20-Feb-2021 07:13 - last edited on 22-Nov-2022 15:12 by JimmyPackets
Hi,
I am trying to integrate F5 ASM WAF with OPSWAT Metadefender, but when I try to upload an EICAR file the browser just shows a blank white page. I am using a default security policy in blocking mode and have configured the settings according to the F5 BIG-IP ASM (WAF) OPSWAT guide.
When I try to upload the test file I get a blank browser, and if I check the source code in the browser I see the following:
window["bobcmn"] = "101110101010102000000022ffffffff2ffffffff20000000220156c0ea200000000200000000200000000300000044multipart%2fform%2ddata%3b%20boundary%3d%2d%2d%2d%2dWebKitFormBounda300000000300000000300000000300000000300000007httpsc3000000b008a59e5661ab20000adb568196d38950bf7928e988d64266cafbda4956605335d523cb0c44e211db089aede8158b2800a5d271c7e2a6f9d94d8c4ad7cd49022d5f72b236f5ca5943b07c111a9484727f3b29e542d2d2302b300000002TS300000165%2d%2d%2d%2d%2d%2dWebKitFormBoundaryxbm3Qt79jKjmxoOz
Content%2dDisposition%3a%20form%2ddata%3b%20name%3d%22filename%22%3b%20filename%3d%22eicar.com%22
Content%2dType%3a%20application%2foctet%2dstream
X5O!P%25@AP[4%5cPZX54(P%5e)7CC)7}%24EICAR%2dSTANDARD%2dANTIVIRUS%2dTEST%2dFILE!%24H%2bH%2a
%2d%2d%2d%2d%2d%2dWebKitFormBoundaryxbm3Qt79jKjmxoOz%2d%2d
200000000";
"</script>
</APM_DO_NOT_TOUCH>
<script type="text/javascript" src="/TSbd/08a59e5661ab2000a21cb91986bc897b6b354965ec350caba4c8ca55a7b089798844a4727e8dc553?type=5"></script><noscript>Please enable JavaScript to view the page content.<br/>Your support ID is: 8648386876400468880.</noscript>
</head><body>
</body></html>"
Is there something in the ASM policy that needs to be changed?
23-Feb-2021 07:16
I have the exact same issue, except we're not using Metadefender but a different scanning engine.
A 'virus found' should result in a response page I have configured with a 500 status code with the supportid embedded in json, but instead I get a 200 with this html page and javascript.
Running v15.1.1
23-Feb-2021 12:34
Hello,
What client do you use to send request?
Do you configure any other protection on your VS except anti-virus protection?
According to the data in the blocking response page ("Please enable JavaScript to view the page content") it seems like you send the request from a client which doesn't support JS, while according to your configuration (maybe you have a Bot profile) it must have it.
Most probably this issue is not related to anti-virus protection by itself.
What violations (blocking reasons) do you get in the request log?
Thanks, Ivan
24-Feb-2021 02:30
We have a basic web page that allows attaching a file upload; eicar.txt is used in our case. This is posted as multipart.
Behaviour is consistent across different browsers: both Chrome and Edge show the same result. Both have JavaScript enabled in the settings.
There are no additional protections active on the VS: DoS protection and Bot Defense are disabled.
The only violation that is shown is 'Virus found'.
24-Feb-2021 10:38
Ok, got it. Several more questions to localize the problem:
Thanks, Ivan
25-Feb-2021 03:17
To answer your questions:
Invoke-WebRequest -Uri "https://www.website.com/api/fdf/form/posttask" `
-Method "POST" `
-Headers @{
"Accept"="application/json, text/javascript, */*; q=0.01"
"X-DIF-APIKEY"="101D9BEF-F159-4470-BB9C-D6C30AC12F77"
"X-Requested-With"="XMLHttpRequest"
"X-DIF-CAT"="asrnl"
"User-Agent"="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
"Origin"="https://www.website.com"
"Sec-Fetch-Site"="same-origin"
"Sec-Fetch-Mode"="cors"
"Sec-Fetch-Dest"="empty"
"Referer"="https://www.website.com/uploadtest"
"Accept-Encoding"="gzip, deflate, br"
"Accept-Language"="en-US,en;q=0.9,nl;q=0.8"
"Cookie"="CID=AgAAADeLJKEDWTAfH9/3824Y1hU=; _vwo_uuid_v2=D79FABC26D88B00181DA273DE0FA01732|a3af3f7fde6cd39080de5466a00b3dcc; _ga=GA1.2.239643387.1565878568; _vwo_uuid=D50512767714774C8FD6FFC6562EDC54B; adblockerconsent=accept; __utma=129357340.239643387.1565878568.1608811504.1608811504.1; __utmz=129357340.1608811504.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookieconsent=accept; _gid=GA1.2.274112240.1613403340; ASP.NET_SessionId=hwmx0noyheme4rnswzv50id3; nl__api_fdf=rd4o00000000000000000000ffff0a91c064o80; TS010f430c=0153897e825a2d8b6291176f68b75aaf38f80657ede5e3f6bbe9bfa8fd9958326c5f9a67b53a459b1d313fcf0918ec81b2d7b973a4d223de578505ef34c9804e8b7e3ecb06; SC_ANALYTICS_GLOBAL_COOKIE=4f642f1b13ce4ac297873cf1930adca6|True; TS01a8b93c=0153897e82b55b18155e0864755a38a87583565c16b4de3683dc0af8c9810f6079d6fb77930892c6e373d5a82a42a6c3f98f6624de646aeaf24c2d498d24ffa27ce04ecc2c8f60ac56b421840003788a267e11d7ff; TS01931511=0153897e820cbfb068962d6c813f63d0f743dcabce96abc4bc18a75c5a18fad5d4c0149dc659de8455dc119c5a859f6baf598bc370ae8bddfb942aa7b3f7620b9f3f75a56a; OPTOUTMULTI=0:0|c1:1|c4:1; utag_main=v_id:016c95a2c1590021a53a8afa54900306d003606500c48`$_sn:36`$_se:67`$_ss:0`$_st:1613563167708`$dc_visit:14`$recommender_test:1`$ses_id:1613559424231%3Bexp-session`$_pn:16%3Bexp-session"
} `
-ContentType "multipart/form-data; boundary=----WebKitFormBoundaryhaOvsgi1vu8EAy5L" `
-Body ([System.Text.Encoding]::UTF8.GetBytes("------WebKitFormBoundaryhaOvsgi1vu8EAy5L$([char]13)$([char]10)Content-Disposition: form-data; name=`"data`"$([char]13)$([char]10)$([char]13)$([char]10){`"Title`":`"upload_test`",`"Token`":`"f09e16fb-bde7-4d0f-9e91-004830b6c697`",`"FutureVersion`":false,`"LastUpdate`":`"a7d659b8-6ce3-4223-abf8-2879a7290648`",`"Trigger`":`"1_b_Verder`",`"FormInput`":[{`"Key`":`"rResultCode`",`"Soort`":`"tekst`"},{`"Key`":`"rMeldingenCode`",`"Soort`":`"tekst`"},{`"Key`":`"rMeldingen`",`"Soort`":`"tekst`"},{`"Key`":`"1_v_file`",`"Soort`":`"file_upload`",`"Waarde`":`"eicar.txt`"}]}$([char]13)$([char]10)------WebKitFormBoundaryhaOvsgi1vu8EAy5L$([char]13)$([char]10)Content-Disposition: form-data; name=`"eicar.txt`"; filename=`"eicar.txt`"$([char]13)$([char]10)Content-Type: text/plain$([char]13)$([char]10)$([char]13)$([char]10)$([char]13)$([char]10)------WebKitFormBoundaryhaOvsgi1vu8EAy5L--$([char]13)$([char]10)"));
4. No brute force or session awareness. Web Scraping was renamed to Bot Defense after v14; we also do not use that.
thx
25-Feb-2021 10:00
Thanks for the info.
Do you have single-page application?
If YES, then you need to enable single_page_application system variable on "Security ›› Options : Application Security : Advanced Configuration : System Variables" page.
Also, most probably, you need to enable Ajax Blocking Behavior in Blocking Response Pages configuration.
Can you try it?
Thanks, Ivan
01-Mar-2021 07:20
I think using eicar has raised some flags at our security department. Now my local virusscanner kicks in immediately when I save my testfile, where I had 30 secs before. I'll get back asap when I've found a way to continue testing.
02-Mar-2021 05:25
Hi Ivan,
After making the changes you suggested we have tested again, unfortunately without any change in behaviour.
To clarify some more: we don't want a popup to appear; we want the Blocking Page Default with our custom response body (in JSON format) to be returned instead of the HTML/script code that is presented, so that the web page can act on that JSON.
02-Mar-2021 08:35
Do you still see "TSbd/xxxx?type=5" in your blocking page?
In general, in v15.1.1, it means that the "client side challenge" functionality is enabled in one of the features of your policy and the appropriate client-side challenge cannot be resolved by the client, which is why you see a white page.
Do you see the name of the detected virus in the violation details of the "Virus detected" violation?
Thanks, Ivan
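A small check, added here as an example and not code from the thread, that tells the TSbd client-side challenge page described above apart from the custom JSON blocking page the poster expects. The JSON key name and the sample response bodies are assumptions; the hex values are placeholders.

```python
import json
import re

# Fingerprint of the ASM client-side challenge page seen in the thread:
# a script loaded from /TSbd/<hex>?type=5 plus a <noscript> support ID.
TSBD_RE = re.compile(r'src="/TSbd/[0-9a-f]+\?type=(\d+)"')
SUPPORT_ID_RE = re.compile(r"Your support ID is:\s*(\d+)")


def classify_asm_response(status, body, json_key="supportid"):
    """Return a dict describing which kind of ASM response was received.

    json_key is an assumption: the thread only says the support ID is
    embedded in the custom JSON body, not which key holds it.
    """
    m = TSBD_RE.search(body)
    if m:
        sid = SUPPORT_ID_RE.search(body)
        return {"kind": "client_side_challenge", "status": status,
                "challenge_type": int(m.group(1)),
                "support_id": sid.group(1) if sid else None}
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return {"kind": "other", "status": status, "support_id": None}
    sid = next((str(v) for k, v in data.items()
                if k.lower() == json_key.lower()), None)
    kind = "blocking_page_json" if sid else "other"
    return {"kind": kind, "status": status, "support_id": sid}


# Constructed sample with the shape of the blank page quoted earlier
# (placeholder hex and support ID, not the real values).
CHALLENGE_PAGE = (
    '<html><head><script type="text/javascript" '
    'src="/TSbd/0123abcd?type=5"></script>'
    '<noscript>Please enable JavaScript to view the page content.<br/>'
    'Your support ID is: 1234567890123456789.</noscript>'
    '</head><body></body></html>'
)
# Constructed sample of the intended custom blocking page (500 + JSON).
BLOCKING_JSON = '{"error": "request rejected", "supportid": "1234567890123456789"}'

if __name__ == "__main__":
    print(classify_asm_response(200, CHALLENGE_PAGE))
    print(classify_asm_response(500, BLOCKING_JSON))
```

Seeing `client_side_challenge` with a 200 status, rather than `blocking_page_json` with the configured 500, is the symptom the thread describes.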
03-Mar-2021 02:01
We do indeed see "TSbd/xxxx?type=5" in our response.
The description of the Virus detected is "posttask/upload.txt EICAR Test String 11101 0"
Your suggestion that it has something to do with client side challenge functionality led us to this article:
https://support.f5.com/csp/article/K52300750
This looks very much like the behaviour we are experiencing. Could this be our problem?
03-Mar-2021 08:23
Yes, I think you are right. It looks exactly like the problem which you have.