Virus Blocker Common FAQs

From Edge Threat Management Wiki - Arista

If I use NG Firewall, do I need to install virus software on individual network computers?

We recommend an additional layer of protection on the desktop. Virus Blocker and Virus Blocker Lite scan HTTP, FTP, and SMTP, and also HTTPS if you are running SSL Inspector. However, there are many other ways for malware to enter the network, such as through other protocols, through encrypted tunnels, or through physical means like a USB key.

If I have Virus Blocker and Virus Blocker Lite installed, are one or both used and in which order?

If both virus scanners are installed, Virus Blocker is applied to a message first; Virus Blocker Lite is applied only if the message passes Virus Blocker (there is no point in scanning a message again once the first scanner has rejected it). This does not mean one scanner is inherently better than the other: Virus Blocker is complemented by Virus Blocker Lite, and for a virus-free message the computational overhead of the virus scan includes both scanners. A message that would be rejected by both scanners incurs the computational and time cost of Virus Blocker only. To perform a valid comparison, run test messages through NG Firewall with no scanners installed, with Virus Blocker by itself, with Virus Blocker Lite by itself, and lastly with both scanners installed together, then compare the results.

How can I test that viruses are being blocked?

An easy way to test HTTP virus scanning is to download the EICAR test file from a machine behind NG Firewall. If virus scanning is not working, the file will download successfully (it is harmless). If it is working, a block page will be displayed.

Why do emails with larger attachments sometimes "disappear" or are not delivered?

While NG Firewall is scanning the attachments, your email server is still waiting for the message, which most likely triggers a timeout setting. If you're using MS Exchange, you'll want to increase the ConnectionInactivityTimeout setting.

Why does the Event Log say a file is blocked, but I can still download it?

When downloading over the web, small files are blocked with a block page. Larger files are treated differently: they are fed to the client at a slower rate than they are actually downloaded, so the client does not time out while the download happens. After NG Firewall has scanned the complete file, it either refuses to send the rest if there is a virus or immediately sends the rest. This means that for large files the Event Log says the file is "blocked", but checking the file size on the client will show that you do not actually have the complete file.
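
The two outcomes described above (a block page for small files, an incomplete file for large ones) can be checked from a client behind NG Firewall with a short script. This is an added example, not Arista's code. Assumptions: the tester supplies the test file's URL and its known size, the block page is served as `text/html` while the test file is not, and the script name `check_download.py` is hypothetical.

```python
import http.client
import sys
import urllib.error
import urllib.request


def classify(expected_size, body, content_type):
    """Map one test download onto the outcomes this FAQ describes.

    expected_size: known size in bytes of the test file (supplied by the tester).
    Assumption: the block page is served as text/html and the test file is not.
    """
    if content_type.lower().startswith("text/html"):
        return "blocked: block page returned instead of the file"
    if len(body) < expected_size:
        return "blocked: transfer cut short, client holds a partial file"
    if len(body) == expected_size:
        return "NOT blocked: complete file delivered"
    return "inconclusive: response larger than the expected file"


def fetch(url, timeout=300):
    """Download url and return (body, content_type), keeping partial data."""
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # an error status still carries a body (possibly the block page)
    ctype = resp.headers.get("Content-Type", "")
    try:
        body = resp.read()
    except http.client.IncompleteRead as err:
        body = err.partial  # connection ended before Content-Length bytes arrived
    return body, ctype


if __name__ == "__main__":
    # Usage: python check_download.py <test-file-url> <expected-size-in-bytes>
    url, size = sys.argv[1], int(sys.argv[2])
    body, ctype = fetch(url)
    print(f"{len(body)}/{size} bytes, Content-Type={ctype!r}")
    print(classify(size, body, ctype))
```

Compare the printed result with the Event Log entry for the same download: a "blocked" event should line up with either a block page or a partial file on the client.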