EICAR virus file is not blocked


This article applies to:

  • SWG 10.1

Question:

  • I am downloading the EICAR virus file via SWG and it is not blocked. Why is it not blocked?

Reply:

If cache is in use then this could be the reason.

The cache used by SWG is Squid. Squid sees that the virus file's size differs from what it is supposed to be (a 1-byte difference) and therefore strips the file content instead of passing it on; you receive a 0-byte file, which is no longer a virus, so SWG has nothing to block.
This is correct behaviour on Squid's part (it follows the RFC), even if it is a bit confusing.
If you stop the cache, SWG will block the file because its size will no longer be zero.

The behaviour described in this article only applies to the EICAR test virus. Actual viruses (not "0 size") are blocked correctly.
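As an added example (not Trustwave's or Squid's code), a small Python check that interprets the result of an EICAR download test the way this article describes: it separates a real block page from a 0-byte body that the cache stripped, so a "not blocked" result is not misread. It assumes the gateway answers a block with HTTP 403 and that the test sample is the standard 68-byte EICAR file; a constructed placeholder of the same length stands in for the real string.

```python
from typing import Dict, Optional, Tuple

EICAR_LEN = 68                     # the standard EICAR test file is 68 bytes
SAMPLE_BODY = b"X" * EICAR_LEN     # constructed stand-in of the same length, not the real string


def build_response(status_line: str, declared: Optional[int], body: bytes) -> bytes:
    """Build a constructed raw HTTP response; `declared` may differ from len(body) on purpose."""
    hdrs = [status_line, "Content-Type: application/octet-stream"]
    if declared is not None:
        hdrs.append(f"Content-Length: {declared}")
    return ("\r\n".join(hdrs) + "\r\n\r\n").encode() + body


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: bytes, expected_len: int = EICAR_LEN) -> str:
    """Interpret one EICAR download attempt made through the gateway.

    'blocked'   - gateway returned a block page (assumed here to be HTTP 403)
    'stripped'  - HTTP 200 with an empty body: the cache dropped the content,
                  so AV never saw a virus; retest with the cache bypassed
    'mismatch'  - body present but not the expected size or not matching
                  Content-Length: the sample was altered in transit
    'delivered' - intact sample reached the client: AV really did not block it
    """
    status, headers, body = parse_response(raw)
    if status == 403:
        return "blocked"
    if status != 200:
        return f"unexpected-status-{status}"
    if len(body) == 0:
        return "stripped"
    declared = int(headers.get("content-length", len(body)))
    if len(body) != expected_len or len(body) != declared:
        return "mismatch"
    return "delivered"
```

Only a "delivered" result means the AV engine let the sample through; a "stripped" result is the cache behaviour this article describes and calls for a retest with caching disabled.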

Last Modified 2/15/2012.
https://support.trustwave.com/kb/KnowledgebaseArticle14347.aspx