URLs with a .dll extension fail with Antivirus_Engine

search cancel

URLs with a .dll extension fail with Antivirus_Engine_Error

book

Article ID: 435657

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users accessing specific URLs with a .dll extension, such as https://<URL>/$login.dll receive Antivirus_Engine_Error ICAP error.

In the Access Logs (can be manually exported in Account Configuration > Log Export) this additional error can be seen:

Sample is of unsupported mimeType

Cause

The Cloud SWG Antivirus engine performs a consistency check between the file extension and its actual content. When a URL contains a .dll extension, the service expects the payload to be a binary executable and not an HTML file.

In cases like coursesondemand.com, the $login.dll is used as a gateway for web login (similar to an HTML file) rather than a standard binary. Because the file content does not match the expected binary signature for a DLL, the engine triggers a "Sample is of unsupported mimeType" mismatch and fails the scan with an antivirus_engine_error.

Resolution

To resolve this issue, a policy exception to bypass the Antivirus engine for the affected domain or specific file pattern needs to be configured.

Portal-based:
- add the URL into Policy > Content & Malware Analysis > Scanning Exemptions > Destinations
UPE:
- to bypass AV scanning fo the domain follow How to exempt destinations from Malware scanning in UPE setup. KB article.

Feedback

thumb_up Yes

thumb_down No