BITS blocked by Gateway Anti-Virus with no dropped packets
03/26/2020 1 7689
When you try to download a file by using the Background Intelligent Transfer Service (BITS): "Content file download failed". The same has been seen when trying to update Adobe Acrobat from MACOS using the built-in updater.
As a troubleshooting test, disabling HTTP Inbound Inspection on SonicWall Gateway Anti-Virus will fix this but no related signatures blocking this traffic can be found and running a packet monitor will show all packets forwarded (no drops).
The Accept-Range header is used by the server to inform the client if ranges are supported. Ranges are used by clients to request a partial file (i.e. from bytes 30 to 500).
When you copy a file by using BITS in background mode, the file is copied in multiple small parts. To perform this kind of copy operation, BITS uses the HTTP 1.1 Content-Range header. If you are behind a proxy server or behind a firewall that removes this header, the file copy operation is unsuccessful.
NOTE: When BITS copies files in foreground mode, BITS does not use this header.
However, exploits can be used when servers accept ranges – if an attacker request bytes from 0 to a very large number (larger than 64-bit for example), they can cause a buffer/integer overflow.
NOTE: This should not happen if servers are up-to-date to the latest IIS but if the customer runs a old/outdated server, the attack may pass through.
SonicWall is well known to remove this header as we consider it non-secure however if an application uses HTTP ranges this option must be enabled.
To fix this, please follow these steps:
- Login to your firewall.
- Edit the URL https://IP_Firewall/main.html by replacing main.html with diag.html
- Click Internal Settings
- Enable the option "Keep HTTP header Accept-Range bytes"
This way the SonicWall will not remove the header but this may expose your servers if they're not up-to-date.