Embedded Objects and Malware scanning rule with Body.Size

Apologies if this is a silly question.

We have a rule called Bypass AV Scanning for Downloads over 300MB from Trusted Domains

with the following condition:

URL.Host.BelongstoTrustedDomains <List of Trusted Domains> equal true AND Body.Size greater than or equals 300000000

Action: Stop Rule Set (so it doesn't hit the Malware Scanning Rule)

Before this rule in the ruleset is an Enable Opener rule which the request/response will hit.

My question is the following:

Suppose I have a large zip file of 325MB that I have downloaded from one of my trusted domains. The zip file contains many files of sizes between 1 MB and 500MB which are extracted by the Enable Opener rule set.

Do any of the embedded files get scanned as individually some are less than 300 MB?

Do none of the embedded files get scanned as the parent container has size greater than 300MB?

Do only those embedded files smaller than 300MB get scanned?

Thanks for helping my understanding.

 

 

Accepted Solutions

Re: Embedded Objects and Malware scanning rule with Body.Size

I did some tests on our test web gateway where I did some logging during the cycle, and not just at the Logging Cycle at the end.

I downloaded some rpms from the Fedora repository at

https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/p/

This is good for testing as there are rpm files of all sizes which contain individual files.

What I noticed was the following:

  • Each Embedded Object had its own Body.Size and FileName
  • Each Embedded Object was evaluated against the policy.

In answer to my question:

Do any of the embedded files get scanned as individually some are less than 300 MB? Yes

Do none of the embedded files get scanned as the parent container has size greater than 300MB? No

Do only those embedded files smaller than 300MB get scanned? Yes
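
An added example, not part of the original posts and not McAfee Web Gateway code: a Python model of the behaviour reported in the accepted answer, applying the page's bypass condition to the container and to each embedded file of a ZIP. The host name, the function names and the scaled-down sizes in the constructed sample are assumptions, as is treating an embedded object's Body.Size as its extracted size.

```python
import io
import zipfile

THRESHOLD = 300_000_000  # Body.Size limit from the bypass rule on this page


def decide(host, body_size, trusted_hosts, threshold=THRESHOLD):
    """Model of the rule: trusted host AND Body.Size >= threshold -> Stop Rule Set."""
    if host in trusted_hosts and body_size >= threshold:
        return "bypass"  # the malware scanning rule is never reached
    return "scan"


def audit_zip(data, host, trusted_hosts, threshold=THRESHOLD):
    """Return {name: decision} for the container and every embedded file.

    Assumption: an embedded object's Body.Size equals its extracted size.
    """
    result = {"<container>": decide(host, len(data), trusted_hosts, threshold)}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Each embedded object is evaluated with its own size, not the parent's.
            result[info.filename] = decide(
                host, info.file_size, trusted_hosts, threshold)
    return result


def build_sample_zip():
    """Constructed sample archive; sizes are scaled down so it runs instantly."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("small.bin", b"\0" * 1_000)
        zf.writestr("large.bin", b"\0" * 5_000)
        zf.writestr("docs/readme.txt", b"x" * 200)
    return buf.getvalue()


if __name__ == "__main__":
    trusted = {"downloads.example.com"}  # hypothetical trusted domain
    # Threshold scaled to 3,000 bytes to match the constructed sample.
    report = audit_zip(build_sample_zip(), "downloads.example.com", trusted, 3_000)
    for name, verdict in report.items():
        print(f"{verdict:6}  {name}")
```

Every entry reported as `bypass` is content that reaches the client without a malware scan, which is the exposure to weigh when choosing the threshold and the trusted-domain list.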

 

 
