At present, when testing whether the File Inspection feature is enabled by downloading the eicar.org test files, you will see different behaviour depending on whether "SSL decryption" is enabled or disabled. Umbrella File Inspection only performs AV scanning of downloads from eicar.org if SSL decryption is enabled.
Understanding the detection process for eicar
To enable blocking of eicar.org, enable SSL decryption. Note that SSL decryption is required even when visiting the site over HTTP, because we do not proxy any domain that also serves SSL traffic, even if you visit it over HTTP. The reason is as follows:
- The Umbrella Intelligent Proxy makes a decision whether to send a domain to the proxy at the DNS layer.
- The DNS request happens before the HTTP/HTTPS connection, which means that when a domain is subject to the proxy, both its HTTP and HTTPS traffic are always proxied.
- When HTTP/HTTPS traffic reaches our Intelligent Proxy, the first step is to make a redirect to identify the user.
Unfortunately, without SSL decryption enabled this redirect is not possible, which means we may not be able to correctly identify users in some scenarios (for example, roaming users).
To prevent HTTPS requests from breaking for these users, Umbrella does not proxy domains (like eicar.org) that serve both HTTP and HTTPS traffic unless SSL decryption is enabled.
To get the best security and efficacy from the feature, we strongly recommend installing the Cisco Root CA and enabling SSL decryption. This allows the eicar.org test files to be blocked and increases the number of domains that are subject to File Inspection through our Intelligent Proxy.
Below is a summary of expected behaviour:
SSL Decryption OFF
- Eicar.org sites are NOT blocked at https://www.eicar.org/download/eicar.com: the domain is not proxied at all because SSL decryption is disabled.
- Our own test site hosting the EICAR file will be blocked: http://proxy.opendnstest.com/download/eicar.com
SSL Decryption ON
- EICAR is blocked by AV scanning at both http://www.eicar.org/download/eicar.com and https://www.eicar.org/download/eicar.com
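The following script is an added example, not part of the Umbrella article: it fetches each of the three test URLs from the summary above and reports whether File Inspection blocked the download, so the expected behaviour for the current SSL decryption setting can be verified from a client behind Umbrella. It assumes curl is installed and that, when SSL decryption is on, the Cisco Root CA is in the CA store curl uses; a missing root CA shows up as TLS_ERROR rather than as a block.

```shell
#!/bin/sh
# Added example (not from the Umbrella article): check whether the EICAR test
# download is blocked at each URL listed in the summary. Only a fragment of the
# harmless, industry-standard EICAR test string is matched so that this script
# is not itself flagged by AV.
EICAR_MARKER='EICAR-STANDARD-ANTIVIRUS-TEST-FILE'

# Classify one download from curl's exit code and the response body.
# NOT_BLOCKED: the test file reached the client (File Inspection did not act).
# BLOCKED:     something other than the test file came back (block page, error).
# TLS_ERROR:   handshake failed (curl exit 60 = peer certificate not trusted,
#              typically the Cisco Root CA is not installed for curl).
# FETCH_ERROR: any other curl failure (DNS, timeout, connection refused).
classify_download() {
  curl_exit="$1"; body="$2"
  if [ "$curl_exit" -ne 0 ]; then
    if [ "$curl_exit" -eq 60 ]; then echo "TLS_ERROR"; else echo "FETCH_ERROR"; fi
    return
  fi
  case "$body" in
    *"$EICAR_MARKER"*) echo "NOT_BLOCKED" ;;
    *) echo "BLOCKED" ;;
  esac
}

# Fetch one URL (following the proxy's block-page redirect) and print
# "<result> <http_code> <url>".
check_url() {
  url="$1"; tmp=$(mktemp); curl_exit=0
  http_code=$(curl -sS -L --max-time 20 -o "$tmp" -w '%{http_code}' "$url" 2>/dev/null) || curl_exit=$?
  body=$(cat "$tmp" 2>/dev/null); rm -f "$tmp"
  printf '%s %s %s\n' "$(classify_download "$curl_exit" "$body")" "${http_code:-000}" "$url"
}

# The URLs from the summary above. Expected with SSL decryption OFF:
# eicar.org NOT_BLOCKED, proxy.opendnstest.com BLOCKED. With it ON: all BLOCKED.
main() {
  for u in \
    http://www.eicar.org/download/eicar.com \
    https://www.eicar.org/download/eicar.com \
    http://proxy.opendnstest.com/download/eicar.com
  do check_url "$u"; done
}

# Only contact the network when explicitly asked (sh eicar_check.sh --run).
[ "${1:-}" = "--run" ] && main
```

Run it as `sh eicar_check.sh --run` on a machine whose DNS points at Umbrella; without `--run` it only defines the functions.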