-
- Service Provider
- Posts: 234
- Liked: 40 times
- Joined: Mar 08, 2010 4:05 pm
- Full Name: John Borhek
Can a stateful firewall detect a virus/trojan in replica?
So I was wondering if a stateful firewall (Sonicwall) could detect a virus during replication over a VPN?
Say, a file server that is being replicated has a virus/trojan on the source side. The Sonicwall is detecting and blocking a trojan that it detects between the source and destination proxy, which also kills the job.
The only other possibility I can imagine is that the Sonicwall is incorrectly identifying Veeam replication as a virus/trojan; but this is contradicted by the fact that other jobs run successfully (DC's, Exchange, etc), it is only the Fileserver replication that is setting the Sonicwall off.
Thanks,
-J
John Borhek, Solutions Architect
https://vmsources.com
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
Re: Can a stateful firewall detect a virus/trojan in replica
Hi John,
Can you try any other 3rd party tool to check if you have any malware/virus/trojan on the file server? Also, do you have any details on what file the Sonicwall is reporting about?
Thanks!
-
- Service Provider
- Posts: 234
- Liked: 40 times
- Joined: Mar 08, 2010 4:05 pm
- Full Name: John Borhek
Re: Can a stateful firewall detect a virus/trojan in replica
Yes, we found a Trojan buried in a folder on the fileshare! I do not have the model number of the device, but the report is as follows:
Time ID Category Priority Message Source Destination
19:30 Oct 01 809 Security Services Alert Gateway Anti-Virus Alert Trojan Blocked <Source Proxy IP> <Destination proxy IP>
John Borhek, Solutions Architect
https://vmsources.com
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
Re: Can a stateful firewall detect a virus/trojan in replica
Wow! Glad that you've nailed it, though it is still not very clear to me how this firewall parses VPN traffic and searches for trojans.
-
- Service Provider
- Posts: 234
- Liked: 40 times
- Joined: Mar 08, 2010 4:05 pm
- Full Name: John Borhek
Re: Can a stateful firewall detect a virus/trojan in replica
Not quite nailed - and not clear at all to me how a Sonicwall is able to parse compressed and de-duped Veeam Replication frames? It should be stated that the Sonicwall is used to create the VPN, so it has access to the frames prior to IPsec encryption.
Here are a few other details:
- There are about 10 VMs, mostly in jobs of 1 or 2 VM's/job. Only one is affected.
- The affected VM is in its own job. Veeam sends disk 1 and gets about 70 of 400 GB from disk 2 transmitted when the firewall blocks traffic. The job simply gets "stuck" from about the 2nd hour until we manually stop it (as much as 25 hours later).
- We did locate several trojans on the affected VM, but several Antivirus platforms report them as eradicated.
- If I am reading the log file correctly, it is blocking 192.168.0.10, 51252 (port 51252) on the source side to 192.168.100.10,2504 (port 2504) on the destination side.
- All of the other jobs process successfully, even while the affected VM (a fileserver) is stuck. They all use the same proxies.
-J
John Borhek, Solutions Architect
https://vmsources.com
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
Re: Can a stateful firewall detect a virus/trojan in replica
unsichtbarre wrote:
> Not quite nailed - and not clear at all to me how a Sonicwall is able to parse compressed and de-duped Veeam Replication frames?
They state it "integrates advanced decompression technology that automatically decompresses and scans files on a per packet basis".
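
Added example, not part of the thread and not SonicWall's or Veeam's code: a minimal per-packet stream scanner illustrating the general idea behind the vendor statement quoted above. It assumes zlib as a stand-in for the compression and a constructed, harmless marker as the signature; Veeam's actual wire format and the firewall's engine are not modelled.

```python
import zlib

# Constructed, harmless marker standing in for a malware signature (assumption).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


class StreamScanner:
    """Scan one TCP stream packet by packet, without reassembling whole files."""

    def __init__(self, signature, inflate=False):
        self.signature = signature
        self.tail = b""  # last len(signature)-1 bytes already inspected
        self.inflater = zlib.decompressobj() if inflate else None
        self.hit = False

    def feed(self, payload):
        """Inspect one packet payload; return True once the signature is seen."""
        if self.inflater is not None:
            try:
                payload = self.inflater.decompress(payload)
            except zlib.error:
                self.inflater = None  # not a zlib stream: scan the raw bytes
        window = self.tail + payload
        if self.signature in window:
            self.hit = True
        keep = len(self.signature) - 1
        self.tail = window[-keep:] if keep else b""
        return self.hit


def packetize(data, size):
    """Split a byte stream into packet-sized payloads."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def scan(data, size=1400, inflate=False):
    """Return True if the scanner would flag (and a gateway would drop) the flow."""
    scanner = StreamScanner(SIGNATURE, inflate=inflate)
    return any(scanner.feed(p) for p in packetize(data, size))


# Constructed sample: a "disk block" with the marker straddling a packet boundary.
BLOCK = b"A" * 1390 + SIGNATURE + b"B" * 4000
COMPRESSED = zlib.compress(BLOCK)

if __name__ == "__main__":
    print("raw stream:", scan(BLOCK))
    print("compressed, no inflate:", scan(COMPRESSED, size=16))
    print("compressed, streaming inflate:", scan(COMPRESSED, size=16, inflate=True))
```

The scanner matches bytes in the flow and knows nothing about the application protocol, which is why a block of file data carried inside a replication stream can trigger the same alert as a file download.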