Antivirus block page presents inconsistent behavior
Symptom
Testing a virus download from different websites using SSL Decryption yields different results.
Sometimes you receive a response page indicating a Virus/Spyware Download block, and on other sites you do not see a response page at all. In the first case, you can also see that whenever the response page is triggered, a reset is sent only to the server: instead of reset-both, the firewall presents the response page to the client and sends a reset to the server.
The configured action for the Antivirus profile is reset-both.
We are presented with two samples of the EICAR test file, hosted on different websites:
First website
https://secure.eicar.org/eicarcom2.zip
At the time of testing, secure.eicar.org resolves to IP address 213.211.198.58
The resulting Threat log entry shows a reset-both action:
The web browser does not present a response page:
Second website
https://www.ikarussecurity.com/fileadmin/user_upload/testviren/eicarcom2.zip
At the time of testing, www.ikarussecurity.com resolves to IP address 91.212.136.200
The web browser presents a response page:
Resolution
The behavior is 'as designed'.
The reason for the behavior seen with the first website, https://secure.eicar.org/eicarcom2.zip, is that we do not detect the threat in the first packet of the response. By the time the threat is detected, the HTTP headers have already been transmitted to the client, so a response page can no longer be sent. The only action left is to send a reset to both client and server, as configured in the profile.
In the case of the second website, https://www.ikarussecurity.com/fileadmin/user_upload/testviren/eicarcom2.zip, we detect the threat early, in the first packet of the response, so we are able to send a response page to the client.
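The constraint described above (a response page can only replace the server reply while nothing has been released to the client yet) is easy to see in a small simulation. The following is an added example and is not PAN-OS code or any part of the firewall; the InlineScanner class, the scan_response() helper, the block page and the three constructed server responses are all assumptions made for illustration. It uses the standard EICAR test string as the "threat" and shows that the same reset-both profile action produces a response page for one packetization of the download and only resets for the other, including the case where the signature straddles two packets.

```python
"""Simulation of inline antivirus response-page logic (added example, not PAN-OS code)."""
from dataclasses import dataclass, field

# Constructed test payload: the standard EICAR test string, harmless by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed block page the inspector injects in place of the server's reply.
BLOCK_PAGE = (
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n"
    b"<html><body><h1>Virus/Spyware Download Blocked</h1></body></html>"
)


@dataclass
class InlineScanner:
    """Hypothetical inline scanner sitting on a decrypted session between client and server."""
    action: str = "reset-both"   # configured Antivirus profile action
    forwarded: int = 0           # bytes already released to the client
    tail: bytes = b""            # carry-over so a signature split across packets is still caught
    threat_log: list = field(default_factory=list)

    def on_server_packet(self, data: bytes) -> dict:
        """Inspect one server-to-client packet and return what the inspector does with it."""
        window = self.tail + data
        if EICAR in window:
            if self.forwarded == 0:
                # Nothing has reached the client yet: the reply can be replaced by a page,
                # so only the server side needs a reset.
                verdict = {"action": self.action, "response_page": BLOCK_PAGE,
                           "reset_client": False, "reset_server": True}
            else:
                # Headers (or more) are already with the client: a page would be injected
                # mid-stream, so the only option is to reset both ends.
                verdict = {"action": self.action, "response_page": None,
                           "reset_client": True, "reset_server": True}
            self.threat_log.append({"threat": "EICAR test file", "action": self.action,
                                    "response_page_sent": verdict["response_page"] is not None})
            return verdict
        # Clean so far: release to the client and keep the tail for straddling matches.
        self.forwarded += len(data)
        self.tail = window[-(len(EICAR) - 1):]
        return {"action": "allow", "forward": data}


def scan_response(packets: list, action: str = "reset-both") -> dict:
    """Run a whole server response through the scanner and return the final verdict."""
    scanner = InlineScanner(action=action)
    verdict = {"action": "allow", "forward": b""}
    for pkt in packets:
        verdict = scanner.on_server_packet(pkt)
        if verdict["action"] != "allow":
            break
    verdict["threat_log"] = scanner.threat_log
    return verdict


# Constructed traffic. Server A sends its headers alone and the file body later;
# server B fits the headers and the start of the body into its first packet;
# the "split" server breaks the signature itself across two packets.
HEADERS = b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\nConnection: close\r\n\r\n"
SERVER_A = [HEADERS, b"PK\x03\x04" + EICAR + b"..."]
SERVER_B = [HEADERS + b"PK\x03\x04" + EICAR, b"..."]
SERVER_SPLIT = [HEADERS + b"PK\x03\x04" + EICAR[:20], EICAR[20:] + b"..."]

if __name__ == "__main__":
    for name, pkts in (("A", SERVER_A), ("B", SERVER_B), ("split", SERVER_SPLIT)):
        v = scan_response(pkts)
        print(name, v["action"],
              "response page" if v.get("response_page") else "no response page",
              "reset_client=%s reset_server=%s" % (v.get("reset_client"), v.get("reset_server")))
```

Server A reproduces the first website: the Threat log records reset-both, but the browser sees only a dropped connection. Server B reproduces the second website: the same profile action yields a block page and a reset toward the server only. The straddling case behaves like server A, which is why a log entry showing reset-both with no visible page is not a sign of a misconfigured profile.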