We have a bunch of files that we created that we need to upload via ftp to a remote server through the PA.
The files trip the virus detector in the PA. Here's a syslog entry with some identifying information changed:
2014-06-16T15:22:31+10:00 10.84.1.33 [user warning] 22:31,000XXXXXXX,THREAT,virus,1,2014/06/16 15:22:25,10.84.20.250,220.127.116.11,0.0.0.0,0.0.0.0,I2E-ftp-rule-ftp,,,ftp,vsys1,Interior,External,ethernet1/2,ethernet1/1,mylog,2014/06/16 15:22:30,41521,1,36871,32182,0,0,0x0,tcp,deny,"myfile-06.06.0000-Beta-win64.exe",Virus/Win32.WGeneric.cpfjf(2455553),any,medium,client-to-server,236674,0x0,10.0.0.0-10.255.255.255,United States,0,
I scanned these files with several AV programs including ClamAV and I was able to upload it to VirusTotal (through the PA!) where it scanned completely clean.
If I turn off virus checking on our ftp rule then someone may be able to download files with viruses so I don't want to do that but we need these files uploaded.
How do I do that?
Instead of turning off the AV scan for the entire rule, you can put a threat exception for that Threat ID (2455553) in the relevant AV profile.
Here is a document that explains the same:
Or you can also exempt the IP addresses for that threat, so that the exception is applied to a particular set of source and destination IP addresses. This is a more granular approach than the previous one:
Hope that helps.
Thanks and regards,
Adding a threat exception means that if we ever get one of those we wouldn't be protected.
I want to be able to upload OK but have files tested on download.
Your answer, while helpful, doesn't answer the problem that we created these files and no-one else could find a virus in them.
I tried the "how to add exempt ip addresses" but it didn't work. I never get anything in the lower boxes and I never get an add button.
I created a new AV profile for this rule with this virus exempted from the list. But as I said, this won't protect us in the case someone tries to download a file that really has this virus.
Yes, you are correct. If you add a threat exception, that means that, for the time being, you wouldn't be protected. But you always have the option to open a support case and provide detailed information to modify the database in a future release.
Secondly, there is no option to add exempt IP addresses on the "Anti-Virus" profile. That option is available for the "Vulnerability-profile".
Hope this helps.
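An added example, not part of the thread and not Palo Alto Networks code: a Python parser for THREAT syslog lines like the one quoted in the question. It pulls out the threat ID, file name, action and direction, so hits on uploads (client-to-server) can be counted separately from downloads and the details copied into a support case. The function names are hypothetical and the field offsets are assumptions read off that single sample line.

```python
import csv
import re
from collections import Counter

# Log line copied from the thread above (the poster had already altered identifying details).
SAMPLE = ('2014-06-16T15:22:31+10:00 10.84.1.33 [user warning] 22:31,000XXXXXXX,THREAT,virus,1,'
          '2014/06/16 15:22:25,10.84.20.250,220.127.116.11,0.0.0.0,0.0.0.0,I2E-ftp-rule-ftp,,,ftp,'
          'vsys1,Interior,External,ethernet1/2,ethernet1/1,mylog,2014/06/16 15:22:30,41521,1,36871,'
          '32182,0,0,0x0,tcp,deny,"myfile-06.06.0000-Beta-win64.exe",'
          'Virus/Win32.WGeneric.cpfjf(2455553),any,medium,client-to-server,236674,0x0,'
          '10.0.0.0-10.255.255.255,United States,0,')

# The threat field looks like "Name(ID)"; the ID is what a threat exception is keyed on.
THREAT_FIELD = re.compile(r'^(?P<name>.+)\((?P<id>\d+)\)$')


def parse_threat_line(line):
    """Parse one syslog line; return a dict for THREAT entries, None for anything else."""
    fields = next(csv.reader([line]), [])  # csv handles the quoted file name
    if "THREAT" not in fields:
        return None
    t = fields.index("THREAT")
    # Start at t + 12 and stop 3 short of the end so every offset below is in range.
    for i in range(t + 12, len(fields) - 3):
        m = THREAT_FIELD.match(fields[i])
        if m:
            # Offsets are assumptions read off the sample line, not a documented layout.
            return {
                "subtype": fields[t + 1], "src": fields[t + 4], "dst": fields[t + 5],
                "rule": fields[t + 8], "app": fields[t + 11],
                "action": fields[i - 2], "file": fields[i - 1],
                "threat_name": m["name"], "threat_id": m["id"],
                "severity": fields[i + 2], "direction": fields[i + 3],
            }
    return None


def summarize(lines):
    """Count hits per (threat ID, direction, action) to separate uploads from downloads."""
    hits = Counter()
    for line in lines:
        rec = parse_threat_line(line)
        if rec:
            hits[(rec["threat_id"], rec["direction"], rec["action"])] += 1
    return hits
```

Feeding a day of firewall syslog through `summarize` shows whether a signature only ever fires on your own outbound uploads or also on inbound transfers.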