  1. #1
    Untangler ctaranto

    Virus Blocker not blocking eicar files

    New user to Untangle (home user) and have a pretty basic install.

    WAN <-> Untangle <-> Wireless Router (LAN)

    WAN is VZ FiOS, plugged into WAN port. LAN port on the Untangle box is plugged into a LAN port of the wireless router. All internal on the same subnet (172.20.0.x).

    Web filtering, Policy Manager, and Bandwidth control all working great.

    I enabled Virus Blocker but it doesn't block the obvious virus test (http://www.eicar.org/download/eicar.com).

    Any thoughts on why and debugging?

  2. #2
    Untangle Junkie dmorris

    1) Check the reports - do you see that request under "Scanned Web Events" ?
    2) Did you install Virus Blocker recently? If so you may need to wait until the signatures fully download.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler ctaranto

    I see a handful of events from a laptop that isn't the system I'm testing. Interesting that the system I'm testing is not showing up on this list.

    Yes, I did just install it. I will wait a little while to see if the signature download is the issue (didn't realize it - the interface doesn't really identify that it is doing it).

    Thanks...

  4. #4
    Master Untangler

    Also check that you have no bypass rules set up for your testing IP under Config->Network->Bypass Rules.

  5. #5
    Untangle Junkie dmorris

    If it's not shown in the scanned events, it's not being scanned.

  6. #6
    Untangler ctaranto

    Quote, originally posted by degraw32: "Also check that you have no bypass rules setup for your testing ip under Config->Network->Bypass Rules."

    Thanks. I had already checked that. I only have my VoIP phones bypassed (by IP address) and things going to port 5060 (for VoIP as well).

  7. #7
    Untangler ctaranto

    Never mind. Complete user error. I forgot I had my VPN client running. I turned it off and now it blocks that particular link.

    But ... runs at http://metal.fortiguard.com/tests/ do not get blocked (downloading the plain .com file succeeds). Also, activity at http://metal.fortiguard.com/tests/ does not get logged.

    Odd behavior...

    Update: Seems like any access to "metal.fortiguard.com" is not being logged (somehow bypassed). Going to "wholefoodsmarket.com" gets logged every time from the same machine.

    Update 2: The same machine just did a package update check and those were logged as well. fortiguard still not...
    Last edited by ctaranto; 03-28-2017 at 09:56 AM.

  8. #8
    Master Untangler

    Interesting. If I run the "plain test" (the first one), Untangle fails. But if I download the EICAR file separately, within the test using the download link, Untangle blocks an infected download from http://metal.fortiguard.com/generated/ei.

    I'm not sure what that means...
    Last edited by Sam Graf; 03-28-2017 at 10:34 AM.

  9. #9
    Untangler ctaranto

    I get the same behavior.

    It gets a little stranger.
    1. Run the first test of "Plain test file". It fails because the eicar.com file is downloaded.
    2. Click on the link of the eicar infected file. It downloads (i.e. not blocked).
    3. Copy the link to the EICAR infected file and paste it in the browser. VB blocks it.
    4. Go back and click on the link in step 2. VB now blocks it.
    5. Re-run the test. The test fails (VB doesn't block the infected file).
    6. Go back and click on the link in step 2. VB now doesn't block it.

    Something is broken.

    The runs where VB is supposed to block but doesn't never get logged.
    Last edited by ctaranto; 03-28-2017 at 12:40 PM.
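
A way to repeat the test from post #9 outside the browser (an added example, not part of the thread and not Untangle tooling): the script requests the test file several times and reports whether the gateway handled every request the same way. The URL is the one from the first post; the function names are illustrative, and treating any response that is not a valid EICAR file as "not-delivered" is an assumption about how a block looks from the client.

```python
import urllib.error
import urllib.request

# The 68-byte EICAR test string, assembled from pieces so that this source
# file is not itself quarantined by a scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-" + b"TEST-FILE!$H+H*"
PADDING = b" \t\r\n\x1a"  # only whitespace/Ctrl-Z may follow, 128 bytes in total


def is_eicar(body: bytes) -> bool:
    """True if body is a valid EICAR test file (string first, padding only)."""
    return (len(body) <= 128 and body.startswith(EICAR)
            and all(b in PADDING for b in body[len(EICAR):]))


def classify(body: bytes) -> str:
    """'delivered' = the test file reached the client; anything else
    (block page, reset, HTTP error) counts as 'not-delivered'."""
    return "delivered" if is_eicar(body) else "not-delivered"


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """One request per call; urllib opens a new connection each time."""
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.read(4096)          # body of an error or block response
    except (urllib.error.URLError, OSError):
        return b""                     # connection refused, reset or timed out


def summarize(outcomes: list) -> dict:
    """Count outcomes and flag runs where the gateway was not consistent."""
    delivered = outcomes.count("delivered")
    return {"delivered": delivered,
            "not_delivered": len(outcomes) - delivered,
            "consistent": delivered in (0, len(outcomes))}


if __name__ == "__main__":
    # URL taken from the first post; run from a client behind the gateway.
    url = "http://www.eicar.org/download/eicar.com"
    runs = [classify(fetch(url)) for _ in range(6)]
    print(runs, summarize(runs))
```

Each "delivered" run can then be looked up under "Scanned Web Events" in the reports, as post #2 suggests, to see whether the request was scanned at all.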

  10. #10
    Master Untangler Chrismal

    That test is geared to their product, it is useless. I even read some place that 1 of their own products failed it (in dslreports forums). The test failed in Untangle cos the extension is not scanned in UT. Do not worry, UT does a great job against malware. I can tell you it blocks many infections on networks I have UT on, and devices are always clean.
    Last edited by Chrismal; 03-28-2017 at 01:00 PM.
