Virus Blockers Common

From Edge Threat Management Wiki - Arista
Revision as of 03:48, 27 December 2016 by Dmorris (talk | contribs)

Settings

This section reviews the different settings and configuration options available for the virus scanners.


Web

This section reviews the different settings and configuration options for web traffic.

  • Scan HTTP: This enables or disables HTTP scanning.
  • File Types: The File Types section allows you to scan files by file extension - just select (or add) your chosen file extension, check your preferred action (scan or not), and save.
  • MIME Types: The MIME Types section allows you to scan files by MIME type, regardless of file extension - just select (or add) your chosen MIME type, check your preferred action (scan or not), and save.


Email

This section reviews the different settings and configuration options for email traffic.

  • Scan SMTP: This option enables scanning of SMTP message attachments.
  • Action: The selected action is taken on a message when a virus is found in an attachment.
Setting Action to Remove Infection removes the infected attachment and wraps the original email for delivery to the intended recipient. Pass Message wraps the original message and delivers it with the attachment intact. In both cases the subject line is prefixed with "[VIRUS]". Block prevents the message from being delivered at all.
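The three actions above, modelled in Python as an added example (this is not Virus Blocker's own code). The scanner is a stub that flags any attachment containing a constructed marker string, and the wrapper's body text and the choice of message/rfc822 as the wrapping format are assumptions; the page only states that the original is "wrapped" and that "[VIRUS]" is prepended to the subject.

```python
"""Model of the Virus Blocker SMTP actions: Remove Infection, Pass Message, Block.

Added example, not product code. The scanner is a stub (MARKER below is a
constructed stand-in for a real detection); wrapper text/format are assumptions.
"""
from email.message import EmailMessage
from email.policy import default

# Constructed marker standing in for a real signature hit.
MARKER = b"INFECTED-SAMPLE"


def scan_attachment(part) -> bool:
    """Stub scanner: True if the decoded attachment payload contains MARKER."""
    return MARKER in (part.get_payload(decode=True) or b"")


def copy_headers(src: EmailMessage, dst: EmailMessage) -> None:
    """Copy envelope headers (From/To/Subject/...) but not MIME structure headers."""
    for name, value in src.items():
        if not name.lower().startswith(("content-", "mime-version")):
            dst[name] = value


def without_attachments(original: EmailMessage, drop) -> EmailMessage:
    """Rebuild the message keeping the text body and only attachments not in `drop`."""
    clean = EmailMessage(policy=default)
    copy_headers(original, clean)
    body = original.get_body(preferencelist=("plain",))
    clean.set_content(body.get_content() if body is not None else "")
    for part in original.iter_attachments():
        if part in drop:          # identity comparison: same part objects
            continue
        clean.add_attachment(part.get_payload(decode=True),
                             maintype=part.get_content_maintype(),
                             subtype=part.get_content_subtype(),
                             filename=part.get_filename())
    return clean


def wrap(inner: EmailMessage, note: str) -> EmailMessage:
    """Wrap `inner` as a message/rfc822 attachment of a notification whose
    subject is prefixed with [VIRUS] (wrapping format is an assumption)."""
    outer = EmailMessage(policy=default)
    copy_headers(inner, outer)
    del outer["Subject"]
    outer["Subject"] = "[VIRUS] " + str(inner["Subject"] or "")
    outer.set_content(note)
    outer.add_attachment(inner)   # an EmailMessage payload becomes message/rfc822
    return outer


def apply_action(original: EmailMessage, action: str):
    """Return the message to deliver, or None when Action is Block."""
    infected = [p for p in original.iter_attachments() if scan_attachment(p)]
    if not infected:
        return original           # clean message: deliver unchanged
    if action == "Block":
        return None
    if action == "Remove Infection":
        names = ", ".join(p.get_filename() or "(unnamed)" for p in infected)
        return wrap(without_attachments(original, infected),
                    f"Infected attachment(s) removed: {names}")
    if action == "Pass Message":
        return wrap(original, "Warning: this message contains an infected attachment.")
    raise ValueError(f"unknown action {action!r}")


def inner_message(wrapper: EmailMessage) -> EmailMessage:
    """Extract the wrapped original from a [VIRUS] notification."""
    return next(wrapper.iter_attachments()).get_content()


def attachment_names(msg: EmailMessage):
    return [p.get_filename() for p in msg.iter_attachments()]


def sample_message() -> EmailMessage:
    """Constructed test message: one clean and one 'infected' attachment."""
    msg = EmailMessage(policy=default)
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(b"hello", maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"MZ..." + MARKER, maintype="application",
                       subtype="octet-stream", filename="report.exe")
    return msg


if __name__ == "__main__":
    for action in ("Remove Infection", "Pass Message", "Block"):
        result = apply_action(sample_message(), action)
        print(action, "->", "blocked" if result is None
              else f'{result["Subject"]} / inner attachments {attachment_names(inner_message(result))}')
```

Note that with Pass Message the infected attachment still reaches the recipient's mailbox, just one MIME level deeper; only Block keeps the bytes off the client entirely.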


FTP

This section reviews the different settings and configuration options for FTP traffic.

  • Scan FTP: This enables or disables scanning of FTP downloads.


Pass Sites

This section allows you to specify sites that are not scanned. The list uses the Glob Matcher syntax.

NOTE: Use caution when adding sites to this list!

For each protocol, the behavior is as follows:

  • HTTP. Match the HTTP Host header.
  • FTP. Match the server IP address, or its domain name if a reverse DNS entry exists.
  • Email. Match the client or server IP address, or its domain name if a reverse DNS entry exists.


Advanced

Advanced settings tune specific behavior of Virus Blocker.

The first options enable or disable individual scan engines. When Virus Blocker scans a file, it is scanned by multiple engines: a local antivirus engine and the cloud-based ScoutIQ™ engine.

Using all available engines is recommended.

File extensions

File extensions configure which HTTP files will be scanned. The defaults are the recommended values. However, in some cases you may wish to add or remove certain file extensions.

An understanding of the security tradeoffs, and some pragmatism, is essential before changing these settings. Unlike the URL-based checks of apps such as Web Filter, Virus Blocker performs in-depth analysis of the file itself, including signatures, heuristics, and emulation. Unlike host-based antivirus, the gateway is a single resource shared by the whole network, and it cannot scan on execution because it has no knowledge of what the client intends to execute. Scanning is expensive, and enabling certain extensions (such as .png) can cripple the network. Reviewing the reports to see how many scans are being done, and whether those resources are being spent on files worth scanning, is a good exercise. It is not uncommon to see millions of scans of a single application's update files.

MIME types

Similar to file extensions, but these list the MIME types to be scanned, regardless of extension. The same logic and warnings apply here as well.
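The Pass Sites matching rules and the extension/MIME type selection described above, combined into one scan-decision routine as an added example. This is not Virus Blocker's implementation: the Glob Matcher syntax is approximated with Python's fnmatch (an assumption), the rule order (Pass Sites first, then the file extension rule, then the MIME type rule, then "do not scan" by default) is an assumption, and the CONFIG values are constructed for illustration.

```python
"""Pass Sites and HTTP scan-selection logic, as an added example.

Not the Virus Blocker implementation. Glob syntax is approximated with fnmatch
(assumption); rule precedence is an assumption; CONFIG is constructed sample data.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed configuration mirroring the settings described on this page.
CONFIG = {
    "scan_http": True,
    "pass_sites": ["*.example.com", "203.0.113.*"],        # Glob Matcher patterns
    # extension -> scan? (the per-entry "scan or not" checkbox)
    "file_extensions": {"exe": True, "dll": True, "zip": True, "png": False},
    # MIME type pattern -> scan?
    "mime_types": {"application/x-msdownload": True, "application/zip": True,
                   "image/*": False},
}


def _norm(s: str) -> str:
    return s.strip().lower()


def glob_matches(value: str, patterns) -> bool:
    """True if value matches any pattern (case-insensitive glob; fnmatch approximation)."""
    v = _norm(value)
    return any(fnmatchcase(v, _norm(p)) for p in patterns)


def http_host_passed(host_header: str, pass_sites) -> bool:
    """HTTP: match the Host header, with any port stripped and case folded."""
    host = urlsplit("//" + host_header.strip()).hostname or ""
    return glob_matches(host, pass_sites)


def endpoint_passed(ip: str, rdns_name, pass_sites) -> bool:
    """FTP (server) and email (client or server): match the IP address, or the
    domain name when a reverse DNS entry exists (rdns_name may be None)."""
    candidates = [ip] + ([rdns_name] if rdns_name else [])
    return any(glob_matches(c, pass_sites) for c in candidates)


def extension_of(path: str) -> str:
    """Extension of the last path segment, ignoring the query string."""
    name = urlsplit(path).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def media_type(content_type) -> str:
    """Media type of a Content-Type header, without parameters."""
    return _norm(content_type.split(";", 1)[0]) if content_type else ""


def should_scan_http(host_header: str, path: str, content_type, cfg=CONFIG):
    """Decide whether one HTTP response body is handed to the scan engines.

    Returns (scan?, reason). Precedence is an assumption of this example.
    """
    if not cfg["scan_http"]:
        return False, "http scanning disabled"
    if http_host_passed(host_header, cfg["pass_sites"]):
        return False, "host on Pass Sites list"
    ext = extension_of(path)
    if ext in cfg["file_extensions"]:
        return cfg["file_extensions"][ext], f"file extension rule .{ext}"
    mt = media_type(content_type)
    for pattern, scan in cfg["mime_types"].items():
        if fnmatchcase(mt, pattern.lower()):
            return scan, f"MIME type rule {pattern}"
    return False, "no matching rule"


if __name__ == "__main__":
    for host, path, ctype in [
        ("updates.example.com", "/setup.exe", "application/x-msdownload"),
        ("cdn.example.net", "/files/tool.exe?v=2", "application/octet-stream"),
        ("cdn.example.net", "/img/logo.png", "image/png"),
        ("cdn.example.net", "/download", "application/x-msdownload; charset=binary"),
    ]:
        print(host, path, "->", should_scan_http(host, path, ctype))
```

The reason string is what you would log per decision; tallying it is a cheap way to confirm the point made above, i.e. whether a large share of scans is being triggered by one rule (or one host) that a Pass Sites entry or an extension change would remove.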