Marcel_Gramalla
Collaborator

Anti-Virus & Content Awareness Archive Issues

Hi CheckMates,

I want to describe one, or actually two, issues I encounter when using Anti-Virus and Content Awareness on my Check Point Gateways. Both issues seem to be related only to Archive Scanning. First of all, some information about the config:

- R80.40 JHF94 (also tested with new install of R81 and R81.10)
- HTTPS Inspection enabled
- Anti-Virus enabled (with archive scanning)
- Content Awareness enabled (should block executable files and some other types)

I can easily reproduce the issue on some basic PuTTY downloads here: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
putty.zip: https://the.earth.li/~sgtatham/putty/latest/w64/putty.zip
putty.tar.gz: https://the.earth.li/~sgtatham/putty/latest/putty-0.76.tar.gz

Scenario 1 (Content Awareness: enabled / Anti-Virus: disabled):
Download of putty.zip fails with log message "error while processing putty.chm: File appears corrupted (13)"
Download of putty.tar.gz gets blocked correctly because of an ".sh" file.

Scenario 2 (Content Awareness: disabled / Anti-Virus: disabled):
Download of putty.zip fails with log message "Failed to process the file - unknown error"
Download of putty.tar.gz fails with log message "Failed to process the file - unknown error"

Scenario 3 (Content Awareness: enabled / Anti-Virus: enabled):
Download of putty.zip fails without log message
Download of putty.tar.gz gets blocked correctly because of an ".sh" file.

I already did some basic debugs from sk103939, and the issue reported is: "error reason: Max files in archive", but I couldn't find any information about that and the archives don't have many files in them.

Did any of you encounter similar problems, or can you verify the issue on your setup? I already have a ticket opened, but my TAC experience isn't the best lately and you guys helped a lot in the past 🙂

 

0 Kudos
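The debug reason quoted above is "Max files in archive", while the archives reportedly hold few files. The following is an added example, not part of the original post and not Check Point tooling: an offline inventory that counts files, directories and members of nested archives separately, since the page does not say which of these the gateway counts. The names `NESTED`, `members`, `inventory` and `sample` are hypothetical, and the sample archive is constructed in memory.

```python
import io
import posixpath
import tarfile
import zipfile
from collections import Counter

NESTED = (".zip", ".tar", ".tar.gz", ".tgz")  # assumption: names treated as nested archives

def members(data):
    """Yield (name, is_dir, content) for a tar(.gz/.bz2/.xz) or zip held in memory."""
    try:
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.ReadError:  # not a tar: try zip (raises BadZipFile if neither)
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for i in zf.infolist():
                yield i.filename, i.is_dir(), None if i.is_dir() else zf.read(i)
        return
    with tf:
        for m in tf:
            yield m.name, m.isdir(), tf.extractfile(m).read() if m.isfile() else None

def inventory(data, max_depth=3):
    """Count files, dirs and nested-archive members; extensions go under 'ext:<.x>'."""
    st = Counter()
    for name, is_dir, body in members(data):
        st["dirs" if is_dir else "files"] += 1  # links count as files
        if is_dir:
            continue
        st["ext:" + posixpath.splitext(name.lower())[1]] += 1
        if body is not None and max_depth and name.lower().endswith(NESTED):
            try:
                st += inventory(body, max_depth - 1)  # add the nested archive's totals
                st["nested"] += 1
            except (tarfile.TarError, zipfile.BadZipFile):
                st["unreadable"] += 1  # named like an archive but does not parse
    return st

def sample():
    """Constructed input: zip with a dir, a .chm and a nested tar.gz of empty files."""
    t = io.BytesIO()
    with tarfile.open(fileobj=t, mode="w:gz") as tf:
        tf.addfile(tarfile.TarInfo("build.sh"))  # zero-length members
        tf.addfile(tarfile.TarInfo("tool.exe"))
    z = io.BytesIO()
    with zipfile.ZipFile(z, "w") as zf:
        zf.writestr("pkg/", b"")
        zf.writestr("pkg/help.chm", b"constructed")
        zf.writestr("pkg/src.tar.gz", t.getvalue())
    return z.getvalue()
```

Run `inventory(open(path, "rb").read())` against the downloaded archive and compare the totals and the `unreadable` count with the file names reported in the gateway log.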
2 Replies
PhoneBoy
Admin

I suspect this is a bug and a TAC case will be necessary here.

0 Kudos
Marcel_Gramalla
Collaborator

Yeah, I think it obviously is a bug, but as it occurs on clean installations as well, my hope was to find somebody that has already experienced something similar and/or can validate my findings.

TAC case already opened as mentioned but (again) not the best experience yet. Investigation hasn't even started yet after a week because of slow response, a canceled call and no instructions from CP.

I will update this thread if we get any mentionable information.