3 Replies Latest reply on Oct 26, 2012 12:50 PM by pcoates

    Inconsistent skipping of Antimalware Scanning

    pcoates

      Hi Guys,

      I've been working on having the AV Scanner not engaged for files over a certain size.

      I'm using a rule with a Content Length limit OR body.size limit at the top of my antimalware rule.

      I've currently set it to 40 MB (41943040 B) but am experiencing inconsistent behaviour.

      I know that sometimes it will go to the progress page and sometimes not, depending on whether the Content-Length value is available or the Web Gateway has to calculate and append it after downloading.

      However I am seeing a mix of scanning and not scanning when over the file size.

      For example, I downloaded the latest DAT executable and it went directly to my browser download window, presumably due to the fact that it received the proper Content-Length header info.

      I then downloaded a different 70MB exe file, and it took me to the progress page, and then performed scanning on it as well.

      I've noticed that zip files will consistently always go to both the progress and scanning page no matter what.

      Has anyone experienced similar behaviour and do you have any recommendations?

      I'll attach a screenshot of the basic rules.

      Thanks

        • 1. Re: Inconsistent skipping of Antimalware Scanning

          Hi pcoates,

          I have the suspicion you might have a rule that uses the "Enable Composite Opener" event somewhere higher up in your rule sets.

          DAT files are probably nothing the MWG can "open" to inspect, but zip files and most exe's are. So you are skipping AV indeed, but the opener is still applied, meaning it will take that zip file apart and start embedded cycles for every object inside. And if those objects are smaller than 40MB, they might even get AV scanned.

          • 2. Re: Inconsistent skipping of Antimalware Scanning
            btlyric

            In the default Enable Opener rule set, there is no file size criteria placed on Enable Composite Opener so all files that can be opened will be flagged as such. If you want to limit the size of files that are scanned by the AV engine, you could add a limitation there.

            Depending on the type of file(s) involved, you may need additional criteria. For example, I've seen a situation involving a Subversion checkout where MWG pulls down every file in the repo and globs them all into one big temporary file which it then proceeds to extract.
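The two replies above describe the same mechanism: a size criterion placed only on the antimalware rule is bypassed because the opener still unpacks a large archive and every embedded object gets its own cycle, in which the smaller objects pass the size check and are scanned. The model below is an added illustration of that interaction and of the fix (applying the size criterion to "Enable Composite Opener" as well); it is not McAfee Web Gateway code and the `WebObject`/`Policy` classes, the evaluation order and the sample objects are hypothetical constructions that only mirror the behaviour described in this thread.

```python
"""Simplified model of a size-based AV skip versus the composite opener.

Hypothetical model written for this thread, not MWG's rule engine: each
object gets one rule cycle; the opener rule set runs before the antimalware
rule set and starts an embedded cycle for every object inside a container.
"""
from dataclasses import dataclass, field
from typing import List

MB = 1024 * 1024
SIZE_LIMIT = 40 * MB  # 40 MB (41943040 B), the value used in the thread


@dataclass
class WebObject:
    name: str
    size: int                       # body.size in bytes
    openable: bool = False          # containers (zip, many exe) the opener can unpack
    children: List["WebObject"] = field(default_factory=list)


@dataclass
class Policy:
    # True  -> the size criterion is also on "Enable Composite Opener" (the fix).
    # False -> only the antimalware rule set carries the size criterion.
    size_limit_on_opener: bool


def evaluate(obj: WebObject, policy: Policy, scanned: List[str]) -> None:
    """Run one rule cycle for obj, appending the names of AV-scanned objects."""
    # Enable Opener rule set: unpack containers and evaluate each embedded
    # object from scratch, so the top-level size decision is not inherited.
    opener_allowed = obj.openable and (
        obj.size <= SIZE_LIMIT if policy.size_limit_on_opener else True
    )
    if opener_allowed:
        for child in obj.children:
            evaluate(child, policy, scanned)
    # Antimalware rule set: the size rule at the top stops processing for
    # large objects; everything that reaches the next rule is scanned.
    if obj.size > SIZE_LIMIT:
        return
    scanned.append(obj.name)


def scanned_objects(obj: WebObject, size_limit_on_opener: bool) -> List[str]:
    """Names of objects that reach the AV engine under the chosen policy."""
    scanned: List[str] = []
    evaluate(obj, Policy(size_limit_on_opener), scanned)
    return scanned


# Constructed sample objects (sizes chosen to straddle the 40 MB limit).
BIG_ZIP = WebObject("big-archive.zip", 70 * MB, openable=True, children=[
    WebObject("setup.exe", 30 * MB),
    WebObject("data.bin", 45 * MB),
    WebObject("readme.txt", 2 * 1024),
])
SMALL_ZIP = WebObject("small-archive.zip", 10 * MB, openable=True, children=[
    WebObject("inner.exe", 5 * MB),
])
DAT_FILE = WebObject("latest.dat", 70 * MB)  # not a container: goes straight through

if __name__ == "__main__":
    for label, flag in (("size rule on AV only", False),
                        ("size rule also on opener", True)):
        print(f"{label}: {scanned_objects(BIG_ZIP, flag)}")
    print("small zip, fix applied:", scanned_objects(SMALL_ZIP, True))
    print("dat file:", scanned_objects(DAT_FILE, False))
```

With the size criterion only on the antimalware rule, the 70 MB archive itself is skipped but `setup.exe` and `readme.txt` inside it are still scanned, which is the "progress page plus scanning" the original poster saw for zips. Once the same criterion also gates the opener, the oversized archive is neither unpacked nor scanned, while archives under the limit are still opened and scanned as before.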

            • 3. Re: Inconsistent skipping of Antimalware Scanning
              pcoates

              Thanks guys, it was the composite opener causing the issues, and I just added a size rule to this as well for the desired results.

              Cheers