
Anti-Virus

What can I do here?

Use this window to configure the Anti-Virus settings for the Threat Prevention profile.

Getting Here

Security Policies > Threat Prevention > Policy > Threat Tools > Profiles > Profile > Anti-Virus

Configuring Anti-Virus Settings

You can configure Threat Prevention to exclude files from inspection, such as internal emails and internal file transfers. These settings are based on the interface type (internal or external, as defined in SmartConsole) and traffic direction (incoming or outgoing).

Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Network Management and then double-click a DMZ interface.
  3. In the General page of the Interface window, click Modify.
  4. In the Topology Settings window, click Override and Interface leads to DMZ.
  5. Click OK and close the gateway window.

    Perform this procedure for each interface that goes to the DMZ.

You can configure the Anti-Virus profile to enable archive scanning. The Anti-Virus engine unpacks archives and applies proactive heuristics. If you use this feature, it can have an impact on network performance.

Note - The MIME Nesting settings are the same for Anti-Virus and Threat Emulation.

To configure Anti-Virus settings for a Threat Prevention profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile, and click Edit.
  4. From the navigation tree, click Anti-Virus.
  5. Select the Anti-Virus UserCheck Settings options:
    • Prevent - Select the UserCheck message that opens for a Prevent action.
    • Ask - Select the UserCheck message that opens for an Ask action.
  6. In the Protected Scope section, select an interface type and traffic direction option:
    • Inspect incoming files from:

      Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:

      • External - Inspect incoming files from external interfaces. Files from the DMZ and internal interfaces are not inspected.
      • External and DMZ - Inspect incoming files from external and DMZ interfaces. Files from internal interfaces are not inspected.
      • All - Inspect all incoming files from all interface types.
    • Inspect incoming and outgoing files - Sends all incoming and outgoing files for inspection.
  7. Select the applicable Protocols that Anti-Virus scans.
  8. Optional: Configure how Anti-Virus inspects SMTP traffic.
    1. Click Configure.

      The Anti-Virus Mail Configuration window opens.

    2. Configure the MIME Nesting settings.
      • Maximum MIME nesting is X levels - For emails that contain nested MIME content, set the maximum number of nesting levels that the ThreatSpect engine scans in the email.
      • When nesting level is exceeded block/allow file - If there are more nested levels of MIME content than the configured amount, select to Block or Allow the email file.
  9. Select File Types:
    • Process file types known to contain malware
    • Process all file types
    • Process specific file types families
  10. To configure the specific file type families:
    1. Click Configure.
    2. In the File Types Configuration window, for each file type, select the Anti-Virus action for the file type.
    3. Click OK to close the File Types Configuration window.
  11. Click OK and close the Threat Prevention profile window.
  12. Install Policy.
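
To make the MIME Nesting setting in step 8 concrete, here is an added example (not Check Point code) that measures the nesting depth of a raw email with Python's standard email package and applies the block/allow choice. How the ThreatSpect engine counts levels is not stated on this page, so the counting convention used here (one level per nested MIME container, with message/rfc822 attachments descended like any other container) is an assumption, and the sample messages are constructed.

```python
from email import policy
from email.parser import BytesParser
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def mime_nesting_depth(msg) -> int:
    """Deepest nesting level of MIME containers in msg.
    Assumed convention: a single-part message is depth 0, one multipart
    wrapper is depth 1, and each container nested inside adds one level."""
    if not msg.is_multipart():
        return 0
    return 1 + max((mime_nesting_depth(p) for p in msg.iter_parts()), default=0)


def nesting_verdict(raw: bytes, max_levels: int, on_exceed: str = "block") -> dict:
    """Apply 'Maximum MIME nesting is X levels' and the
    'When nesting level is exceeded block/allow file' choice to a raw email.
    Returns the measured depth and the resulting verdict:
    'inspect' when within the limit, otherwise the configured block/allow."""
    if on_exceed not in ("block", "allow"):
        raise ValueError("on_exceed must be 'block' or 'allow'")
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    depth = mime_nesting_depth(msg)
    exceeded = depth > max_levels
    return {"depth": depth, "exceeded": exceeded,
            "verdict": on_exceed if exceeded else "inspect"}


def build_nested_sample(levels: int) -> bytes:
    """Constructed test input: a plain-text body wrapped in `levels`
    multipart/mixed containers, so its expected depth equals `levels`."""
    part = MIMEText("constructed plain body")
    for _ in range(levels):
        wrapper = MIMEMultipart("mixed")
        wrapper.attach(part)
        part = wrapper
    part["From"] = "sender@example.test"   # placeholder addresses
    part["To"] = "user@example.test"
    part["Subject"] = "constructed nesting sample"
    return part.as_bytes()


if __name__ == "__main__":
    for levels in (0, 3, 5):
        print(levels, nesting_verdict(build_nested_sample(levels), max_levels=3))
```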

To enable Archive Scanning:

  1. Select Enable Archive scanning (impacts performance).
  2. Click Configure.
  3. Set the amount in seconds to Stop processing archive after X seconds. The default is 30 seconds.
  4. Set to block or allow the file When maximum time is exceeded.

    The default setting is Allow.

  5. Click OK and close the Threat Prevention profile window.
  6. Install Policy.

Blocking Viruses

To block viruses and malware in your organization:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
  2. In the General Properties page, select the Anti-Virus Software Blade.

    The First Time Activation window opens.

  3. Select According to the Anti-Bot and Anti-Virus policy and click OK.
  4. Close the gateway Properties window and publish the changes.
  5. Click Security Policies > Threat Prevention > Policy > Threat Prevention.
  6. Click Add Rule.

    A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.

  7. Make a rule that includes these components:
    • Name - Give the rule a name such as Block Virus Activity.
    • Protected Scope - The list of network objects you want to protect. In this example, the Any network object is used.
    • Action - The Profile that contains the protection settings you want. The default profile is Optimized.
    • Track - The type of log you want to get when detecting malware on this scope. In this example, keep Log and also select Packet Capture to capture the packets of malicious activity. You will then be able to view the actual packets in SmartConsole > Logs & Monitor > Logs.
    • Install On - Keep it as All or choose specified gateways to install the rule on.
  8. Install the Threat Prevention policy.