I recently bought an ISA550W and am currently evaluating the security features - therefore I tried to download the Eicar "dummy" test virus.
I expected the ISA550W to deny the download, but it got through without a warning.
I tried to download the file from http://www.etes.de/downloads/eicar-testvirus/?file=tl_files/etes/downloads/anwenden/eicar.com, as the eicar website seems to get blocked by one of the other security services.
So the question is:
- is the antivirus service really working?
- how would that be tested typically?
I don't know how you have done the AntiVirus setup, but I promise you this is working. This is always the first thing I do with every virus scanner, to see what happens when the program stops or prevents the download.
Can you send screenshots of the configuration you have done?
I tried again this morning and now I get a disconnect (as expected) - so it seems to work now (I made a few changes yesterday, so probably that was not enabled correctly).
However I do not see this event in the "security reports"/"Anti virus", although I do see other events in there (so antivirus seems to do its work). Looking at the IP address in the logs this seems to get blocked by the IDS rules (I do see the www.etes.de IP address being blocked in the "security reports"/"IDS").
What is also interesting is that the IDS rules also seem to block the Wikipedia page on the EICAR test (http://de.wikipedia.org/wiki/EICAR-Testdatei) but it does not block the same page accessed over https (
So the questions are now:
Hello H. Erne,
I tested from our lab here by going to the site - http://www.eicar.org/85-0-Download.html
-From there each time I tried to download using one of the HTTP links, the connection was blocked or reset. This is good news.
-When I tried to download using the HTTPS connections, however, it did let me download them. This is not such good news.
I am certain that this is due to the handling of traffic. When connecting with HTTPS, the secure session is set up without issue, followed by traffic passing. The ISA is not able to read encrypted traffic and thus it is allowed.
Just remember the ISA is a major security enhancement, but not a total substitute for local protections.
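The HTTP-versus-HTTPS comparison described in this reply can be scripted so the same test is repeatable after every policy change. The script below is an added example, not part of the thread or a Cisco tool; it assumes curl is installed on a client behind the gateway, that the etes.de URL quoted earlier is also reachable over https (an assumption), and it classifies each fetch as blocked, allowed (EICAR arrived), or allowed (something else, e.g. a block page, arrived).

```shell
#!/bin/sh
# Added example: probe whether the gateway stops the EICAR test file
# on HTTP and on HTTPS. Usage: sh eicar_probe.sh URL...
# With no arguments the two default URLs (http and https variant of the
# link quoted in the thread) are used; the https variant is an assumption.

# classify_result CURL_EXIT_CODE FILE
# Prints: blocked | allowed-eicar | allowed-other | error-<code>
classify_result() {
    code="$1"; file="$2"
    # A gateway reset/drop shows up as one of these curl exit codes:
    # 7 connection refused, 28 timeout, 52 empty reply, 56 recv failure
    case "$code" in
        7|28|52|56) echo blocked; return ;;
    esac
    if [ "$code" -ne 0 ]; then
        echo "error-$code"; return
    fi
    # Match only the marker substring, not the full EICAR signature,
    # so this script itself is not flagged by a local scanner.
    if grep -q 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE' "$file" 2>/dev/null; then
        echo allowed-eicar
    else
        echo allowed-other
    fi
}

# probe URL: fetch once, print "<scheme> <result>"
probe() {
    url="$1"; out="$(mktemp)"
    if curl -sS --max-time 20 -o "$out" "$url" 2>/dev/null; then rc=0; else rc=$?; fi
    case "$url" in https://*) scheme=https ;; *) scheme=http ;; esac
    printf '%-5s %s\n' "$scheme" "$(classify_result "$rc" "$out")"
    rm -f "$out"
}

main() {
    if [ "$#" -eq 0 ]; then
        set -- \
          'http://www.etes.de/downloads/eicar-testvirus/?file=tl_files/etes/downloads/anwenden/eicar.com' \
          'https://www.etes.de/downloads/eicar-testvirus/?file=tl_files/etes/downloads/anwenden/eicar.com'
    fi
    for u in "$@"; do probe "$u"; done
}

# Only run the network probes when invoked as a script with "--run".
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

A healthy gateway-side AV/IDS policy shows `blocked` for http; `allowed-eicar` on the https line is the encrypted-traffic gap the reply above describes, and `allowed-other` means a block page or redirect was served instead of the file.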
It is perfectly clear that the ISA500 is not a 100% security solution, however I try to understand what its features and limitations are - there are a lot of features built in and it is quite difficult to get a feeling for what is in the box and what is not...
The competitors (at least Fortinet's FortiGate C-Series, not sure about SonicWall TZ) support that - they can inspect all SSL traffic - so their AV/IDS works over https encrypted connections also - which from a security point of view is a clear advantage...