Firewall unable to respond 'reset' to malicious content and HTTP response
Resolution
Symptom
The firewall can't respond with a 'reset' when the malicious content and the HTTP response code are sent as a single packet, even though the Antivirus Profile action 'reset-both' is properly configured.
This limitation can be seen when downloading the eicar test file (eicar_com.zip) from the public eicar site (http://www.eicar.org/). The customer sees the following.
- The firewall sends the "Virus/Spyware Download Blocked" page to the browser when downloading the eicar test file (eicar_com.zip) from the public eicar site (http://www.eicar.org/).
- While the "Virus/Spyware Download Blocked" page is sent, the configured action (in this case, reset-both) is logged as the triggered action of the event in the Threat log.
If the customer places the eicar test file (eicar_com.zip) on their own web server and then attempts to download the test file through the firewall, you see the following.
- "reset-both" is properly triggered and an RST is sent from the firewall to the browser side.
- The configured action (in this case, reset-both) is also logged properly as the triggered action of the event in the Threat log.
Case 1
This case shows a summary of how the limitation works.
Here is an example of the HTTP transaction between the browser and the eicar site "http://www.eicar.org/" when downloading the eicar test file (eicar_com.zip). The IP address of the eicar site is 188.40.238.250 and the browser's IP address is 1.1.1.4.
Screenshot of the capture showing the example HTTP transaction between the browser and the eicar site "http://www.eicar.org/" for downloading the eicar test file (eicar_com.zip):
From the capture above, you can see the HTTP transactions between the browser and the eicar site taking place in the following order.
- The browser sends "GET /download/eicar_com.zip HTTP/1.1" in packet No 809.
- The eicar site sends the malicious content and HTTP response code 200 as a single packet, packet No 812.
- The firewall sends "HTTP/1.1 503 Service Unavailable" with the page "Download of the virus/spyware has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error" to the browser side in packet No 813.
Screenshot of the Threat log generated when downloading eicar_com.zip from the eicar test site:
- We can see that reset-both is logged as the triggered action even though the firewall is sending "HTTP/1.1 503 Service Unavailable".
Case 2
This case shows a summary of how the firewall sends a "reset" in response to the malicious content.
Here is an example of the HTTP transaction between the browser and the private web server when downloading the eicar test file (eicar_com.zip). The IP address of the private web server hosting eicar_com.zip is 10.128.128.218 and the browser's IP address is 1.1.1.4.
Screenshot of the capture showing the example HTTP transaction between the browser and the private web server for downloading the eicar test file (eicar_com.zip):
Also note that the area highlighted in red in the screen capture above shows the private web server sending the malicious content and HTTP response code 200 as two packets, packets No 2004 and 2005.
From the capture above, you can see the HTTP/TCP transactions between the browser and the private server side taking place in the following order.
- The browser sends "GET /download/eicar_com.zip HTTP/1.1" in packet No 2002.
- The private web server sends the malicious content and HTTP response code 200 as two packets, packets No 2004 and 2005.
- You can also see in the screen capture below that the firewall sends an RST to the browser side in packet No 2010 instead of "HTTP/1.1 503 Service Unavailable", and that packet No 2002 and packet No 2010 belong to the same TCP stream.
Screenshot of the capture showing the firewall sending an RST packet to the browser after receiving the malicious content and HTTP response code 200 as two packets (No 2004 and 2005) from the private server:
Screenshot of the Threat log generated when downloading eicar_com.zip from the private server:
- We can see that reset-both is logged as the triggered action and the firewall sends an RST.
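The difference between Case 1 and Case 2 comes down to how the server framed its response on the wire. The following added example (not part of this article or the vendor's code) models that framing: given the segments of an HTTP download, it reports whether the status line and the body shared one segment, which is the condition under which the firewall falls back to the 503 block page instead of an RST, while the Threat log records reset-both either way. The packet numbers and IPs mirror the captures above; the zip-like body and the Segment class are constructed for the example.

```python
# Added example (not from the article); packet numbers, IPs and the body are constructed.
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"

@dataclass
class Segment:
    number: int      # packet number as it would appear in the capture
    src: str
    payload: bytes

def locate_response(segments, server_ip):
    """Return (header_packet, body_packet) of the server's HTTP response."""
    header_no = None
    for seg in segments:
        if seg.src != server_ip or not seg.payload:
            continue
        if header_no is None:
            if not seg.payload.startswith(b"HTTP/1."):
                continue
            header_no = seg.number
            end = seg.payload.find(HEADER_END)
            if end != -1 and len(seg.payload) > end + len(HEADER_END):
                return header_no, header_no   # body bytes share the header segment
            continue
        return header_no, seg.number          # first segment after the headers
    return header_no, None

def expected_behaviour(segments, server_ip):
    """Map the framing to the action the firewall can actually take; the
    Threat log records the configured 'reset-both' in every case."""
    header_no, body_no = locate_response(segments, server_ip)
    if header_no is None or body_no is None:
        observed = "no-http-response-seen"
    elif header_no == body_no:
        observed = "http-503-block-page"   # Case 1: single packet, no RST possible
    else:
        observed = "tcp-rst"               # Case 2: split packets, RST is sent
    return {"header_packet": header_no, "body_packet": body_no,
            "observed_action": observed, "logged_action": "reset-both"}

HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n"
BODY = b"PK\x03\x04<constructed-zip-body>"          # stands in for eicar_com.zip
GET = b"GET /download/eicar_com.zip HTTP/1.1\r\n\r\n"
# Case 1 (public site): headers and body in one segment, packet 812.
CASE1 = [Segment(809, "1.1.1.4", GET), Segment(812, "188.40.238.250", HDR + BODY)]
# Case 2 (private server): headers in packet 2004, body in packet 2005.
CASE2 = [Segment(2002, "1.1.1.4", GET), Segment(2004, "10.128.128.218", HDR),
         Segment(2005, "10.128.128.218", BODY)]
```

When validating a reset-both profile with a self-hosted test file, this is why a server that flushes headers and body separately shows the RST while the public site shows the block page.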