Was wondering if anyone else has faced this problem.
I have Sophos antivirus and when I create a rule with the vulnerability protection set to Strict, it blocks my connection to the Sophos server for updates. Once I relax the VP rule, it looks fine. Interestingly, I cannot see anything in the traffic/threat logs either.
Has anyone faced such a situation and if yes, how was it managed?
Also, for debugging, create a new profile where you set everything to Alert, that is:
and then create a new security rule (only for this particular srcip, or dstip if that is your case) above the current one. In this new security rule attach the new vuln profile from above.
Now you should hopefully see what is being identified for this traffic flow.
If you are not comfortable with setting all levels to Alert you can set them to Block (since this is just debug). Blocked traffic should be logged if you have set "log on session end" (I guess "log on session start" won't pick up any threat).
However, isn't the Threat log on its own independent of what the security rule itself is set to? I mean, I thought the security rule was regarding Traffic logging. Whether a vuln should log or not is set in the vuln profile itself (such as: Alert means log only, while Block means block and log, while Allow will not log at all (for this you use Alert instead)).
Mikand - I was under the impression that Vuln profiles with specific actions set do log the events under Threat Monitor. None of the profiles have Allow as an action, so I would ideally expect to see everything being logged. But that is not the case. For some reason I cannot see any traffic or threat logs for Sophos updates. But upon disabling the rule, the updates work but there is still nothing in the traffic or threat logs.
Did you try the suggestion that Mikand gave to create a new VP profile and set everything to Alert? Have you updated the application and threat signatures to the latest? Each CVE has an associated default action (allow, alert, reset, block). If you don't see anything in the threat log going to the dst address of Sophos even after setting everything to Alert, then it should not get blocked at any setting. If you do see it after setting everything to Alert (like under informational threat), check to see what the default is set to for that CVE. If you don't see anything, I would open a case with TAC.
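Once the alert-only profile is in place, the next step in the thread is to look at the threat log for the Sophos destination and see which signature fired and at what severity. The script below is an added example (not from this thread, not Palo Alto code) that does that triage offline over an exported threat log: the CSV column names, the sample rows, the IP addresses and the threat IDs/names are all constructed for the example and are not the real export schema or real signatures.

```python
"""Triage exported threat-log rows for one destination IP.

Added example: groups hits per signature so you can see which threat IDs
fired against the update server and with which action. The CSV layout below
is an assumption for this example, not the exact firewall export schema.
"""
import csv
import io

# Constructed sample export. IPs are documentation ranges and the threat
# IDs/names are placeholders, not real signatures.
SAMPLE_THREAT_LOG = """\
receive_time,src,dst,dport,app,threat_id,threat_name,severity,action
2024/01/10 09:12:01,10.1.1.25,203.0.113.10,443,ssl,90001,example-sig-a,informational,alert
2024/01/10 09:12:03,10.1.1.25,203.0.113.10,443,ssl,90001,example-sig-a,informational,alert
2024/01/10 09:12:05,10.1.1.25,203.0.113.10,80,web-browsing,90002,example-sig-b,low,alert
2024/01/10 09:13:10,10.1.1.40,198.51.100.7,443,ssl,90003,example-sig-c,high,reset-both
"""


def parse_threat_log(text):
    """Parse CSV text (header row first) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_destination(rows, dst_ip):
    """Group rows for one destination by threat_id.

    Returns {threat_id: {"name", "severity", "hits", "actions"}} where
    "actions" is the sorted list of distinct actions seen for that signature.
    """
    summary = {}
    for row in rows:
        if row["dst"] != dst_ip:
            continue
        entry = summary.setdefault(row["threat_id"], {
            "name": row["threat_name"],
            "severity": row["severity"],
            "hits": 0,
            "actions": set(),
        })
        entry["hits"] += 1
        entry["actions"].add(row["action"])
    for entry in summary.values():
        entry["actions"] = sorted(entry["actions"])
    return summary


def alert_only_hits(summary):
    """Threat IDs that only ever fired with action 'alert'.

    With an all-Alert debug profile these are the signatures whose default
    action in the real (Strict) profile is worth checking next.
    """
    return sorted(tid for tid, e in summary.items() if e["actions"] == ["alert"])


if __name__ == "__main__":
    rows = parse_threat_log(SAMPLE_THREAT_LOG)
    summary = summarize_by_destination(rows, "203.0.113.10")
    for tid, entry in summary.items():
        print(tid, entry)
    print("review default action for:", alert_only_hits(summary))
```

Point the script at a real export by replacing `SAMPLE_THREAT_LOG` with the file contents and `203.0.113.10` with the update server's address; if the destination returns an empty summary even with the all-Alert profile applied, that matches the "nothing in the threat log" case the thread describes and the signature check is not where the block is coming from.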