Unable to let anti-virus work

dtmtech
dtmtech Posts: 11
First Anniversary First Comment
edited April 2021 in Security
I have a USG110 firewall (last firmware 4.62) which I cannot configure properly to scan viruses. I am using eicar.com as reference -> http://www.eicar.org/download/eicar.com.txt.

While it is understood https sites are not checked unless SSL scan is activated (but this does not allow to access non-https sites) there is no way to activate the ZyXEL antivirus even with http sites. Needless to say both antivirus and antispam licenses are valid and activated. I also tried implementing a blacklist rule for some type of files without success (following https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015554&lang=EN# )

UTM profile and security policies are configured according to the attached images. What am I doing wrong?

Thank you

Davide

All Replies

  • USG_User
    USG_User Posts: 369  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Did you activate "Scan and detect EICAR test virus" in UTM Profile > Antivirus?


  • USG_User said:
    Did you activate "Scan and detect EICAR test virus" in UTM Profile > Antivirus?



    same as in your picture
  • USG_User
    edited February 2021
    First, and regardless of any A/V scans, you should not create a rule which allows anything in the first position of your rule set. Any traffic matches this rule and can pass the firewall! You should create different single rules, e.g. for website access: from LAN1 to WAN only for ports 80, 8080 and 443. And additionally you assign a UTM profile to that specific "website" rule, for example A/V when it makes sense to scan this website traffic for viruses.

    Regarding your A/V scan problem ... what are your settings within the A/V profile management?


  • USG_User said:
    First, and regardless of any A/V scans, you should not create a rule which allows anything in the first position of your rule set. Any traffic matches this rule and can pass the firewall! You should create different single rules, e.g. for website access: from LAN1 to WAN only for ports 80, 8080 and 443. And additionally you assign a UTM profile to that specific "website" rule, for example A/V when it makes sense to scan this website traffic for viruses.

    Regarding your A/V scan problem ... what are your settings within the A/V profile management?



    You are right, indeed; the snapshot (any->any) was the last attempt after having started from "LAN2 (my network) -> WAN (internet router)" and having also tried "LAN2 -> any" as suggested in some ZyXEL support sheet. The A/V profile is set as shown below, but I also tried with check white/black list (also tried with a dedicated black list profile for certain files, e.g. *.pdf, without success).
  • USG_User
    How did you test the EICAR test virus? Do you know that you have to pass to another USG zone for the rules to be applied? For example, copying the test virus from one computer to another in your LAN2 does nothing because traffic within your LAN2 will not pass the USG. You have to download the test virus from the internet, for example. Also sending by email wouldn't work since the POP3 or IMAP access to the ISP is mostly SSL encrypted and not readable without SSL inspection.
  • USG_User said:
    How did you test the EICAR test virus? Do you know that you have to pass to another USG zone for the rules to be applied? For example, copying the test virus from one computer to another in your LAN2 does nothing because traffic within your LAN2 will not pass the USG. You have to download the test virus from the internet, for example. Also sending by email wouldn't work since the POP3 or IMAP access to the ISP is mostly SSL encrypted and not readable without SSL inspection.

    As written at the beginning, I am downloading it from the internet, e.g. http://www.eicar.org/download/eicar.com.txt.
  • USG_User
    Sorry.

    I will test it here with the link ...
  • USG_User
    I was not able to reconstruct the EICAR download. The problem is that the website is https encrypted and that's why our USG is not able to "look inside" the encrypted packets. And the http download is presently not available with eicar.org.
    That's why I tried to copy the eicar.com.txt from one LAN zone into another, with the MS A/V switched off at the destination client machine. But also in that case something was blocking the copy process because a virus was found. But this was not the client and not the USG.

    Finally, we considered several times in the past to no longer purchase an A/V licence for the USG since nearly all traffic is encrypted nowadays and we don't want to implement SSL inspection. But single licences would cost more than a licence bundle which includes all licences.
    SSL inspection is ultimately a broken encryption chain where certificates are exchanged. And for example, in case of online banking, what would you say if the banking certificate is replaced by a USG SSL certificate? I wouldn't trust any connection if I don't see the bank certificate in the browser.

    But if you could provide an http or ftp download for the EICAR test virus, I could give it a try for you.

  • USG_User said:
    I was not able to reconstruct the EICAR download. The problem is that the website is https encrypted and that's why our USG is not able to "look inside" the encrypted packets. And the http download is presently not available with eicar.org.
    That's why I tried to copy the eicar.com.txt from one LAN zone into another, with the MS A/V switched off at the destination client machine. But also in that case something was blocking the copy process because a virus was found. But this was not the client and not the USG.

    Finally, we considered several times in the past to no longer purchase an A/V licence for the USG since nearly all traffic is encrypted nowadays and we don't want to implement SSL inspection. But single licences would cost more than a licence bundle which includes all licences.
    SSL inspection is ultimately a broken encryption chain where certificates are exchanged. And for example, in case of online banking, what would you say if the banking certificate is replaced by a USG SSL certificate? I wouldn't trust any connection if I don't see the bank certificate in the browser.

    But if you could provide an http or ftp download for the EICAR test virus, I could give it a try for you.

    Feedback much appreciated, thank you. Indeed, my conclusion too is that A/V (and antispam, as everything goes through SSL) is quite useless (even if it would work, which seems not to be the case) as now almost everything goes through https.

    The links I provided before are not https (not available through the website, but they all work):

    None of them are found by the USG110.

    I also checked that A/V service scans the correct ports (i.e. 80,21 etc.) and it seems so. I also made simpler tests trying to blacklist specific files with defined extensions and also this does not work.



  • USG_User
    The provided links to eicar.org seem to be http links but are each redirected to https pages. And once encrypted, the download will pass the firewall.

    We need a real http or ftp download for testing.
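Added example, not from this thread and not Zyxel code: it covers the two points the thread keeps returning to, an http link that silently redirects into https (so a UTM without SSL inspection never sees the payload) and the request for "a real http download" for testing. The script starts a plain-HTTP server on localhost that serves the public EICAR test string at /eicar.com.txt and mimics the eicar.org behaviour at /redirect (a 302 to an https URL); the fetcher follows redirects only while the chain stays on http:// and reports whether the final hop is still inspectable. The https target is a placeholder (example.invalid) and is never contacted; host, port and paths are assumptions for the demo.

```python
"""Local plaintext-HTTP EICAR source plus a redirect-aware fetcher.

Run as a script to start the server and fetch both paths; import it to
use the functions. Needs only the Python standard library.
"""
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# The public EICAR test string (68 bytes). It is split in two so that this
# source file is not itself a complete EICAR sample on disk.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Placeholder https URL the /redirect path points at; it is never contacted.
HTTPS_TARGET = "https://example.invalid/eicar.com.txt"


class EicarHandler(BaseHTTPRequestHandler):
    """Serve the test file over plain HTTP, or mimic an http->https redirect."""

    def do_GET(self):
        if self.path == "/eicar.com.txt":
            body = EICAR.encode("ascii")
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/redirect":
            # Same effect as the eicar.org links in the thread: the http URL
            # answers with a redirect into https.
            self.send_response(302)
            self.send_header("Location", HTTPS_TARGET)
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_server(host="127.0.0.1", port=0):
    """Start the server on a background thread; returns (server, base_url)."""
    server = HTTPServer((host, port), EicarHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://{host}:{server.server_port}"


def fetch_plaintext(url, max_hops=5):
    """Fetch url, following redirects only while they stay on http://.

    Returns a dict with 'chain' (every URL visited or pointed at),
    'inspectable' (True only if the final hop is plaintext HTTP, i.e. a
    UTM without SSL inspection could still see the payload) and 'body'.
    """
    chain = [url]
    for _ in range(max_hops):
        parts = urllib.parse.urlsplit(chain[-1])
        if parts.scheme != "http":
            # Redirected into https: stop here, the payload would be encrypted.
            return {"chain": chain, "inspectable": False, "body": None}
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        if resp.status in (301, 302, 303, 307, 308):
            location = urllib.parse.urljoin(chain[-1], resp.getheader("Location", ""))
            conn.close()
            chain.append(location)
            continue
        body = resp.read()
        conn.close()
        return {"chain": chain, "inspectable": True, "body": body}
    return {"chain": chain, "inspectable": False, "body": None}


if __name__ == "__main__":
    srv, base = start_server()
    for path in ("/eicar.com.txt", "/redirect"):
        result = fetch_plaintext(base + path)
        print(path, "inspectable:", result["inspectable"], "chain:", result["chain"])
    srv.shutdown()
```

To use it against the USG, run the server on a host in a zone other than the client's (the thread notes that LAN2-to-LAN2 traffic never crosses the firewall), then fetch http://<server-ip>:<port>/eicar.com.txt from the client: the download crosses the USG unencrypted, so an A/V profile bound to that policy has something to match. Pointing the fetcher at the eicar.org links first shows whether they redirect into https before any blame lands on the UTM profile.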
