Gateway Anti-Virus Alert: Multi-compressed ZIP/GZIP file blocked
TZ470W. I've configured the firewall to block Multi-compressed ZIP/GZIP files. As a result, I'm occasionally flooded with alert e-mails about machines trying to download such a file. It's not user-initiated. The alert e-mail only lists the source and destination IP - not the file name. The same for the System Logs. The source IP-addresses differ, like 220.127.116.11, .248.99.254, 18.104.22.168, 22.214.171.124. They all resolve to a non-existent domain.
I temporarily disabled the blocking of multi-compressed ZIP-files in order for Capture ATP to process those files, but that doesn't list multi-compressed ZIP-files.
It could very well be these downloads are legitimate, like Windows Updates or something like that. But how do I figure out what's being downloaded and where it comes from?
@Simon_Weel did you enable "Log Virus URI" within the internal settings, which might give you a hint?
Ok, I switched it on, but where are those virus URIs logged?
@Simon_Weel they'll be logged in the Event Log.
Right, I had a look at the System Logs, but it doesn't list the URI.
@Simon_Weel do you have a link to the test file you are using?
F.Y.I. you should also get a blocked page in the browser showing the file URL as well as in the log (these below are with the Option enabled in the diag page)
F.Y.I. if you want to do an EICAR test you need to enable it in the GAV settings and disable the IPS, as it blocks the GAV from the EICAR detection. I know this is not what you are doing, but it is for other people who want to test the URL logging.
Well, that's the problem. The blocked downloads are not initiated by a user but by the system. So I suspect Windows (or another program) tries to download updates or something like that. The source IPs don't resolve, which either means it's a rogue source or, more probably, a CDN. But without a confirmed source or a confirmed file name, there's no way to decide whether the download is legit or not...
BTW, tried the EICAR file, but it's intercepted by the browser, no matter what I do...
Simon_Weel, sorry, I should have mentioned you need DPI-SSL enabled to block the EICAR now, as they are all HTTPS links.
Ah, yes, DPI-SSL.... Another thing I'm wrestling with. As soon as I enable it, I'm flooded with users no longer able to access particular websites and the like. And when excluding those sites from DPI-SSL, they still experience problems.....
OK, I pretty much know what's going on. As I already suspected - most blocked downloads for multi-compressed ZIP-files are coming from windowsupdate.com.
As said, most of the IP-addresses don't resolve. Nirsoft IPNetInfo to the rescue. It lists to whom those addresses belong. In this case Akamai and Level 3 Parent. That's a start, but we still don't know which files they are and where they come from. Again Nirsoft to the rescue - HTTPNetworkSniffer. I let it run for a day on a couple of machines and then had a look at the IP-addresses of the contacted servers. It lists not only the URL where the files are coming from, but also the file in question.
I think I could have done the same with the Packet Monitor on the TZ470, but I don't know exactly how to configure that.
So I created an exception for windowsupdate.com and I guess this will eliminate most of the blocked downloads.
Bummer. Adding windowsupdate.com as exception didn't work. Now I'm stuck....
Hi @Simon_Weel, you may also want to enable this here, as App Control should pick it up; you need to enable App Control on the Zone as well.
Hi @Simon_Weel, I've just been testing with the App Control option enabled and it does indeed show the filename. You can tell it is the same as the GAV Alert because the source and destination ports are the same, see below.
Hello @preston, I enabled the option last Friday and boy, did I get results.... My mailbox was flooded with about 30.000 mails.... The majority of them about ActiveSync. We have an on-premise Exchange server and a bunch of connected smart phones. Turns out they all exchange small files with the Exchange server - about 5 per second. And they all get logged....
So now I'm looking for a way to exclude ActiveSync messages from being logged.
Hi Simon_Weel, if you go to device/log settings and browse to Security Services/Application Control, edit the filename logging settings. You can either disable the option "Send Events as Email Events" as below; this way it will log in the GUI and send via Syslog if you are using on-prem Analytics with Syslog or another reporting tool like Fast Vue, but you won't get the email alerts. Or, if you want fewer emails, you can leave it enabled but change the redundancy from 0, which includes all events, to a higher figure of your choosing.
Just to clarify: even with this disabled you would still receive the information when it sends you the firewall logs; you just won't receive an email every time the event happens in the log.
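As an added illustration of the correlation preston describes (tying the GAV "Multi-compressed ZIP/GZIP file blocked" alert to the App Control filename event on the same source and destination ports) and of dropping the ActiveSync noise Simon_Weel ran into, here is a small Python script that is not part of the thread or of SonicWall's own tooling. The key=value syslog layout, host names, file names and addresses are all assumed or constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in an assumed SonicWall-like key=value style.
# Addresses are RFC 5737 documentation ranges; file names and hosts are made up.
SAMPLE_LOG = """\
time="2024-03-11 09:12:01" msg="Gateway Anti-Virus Alert: Multi-compressed ZIP/GZIP file blocked" src=192.0.2.20:52110:X0 dst=203.0.113.7:80:X1
time="2024-03-11 09:12:01" msg="Application Control Detection Alert" src=192.0.2.20:52110:X0 dst=203.0.113.7:80:X1 fileName="example-update.cab" dstname=download.windowsupdate.com
time="2024-03-11 09:12:02" msg="Application Control Detection Alert" src=192.0.2.31:49333:X0 dst=192.0.2.5:443:X0 fileName="Microsoft-Server-ActiveSync" dstname=mail.example.com
time="2024-03-11 09:12:03" msg="Gateway Anti-Virus Alert: Multi-compressed ZIP/GZIP file blocked" src=192.0.2.44:61002:X0 dst=198.51.100.9:443:X1
"""

# key=value pairs; quoted values may contain spaces, unquoted ones stop at whitespace
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one log line into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def endpoint(value):
    """'192.0.2.20:52110:X0' -> ('192.0.2.20', '52110'); the interface suffix is dropped."""
    ip, port = value.split(":")[:2]
    return ip, port

def flow_key(rec):
    """4-tuple (src ip, src port, dst ip, dst port) shared by both log entries of one flow."""
    return endpoint(rec["src"]) + endpoint(rec["dst"])

def is_activesync(rec):
    """Exchange ActiveSync chatter that floods the filename log; suppress it."""
    return "activesync" in rec.get("fileName", "").lower()

def correlate(lines):
    """For each GAV block alert, attach the file names App Control logged on the same 4-tuple."""
    names = defaultdict(list)
    gav = []
    for line in lines:
        rec = parse_line(line)
        if "src" not in rec or "dst" not in rec:
            continue  # not a connection event
        if rec.get("msg", "").startswith("Gateway Anti-Virus Alert"):
            gav.append(rec)
        elif "fileName" in rec and not is_activesync(rec):
            names[flow_key(rec)].append((rec["fileName"], rec.get("dstname", "?")))
    # A GAV alert with an empty file list is one App Control did not see (e.g. zone not enabled)
    return [{"src": endpoint(r["src"])[0], "dst": endpoint(r["dst"])[0],
             "files": names.get(flow_key(r), [])} for r in gav]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG.splitlines()):
        print(hit)
```

Feed it the syslog export instead of SAMPLE_LOG to get one row per blocked download with the file name and host behind it, which is the picture the e-mail alert alone does not give.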
Right, with some fiddling on the firewall logs and some filters in Outlook to throw away unneeded stuff, I now get a pretty good picture of blocked files and where they come from. Thanks!
@Simon_Weel no problem glad to help