FLEX 200H - detects infected files but passes them on

HUBERTKASPRZAK
HUBERTKASPRZAK Posts: 8  Freshman Member
edited September 16 in USG FLEX H Series

Hello, I have a FLEX 200 H - V1.21(ABWV.0)ITS-24WK35-m5760; the device detects infected files but passes them on.

All Replies

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,627  Zyxel Employee

    Hi @HUBERTKASPRZAK ,

    If the firewall alerts you that a malware-infected file has been found but the file was still forwarded to you, please ensure that the "Destroy Infected File" option is enabled under Security Services > Anti-Malware. This setting ensures that infected files are modified or blocked before being forwarded, preventing them from being executed.

    If you have followed these steps but are still receiving infected files, please provide the following information for further investigation:

    • A screenshot of the relevant configuration
    • The type of issue encountered
    • Logs or screenshots showing the infected file passing through

    Judy

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • HUBERTKASPRZAK
    HUBERTKASPRZAK Posts: 8  Freshman Member
    edited September 21

    This is my configuration. It allows infected files through or does not recognize them, despite the *.zip, *.exe and *.pdf files being infected.
  • HUBERT_KASPRZAK
    HUBERT_KASPRZAK Posts: 7  Freshman Member

    For 1 month, the Flex did not detect 40 infected files in mail; it only detected 2.

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,627  Zyxel Employee

    Hi @HUBERTKASPRZAK,

    "This is my configuration. It allows infected files through or does not recognize them, despite the *.zip, *.exe and *.pdf files being infected."

    We are unclear about your message. Could you please provide the following information as a list?

    • A screenshot of the relevant configuration
    • The type of files encountering the issue
    • Logs or screenshots showing the infected file passing through
    • How you confirmed that the files are infected after they passed through

    Judy


  • HUBERT_KASPRZAK
    HUBERT_KASPRZAK Posts: 7  Freshman Member
    edited October 1

    After observing the device for 1 month with the FLEX 200 H - V1.21(ABWV.0)ITS-24WK35-m5760 software, I found that it did not detect 40 infected emails with the extensions *.bat, *.exe, *.pdf, *.rar, *.img and *.doc. Fortunately, ESET removed the threat after the message was downloaded. Attached are the 200H settings and a screenshot from SecuReporter. I am able to send infected messages to test the operation of the device.

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,627  Zyxel Employee

    Hi @HUBERT_KASPRZAK ,

    Could you clarify which email protocol your service uses? Is it server-to-server SMTP (encrypted) or POP3?

    • If using server-to-server SMTP (encrypted): In most cases, server-to-server communication runs over STARTTLS. When the mail service transmits using encryption, the firewall's anti-malware feature cannot inspect the traffic.
    • If using POP3 for mail receiving: Please provide the infected file, and we will analyze it and get back to you with feedback.

    Judy


  • bbp
    bbp Posts: 66  Ally Member

    These days both POP3 and IMAP are encrypted too. @HUBERTKASPRZAK needs to configure "SSL inspection" for 200H to be able to inspect encrypted traffic.

  • HUBERT_KASPRZAK
    HUBERT_KASPRZAK Posts: 7  Freshman Member

    POP3, standard port 110. Please provide the e-mail address to which the virus messages should be sent.


  • Zyxel_Nami
    Zyxel_Nami Posts: 657  Zyxel Employee

    Hello @HUBERT_KASPRZAK,

    I have just sent you a private message; please provide the file there. Thank you.


    Nami

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,627  Zyxel Employee

    Hi @HUBERT_KASPRZAK ,

    Thank you for providing the test file.

    Regarding our lab test: We used the EICAR test file to verify that our anti-malware software can effectively scan and remove detected files, as shown in this screenshot.

    However, it failed to detect the email attachments you provided. We will investigate solutions to enhance the accuracy of antivirus signature detection.

    Judy

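Added example (not from the thread, not Zyxel code) tying together Judy's point about encrypted mail being opaque to the firewall, bbp's note on SSL inspection, and the EICAR lab test: it classifies whether a POP3 session on a given port is inspectable by a gateway, and builds and checks an EICAR test mail so the "Destroy Infected File" path can be verified end to end without real malware. Host names and addresses are assumptions; the live probe needs a reachable server.

```python
import email
import hashlib
import poplib
from email import policy
from email.message import EmailMessage

# The standard EICAR anti-malware test string; harmless by design.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SHA256 = hashlib.sha256(EICAR.encode("ascii")).hexdigest()


def classify_pop3_session(port, capabilities):
    """Say whether a firewall on the path can inspect this POP3 session.
    `capabilities` is the CAPA response as poplib returns it (dict of
    name -> args); only the capability names matter here."""
    names = {str(name).upper() for name in capabilities}
    if port == 995:
        return "implicit-tls"   # encrypted from byte one; needs SSL inspection
    if "STLS" in names:
        return "stls-offered"   # client may upgrade; only the cleartext part is visible
    return "cleartext"          # port 110 without STLS: anti-malware can scan


def probe_pop3(host, port=110, timeout=5):
    """Live probe (assumed host): connect, read CAPA, classify."""
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        return classify_pop3_session(port, conn.capa())
    finally:
        conn.quit()


def build_eicar_test_mail(sender, recipient, filename="eicar.com"):
    """MIME message carrying the EICAR file, to exercise the scan path."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "anti-malware path test (EICAR)"
    msg.set_content("EICAR test attachment; the gateway should flag or destroy it.")
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


def attachment_survived(raw_message):
    """True if the delivered copy still carries the unmodified EICAR payload,
    i.e. the firewall neither blocked nor destroyed the infected file."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        if digest == EICAR_SHA256:
            return True
    return False
```

Send the built message to a mailbox fetched through the firewall over cleartext POP3, then run `attachment_survived` on the raw message the client stored; True means the scan path is not catching even the test file.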