ProxySG & Advanced Secure Gateway

  • 1.  Question regarding ProxyAV

    Posted Sep 05, 2017 07:29 AM

    Hi

    I have a question regarding the ProxyAV. I do not know if this is the right forum. 
    The old Blue Coat forums used to have a section dedicated to ProxyAV & CAS as far as I can remember.

    We have a proxy policy with malware scanning for all traffic by default; the Blue Coat Proxy is connected to a ProxyAV. 
    Password-protected archives are blocked.

    When trying to download a password-protected PDF, we get one of three different outcomes:

    Success - File is downloaded
    Failure - Exception log message 1 below 
    Failure - Exception log message 2 below

     

    All three of these results occurred for the same file, namely:
    http://www.novapdf.com/uploads/novapdf_en/media_items/pdf-example-password.original.pdf

    What could be the explanation for getting different results for the same file (no change in policy)?
    How can a PDF trigger an archive error?
    The policy to block password-protected archives, is that supposed to block password-protected PDFs also? 

     

    Log message 1 (excerpt):
    URL: http://www.novapdf.com/uploads/novapdf_en/media_items/pdf-example-password.original.pdf
    ATEXT=Cause: File is password protected (engine error code: 0x000A0000)
    File has been dropped.

    Log message 2 (excerpt):
    URL: http://www.novapdf.com/uploads/novapdf_en/media_items/pdf-example-password.original.pdf
    ATEXT=Cause: Maximum total files in archive exceeded (engine error code: 0x00070000)
    File has been dropped.



  • 2.  RE: Question regarding ProxyAV

    Posted Sep 06, 2017 02:53 AM

    The file is a sample file taken from this page:

    http://www.novapdf.com/kb/pdf-example-files-created-with-novapdf-138.html



  • 3.  RE: Question regarding ProxyAV

    Posted Sep 06, 2017 04:27 AM

    Hi,

    That sounds very strange indeed, and I would recommend having this analyzed in a proper support case.

    Some ideas:

    - the SG uses more than one AV with ICAP load balancing and the AVs have different configurations

    - I've heard of strange results when "Trickling" is used and the initial download is terminated correctly by the AV after some bytes have been transferred to the client. Then the client asks for the same file again, but now only requests the rest of the file from an offset (range). So what the AV sees now is only a part of the file, which may lead to different results.

    And yes, the password-protected archive option should apply to archives only. But I guess deep down a PDF is a kind of archive as well, given all the files you can embed in it. Much like MS Office documents.

    Kind Regards,

    Gunnar
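
    The two questions in the original post (how a PDF can trip an archive check, and why the same URL gets different verdicts) and the "PDF is a kind of archive" and partial-download points in the reply above can be made concrete with a small inspector. The script below is an added example and is not ProxyAV, CAS or Blue Coat code: it scans a PDF the way an archive-aware scanner has to, looking for the trailer's /Encrypt entry (the document needs a password to open) and counting /Filespec attachment entries, including ones hidden inside FlateDecode-compressed object streams. The `engine_verdict` function is a toy policy that only mirrors the two exception texts quoted in the first post; the real engine's ordering and file limit are not known from this thread, and `max_files=2` is an assumed value chosen to make the demo trip. The sample PDF is constructed inline (it is not the novaPDF file), and only direct integer /Length values are handled.

```python
"""Inspect a PDF the way an archive-aware content scanner would:
is it password protected, and how many attached files does it carry?
Stdlib only; a regex scan of the raw syntax rather than a full xref walk."""
import re
import zlib
from dataclasses import dataclass

OBJECT_RE = re.compile(rb"\b(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_START_RE = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec\b")
ENCRYPT_RE = re.compile(rb"/Encrypt\b")


@dataclass
class PdfContainerInfo:
    encrypted: bool        # trailer carries /Encrypt: a password is needed to open it
    attachments: int       # /Filespec entries, including those packed in object streams
    object_streams: int    # compressed /ObjStm containers that had to be inflated
    has_header: bool       # %PDF- magic present (False when only a byte range is seen)


def inspect_pdf(data: bytes) -> PdfContainerInfo:
    attachments = objstms = 0
    trailer = data[data.rfind(b"trailer"):] if b"trailer" in data else b""
    for m in OBJECT_RE.finditer(data):
        body = m.group(3)
        s = STREAM_START_RE.search(body)
        dictionary = body[:s.start()] if s else body
        attachments += len(FILESPEC_RE.findall(dictionary))   # uncompressed entries
        if not s:
            continue
        n = LENGTH_RE.search(dictionary)          # direct integer /Length only
        raw = body[s.end():s.end() + int(n.group(1))] if n else b""
        if b"/XRef" in dictionary:                # PDF 1.5+ may keep /Encrypt here instead
            trailer += dictionary
        if b"/ObjStm" in dictionary:
            objstms += 1
            try:
                inflated = zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw
            except zlib.error:
                continue                          # truncated/corrupt container: nothing to count
            attachments += len(FILESPEC_RE.findall(inflated))
    return PdfContainerInfo(
        encrypted=ENCRYPT_RE.search(trailer) is not None,
        attachments=attachments, object_streams=objstms,
        has_header=data.startswith(b"%PDF-"))


def engine_verdict(info: PdfContainerInfo, max_files: int) -> str:
    """Toy policy that reproduces the two exception texts quoted in the thread.
    Assumption: the real ProxyAV ordering and limit are unknown; the password
    check is simply placed first here."""
    if info.encrypted:
        return "File is password protected"
    if info.attachments > max_files:
        return "Maximum total files in archive exceeded"
    return "OK"


def build_sample_pdf(encrypted: bool, attachments: int, packed: int) -> bytes:
    """Constructed minimal PDF for the demo (not the novaPDF sample file).
    Every attachment gets an /EmbeddedFile stream; its /Filespec entry is a
    plain object, except the last `packed` ones, which are stored inside a
    FlateDecode object stream as PDF 1.5+ writers commonly do."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [] /Count 0 >>"]
    for i in range(attachments):
        payload = b"attachment %d" % i
        objs.append(b"<< /Type /EmbeddedFile /Length %d >>\nstream\n%s\nendstream"
                    % (len(payload), payload))
        if i < attachments - packed:
            objs.append(b"<< /Type /Filespec /F (a%d.txt) /EF << /F %d 0 R >> >>"
                        % (i, len(objs)))
    if packed:
        inner = b"".join(b"<< /Type /Filespec /F (p%d.txt) >>\n" % i for i in range(packed))
        z = zlib.compress(inner)
        objs.append(b"<< /Type /ObjStm /N %d /First 0 /Length %d /Filter /FlateDecode >>"
                    b"\nstream\n%s\nendstream" % (packed, len(z), z))
    if encrypted:
        objs.append(b"<< /Filter /Standard /V 1 /R 2 /O <00> /U <00> /P -1 >>")
    out = b"%PDF-1.5\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o)
                                     for n, o in enumerate(objs, 1))
    trailer = b"trailer\n<< /Size %d /Root 1 0 R" % (len(objs) + 1)
    if encrypted:
        trailer += b" /Encrypt %d 0 R" % len(objs)
    return out + trailer + b" >>\n%EOF\n"


if __name__ == "__main__":
    pdf = build_sample_pdf(encrypted=True, attachments=3, packed=1)
    full = inspect_pdf(pdf)
    print(full, engine_verdict(full, max_files=2))
    # What a scanner sees on a resumed (Range) download: the trailer, but none
    # of the objects that were already delivered to the client.
    tail = inspect_pdf(pdf[pdf.rfind(b"trailer"):])
    print(tail, engine_verdict(tail, max_files=2))
    # A view that is missing the trailer trips the file-count check instead.
    head = inspect_pdf(pdf[:pdf.rfind(b"trailer")])
    print(head, engine_verdict(head, max_files=2))
```

    Run as a script it inspects the constructed file three times: the complete file and the trailer-only tail both report the password check, while the view without the trailer reports the attachment limit instead. That is the mechanism behind the reply's partial-file idea, not a diagnosis of the poster's case: the verdict depends on which bytes the scanner actually received, so the same URL can produce different exception texts on different attempts.
    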



  • 4.  RE: Question regarding ProxyAV

    Posted Sep 06, 2017 07:39 AM

    I know you mentioned ProxyAV, but in case you're actually using CAS: enabling the "File reputation" service may also result in such odd behaviour, since this service caches the verdict of a file, but not all the other information related to the file in a complete manner. So on the first attempt to download the file a normal scan with everything involved is performed, but on subsequent requests the CAS may recognize the file as already known and not malicious and just reply back with OK. At some point the hash is removed from the file reputation cache, and the next request is scanned as expected again.