Web Proxy Fail Open for Ranged Data
The web proxy, before 9.6, failed open for chunked data that was missing or had a misconfigured data-range header, and the data wouldn't be scanned. The old behavior created a DoS in some circumstances where the proxy would continually try to retrieve the data from the server, filling the pipe - I've had this happen to me. The behavior now is fail-closed, where the connection is reset and data is not allowed to flow. This new behavior creates an administrative overhead that is unacceptable to many small IT departments. I manage several firewalls, and in three years I've encountered one DoS in several hundred million DNS requests and resulting connections. I would much rather have to create one or two exceptions for the web proxy anti-virus than the nearly 60 I've created since this new behavior began.
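To make the fail-open versus fail-closed trade-off concrete, here is an added Python model of a scanning proxy's decision for a response body it cannot reassemble (chunked transfer with a missing or malformed range header). It is illustrative code written for this thread, not the firewall vendor's implementation: the `ProxyPolicy` and `decide` names, the hostname exception list, and the sample headers are all constructed here, and the range-header syntax check follows the `bytes first-last/complete` form of RFC 7233. The same function shows both the pre-9.6 behavior (pass unscanned) and the current one (block), so an administrator can see exactly which responses would end up needing an exception.

```python
"""Model of a scanning proxy's fail-open / fail-closed decision for
chunked or ranged bodies. Added example; not the product's code."""
import re
from dataclasses import dataclass, field

# RFC 7233 Content-Range: "bytes first-last/complete" or "bytes */complete"
_CONTENT_RANGE = re.compile(r"^bytes (?:(\d+)-(\d+)|\*)/(\d+|\*)$")


def content_range_is_valid(value):
    """True if the Content-Range header value is well-formed and consistent."""
    m = _CONTENT_RANGE.match(value.strip())
    if not m:
        return False
    first, last, complete = m.groups()
    if first is None:
        # "bytes */*" is not allowed: an unsatisfied range must give a length.
        return complete != "*"
    first, last = int(first), int(last)
    if last < first:
        return False
    if complete != "*" and last >= int(complete):
        return False  # range end past the declared complete length
    return True


@dataclass
class ProxyPolicy:
    # fail_closed=False models the pre-9.6 behavior described in the post;
    # fail_closed=True models the current behavior (connection reset).
    fail_closed: bool
    # Hostnames the administrator has exempted from scanning (hypothetical list).
    exceptions: set = field(default_factory=set)


def decide(policy, host, headers):
    """Return (action, reason) where action is 'scan', 'allow' or 'block'."""
    h = {k.lower(): v for k, v in headers.items()}
    if host in policy.exceptions:
        return "allow", "host on scanning exception list"
    chunked = "chunked" in h.get("transfer-encoding", "").lower()
    cr = h.get("content-range")
    unscannable = chunked and (cr is None or not content_range_is_valid(cr))
    if not unscannable:
        return "scan", "body can be reassembled and scanned"
    if policy.fail_closed:
        return "block", "unscannable chunked/ranged body; reset connection"
    return "allow", "fail-open: unscannable body passed without scanning"


def triage(policy, responses):
    """Count actions over a list of (host, headers) pairs, e.g. from proxy logs,
    so an admin can see how many hosts would need exceptions under a policy."""
    counts = {"scan": 0, "allow": 0, "block": 0}
    for host, headers in responses:
        counts[decide(policy, host, headers)[0]] += 1
    return counts


# Constructed sample responses (not real traffic).
SAMPLE = [
    ("cdn.example.test", {"Transfer-Encoding": "chunked"}),
    ("cdn.example.test", {"Transfer-Encoding": "chunked", "Content-Range": "bytes 500-499/1000"}),
    ("www.example.test", {"Transfer-Encoding": "chunked", "Content-Range": "bytes 0-99/200"}),
    ("www.example.test", {"Content-Length": "4096"}),
    ("updates.example.test", {"Transfer-Encoding": "chunked"}),
]

if __name__ == "__main__":
    old = ProxyPolicy(fail_closed=False)
    new = ProxyPolicy(fail_closed=True, exceptions={"updates.example.test"})
    print("pre-9.6 behavior:", triage(old, SAMPLE))
    print("current behavior:", triage(new, SAMPLE))
```

Running `triage` over exported proxy log entries with `fail_closed=True` gives a quick count of how many connections would be reset before any exceptions are added, which is the administrative cost the post describes.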