What we have:
Two gateways as virtual machines.
One gateway as appliance (4000) at a remote location.
Rules and lists are identical on all three machines. MWG versions are identical, too.
For a couple of days nearly all downloads from our site have been blocked. For example:
[23/Oct/2014:15:19:03 +0200] "USERNAME" "IP_address" "McAfeeGW: Heuristic.BehavesLike.Win32.Suspicious-DTR.K" "http://www.triumph-adler.de/C125712200447418/vwLookupDownloads/KxDriver_cCD_cLP_20141017.zip/$FILE/K..."
OK, annoying enough, as the files are clean.
But the strange thing is, this happens only on the virtual machines. No problem on the appliance.
Has anyone seen something similar? And has an explanation? This drives me crazy.
This is not a HA cluster. Both VMs are tied together by 'Central management'.
It does not matter whether I use VM1 or VM2, both block the download and log an entry like the one above.
And the appliance does not.
DATs, engines, you name it, are at the same level on all three machines.
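As an added example (not from this thread and not a McAfee tool), a small Python script that parses block entries in the access-log layout quoted above from each node and reports the URLs that were blocked on some nodes but not on all of them, which is the VM-versus-appliance mismatch being described; the sample entries, node tags, users, addresses and hostnames are constructed.

```python
import re
from collections import defaultdict

# Constructed sample entries in the layout quoted in the thread:
# [timestamp] "user" "client_ip" "McAfeeGW: <block reason>" "url"
SAMPLE_LOGS = {
    "vm1": [
        '[23/Oct/2014:15:19:03 +0200] "USER1" "10.0.0.5" '
        '"McAfeeGW: Heuristic.BehavesLike.Win32.Suspicious-DTR.K" '
        '"http://downloads.example/KxDriver.zip"',
        '[23/Oct/2014:15:20:11 +0200] "USER1" "10.0.0.5" '
        '"McAfeeGW: EICAR test file" "http://downloads.example/eicar.com"',
    ],
    "vm2": [
        '[23/Oct/2014:15:21:40 +0200] "USER2" "10.0.0.9" '
        '"McAfeeGW: Heuristic.BehavesLike.Win32.Suspicious-DTR.K" '
        '"http://downloads.example/KxDriver.zip"',
        '[23/Oct/2014:15:22:02 +0200] "USER2" "10.0.0.9" '
        '"McAfeeGW: EICAR test file" "http://downloads.example/eicar.com"',
    ],
    "appliance": [
        '[23/Oct/2014:15:23:15 +0200] "USER3" "192.168.1.7" '
        '"McAfeeGW: EICAR test file" "http://downloads.example/eicar.com"',
        "this line is not a block entry and is skipped by the parser",
    ],
}

# Timestamp in brackets, then four quoted fields; the reason field
# carries the "McAfeeGW:" prefix seen in the thread.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+"(?P<user>[^"]*)"\s+"(?P<ip>[^"]*)"'
    r'\s+"McAfeeGW:\s*(?P<reason>[^"]*)"\s+"(?P<url>[^"]*)"'
)

def parse_line(line):
    """Parse one block entry; return a dict of fields, or None if no match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_discrepancies(logs_by_node):
    """Return {url: {node: reason}} for URLs blocked on some nodes but not all."""
    blocks = defaultdict(dict)
    for node, lines in logs_by_node.items():
        for line in lines:
            rec = parse_line(line)
            if rec:
                blocks[rec["url"]][node] = rec["reason"]
    all_nodes = set(logs_by_node)
    # A URL blocked everywhere is consistent policy; anything else is a mismatch.
    return {url: hits for url, hits in blocks.items() if set(hits) != all_nodes}
```

Feed it the real block entries of each node (grouped by node name) to get the list of URLs whose verdict differs between the VMs and the appliance.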
Generally, there should not be any difference between running on VMware and running on native hardware. I assume there must be a difference between the physical and the virtual nodes.
Is the appliance also part of the central management? If not, I recommend looking at the AV settings in use. Probably they are different. Maybe there is a whitelist entry on the physical node that matches your test requests.
Also have a look at the license. It might be that the virtual nodes use a license which has Gateway Anti-Malware enabled, while the physical node uses the more "limited" AV license. This means that some of the behaviour analysis does not take place on the physical node, so the files are not caught.
Thanks for looking into it.
1. The appliance is not part of CM. But I double-checked the settings. They are identical. (And as I am a narrow-minded old guy, I asked a colleague to do the same. He didn't find any differences either.)
2. License is the same on all three machines.
And yes, the behaviour should and must be the same whether we talk hardware or virtual. But it is not. That costs me my last three hairs.
We definitely want to prevent MWG affecting your last three hairs ;-)
I think that, to find out what exactly happens here, I would need to see the configuration. So basically there are two options: if you like, you can file a service request and attach a feedback of a virtual and a physical node and, if possible, a sample link. As an alternative, you can PM me an email address and I will send you some instructions on where to put some data for me, and I can take a look for you.
Note: It is not that I don't believe your comparison! With the feedback I would be able to restore your configuration to a virtual/physical machine and make some additional tests which will be helpful in understanding the issue and probably find what the difference is.
>>We definitely want to prevent MWG affecting your last three hairs ;-)
>>Note: It is not that I don't believe your comparison!
No offense taken. I hope that I will be proven wrong.
Will file an SR, but will also PM you my address. (If you have time, answer; if not, discard it.)
Try using "Rule Tracing Central" on the VM and the appliance and check the rule processing for differences. I would bet that there is a whitelist hidden somewhere in the ruleset.
Thanks for the hint.
But it didn't help that much.
On both machines the request went through the rules tree to the rule set Gateway Anti-Malware. (The rules here are the default ones.)
On the appliance, the last rule 'Block If Virus Is Found' is left without a fuss.
On the VM, the request dies there.
Take a look at the Malware Engine settings at (iirc) Policy -> Settings -> Engines -> AntiMalware -> Gateway (I currently have no Web Gateway at hand). Perhaps there are different settings.