We have users accessing SourceOffsite through a Checkpoint NG R55 firewall running SmartDefense, their built-in IPS component. Recently we began getting false-positive detections with SmartDefense's 'General HTTP Worm Catcher' module.
The error we get in the firewall logs is "Illegal LF-CR in HTTP header" and the firewall blocks the connections.
Strangely enough this only occurs when accessing SourceOffsite thru the encrypted port 8081, and does not occur over un-secured 8080. Unfortunately the quick work-around was to disable this worm protection, but this is not an acceptable option.
Anyone else seen this behavior?
SourceOffsite a false-positive worm with Checkpoint FW
Moderator: SourceGear
We haven't had reports of this before, but I did find this discussion on the web:
http://lists.virus.org/fw1-0501/msg00161.html
SOS uses Blowfish for encryption, and it's possible that something about Blowfish is setting off the worm detector.
You might check with your vendor to see if there are any known problems with Blowfish or encryption in general.
http://lists.virus.org/fw1-0501/msg00161.html
SOS uses Blowfish for encryption, and it's possible that something about Blowfish is setting off the worm detector.
You might check with your vendor to see if there are any known problems with Blowfish or encryption in general.
Linda Bauer
SourceGear
Technical Support Manager
SourceGear
Technical Support Manager