Showing results for 
Search instead for 
Did you mean: 

Web Security Appliance - Malware End-user Notification



We are currently setting up a Web Security Appliance S380 to one of our customers.

There is a question that we would like to ask about the notification received by the end-user.


When we try to download a malware file from the connection is reset.

No notification or information that a malware has been found, and no information either in the accesslogs.


The notification when the site is blocked for "BLOCK-WEBCAT" is working correctly, but not for malware.

Is there a way to enable this notification for the end-user?




Cisco Employee



Which eicar file that you are trying to download? since from the look of it all the vicar files under protocol HTTP from that site are broken and getting browser error page.

However if you are downloading vicar files under the HTTPS protocol and the connection been Decrypted by WSA, you will then get the block page from WSA.

Also in WSA access policy make sure you have set the category for this to 'Monitor' therefore the appliance can perform anti Malware/Virus scanning and also from the access policy under "Access Policies: Anti-Malware and Reputation Settings" make sure you have set the 'block' action for necessary Malware categories and Other categories.

When you download the eicar file under the HTTPS protocol, you should seeing similar below access logs:

1437885646.423 975 TCP_MISS_SSL/200 39 CONNECT tunnel:// - DIRECT/ - DECRYPT_WEBCAT_7-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_csec,0.8,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_csec,-,"-","-","Unknown","Unknown","-","-",0.32,0,-,"-","-",-,"-",-,-,"-","-"> 

1437885647.198 774 TCP_DENIED_SSL/403 0 GET - DIRECT/ application/octet-stream BLOCK_AMW_RESP_12-handy.access-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_csec,0.8,23,"EICAR-AV-Test",0,536029,13538,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_csec,-,"Trojan Horse","-","Unknown","Unknown","-","-",0.00,0,-,"Unknown","EICAR-AV-Test",-,"-",-,-,"-","-"> 





Thank you for your answer.

Actually, we first want to make it succeed for the HTTP protocol.


Concerning all the settings you told me, I put them correctly; default action is "Monitor" in the Access Policies and for advanced malware the default action for all malware categories is "Block".

I show you a printscreen of what I get for the http address :


And in the accesslogs I have this line written:

1437983431.011 0 TCP_DENIED/407 0 GET - NONE/- - OTHER-NONE-test_AD-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> -

1437983431.023 0 TCP_DENIED/407 0 GET - NONE/- - OTHER-NONE-test_AD-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> -

1437983431.060 30 TCP_MISS/200 0 GET "domain\user@user" DIRECT/ application/octet-stream OTHER-NONE-test_AD-malware_policy-NONE-NONE-DefaultGroup <IW_csec,-1.2,0,"-",0,0,0,1,"-",-,-,-,"-",-,-,"-","-",-,-,IW_csec,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"Unknown","-",-,"-",-,-,"-","-"> -


We tried this Eicar URL with another web proxy and it showed the explicit blocked malware page, on the http protocol as well, so the problem is not coming from Eicar website.


We would appreciate your help.




You are correct, looks like it is WSA appliance issue.

What is the version of the WSA? if its running 8.5.2-027, confirmed hitting defect CSCuu92408 (EICAR/Malware download aborting with AV positive match).

I have tested with WSA version 7.7.0 and 8.0.8 and they are all works right away however in version 8.5.2-027, WSA will give out TCP_MISS/200 in the logs while in the browser getting browser error page or connections reset in Firefox.


The workaround in the defect is to disabled the Adaptive Scanning or AVC, however i have tried that but still the WSA resetting the connections in that version.

The only way to get it to block for port 80 connections for downloading Eicar file is to create custom URL category and block it from there.

For that defect, looks like the development team is still working on it and no fix yet available.




OK thanks for your answer, I will have a look at it.