443 error: Object ((gzip)) Corrupted host

Any thoughts on this alert message?

Policy Name: HTTPS-proxy-00 Action: ProxyAllow: Reason: HTTP AV scanning error Source IP: 192.168.36.34 Source Port: 52873 Destination IP: 52.11.65.185 Destination Port: 443 error: Object ((gzip)) Corrupted host: incoming.telemetry.mozilla.org path: /submit/telemetry/729aa18b-256e-4a3e-8b99-a5f93d02916c/sync/Firefox/78.0.2/release/20200708170202?v=4

I had a few of these last night from different clients and different destinations (mostly Mozilla and HP). I can't recall seeing one like this before.

Adrian from Australia

Comments

  • XTM version?

  • edited July 2020

    T70 12.5.4

    Adrian from Australia

  • U1 ??

    Could be another 12.5.4 bug, this one with the Bitdefender engine

  • james.carson Moderator, WatchGuard Representative

    Hi @xxup

    The firebox uses gzip to try and unpack (deflate) any compressed archive it thinks might be an archive. Depending on your settings, it'll log and allow or deny (or lock, or quarantine in some cases) the file.

    The file you're looking at doesn't appear to be an archive and was allowed, so whatever the client computer was doing should have worked just fine.

    The programmed behavior of the firewall is to try to do this if it has any reason to believe it's an archive. This looks like a telemetry (usage report) upload (possibly from a crash or something in Mozilla/Firefox.) That kind of thing would generally be several files packed into one archive. If it's using a different or proprietary scheme to do this, or if it's encrypted, that traffic is completely normal. I'd suspect that Firefox encrypts that type of payload to maintain file integrity.

    -James Carson
    WatchGuard Customer Support

  • So why is it only happening on one Firebox? The T40 on 12.6.1 does not do it and the Firefox browser is also used in that network. Also the source of the error comes from many clients and the destination is many different sites. Here are some more examples..

    Appliance: LIESTAL
    Time: Tue Jul 14 17:05:26 2020 (AEST)
    Process: http
    Message: Policy Name: HTTPS-proxy-00 Action: ProxyAllow: Reason: HTTP AV scanning error Source IP: 192.168.36.26 Source Port: 49880 Destination IP: 13.76.219.184 Destination Port: 443 error: Object
    ((gzip)) Corrupted host: inference.location.live.net path:
    /inferenceservice/v21/pox/GetTileUsingPosition

    Appliance: LIESTAL
    Time: Tue Jul 14 16:41:03 2020 (AEST)
    Process: http
    Message: Policy Name: HTTPS-proxy-00 Action: ProxyAllow: Reason: HTTP AV scanning error Source IP: 192.168.36.20 Source Port: 49908 Destination IP: 54.244.24.105 Destination Port: 443 error: Object
    ((gzip)) Corrupted host: mq.dataservices.hp.com path:
    /projects/53989DE4A4426F820946434B/queues/app_eventinfo/messages

    I have 38 of these alerts starting from 8:33 am yesterday and stopping (so far) last night around 7pm.. As you can see, these are different source PCs and different destination sites.

    Adrian from Australia
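A small parser and fan-out summary for the proxy alerts quoted in this thread, added here as an example and not code from the thread or from WatchGuard. It assumes the Dimension export layout shown above (Appliance/Time/Process header, then a Message that the viewer wraps across lines) and reuses the two records above as its sample input.

```python
import re
from collections import Counter

# Two Dimension alert records copied from the thread above (Message wrapped by the viewer).
SAMPLE = """Appliance: LIESTAL
Time: Tue Jul 14 17:05:26 2020 (AEST)
Process: http
Message: Policy Name: HTTPS-proxy-00 Action: ProxyAllow: Reason: HTTP AV scanning error Source IP: 192.168.36.26 Source Port: 49880 Destination IP: 13.76.219.184 Destination Port: 443 error: Object
((gzip)) Corrupted host: inference.location.live.net path:
/inferenceservice/v21/pox/GetTileUsingPosition

Appliance: LIESTAL
Time: Tue Jul 14 16:41:03 2020 (AEST)
Process: http
Message: Policy Name: HTTPS-proxy-00 Action: ProxyAllow: Reason: HTTP AV scanning error Source IP: 192.168.36.20 Source Port: 49908 Destination IP: 54.244.24.105 Destination Port: 443 error: Object
((gzip)) Corrupted host: mq.dataservices.hp.com path:
/projects/53989DE4A4426F820946434B/queues/app_eventinfo/messages
"""

# Field layout of the proxy Message, in the order the samples above show it.
MSG_RE = re.compile(
    r"Policy Name: (?P<policy>\S+) Action: (?P<action>\w+):? Reason: (?P<reason>.+?) "
    r"Source IP: (?P<src_ip>\S+) Source Port: (?P<src_port>\d+) "
    r"Destination IP: (?P<dst_ip>\S+) Destination Port: (?P<dst_port>\d+) "
    r"error: (?P<error>.+?) host: (?P<host>\S+) path: (?P<path>\S+)")

def parse_message(text):
    """Parse one Message (line wraps collapsed to spaces); None if the layout differs."""
    m = MSG_RE.search(" ".join(text.split()))
    return m.groupdict() if m else None

def parse_dimension_alerts(blob):
    """Blank-line-separated records: header keys plus the parsed Message fields."""
    events = []
    for record in re.split(r"\n\s*\n", blob.strip()):
        hdr, _, body = record.partition("Message:")
        fields = parse_message(body)
        if fields:
            for line in hdr.splitlines():
                k, _, v = line.partition(":")
                fields[k.strip().lower()] = v.strip()
            events.append(fields)
    return events

def triage(events):
    """Fan-out summary: one AV error on many clients and hosts, all still allowed, points at the engine."""
    return {"total": len(events),
            "denied": sum(e["action"] != "ProxyAllow" for e in events),
            "reasons": Counter(e["reason"] for e in events),
            "clients": len({e["src_ip"] for e in events}),
            "hosts": len({e["host"] for e in events})}
```

A non-zero "denied" count is the figure to watch: with ProxyAllow the traffic went through and the alert is noise to report, whereas denies on the same error would mean real breakage to chase.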

  • Hmm.. Cough cough.. Further research has revealed that the errors are also on another Firebox. I did not find it the first time because of how I was searching Dimension. The problem can now be narrowed down to the HTTP proxy and only started at 8:33am yesterday (I went back 45 days in Dimension to confirm this one), when the first PC connected to the Internet. It started later on the other Firebox as not much browsing is done from it.. And now it has stopped since 10:55 today. Interestingly, there is a report that the Dimension database was corrupted and repaired around that time..

    Oh, the joys of technology!

    Adrian from Australia

  • james.carson Moderator, WatchGuard Representative

    Hi @xxup

    I can't really make anything out of the actual data -- one of the support reps would need to see the actual data (to see if it's an actual archive, or is being mis-detected.)

    In each example you provided, they appear to be uploads, but that's about all I can make out of the log.

    If you'd like more info, I'd suggest opening a case so that the support team can look into it further.

    -James Carson
    WatchGuard Customer Support

  • edited July 2020

    Sorry James, I was not expecting you to solve the problem. I just needed something more solid to give to the support people. I suspect that Dimension is somehow tied into this problem - as bizarre as that seems. There have been no more corrupted host entries since the Dimension database fixed itself and both boxes use the same Dimension instance. I will dig deeper this weekend and then lodge a case.

    Adrian from Australia

  • Ralph WatchGuard Representative

    Hello xxup,

    Have you seen any more since yesterday? We've had several GAV updates since.

    Ralph

  • Hello Ralph,
    Not a peep from either Firebox. It must have been a dud GAV update and the Dimension thing was just a coincidence.
    Thank you,
    Adrian

    Adrian from Australia

  • Ralph WatchGuard Representative

    Thank you Adrian, that's what we're exploring....
