05-07-2013 08:44 AM
Greetings,
Was wondering if any one else has faced this problem.
I have Sophos antivirus and when I create a rule with the vulnerability protection set to Strict, it blocks my connection to sophos server for updates. Once I relax the VP rule, it looks fine. Interestingly, I cannot see anything in the traffic/threat logs as well.
Has anyone faced such a situation and if yes, how was it managed?
Cheers
Kalyan
05-07-2013 09:07 AM
Are you saying you have "log at session end" checked in the actions tab, and you still don't see them show up in the threat log?
05-07-2013 09:28 PM
Also, as debugging, create a new profile where you set everything to alert that is:
Critical: Alert
High: Alert
Medium: Alert
Low: Alert
Informational: Alert
and then create a new security rule (only for this particular srcip or if its dstip in your case) above the current one. In this new security rule attach the new vuln profile from above.
Now you should hopefully see what is being identified for this traffic flow.
If you are not comfortable with setting all levels to Alert you can set them to Block (since this is just debug) - blocked traffic should be logged if you have set the "log on session end" (I guess "log on session start" wont pickup any threat).
However isnt the Threat log on its own not depending on what the security rule itself is set to? I mean I though the security rule was regarding Traffic logging. If a vuln should log or not is set in the vuln profile itself (such as Alert means log only while Block means block and log, while Allow will not log at all (for this you use Alert instead)).
05-08-2013 12:03 AM
Yes, I do have it as Log at session end.
05-08-2013 12:06 AM
Mikand - I was under the impression that Vuln profiles with specific actions set does log the events under Threat Monitor. None of the profiles have allow as an action, so I would ideally expect to see everything being logged in. But that is not the case. For some reason I cannot see any traffic or threat logs for Sophos updates. But upon disabling the rule, the updates work but still nothing in the traffic or threat logs 
Cheers
05-09-2013 06:03 AM
Did you try the suggestion that Mikand gave to create a new VP profile and set everything to alert? Have you updated the the application and threat signatures to the latest? Each CVE has an associated default action (allow, alert, reset, block). If you don't see anything in the threat log going to the dst address of sophos even after setting everything to alert, then It should not get blocked at any setting. If you do see it after setting everything to alert (like under informational threat) check to see what the CSV is set to as default for that CSV. If you don't see anything, I would open a case with TAC.
05-09-2013 09:50 AM
Tried all means possible. I am now raising it with TAC.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
