The Content Analysis Blacklist function is not blocking upload of a file

Article ID: 173528

Products

Content Analysis Software - CA

Issue/Introduction

I have calculated the SHA1 hash for a file and have entered it into Symantec Content Analysis (CA) from GUI > Services > Whitelist/Blacklist.


Content Analysis is able to detect and block that SHA1 hash when the file is downloaded (RESPMOD).
Content Analysis is not blocking upload of the file in a POST request (REQMOD), though the hash is in the blacklist.

Cause

When the file is uploaded, it is MIME-encoded. The MIME encoding alters the hash of the payload, so the hash calculated from the original file does not match it and the blacklist entry is not triggered.
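The following Python sketch illustrates the mismatch described above. It is an added example, not Symantec code, and it does not represent how Content Analysis computes hashes internally. It assumes the upload is a browser-style `multipart/form-data` POST; the boundary string, field name, filename and file contents are constructed sample values.

```python
import hashlib

BOUNDARY = "----ConstructedBoundary7f3a"                 # constructed sample value
FILE_BYTES = b"constructed sample file contents\r\n" * 4  # stands in for the blacklisted file


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_multipart(file_bytes: bytes, filename: str = "sample.bin") -> bytes:
    """Build the multipart/form-data body a client sends when uploading a file."""
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="upload"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode("ascii")
    tail = f"\r\n--{BOUNDARY}--\r\n".encode("ascii")
    return head + file_bytes + tail


def extract_file_parts(body: bytes, boundary: str) -> list[bytes]:
    """Return the raw payload of every part that carries a filename."""
    delim = b"--" + boundary.encode("ascii")
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            break
        headers, _, payload = chunk.partition(b"\r\n\r\n")
        if b"filename=" in headers:
            parts.append(payload[:-2])       # drop the CRLF that precedes the next delimiter
    return parts


def compare(file_bytes: bytes) -> dict:
    """Hash the file on disk, the POST body as sent, and the file recovered from the body."""
    body = build_multipart(file_bytes)
    return {
        "file": sha1(file_bytes),
        "request_body": sha1(body),
        "extracted": [sha1(p) for p in extract_file_parts(body, BOUNDARY)],
    }


if __name__ == "__main__":
    for name, value in compare(FILE_BYTES).items():
        print(f"{name:13} {value}")
```

The hash of the request body differs from the hash entered in the blacklist, while the hash of the part extracted from the MIME framing matches it again.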

Resolution

POST requests will still be scanned by the Antivirus and Predictive Analysis functions. If the file is malicious, these functions will detect the malicious payload.