topic Re: File size for emulation in Firewall and Security Management

File size for emulation

Biju_Nair — Sun, 08 Oct 2017 17:11:39 GMT

Hi,

Is there a minimum file size for emulation.

I tried downloading a file from eicar.com which was 68 Bytes. But it didnt get emulated, while a file size of 308Bytes got emulated from the same site.

Is this configurable in TE appliance, where we could define the minimum and maximum file size for emulation.

also, Is it possible to exclude some traffic for emulation.

Regards,

Biju

Re: File size for emulation

Albin_Hakansson — Sun, 08 Oct 2017 18:36:46 GMT

If you are running anti-virus while downloading the eicar file, it should have caught it and not have to be emulated.

Maximum file size can be configured. In R80.10 you can find it in "Manage & Settings -> Blades -> Threat Prevention -> Theat Emulation".

As far as I know, there is no lower limit, and it can't be configured

In the threat prevention policy, you decide the "Protected Scope". Here you decide what traffic you want to be inspected according to which Threat prevention profile. So if you wish that some traffic should not be emulated, you can define a new rule, with a threat prevention profile that does not run Threat emulation.

This is assuming your activation mode is According to policy (Check Open the TE unit-> Threat Emulation)

Re: File size for emulation

Biju_Nair — Sun, 08 Oct 2017 19:04:50 GMT

The reason for my question was I was trying to download a file from eicar.com which was 68Bytes and it didn't emulate. However a 308Bytes file got emulated. From the same website.

What could have happened that the 68Byte file didn't emulate.

Regards,

Biju Nair

Sent from my iPhone

Re: File size for emulation

Albin_Hakansson — Sun, 08 Oct 2017 19:15:30 GMT

I'm not sure. Was it the HTTPS file maybe and you are not running HTTPS inspection?

What does your traffic logs say?

Re: File size for emulation

Biju_Nair — Mon, 09 Oct 2017 03:43:15 GMT

It was a http traffic. I forgot to mention one thing that the http traffic is actually from the proxy via ICAP to TE device.

To answer u.... In the firewall log it shows the ICAP traffic from proxy and then in the emulation log it doesnt show anything.

Regards,

Biju Nair

Sent from my iPhone

Re: File size for emulation

PhoneBoy — Mon, 09 Oct 2017 04:24:40 GMT

You can set the maximum file size here (in R80.10):

Re: File size for emulation

Prashant — Mon, 09 Oct 2017 05:23:49 GMT

Hi - Please see the AV/AB logs in case enabled, it might have processed with these blades before the file could be emulated.

Re: File size for emulation

Thomas_Werner — Fri, 27 Oct 2017 13:49:58 GMT

Nope. AV blade currently is not offically available in ICAP - so that can´t be the issue.

Did you check access.log of the ICAP server to be sure the EICAR.COM is really passed to us ?

access.log is stored in $FWDIR/log/c-icap/

It is advisable to change the logformat before consulting the log otherwise you won´t "see" much infos in this log.

To extend logging do the following:

1) vi /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
2) Search for “AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log”
3) Add this line before the abaove finding:
LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
4) Change the AccessLog line to:
AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat

So the section in c-icap.conf should now look like this:
LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat

So the troubleshooting flow should be:

1) Do you see the file from the proxy to our ICAP server in access.log

2) Do you see the file being handled in $FWDIR/log/ted.elg

Regards Thomas