your question use the 'This helped me' link.
   
   
   
   
   
   
   
   
   * Bill Roland, over 6 years ago, in reply to sachingurung
     
     I can confirm that changing from Real Time to Batch blocks the EICAR file
     from downloading.  Change it back to Real Time and the file downloads but
     is apparently stripped out and empty. 
     
     
     
     
     
     
     
     
     
     * FormerMember, over 6 years ago, in reply to Bill Roland
       
       Max. scan size: 1536 MB
       
       Engines: dual scan
       
        
       
       I am downloading the test files from www.eicar.org
       
        
       
       Regards Meghan
       
       
       
       
       
       
       
       
       
     * sachingurung, over 6 years ago, in reply to FormerMember
       
       Are HTTPS and HTTP scanning enabled in the firewall rule that handles
       the internet traffic? Also, check that the AV pattern updates are up to date.
       
       Thanks
       
       
       
       Sachin Gurung
       Team Lead | Sophos Technical Support
       
       
       
       
       
       
       
       
     * FormerMember, over 6 years ago, in reply to sachingurung
       
       Hi Sachin,
       
       Yes, the scanning functions are enabled.
       
        
       
       Regards Meghan
       
       
       
       
       
       
       
       
       
     * Michael Dunn, over 6 years ago, in reply to FormerMember
       
       Please be aware that when using Real Time scanning, the majority of the
       time you will not see a block page.  You will instead get an incomplete
       download.
       
       Real Time scanning basically sends the 200 OK response to the client as soon
       as it gets it from the server.  Then, as the file is received from the
       server, it stores it on disk and simultaneously sends it to the client.  As
       the last 1K of data is received from the server, it is withheld from the
       client.  Now the XG has the whole file and scans it.  If clean, it sends
       the last 1K.  If a virus, it kills the connection to the client so that
       it is an incomplete download.
       
       With small files, the same logic applies, but because it happens so
       quickly there are differences.  For example, the client may get a 200 OK
       and no content.  The client doesn't report it as a failed download.
       
       Either way, the XG Malware logs should show that a virus was detected.
       
       Can you confirm: when you say that you can download EICAR, do you
       actually see the full malware test string in the final file that is saved
       to the client hard drive?  Does the XG log a virus found?
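The streaming ("real-time") versus buffering ("batch") behaviour that Michael Dunn describes above can be modelled in a few lines, which makes it clear why a detection in real-time mode produces an empty or truncated file rather than a block page. The following Python is an added example written for this page; it is not Sophos code and does not reflect SFOS internals. The 1 KiB hold-back, the toy scanner (which recognises only the public EICAR test string), and the use of 403 for the block page are assumptions for illustration, and the sample files fed to it are constructed.

```python
"""Batch vs real-time ("trickle") anti-virus scanning in a web proxy, simulated.

Added illustration for this thread, not Sophos code. Assumptions: the proxy
withholds the last 1 KiB in real-time mode, the scanner is a toy that only
recognises the public EICAR test string, and 403 is the block-page status.
"""
from dataclasses import dataclass, field
from typing import List, Optional

HOLDBACK = 1024  # bytes held back until the verdict (assumed value)

# Public EICAR test string, assembled at runtime so this source file is not
# itself flagged by an on-access scanner.
EICAR_BYTES = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" +
               b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def scan(data: bytes) -> Optional[str]:
    """Toy AV engine: detection name, or None when clean."""
    return "EICAR-AV-Test" if EICAR_BYTES in data else None


@dataclass
class ClientView:
    """What the downloading client and the proxy's malware log end up with."""
    status: Optional[int] = None     # HTTP status the client received
    body: bytes = b""                # bytes that actually reached the client
    connection_reset: bool = False   # proxy dropped the connection mid-transfer
    malware_log: List[str] = field(default_factory=list)


def batch_mode(server_body: bytes) -> ClientView:
    """Buffer the whole object, scan, then serve the file or a block page."""
    view = ClientView()
    verdict = scan(server_body)
    if verdict:
        view.malware_log.append(verdict)
        view.status = 403
        view.body = b"<html>Blocked: " + verdict.encode() + b"</html>"
    else:
        view.status = 200
        view.body = server_body
    return view


def realtime_mode(server_body: bytes) -> ClientView:
    """Forward 200 OK at once, stream all but the tail, scan, then decide."""
    view = ClientView()
    view.status = 200                       # sent before any scanning
    streamed = max(0, len(server_body) - HOLDBACK)
    view.body = server_body[:streamed]      # already on the client's disk
    verdict = scan(server_body)             # proxy now holds the full file
    if verdict:
        view.malware_log.append(verdict)
        view.connection_reset = True        # tail never sent: truncated download
    else:
        view.body += server_body[streamed:]  # release the held-back tail
    return view


def client_has_payload(view: ClientView) -> bool:
    """Did the test string survive end-to-end in what the client saved?"""
    return EICAR_BYTES in view.body


def compare(server_body: bytes) -> dict:
    """Run both modes on one object and summarise what the client sees."""
    out = {}
    for name, mode in (("batch", batch_mode), ("realtime", realtime_mode)):
        v = mode(server_body)
        out[name] = {
            "status": v.status,
            "bytes_delivered": len(v.body),
            "reset": v.connection_reset,
            "payload_on_client": client_has_payload(v),
            "logged": v.malware_log,
        }
    return out


if __name__ == "__main__":
    # Constructed sample objects, not real downloads.
    samples = {
        "eicar.com (68 bytes)": EICAR_BYTES,
        "4 KiB padding + EICAR at end": b"A" * 4096 + EICAR_BYTES,
        "EICAR at start + 4 KiB padding": EICAR_BYTES + b"A" * 4096,
        "5 KB clean file": b"B" * 5000,
    }
    for label, body in samples.items():
        print(label)
        for mode_name, result in compare(body).items():
            print(f"  {mode_name:8s} {result}")
```

Run the module to see all four cases side by side. The point a practitioner should take from it is that in real-time mode a detection never yields a 403 block page: for a file smaller than the hold-back the client receives 200 OK with an empty body (the empty eicar.com and eicar.txt reported in this thread), and for a larger file it receives everything except the tail and then a reset. The only evidence of the detection is therefore the proxy's malware log, which is why an empty file combined with an empty malware log is the combination worth escalating to support. The third sample also makes visible a consequence of the described mechanism: any bytes before the hold-back boundary have already reached the client before the verdict is known, so a detection placed early in a large file is truncated, not withheld.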
       
        
       
        
       
       
       
       
       
       
       
       
       
     * FormerMember, over 6 years ago, in reply to Michael Dunn
       
       Hello Michael Dunn,
       
        
       
       As I've written before, the EICAR files are without any content/code.
       
       In the EICAR.zip file there is no file inside the zip, and in both
       eicar.txt and eicar.com there is no code inside the files; they are
       empty.
       
       What I am concerned about is that EICAR is NOT logged as a virus by XG.
       
        
       
       Regards Meghan
       
       
       
       
       
       
       
       
       
     * Michael Dunn, over 6 years ago, in reply to FormerMember
       
       So SFOS is blocking correctly, this is just a logging problem.
       
       So to confirm:
       You click on Log Viewer.  In the pop-up you say View logs for Malware. 
       There is nothing there?
       
       Just as a double check:
       Go to System Services, Log Settings.  Under Anti-virus, everything is
       checked.
       
       
       
       If everything looks good but still no logs....  I'm not sure.  reboot?
       
       
       
       
       
       
       
       
       
     * FormerMember, over 6 years ago, in reply to Michael Dunn
       
       Hi,
       
       I've just checked these things, and no Virus is logged.
       
       The log settings are correct.
       
       I've tried rebooting, but nothing changed.
       
       Regards Meghan
       
       
       
       
       
       
       
       
       
     * Michael Dunn, over 6 years ago, in reply to FormerMember
       
       I cannot think of anything that would make logging work when in Batch
       mode and logging not work when in Real Time.
       
       I don't think there is anything else in the forums that could help... 
       Other people have confirmed it works for them.  If you wanted to follow
       up further, I would contact Sophos Support.
       
       
       
       
       
       
       
       
       
 * Rick Leslie, over 6 years ago
   
   FWIW: I've just tried downloading all of the EICAR files and they were
   blocked in both HTTPS and HTTP. I also created a .txt test file in Notepad,
   pasted the EICAR text into it and sent it to myself as an attachment;
   that was also blocked.
   
   I'm in dual AV scanning, real-time mode.
   
   
   
   --------------------------------------------------------------------------------
   
    
   
   Self-employed computer technician (mostly domestic) and photographer.
   
   Language: English English (UK) - No, NOT (U.S.).
   Why is it that the IT world assumes that if you speak English then it is
   American, not English.
   English did not come from America, that's why it's not called American!!!
   
   
   
   
   
   
   
   
   * rfcat_vk, over 6 years ago, in reply to Rick Leslie
     
     Hi Rick,
     
     love your signature. I agree entirely and I find the Americanisation of
     words very frustrating.
     
     Ian
     
     
     
     XG115W - v19.5.2 mr-2 - Home
     
     If a post solves your question please use the 'Verify Answer' button.
     
     
     
     
     
     
     
     

Bearbeiten
Einfügen
Format
Tabelle
Tools

Bearbeiten
Einfügen
Format
Tabelle
Tools


Vollständiger EditorAls Antwort vorschlagen
Antworten




Ungefiltertes HTML
 * Getting started
 * Legal
 * Privacy
 * Cookies



© 1997 - 2023 Sophos Ltd. All rights reserved.