886 Views 6 Replies Latest reply: May 9, 2013 3:44 PM by Jon Scholten
malware-alerts Apprentice 65 posts since
Feb 14, 2012

May 9, 2013 1:20 PM

Issue with skip large files from being scanned

Been playing around with a rule to skip large files from being scanned and am trying to understand the behavior.

I'm using the default "Common rules" ruleset.

I'm putting my "Skip Large Files Scan" right before the "Enable Composite Opener" rule.

The rule has various conditions for being triggered:

  • Connection.Protocol NOT equal FTP
  • Cycle.Name = RESPONSE
  • MediaType.IsArchive = YES
  • Body.Size or Content-Length Header greater than x-bytes

I've also got an event to write to SysLog when the rule triggers.

I know the rule triggers systematically when downloading files larger than X-bytes (I see the entry in syslog).

BUT

When I set the action to "Stop Cycle" it skips scanning.

When I set the action to "Stop Rule Set" it proceeds to 'Enable Composite Opener' and scans the file anyway.

Can anybody explain why the "Stop Rule Set" does not prevent 'Enable Composite Opener' from executing?

Attached is the screen capture of my ruleset.

Thanks!
