Anti-Virus does not detect malicious file when downloading over HTTPS, although the same malicious file is detected correctly when downloading it over HTTP
Symptoms
  • Anti-Virus does not detect a malicious file when it is downloaded over HTTPS.

  • Anti-Virus detects the same malicious file correctly when it is downloaded over HTTP.

  • Scenario:

    1. Enable Anti-Virus blade
    2. Download Anti-Virus updates
    3. Enable Anti-Virus inspection of all file types ('Threat Prevention' tab - Profiles - select the profile - click on 'Edit...' - go to 'Anti-Virus Settings' - in 'File Types' section, select 'Process all file types')
    4. Generate/Install HTTPS Inspection Certificate ('Threat Prevention' tab - expand 'Advanced' - expand 'HTTPS Inspection' - go to 'Gateways' - "Create" new Certificate - "Add" your Security Gateway object - install policy)
    5. Install the created Certificate on internal Client in "Trusted Root Certification Authorities"
    6. From the internal Client, connect to Server over HTTP - download a malicious file - it will be detected correctly
    7. From the internal Client, connect to Server over HTTPS - download a malicious file - it will not be detected as malicious
  • Kernel debug ('fw ctl debug -m dlpk + cmi' and 'fw ctl debug -m fw + malware') when downloading a malicious file via HTTPS shows:

    ............
    ;mal_conn_table_get_conn_policy: dir 0, Client_IP_Address:Source_Port -> Server_IP_Address:443 IPP 6 policy X, profile N; 
    ............
    ;dlpk_cmi_AV_handle_async_result: conn_id=Y, session_id=Z, dlpk action=ACCEPT;
    ............
    ;dlpk_cmi_AV_handle_async_result: session_type=1; action=ACCEPT; av_session_initiators=1; current_av_session_initiators=0;
    ............
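
Added example, not part of the original article and not Check Point code: a shell check that reports whether a saved kernel debug contains the three lines quoted above for a port 443 connection. The function names, file handling and sample lines are assumptions; the sample addresses and IDs are constructed.

```shell
#!/bin/sh
# Assumption: the kernel debug was saved to a text file and its lines follow
# the layout quoted in this article. The quoted policy-lookup line carries no
# conn_id, so this checks presence only; capture just the test download.

# Prints per-pattern counts; returns 0 only if all three lines are present.
sk_signature_check() {
    awk '
        # Anti-Virus policy lookup for a connection to destination port 443
        /mal_conn_table_get_conn_policy:/ && /-> [^ ]+:443 / { policy++ }
        # Connection-level Anti-Virus verdict
        /dlpk_cmi_AV_handle_async_result: conn_id=/ && /dlpk action=ACCEPT/ { verdict++ }
        # Session-level verdict
        /dlpk_cmi_AV_handle_async_result: session_type=/ && /action=ACCEPT/ { session++ }
        END {
            printf "port443_policy=%d av_accept=%d session_accept=%d\n", policy, verdict, session
            exit !(policy > 0 && verdict > 0 && session > 0)
        }
    ' "$1"
}

# Constructed sample: the three quoted lines with placeholder values filled in.
write_https_sample() {
    cat > "$1" <<'EOF'
;mal_conn_table_get_conn_policy: dir 0, 192.0.2.10:51514 -> 198.51.100.20:443 IPP 6 policy 1, profile 0;
;dlpk_cmi_AV_handle_async_result: conn_id=7, session_id=3, dlpk action=ACCEPT;
;dlpk_cmi_AV_handle_async_result: session_type=1; action=ACCEPT; av_session_initiators=1; current_av_session_initiators=0;
EOF
}

# Constructed sample: an HTTP (port 80) lookup only. The article does not show
# the verdict lines for the HTTP case, so none are invented here.
write_http_sample() {
    cat > "$1" <<'EOF'
;mal_conn_table_get_conn_policy: dir 0, 192.0.2.10:51520 -> 198.51.100.20:80 IPP 6 policy 1, profile 0;
EOF
}

# Demo run on the constructed HTTPS sample.
demo=$(mktemp)
write_https_sample "$demo"
sk_signature_check "$demo" && echo "capture matches the debug lines listed in this article"
rm -f "$demo"
```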
    
Solution