File size for emulation
Hi,
Is there a minimum file size for emulation?
I tried downloading a file from eicar.com which was 68 Bytes, but it didn't get emulated, while a file of 308 Bytes got emulated from the same site.
Is this configurable in the TE appliance, where we could define the minimum and maximum file size for emulation?
Also, is it possible to exclude some traffic from emulation?
Regards,
Biju
If you are running anti-virus while downloading the eicar file, it should have caught it and not have to be emulated.
Maximum file size can be configured. In R80.10 you can find it in "Manage & Settings -> Blades -> Threat Prevention -> Threat Emulation".
As far as I know, there is no lower limit, and it can't be configured.
In the threat prevention policy, you decide the "Protected Scope". Here you decide what traffic you want to be inspected according to which Threat prevention profile. So if you wish that some traffic should not be emulated, you can define a new rule, with a threat prevention profile that does not run Threat emulation.
This is assuming your activation mode is "According to policy" (check: open the TE unit -> Threat Emulation).

The reason for my question was that I was trying to download a file from eicar.com which was 68 Bytes and it didn't emulate. However, a 308 Byte file from the same website got emulated.
What could have happened that the 68 Byte file didn't emulate?
Regards,
Biju Nair
Sent from my iPhone
I'm not sure. Was it maybe an HTTPS file and you are not running HTTPS inspection?
What do your traffic logs say?

It was HTTP traffic. I forgot to mention one thing: the HTTP traffic actually comes from the proxy via ICAP to the TE device.
To answer you: in the firewall log it shows the ICAP traffic from the proxy, and then in the emulation log it doesn't show anything.
Regards,
Biju Nair
Sent from my iPhone
You can set the maximum file size here (in R80.10):
Hi, please see the AV/AB logs if those blades are enabled; the file might have been processed by these blades before it could be emulated.

Nope. The AV blade is currently not officially available in ICAP, so that can't be the issue.
Did you check the access.log of the ICAP server to be sure that EICAR.COM is really passed to us?
access.log is stored in $FWDIR/log/c-icap/
It is advisable to change the log format before consulting the log; otherwise you won't "see" much information in this log.
To extend logging do the following:
1) vi /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
2) Search for “AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log”
3) Add this line before the line found above:
LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
4) Change the AccessLog line to:
AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat
So the section in c-icap.conf should now look like this:
LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat
So the troubleshooting flow should be:
1) Do you see the file from the proxy to our ICAP server in access.log?
2) Do you see the file being handled in $FWDIR/log/ted.elg?
Regards Thomas
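An added example, not from this thread or from Check Point: a small Python parser for access.log lines written with the LogFormat above, used to answer troubleshooting step 1 (did the proxy hand the file to the ICAP server at all?) and to show which entries carried an X-Infection-Found header. The sample lines are constructed; the ICAP service path, the IP addresses, the exact look of the %tl timestamp and the X-Infection-Found value are assumptions, as is the reading of %huo as the HTTP URL and '%<ho' as the HTTP response status.

```python
"""Parse c-icap access.log lines in the format from this thread:
   "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (hypothetical values, not real Check Point logs).
SAMPLE_LOG = """\
Tue Mar 13 10:21:55 2018, 10.0.0.5 10.0.0.20 OPTIONS icap://10.0.0.5/sandblast 200 - '-' '-'
Tue Mar 13 10:22:01 2018, 10.0.0.5 10.0.0.20 RESPMOD icap://10.0.0.5/sandblast 200 http://www.eicar.org/download/eicar_com.zip '200' '-'
Tue Mar 13 10:22:03 2018, 10.0.0.5 10.0.0.20 RESPMOD icap://10.0.0.5/sandblast 200 http://www.eicar.org/download/eicar.com '200' 'Type=0; Resolution=2; Threat=EICAR-Test-File;'
"""

@dataclass
class IcapEntry:
    time: str            # %tl  local time (format assumed)
    local_ip: str        # %la  ICAP server address
    remote_ip: str       # %a   proxy (ICAP client) address
    icap_method: str     # %im  OPTIONS / REQMOD / RESPMOD
    icap_url: str        # %iu  ICAP service URI
    icap_status: int     # %is  ICAP response status
    http_url: str        # %huo HTTP URL of the object (assumed)
    http_status: str     # '%<ho' (assumed HTTP response status)
    infection_found: Optional[str]   # X-Infection-Found header, if any

def parse_line(line: str) -> Optional[IcapEntry]:
    # The LogFormat writes a literal ", " right after %tl, so split there
    # first; the timestamp itself contains spaces.
    time, sep, rest = line.partition(", ")
    if not sep:
        return None
    fields = shlex.split(rest)        # honours the single-quoted fields
    if len(fields) != 8:
        return None                   # line not in the expected format
    la, a, im, iu, is_, huo, ho, ih = fields
    return IcapEntry(time, la, a, im, iu, int(is_), huo, ho,
                     None if ih == "-" else ih)

def parse_log(text: str) -> List[IcapEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def entries_for_file(entries: List[IcapEntry], name: str) -> List[IcapEntry]:
    """Step 1: entries whose HTTP URL mentions the file (case-insensitive)."""
    name = name.lower()
    return [e for e in entries if name in e.http_url.lower()]

def flagged(entries: List[IcapEntry]) -> List[IcapEntry]:
    """Entries where the ICAP server reported X-Infection-Found."""
    return [e for e in entries if e.infection_found]
```

If entries_for_file() returns nothing for the file in question, the object never reached the ICAP service and ted.elg (step 2) will not show it either.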
