Monday, February 4, 2008

New bug (USG300)

I finally got around to registering my Zywall USG 300 and activating the Anti-virus and IDP. To see that the service was in fact running I visited the Eicar site. I was very disappointed to see that there was no reaction from ZyAgent.

Checking the internal log in the Zywall revealed that the event had in fact been handled.


# Time Priority Category Message Source Destination Note
1 2008-02-04 00:29:57 warn Anti-Virus HTTP Virus infected - ID:2053,EICAR-Test-File,anti_virus_test_file.htm. xxx.xxx.xxx.xxx:80 xxx.xxx.xxx.xxx:4093 FILE DESTROY


This reminded me of the situation with my last post, where the logging was inconsistent. So I checked the syslog string that was sent from the Zywall.


<140>Feb 4 00:32:18 zywall-usg-300 src="xxx.xxx.xxx.xxx:80" dst="xxx.xxx.xxx.xxx:4123" msg="HTTP Virus infected - ID:2053,EICAR-Test-File,anti_virus_test_file.htm." note="FILE DESTROY" user="unknown" devID="xxxxxxxxxxxxx" cat="Anti Virus"


Once again we see there is a mismatch with the categories. It was tested with both the last available beta firmware and the last FCS firmware. Both had the same problem.
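
The mismatch matters to anything downstream that filters on `cat`: an exact match on the GUI name "Anti-Virus" misses the syslog value "Anti Virus". The Python sketch below is an added example, not part of the original post and not ZyXEL code; it parses the syslog string quoted above, decodes the PRI value, and normalizes the category before comparing. The function names and the normalization rule are assumptions.

```python
import re

# Constructed from the syslog string quoted in the post (addresses and devID stay masked).
SAMPLE = ('<140>Feb 4 00:32:18 zywall-usg-300 src="xxx.xxx.xxx.xxx:80" '
          'dst="xxx.xxx.xxx.xxx:4123" '
          'msg="HTTP Virus infected - ID:2053,EICAR-Test-File,anti_virus_test_file.htm." '
          'note="FILE DESTROY" user="unknown" devID="xxxxxxxxxxxxx" cat="Anti Virus"')

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
HEADER = re.compile(r'^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$')
PAIR = re.compile(r'(\w+)="([^"]*)"')


def normalize_category(cat):
    """Fold case and treat space, hyphen and underscore as one separator (assumed rule)."""
    return re.sub(r'[\s_-]+', '-', cat.strip().lower())


def parse_line(line):
    """Split a BSD-syslog line into PRI, header and key="value" fields."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("no syslog PRI/timestamp/host header found")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    fields = dict(PAIR.findall(m.group(4)))
    return {
        "facility": pri >> 3,            # 140 -> 17 (local1)
        "severity": SEVERITIES[pri & 7],  # 140 -> warning
        "timestamp": m.group(2),
        "host": m.group(3),
        "fields": fields,
        "category": normalize_category(fields.get("cat", "")),
    }


def matches_category(event, wanted):
    """Compare on the normalized form so 'Anti-Virus' and 'Anti Virus' agree."""
    return event["category"] == normalize_category(wanted)


if __name__ == "__main__":
    ev = parse_line(SAMPLE)
    print(ev["severity"], repr(ev["fields"]["cat"]), matches_category(ev, "Anti-Virus"))
```
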

The problem has been reported to the beta team; there has been no feedback yet. Due to Chinese New Year, I don't think there will be any feedback for at least a week.

I had a chance to look at the new USG 200 today, and it looked very nice. It is fan-less so might be a better option than the USG 300 as a home device. The new 2.1 firmware has some nice improvements to make life easier. I might post some screenshots and pictures if I get around to it.

wbr
Ted
