I want to describe one or actually two issues I encounter when using Anti-Virus and Content Awareness on my Check Point Gateways. Both issues seem to be related only for Archive Scanning. First of all some information about the config:
- R80.40 JHF94 (also tested with new install of R81 and R81.10)
- HTTPS Inspection enabled
- Anti-Virus enabled (with archive scanning)
- Content Awareness enabled (should block executable files and some other types)
I can easily reproduce the issue on some basic PuTTY downloads here: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
Scenario 1 (Content Awareness: enabled / Anti-Virus: disabled):
Download of putty.zip fails with log message "error while processing putty.chm: File appears corrupted (13)"
Download of putty.tar.gz gets blocked correctly because of an ".sh" file.
Scenario 2 (Content Awareness: disabled / Anti-Virus: disabled)
Download of putty.zip fails with log message "Failed to process the file - unknown error"
Download of putty.tar.gz fails with log message "Failed to process the file - unknown error"
Scenario 3 (Content Awareness: enabled / Anti-Virus: enabled)
Download of putty.zip fails without log message
Download of putty.tar.gz gets blocked correctly because of an ".sh" file
I already did some basic debugs from sk103939 and the issue reported is: "error reason: Max files in archive" but I couldn't find any information about that and the archives don't have many files in them.
Did somebody of you encounter similar problems or can verify the issue on their setup? I already have a ticket opened but my TAC experience isn't the best lately and you guys helped a lot in the past 🙂