We have a bunch of files that we created that we need to upload via ftp to a remote server through the PA.
The files trip the virus detector in the PA. Here's a syslog entry with some identifying information changed:
2014-06-16T15:22:31+10:00 10.84.1.33 [user warning] 22:31,000XXXXXXX,THREAT,virus,1,2014/06/16 15:22:25,10.84.20.250,22.214.171.124,0.0.0.0,0.0.0.0,I2E-ftp-rule-ftp,,,ftp,vsys1,Interior,External,ethernet1/2,ethernet1/1,mylog,2014/06/16 15:22:30,41521,1,36871,32182,0,0,0x0,tcp,deny,"myfile-06.06.0000-Beta-win64.exe",Virus/Win32.WGeneric.cpfjf(2455553),any,medium,client-to-server,236674,0x0,10.0.0.0-10.255.255.255,United States,0,
I scanned these files with several AV programs including clamav and I was able to upload it to virustotal (through the PA!) where it scanned completely clean.
If I turn off virus checking on our ftp rule then someone may be able to download files with viruses so I don't want to do that but we need these files uploaded.
How to do that?
Instead turning off the AV scan for the entire rule, you can put a threat exception for that Threat ID (2455553) in the relevant AV profile.
Here is a document that explains the same:
Or you can also exempt the IP addresses for that threat, so that exception is applied to a particular set of source and destination IP addresses. This is more granular approach than the previous one:
Hope that helps.
Thanks and regards,
Adding a threat exception means that if we ever get one of those we wouldn't be protected.
I want to be able to upload OK but have files tested on download.
Your answer, while helpful, doesn't answer the problem that we created these files and no-one else could find a virus in them.
I tried the "how to add exempt ip addresses" but it didn't work. I never get anything in the lower boxes and I never get an add button.
I created a new AV profile for this rule with this virus exempted from the list. But as I said, this won't protect us in the case someone tries to download a file that really has this virus.
Yes, you are correct. If you add a threat exception, that means, for the time being you wouldn't be protected. But, you always have an option to open a support case and provide detail information to modify the database in future release.
Secondly, there is no option to add exempt ip address on "Anti-Virus" profile. That option is avilable for "Vulnerability-profile".
Hope this helps.
It'd be good to open a support case but how do I do that? Every time I use this site everything has changed. When I try and make a support case I get redirected to salesforce.com and I have no login there.
Like I said when I go there and click on case management I get redirected to a salesforce.com login page. I have no idea what to do then I have no salesforce login.
I finally got the redirect to work but I can't apparently log a case because my support has to go through another company.
When you click on the Case Management link, you should be taken to the following page.
Click on the New Case button to open a case.
If you still encounter issues, open a case by calling Support. Refer to Contact Us for Support phone numbers.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!