malware-alerts
Level 10

Issue with skip large files from being scanned


Been playing around with a rule to skip large files from being scanned and am trying to understand the behavior.

I'm using the default "Common rules" ruleset.

I'm putting my "Skip Large Files Scan" right before the "Enable Composite Opener" rule.

The rule has various conditions for being triggered:

  • Connection.Protocol NOT equal FTP
  • Cycle.Name = RESPONSE
  • MediaType.IsArchive = YES
  • Body.Size or Content-Length Header greater than x-bytes

I've also got an event to write to SysLog when the rule triggers.

I know the rule triggers systematically when downloading files larger than X-bytes (I see the entry in syslog.)

BUT

When I set the action to "Stop Cycle" it skips scanning.

When I set the action to "Stop Rule Set" it proceeds to 'Enable Composite Opener' and scans the file anyway.

Can anybody explain why the "Stop Rule Set" does not prevent 'Enable Composite Opener' from executing?

Attached is the screen capture of my ruleset.

Thanks!


Accepted Solutions
McAfee Employee

Re: Issue with skip large files from being scanned


This is happening because Anti-Malware still applies when you have stop ruleset set as the action.

Stop cycle also stops Anti-Malware.

Best,

Jon

diegolocked
Level 7

Re: Issue with skip large files from being scanned


This almost feels like a bug. What version are you running?

malware-alerts
Level 10

Re: Issue with skip large files from being scanned


I'm running v7.2.0.7

McAfee Employee

Re: Issue with skip large files from being scanned


So in essence your rules are working because the opener isn't being applied, but scanning DOES still apply.

Best,

Jon

malware-alerts
Level 10

Re: Issue with skip large files from being scanned


Jon,

Jon Scholten wrote:

This is happening because Anti-Malware still applies when you have stop ruleset set as the action.

Stop cycle also stops Anti-Malware.

Best,

Jon

Is this documented anywhere?

Thanks for your answer, makes more sense now.

McAfee Employee

Re: Issue with skip large files from being scanned


Hi again!

It may be some sub-text somewhere, but in general the opener and anti-malware are the big hitters when it comes to file scanning (and therefore causing delay, significant or not).

Best,

Jon
