Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1231
Views
0
Helpful
4
Replies

Web Security Appliance - Malware End-user Notification

pierre-alain.tallot
Level 1
Level 1

‎07-24-2015 12:13 AM

Hello,

 

We are currently setting up a Web Security Appliance S380 to one of our customers.

There is a question that we would like to ask about the notification received by the end-user.

 

When we try to download a malware file from http://www.eicar.org/85-0-Download.html the connection is reset.

No notification or information that a malware has been found, and no information either in the accesslogs.

 

The notification when the site is blocked for "BLOCK-WEBCAT" is working correctly, but not for malware.

Is there a way to enable this notification for the end-user?

 

Thanks.

Regards,

Labels:
0 Helpful
4 Replies 4

Handy Putra
Cisco Employee
Cisco Employee

‎07-25-2015 09:45 PM

Hello,

 

Which eicar file that you are trying to download? since from the look of it all the vicar files under protocol HTTP from that site are broken and getting browser error page.

However if you are downloading vicar files under the HTTPS protocol and the connection been Decrypted by WSA, you will then get the block page from WSA.

Also in WSA access policy make sure you have set the category for this to 'Monitor' therefore the appliance can perform anti Malware/Virus scanning and also from the access policy under "Access Policies: Anti-Malware and Reputation Settings" make sure you have set the 'block' action for necessary Malware categories and Other categories.

When you download the eicar file under the HTTPS protocol, you should seeing similar below access logs:

1437885646.423 975 10.137.76.158 TCP_MISS_SSL/200 39 CONNECT tunnel://secure.eicar.org:443/ - DIRECT/secure.eicar.org - DECRYPT_WEBCAT_7-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_csec,0.8,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_csec,-,"-","-","Unknown","Unknown","-","-",0.32,0,-,"-","-",-,"-",-,-,"-","-"> 


1437885647.198 774 10.137.76.158 TCP_DENIED_SSL/403 0 GET https://secure.eicar.org:443/eicar.com - DIRECT/secure.eicar.org application/octet-stream BLOCK_AMW_RESP_12-handy.access-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_csec,0.8,23,"EICAR-AV-Test",0,536029,13538,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_csec,-,"Trojan Horse","-","Unknown","Unknown","-","-",0.00,0,-,"Unknown","EICAR-AV-Test",-,"-",-,-,"-","-"> 

 

0 Helpful

pierre-alain.tallot
Level 1
Level 1
In response to Handy Putra

‎07-27-2015 12:52 AM

Hello,

 

Thank you for your answer.

Actually, we first want to make it succeed for the HTTP protocol.

 

Concerning all the settings you told me, I put them correctly; default action is "Monitor" in the Access Policies and for advanced malware the default action for all malware categories is "Block".

I show you a printscreen of what I get for the http address : http://www.eicar.org/download/eicar.com

 

And in the accesslogs I have this line written:

1437983431.011 0 172.16.14.193 TCP_DENIED/407 0 GET http://www.eicar.org/download/eicar.com - NONE/- - OTHER-NONE-test_AD-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> -


1437983431.023 0 172.16.14.193 TCP_DENIED/407 0 GET http://www.eicar.org/download/eicar.com - NONE/- - OTHER-NONE-test_AD-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> -


1437983431.060 30 172.16.14.193 TCP_MISS/200 0 GET http://www.eicar.org/download/eicar.com "domain\user@user" DIRECT/www.eicar.org application/octet-stream OTHER-NONE-test_AD-malware_policy-NONE-NONE-DefaultGroup <IW_csec,-1.2,0,"-",0,0,0,1,"-",-,-,-,"-",-,-,"-","-",-,-,IW_csec,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"Unknown","-",-,"-",-,-,"-","-"> -

 

We tried this Eicar URL with another web proxy and it showed the explicit blocked malware page, on the http protocol as well, so the problem is not coming from Eicar website.

 

We would appreciate your help.

Regards,

Preview file
44 KB
0 Helpful

Handy Putra
Cisco Employee
Cisco Employee
In response to pierre-alain.tallot

‎08-01-2015 08:37 PM

Hello,

You are correct, looks like it is WSA appliance issue.

What is the version of the WSA? if its running 8.5.2-027, confirmed hitting defect CSCuu92408 (EICAR/Malware download aborting with AV positive match).

I have tested with WSA version 7.7.0 and 8.0.8 and they are all works right away however in version 8.5.2-027, WSA will give out TCP_MISS/200 in the logs while in the browser getting browser error page or connections reset in Firefox.

 

The workaround in the defect is to disabled the Adaptive Scanning or AVC, however i have tried that but still the WSA resetting the connections in that version.

The only way to get it to block for port 80 connections for downloading Eicar file is to create custom URL category and block it from there.

For that defect, looks like the development team is still working on it and no fix yet available.

0 Helpful

pierre-alain.tallot
Level 1
Level 1
In response to Handy Putra

‎08-03-2015 01:09 AM

Hello,

 

OK thanks for your answer, I will have a look at it.

 

Regards,

0 Helpful
Customers Also Viewed These Support Documents