Hi,
You pasted the same accesslogs from your first post and didn't checked for amp and archiveinspect logs...
Still, based on accesslogs, I don't know for sure why the 1st request was denied but the 2nd one was successful. I can just make assumptions that it's either a wanted behaviour (like the max. number of AMP scans in flight has been reached and the file is allowed) or a bug.
In the 1st request you can clearly see that AMP was the one blocking the file transfer.
1626075135.000 59953 10.1.1.119 TCP_DENIED_SSL/403 0 GET https://downloads.solarwinds.com:443/solarwinds/Release/SU/15.2.3/SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz - DIRECT/downloads.solarwinds.com application/x-gzip BLOCK_AMP_RESP_12-<Policy>-<Profile>-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"IW_comp",5.0,1,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_comp",-,"Unknown","Computers and Internet","-","Unknown","Unknown","-","-",0.00,0,-,"Unknown","-",2,"-",-,-,"-","-",-,2,"-",-,-> - - x-amp-verdic 2, x-amp-malware-name -, x-amp-upload -,x-amp-filename -, x-amp-sha –
BLOCK_AMP_RESP | The Web Proxy blocked the response based on the Advanced Malware Protection settings for the Access Policy group. |
x-amp-verdict | Verdict from Advanced Malware Protection file scanning: - 0: File is not malicious.
- 1: File was not scanned because of its file type.
- 2: File scan timed out.
- 3: Scan error.
- Greater than 3: File is malicious.
|
The 2nd request seems to be just fine:
1626075221.631 3770 10.1.1.119 TCP_MISS_SSL/200 14810991 GET https://downloads.solarwinds.com:443/solarwinds/Release/SU/15.2.3/SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz - DIRECT/downloads.solarwinds.com application/x-gzip DEFAULT_CASE_12-<Policy>-<Profile>-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"IW_comp",5.0,1,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,"IW_comp",-,"Unknown","Computers and Internet","-","Unknown","Unknown","-","-",31429.16,0,-,"Unknown","-",0,"-",0,0,"SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz","428aa2d1923bcadc751b366dbddbbdd5257aa8e5e97c88a2cce62e749e9d4182",4,ARCHIVESCAN_UNSCANABLE,"UnScanable Concurrent Requests Exceeded-Allowed",-,-> - - x-amp-verdic 0, x-amp-malware-name -, x-amp-upload 0,x-amp-filename SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz, x-amp-sha 428aa2d1923bcadc751b366dbddbbdd5257aa8e5e97c88a2cce62e749e9d4182
DEFAULT_CASE | The Web Proxy allowed the client to access the server because none of the AsyncOS services, such as Web Reputation or anti-malware scanning, took any action on the transaction. |
| Verdict from the AMP reputation server for the file: 1 – Unknown 2 – Clean 3 – Malicious 4 – Unscannable
|
ARCHIVESCAN_UNSCANABLE – The archive is blocked because it contain a file which cannot be scanned. The Verdict Detail is “UnScanable Archive-Blocked.”
x-amp-verdict | Verdict from Advanced Malware Protection file scanning: - 0: File is not malicious.
- 1: File was not scanned because of its file type.
- 2: File scan timed out.
- 3: Scan error.
- Greater than 3: File is malicious.
|
x-amp-upload | Indicator of upload and analysis request: “0” indicates that Advanced Malware Protection did not request upload of the file for analysis. “1” indicates that Advanced Malware Protection did request upload of the file for analysis. |
References:
https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010111.html#con_1599723
BR,
Octavian
