Dear McAfee friends,
I have a McAfee Web Gateway configuration for ICAP only. We have a web interface where clients can upload files and we use the Gateway to scan those files for malware before passing them into the backoffice.
When I upload a text file with EICAR content, the web gateway does its work and blocks the file. But when I upload a Zeus virus sample (with the .exe renamed to .pdf) the gateway doesn't seem to detect anything and gives the file the thumbs up. Does this ring a bell to anyone?
With kind regards,
Does the sample actually get detected on something like VirusTotal?
If so, then it's probably something in the policy that isn't quite right.
If the McAfee Gateway Edition entry on VirusTotal doesn't catch it, then MWG won't either.
Sounds like we should catch it. Probably you need to file an SR with support and provide the sample and some rule engine traces to allow us to find out what happens here.
I've got some new information. When I push the virus samples with Perl from localhost to localhost the AV scanner detects the virus samples.
So the AV scanner does its job. What happens is that the files we get from the web interface are being encoded to UTF16. Could this be the issue?
Encoding EICAR to UTF16 just gives you the EICAR back. So that gets detected. But a binary file encoded to UTF16 is something else.
Is there any way I need to configure the MWG to detect and scan UTF16 encoded files?
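
The effect described in this thread, as an added example that is not part of the original posts and is not McAfee code: it assumes the upload path reads each byte as a Latin-1 character and writes it out as UTF-16 with a BOM, and shows a pre-scan check that recovers the original bytes so both forms can be handed to the scanner. The sample bytes and all function names are constructed for illustration.

```python
import codecs
import hashlib

# Constructed, harmless sample shaped like the start of a Windows executable.
SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\xff\xff" + bytes(range(256))


def widen_like_upload_path(data: bytes) -> bytes:
    """Assumed mangling: bytes decoded as Latin-1, re-encoded as UTF-16LE + BOM."""
    return codecs.BOM_UTF16_LE + data.decode("latin-1").encode("utf-16-le")


def unwiden(body: bytes):
    """Return the original bytes if body is byte-per-character UTF-16, else None."""
    if body.startswith(codecs.BOM_UTF16_LE):
        payload, high = body[2:], 1      # high byte of each unit at odd offsets
    elif body.startswith(codecs.BOM_UTF16_BE):
        payload, high = body[2:], 0      # high byte of each unit at even offsets
    else:
        return None                      # no BOM: treat the body as raw bytes
    if len(payload) % 2 or any(payload[high::2]):
        return None                      # real UTF-16 text beyond U+00FF, leave it
    return payload[1 - high::2]          # keep only the low byte of each unit


def scan_candidates(body: bytes) -> list:
    """Byte strings to submit for scanning: the body as received, plus the
    narrowed form when the body looks like a widened binary."""
    narrowed = unwiden(body)
    return [body] if narrowed is None else [body, narrowed]


if __name__ == "__main__":
    received = widen_like_upload_path(SAMPLE)
    print("original starts with MZ :", SAMPLE.startswith(b"MZ"))
    print("received starts with MZ :", received.startswith(b"MZ"))
    print("received head           :", received[:8].hex())
    recovered = unwiden(received)
    print("hash matches after fix  :",
          hashlib.sha256(recovered).digest() == hashlib.sha256(SAMPLE).digest())
    print("objects to scan         :", len(scan_candidates(received)))
```

Comparing a hash of the file as the client sent it with a hash of the body that reaches the ICAP request is a quick way to confirm whether the upload path alters the bytes at all.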