Re: File size for emulation

Biju_Nair · ‎2017-10-08

Hi,

Is there a minimum file size for emulation.

I tried downloading a file from eicar.com which was 68 Bytes. But it didnt get emulated, while a file size of 308Bytes got emulated from the same site.

Is this configurable in TE appliance, where we could define the minimum and maximum file size for emulation.

also, Is it possible to exclude some traffic for emulation.

Regards,

Biju

Albin_Hakansson · ‎2017-10-08

If you are running anti-virus while downloading the eicar file, it should have caught it and not have to be emulated.

Maximum file size can be configured. In R80.10 you can find it in "Manage & Settings -> Blades -> Threat Prevention -> Theat Emulation".

As far as I know, there is no lower limit, and it can't be configured

In the threat prevention policy, you decide the "Protected Scope". Here you decide what traffic you want to be inspected according to which Threat prevention profile. So if you wish that some traffic should not be emulated, you can define a new rule, with a threat prevention profile that does not run Threat emulation.

This is assuming your activation mode is According to policy (Check Open the TE unit-> Threat Emulation)

Biju_Nair · ‎2017-10-08

The reason for my question was I was trying to download a file from eicar.com which was 68Bytes and it didn't emulate. However a 308Bytes file got emulated. From the same website.

What could have happened that the 68Byte file didn't emulate.

Regards,

Biju Nair

Sent from my iPhone

Albin_Hakansson · ‎2017-10-08

I'm not sure. Was it the HTTPS file maybe and you are not running HTTPS inspection?

What does your traffic logs say?

Biju_Nair · ‎2017-10-08

It was a http traffic. I forgot to mention one thing that the http traffic is actually from the proxy via ICAP to TE device.

To answer u.... In the firewall log it shows the ICAP traffic from proxy and then in the emulation log it doesnt show anything.

Regards,

Biju Nair

Sent from my iPhone

PhoneBoy · ‎2017-10-08

You can set the maximum file size here (in R80.10):

Prashant · ‎2017-10-08

Hi - Please see the AV/AB logs in case enabled, it might have processed with these blades before the file could be emulated.

Thomas_Werner · ‎2017-10-27

Nope. AV blade currently is not offically available in ICAP - so that can´t be the issue.

Did you check access.log of the ICAP server to be sure the EICAR.COM is really passed to us ?

access.log is stored in $FWDIR/log/c-icap/

It is advisable to change the logformat before consulting the log otherwise you won´t "see" much infos in this log.

To extend logging do the following:

1) vi /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
2) Search for “AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log”
3) Add this line before the abaove finding:
LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
4) Change the AccessLog line to:
AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat

So the section in c-icap.conf should now look like this:
LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat

So the troubleshooting flow should be:

1) Do you see the file from the proxy to our ICAP server in access.log

2) Do you see the file being handled in $FWDIR/log/ted.elg

Regards Thomas

Are you a member of CheckMates?

File size for emulation