SourceOffsite a false-positive worm with Checkpoint FW


Post by Ian » Fri Jan 28, 2005 12:13 pm

We have users accessing SourceOffsite through a Checkpoint NG R55 firewall running SmartDefense, their built-in IPS component. Recently we began getting false-positive detections with SmartDefense's 'General HTTP Worm Catcher' module.

The error we get in the firewall logs is "Illegal LF-CR in HTTP header" and the firewall blocks the connections.

Strangely enough, this only occurs when accessing SourceOffsite through the encrypted port 8081, and does not occur over unsecured 8080. Unfortunately, the quick workaround was to disable this worm protection, but this is not an acceptable option.

Anyone else seen this behavior?


Post by lbauer » Tue Feb 01, 2005 1:37 pm

We haven't had reports of this before, but I did find this discussion on the web:

http://lists.virus.org/fw1-0501/msg00161.html

SOS uses Blowfish for encryption, and it's possible that something about Blowfish is setting off the worm detector.

You might check with your vendor to see if there are any known problems with Blowfish or encryption in general.
Linda Bauer
SourceGear
Technical Support Manager
