The Content Analysis Blacklist function is not blocking upload of a file
Last Updated February 04, 2019
I have calculated the SHA1 hash for a file and have entered it into Symantec Content Analysis (CA) from GUI > Services > Whitelist/Blacklist.
Content Analysis detects and blocks that SHA1 hash when the file is downloaded (RESPMOD). It does not block upload of the file in a POST request (REQMOD), even though the hash is in the blacklist.
When the file is uploaded, it is MIME-encoded. Because the file is MIME-encoded, the hash of the payload is altered, so the hash calculated from the original file will not match.
POST requests will still be scanned by the Antivirus and Predictive Analysis functions. If the file is malicious, these functions will detect the malicious payload.
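The hash mismatch described above can be reproduced offline with the following added example, which is not part of the original article. It assumes the upload is a multipart/form-data POST; the file bytes, boundary and function names are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy

# Constructed sample: stand-in bytes for the file whose SHA1 is on the blacklist.
FILE_BYTES = b"MZ\x90\x00constructed-sample-payload\r\n\x00\xff"
BOUNDARY = "----constructedBoundary7MA4"  # constructed value


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_upload_body(file_bytes: bytes, filename: str = "sample.bin") -> bytes:
    """Build the request body a client sends for a multipart/form-data upload."""
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{BOUNDARY}--\r\n".encode()
    return head + file_bytes + tail


def extract_file_parts(body: bytes) -> list[bytes]:
    """Parse the MIME body and return the decoded payload of each file part."""
    header = f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n".encode()
    msg = message_from_bytes(header + body, policy=policy.HTTP)
    return [p.get_payload(decode=True) for p in msg.iter_parts() if p.get_filename()]


def compare_hashes(file_bytes: bytes) -> dict:
    """Hash the original file, the encoded request body, and each decoded part."""
    body = build_upload_body(file_bytes)
    return {
        "file_sha1": sha1_hex(file_bytes),        # value entered in the blacklist
        "raw_body_sha1": sha1_hex(body),          # hash of the MIME-encoded payload
        "decoded_part_sha1": [sha1_hex(p) for p in extract_file_parts(body)],
    }


if __name__ == "__main__":
    for name, value in compare_hashes(FILE_BYTES).items():
        print(f"{name}: {value}")
```

The hash of the encoded body never equals the file's hash; the original hash is recovered only after the MIME part is decoded.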