Palo Alto Networks Knowledgebase: Antivirus block page presents inconsistent behavior

Created On 02/07/19 23:36 PM - Last Updated 02/07/19 23:36 PM
Symptom

Testing a virus download from different websites using SSL Decryption yields different results.

Sometimes you receive a response page indicating Virus/Spyware Download block, and on other sites you don't see a response page. In the response-page case, a packet capture also shows that a reset is sent only to the server: instead of reset-both, the firewall presents a response page to the client and resets the server side of the session.

The configured action for the Antivirus profile is reset-both.

User-added image

We are presented with two samples of the EICAR file, hosted on different websites:

First website

https://secure.eicar.org/eicarcom2.zip

At the time of testing, secure.eicar.org resolves to IP address 213.211.198.58

The resulting Threat log entry shows a reset-both action:

User-added image

The web browser does not present a response page:

User-added image

Second website

https://www.ikarussecurity.com/fileadmin/user_upload/testviren/eicarcom2.zip

At the time of testing, www.ikarussecurity.com resolves to IP address 91.212.136.200

User-added image 

The web browser presents a response page:

User-added image

Resolution

The behavior is 'as designed'.

The reason for the behavior seen with the first website, https://secure.eicar.org/eicarcom2.zip, is that we do not detect the threat in the first packet of the response. By the time the signature matches, the HTTP headers have already been forwarded to the client, so a response page can no longer be inserted into the session; the only action left is to send a reset to both client and server, as configured in the profile.

In the case of the second website, https://www.ikarussecurity.com/fileadmin/user_upload/testviren/eicarcom2.zip, we detect the threat early, in the first packet of the response, before anything has been forwarded to the client, so we are able to send a response page to the client.

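The mechanism described in the resolution, modelled as an added example (this is illustrative code, not PAN-OS code): a simulated inline scanner forwards each server-to-client packet as soon as it has been scanned, so a signature that matches in the first packet can still be turned into a block page, while a match in any later packet can only be answered with resets. The signature string, the 1460-byte segment size and the two HTTP responses are constructed for the illustration.

```python
"""Why a reset-both antivirus verdict sometimes yields a block page and
sometimes only a TCP reset. Added illustration, not PAN-OS code."""
from typing import Dict, List

# Constructed signature so the simulated scanner has something to match
# (a marker string, not the real EICAR test file).
SIGNATURE = b"EICAR-TEST-MARKER"
MSS = 1460  # assumed TCP payload size per segment


def segment(response: bytes, mss: int = MSS) -> List[bytes]:
    """Split a server->client HTTP response into segment-sized packets."""
    return [response[i:i + mss] for i in range(0, len(response), mss)]


def block_outcome(packets: List[bytes], signature: bytes = SIGNATURE) -> Dict[str, object]:
    """Run server->client packets through a simulated inline scanner whose
    profile action is reset-both and report what each side receives.

    Each packet is forwarded to the client right after it is scanned, so
    whatever earlier packets carried is already gone by the time a later
    packet triggers the verdict."""
    forwarded = b""
    for idx, pkt in enumerate(packets, start=1):
        # Scan together with already-forwarded data so a signature that
        # straddles a segment boundary is still caught.
        if signature in forwarded + pkt:
            if not forwarded:
                # Match in the first packet: not even the status line and
                # headers have reached the client, so the firewall can answer
                # the request with its own block page and reset only the
                # server side of the session.
                return {"detected_in_packet": idx, "client": "response-page",
                        "server": "rst", "headers_already_sent": False}
            # Match in a later packet: headers (and part of the body) were
            # already delivered, so no block page can be injected; the only
            # remaining action is a reset to both client and server.
            return {"detected_in_packet": idx, "client": "rst",
                    "server": "rst", "headers_already_sent": True}
        forwarded += pkt
    return {"detected_in_packet": None, "client": "allowed",
            "server": "allowed", "headers_already_sent": True}


def build_response(body: bytes) -> bytes:
    """Constructed HTTP/1.1 200 response carrying `body`."""
    head = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/zip\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


# Case 1: small file, the signature sits right behind the headers, so the
# whole response fits in the first segment -> response page.
small = build_response(b"PK\x03\x04 constructed archive bytes " + SIGNATURE)
# Case 2: the same marker preceded by ~2 KiB of other content, so it lands
# in the second segment -> reset-both only.
large = build_response(b"\x00" * 2048 + SIGNATURE)


def demo() -> Dict[str, Dict[str, object]]:
    """Outcomes for both constructed responses, keyed by case name."""
    return {"small": block_outcome(segment(small)),
            "large": block_outcome(segment(large))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Both outcomes come from the same profile action; what differs is only how much of the response had already left the firewall when the signature matched, which is why the configured action alone does not predict whether a user will see a response page.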
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm6lCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail