Showing results for 
Search instead for 
Did you mean: 
Level 10

Inconsistent skipping of Antimalware Scanning

Hi Guys,

I've been working on having the AV Scanner not engaged for files over a certain size.

I'm using a rule with a Content Length limit OR body.size limit at the top of my antimalware rule.

I've currently set it to 40MB(41943040B) but am experiencing inconsistent behaviour.

I know that sometimes it will go to the progress page and sometimes not depending if the Content length value is available or if the Web Gateway has to calculate and append it after downloading.

However I am seeing a mix of scanning and not scanning when over the file size.

For example, I downloaded the latest dat executable and it went directly to my browser download window, assumabely due to the fact it received the proper content length header info.

I then download a different 70MB exe file, and it takes me to the progress page, and then performs scanning on it as well.

I've noticed that zip files will consistently always go to both the progress and scanning page no matter what.

Has anyone experienced similar behaviour and do you have any recommendations?

I'll attach a screenshot of the basic rules.


0 Kudos
3 Replies
Level 9

Re: Inconsistent skipping of Antimalware Scanning

Hi pcoates,

I have the suspicion you might have a rule that uses the "enable composite opner" event somewhere higher up in your rule sets.

DAT files are probably nothing the mWG can "open" to inspect it, but zip files and most exe's are. so you are skipping AV indeed, but the opener is still applied, meaning it will take that zip file apart and start embedded cycles for every object inside. and if those objects are smaller than 40MB, they might even get AV scanned.

0 Kudos
Level 12

Re: Inconsistent skipping of Antimalware Scanning

In the default Enable Opener rule set, there is no file size criteria placed on Enable Composite Opener so all files that can be opened will be flagged as such. If you want to limit the size of files that are scanned by the AV engine, you could add a limitation there.

Depending on the type of file(s) involved, you may need additional criteria. For example, I've seen a sitation involving a Subversion checkout where MWG pulls down every file in the repo and globs them all into one big temporary file which it then proceeds to extract.

0 Kudos
Level 10

Re: Inconsistent skipping of Antimalware Scanning

Thanks guys, it was the composite open causing issues and just added a size rule to this as well for the desired results


0 Kudos