topic Re: How to scan SFTP over SSH file transfers for virus or malware in General Topics

How to scan SFTP over SSH file transfers for virus or malware

CobaltGroup — Wed, 17 Jul 2019 19:46:14 GMT

Hi all,

I just set up SSH decryption, also known as SSH proxy on the palo alto.

When I look at the actual sessions, I do see a checked box near to decrypted, so according to me the decryption itself works.

I also got a warning about a man in the middle attack after I enabled the decryption, because the keys changed.

Now what I want to achieve, is that SFTP file transfers are being scanned for virusses.

I downloaded the eicar.com test file to an external VPS on the internet, and I did SFTP to transfer this eicar.com file to a server I have protected by the palo alto and with SSH proxy decryption enabled.

Even though the palo sees the traffic, marks it as decrypted, and on the security antivirus is enabled, the palo does not seem to care about the fact that a virus is being uploaded.

What am I missing here?

Thank you for the pointers.

Re: How to scan SFTP over SSH file transfers for virus or malware

BPry — Thu, 18 Jul 2019 03:24:56 GMT

@CobaltGroup,

Repeat your test with a WildFire test file that you can download from the WildFire portal. Palo doesn't seem to count eicar files as malicous (because their not) and test with these files I've found to not work reliably as a test with their services.

Re: How to scan SFTP over SSH file transfers for virus or malware

CobaltGroup — Thu, 18 Jul 2019 07:25:45 GMT

I actually did do the test with a couple of different files.

I used the eicar.com file, I use the "wildfire-test-pe-file.exe" file and I downloaded some actual malware.

Even though I see a hit in the decryption policy, I'm under the impression nothing is being scanned, because in the threats nothing at all shows up.

Re: How to scan SFTP over SSH file transfers for virus or malware

SanthoshNarasimula — Wed, 24 Jan 2024 18:26:44 GMT

Did your issue resolved?