Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HristoGrigorov

EICAR in ZIP archive

I cannot get our firewall to detect this URL:

https://s3-eu-west-1.amazonaws.com/cp-chk-files/e.zip

It is ZIP-ed EICAR used in CheckMe and I think the problem is coming from the fact that IPS does not inspect ZIP archives and Anti-Virus is not detecting EICAR at all.

HTTPS Inspection and AV archive scanning are enabled.

For example this one is detected without any problems:

http://s3-eu-west-1.amazonaws.com/cp-chk-files/win7_64bit_big.zip

Are my observations correct or am I doing something wrong ?

0 Kudos
7 Replies
_Val_
Admin
Admin

Do you have HTTPS Inspection on and appropriate AVI rule configured?

0 Kudos
HristoGrigorov

Yep, already mentioned it in my post. 

0 Kudos
_Val_
Admin
Admin

Yes you did, missed that. I guess it worth taking this with TAC then

0 Kudos
Wolfgang
Authority
Authority

@HristoGrigorov 

got it detected....

eicar_block.png

Wolfgang

HristoGrigorov

Thank you, must be a configuration issue at my side then.

0 Kudos
HristoGrigorov

I think I found what the problem is.

I have HTTPS bypass for an Updatable Object that resolves to the same IP as the server that is hosting this archive.

I suspect it is one of Zoom, Webex or Skype for Business ones.

0 Kudos
_Val_
Admin
Admin

could be the case

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events