Apologies if this is a silly question.
We have a rule called Bypass AV Scanning for Downloads over 300MB from Trusted Domains
with the following condition:
URL.Host.BelongstoTrustedDomains <List of Trusted Domains> equal true AND Body.Size greater than or equals 300000000
Action: Stop Rule Set (So doesn't hit the Malware Scanning Rule)
Before this rule in the ruleset is an Enable Opener rule which the request/ response will hit.
My question is the following:
Suppose I have a large zip file of 325MB that I have downloaded from one of my trusted domains. The zip file contains many files of sizes between 1 MB and 500MB which are extracted by the Enable Opener rule set.
Do any of the embedded files get scanned as individually some are less than 300 MB?
Do none of the embedded files get scanned as the parent container has size greater than 300MB?
Do only those embedded files smaller than 300MB get scanned?
Thanks for helping my understanding.
I did some tests on our test web gateway where I did some logging during the cycle, and not just at the Logging Cycle at the end.
I downloaded some rpms from the Fedora repository at
https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/p/
This is good for testing as there are rpm files of all sizes which contain individual files.
What I noticed was the following:
In answer to my question:
Do any of the embedded files get scanned as individually some are less than 300 MB? Yes
Do none of the embedded files get scanned as the parent container has size greater than 300MB? No
Do only those embedded files smaller than 300MB get scanned? Yes