Anti-virus not blocking EICAR tests

frerealexis
frerealexis Posts: 21  Freshman Member
edited April 2021 in Security

My anti-virus is licenced OK. All instructions have been followed as indicated at How to test the EICAR Anti-Virus test file? But the EICAR virus tests are not blocked by the USG210. The virus gets to my PC and my Windows Defender destroys it, but no logs are present in the UTM statistics or logs.

All Replies

  • frerealexis
    frerealexis Posts: 21  Freshman Member

    My device is A0:E4:CB:84:38:01 ; serial number S152L21560739

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee

    Hi @frerealexis,

    If you download the test EICAR files by using an HTTPS link, you need to enable SSL inspection.

    You can follow the steps in the FAQ to enable SSL inspection and import certificate to the test PC.

    How to block HTTPS websites using Content Filtering and SSL Inspection?

    Make sure the signature version is the latest 2.0.2.549.

    Enable “Scan and detect EICAR test virus”.

    Enable SSL Inspection in the security policy rule.

  • frerealexis
    frerealexis Posts: 21  Freshman Member
    1. Concerning the HTTP links: the firewall does not stop them.
    2. Concerning HTTPS: yes, SSL is activated, but when I update the certificate, it runs and then I get this message: SSL Certificate version 1.1.064 on device is latest. (success) at Mon Nov 18 08:45:43 2019. So I can't get the latest version.
    3. Concerning HTTPS: I could not post this comment until deactivating SSL because of this certificate error: MOZILLA_PKIX_ERROR_MITM_DETECTED, which made me laugh...
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee

    Hi @frerealexis,

    Download eicar.txt/eicar.zip via HTTPS

    The PC is still able to download the file successfully, but the file cannot be extracted, or the content will be modified to “0”. And the USG will display a log that it destroyed the file.

    Download eicar.txt/eicar.zip via HTTP

    Before the file is downloaded, the action is detected by Antivirus software on the PC at the handshaking stage.

  • frerealexis
    frerealexis Posts: 21  Freshman Member

    When I try http to this site : http://www.eicar.org/download/eicar.com.txt, I first get the warning message generated by the UTM PROFILE filtering.

    But I can still continue and download successfully.

    And when I try HTTPS it comes through directly.

    I cannot continue testing. For me the USG210 does not block virus.

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee

    Hi @frerealexis,

    I applied your configuration file on a USG210 and enabled #2 of the security policy rules.

    I connected one PC in LAN2 and imported the default certificate to the PC.

    I downloaded eicar.txt and eicar.zip via HTTPS. EICAR is detected and destroyed.

    If you’d like to check why EICAR is not detected at your site, feel free to contact me in private message and share the remote access with me.

  • frerealexis
    frerealexis Posts: 21  Freshman Member

    Thank you Emily, but I cannot install the certificate on 40 PCs on my network. Why is it necessary to have a certificate on EACH PC? Why can't the firewall detect the virus before sending it to the PC?

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee

    Hi @frerealexis,

    For HTTPS traffic, SSL Inspection decrypts the packets and scans them with the UTM functions. Clients need to support the certificate and import it: because the certificate has been changed, the client will check with the CA server. That’s why the client needs to import the certificate that is generated by the USG.

    If you’d like to check why EICAR is not detected at your site, feel free to contact me in private message and share the remote access with me.

  • Well, I have used Zyxel firewalls since 2006.

    I read in the past that EICAR test files can be downloaded anyway, but please deactivate the antivirus on the PC, deactivate IDP and CF on the firewall, leave the antivirus active on the firewall (also in the firewall rules), go to the EICAR site and download the TXT virus file over HTTP, then check the firewall logs: you must see a log. Then open the TXT file downloaded to the PC. Yes, you can download it, but please open it: you will see something different instead of the original content of the file. If not satisfied, also deactivate the antivirus on the firewall, download the same TXT file and open it to see the content, then reactivate the antivirus on the firewall, redownload the same file, open it and you'll see different content.

    Regarding HTTPS downloads, I can't speak; I don't have an SSL-inspecting firewall, but I know that certificates on the devices are mandatory.

    I'll tell you another thing that has already happened to me: if my firewall has IDP and CF activated, I never see an antivirus blocking log, because the download is always blocked first by the CF service and logged; sometimes after the CF log I can see the IDP service log that also notifies the block of the "attack". I said "sometimes" because I have a good USG60, but it is not so fast with all services activated, as I have found over the years. (Until one month ago I had a 12/1 Mb/s WAN; now I must deactivate AV because the appliance discards packets with a double WAN for a total of 80/20, and the obtained throughput is always 50/20 down/up.)

    Do your tests; I can't believe your firewall can't block the EICAR virus.
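To make the two checks described in this thread repeatable (Emily's expected HTTP/HTTPS outcomes, and the "open the downloaded file and compare its content" procedure in the last reply), here is an added Python helper that is not from the thread, from Zyxel, or from either poster. It identifies an intact EICAR file by its published SHA-256 rather than by embedding the test string, treats a body consisting only of "0" characters as the "destroyed" case Emily describes (an assumption based on her wording), and maps the pair of HTTP/HTTPS results to the explanations the thread gives; `classify_download` and `diagnose` are names chosen here.

```python
import hashlib

# Published SHA-256 of the canonical 68-byte EICAR test string.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def classify_download(data: bytes) -> str:
    """Classify what happened to a downloaded eicar.txt body.

    Returns "intact", "destroyed", "empty" or "other".  The EICAR standard
    permits trailing whitespace/newlines, so they are stripped before hashing.
    """
    body = data.rstrip(b" \t\r\n")
    if not body:
        return "empty"
    if hashlib.sha256(body).hexdigest() == EICAR_SHA256:
        # The gateway passed the file untouched; only the PC's own AV can catch it.
        return "intact"
    if body.strip(b"0") == b"":
        # Content replaced with "0", the behaviour the thread attributes to the USG.
        return "destroyed"
    return "other"


def diagnose(http_result: str, https_result: str) -> str:
    """Map the HTTP and HTTPS classifications to the thread's explanations."""
    http_ok = http_result != "intact"      # gateway acted on the plain-HTTP download
    https_ok = https_result != "intact"    # gateway acted on the HTTPS download
    if not http_ok and not https_ok:
        return ("anti-virus profile not applied: check the security policy rule, "
                "the 'Scan and detect EICAR test virus' option and the signature version")
    if http_ok and not https_ok:
        return ("HTTPS not decrypted: SSL Inspection is not enabled in the rule "
                "or the USG certificate is not imported/trusted on the client")
    if not http_ok and https_ok:
        return "HTTP passed unscanned while HTTPS was scanned: verify the rule also covers plain HTTP"
    return "gateway anti-virus acted on both downloads: confirm the matching entries in the UTM log"


if __name__ == "__main__":
    # Constructed sample: an empty HTTP body and a single "0" for HTTPS.
    print(diagnose(classify_download(b""), classify_download(b"0")))
```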
