Maximum file size to scan and action taken in R80.10
Hi guys,
In R77.30 we had the option to configure the maximum file size to be scanned and what action was to be taken if the file size was exceeded by Threat Prevention Blade. Now in R80.10 I know we can still set the file size using DBEdit (sk93616). But what about the action to be taken if the file size is exceeded? Is it still possible to set in R80.10?
Regards,
Vinicius Oliveira
I've been wondering the same thing. The closest thing I could find is under Manage & Settings --> Blades --> Threat Prevention, it seems the decision to Block / Allow when file size is exceeded depends on whether you have the Fail Mode configured to fail-open or fail-closed?
I haven't found a similar looking setting anywhere else. But, it seems to me, you may want the behavior of these two things to be very different, i.e. allow large files but still fail-closed if there is an issue with Threat Prevention blades.
I'd love to hear if there's something I missed. But, I agree, this behavior seems different than how it was handled in R77.30.
Hey Daniel,
I wonder if, when a file size is exceeded in the AV blade (not emulation), it generates an internal system error (or just a log entry?) and then the Fail Mode is applied.
Thank you for your contribution.
Best regards,
Vinicius Oliveira
So we need to be more specific here:
1) AV Signature check
This is a file hash check against our big Threat Cloud database. The hash is calculated "on the fly" on a file without the need to reassemble the packets. Afaik this AV scanning engine does not have any file size limit. Most AV catches come from this engine.
2) AV deep scan and archive scan
This is where we need to reassemble packets into a file to do deep scan (heuristic scan with an AV engine) or archive scanning (because we need to unpack the files from the archive). This scan engine has the default file size limit of 150MB mentioned already (configurable via GUIDBEDIT).
3) Fail mode
All of the above AV engines and also AB & TE are handled by the Engine Fail-Mode setting shown above in case of errors:
There is also a way to set fail-mode on specific blades (AV,AB,TE) only if necessary.
Afaik all of the above also applies to R80.
Regards Thomas
