Anti-Virus

What can I do here?

Use this window to configure the Anti-Virus settings for the Threat Prevention profile.

Configuring Anti-Virus Settings

You can configure Threat Prevention to exclude files from inspection, such as internal emails and internal file transfers. These settings are based on the interface type (internal or external, as defined in SmartConsole) and traffic direction (incoming or outgoing).

Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The gateway window opens and shows the General Properties page.

2. From the navigation tree, click Network Management and then double-click a DMZ interface.
3. In the General page of the Interface window, click Modify.
4. In the Topology Settings window, click Override and Interface leads to DMZ.
5. Click OK and close the gateway window.

   Perform this procedure for each interface that goes to the DMZ.

You can configure these Anti-Virus settings in the Anti-Virus page:

• Anti-Virus UserCheck Settings:
  • Prevent - Select the UserCheck message that opens for a Prevent action.
  • Ask - Select the UserCheck message that opens for an Ask action.
• Protected Scope:
  • Inspect incoming files from:

    Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:

    • External - Inspect incoming files from external interfaces. Files from the DMZ and internal interfaces are not inspected.
    • External and DMZ - Inspect incoming files from external and DMZ interfaces. Files from internal interfaces are not inspected.
    • All - Inspect all incoming files from all interface types.
  • Inspect incoming and outgoing files - Sends all incoming and outgoing files for inspection.
• The Protocols that Anti-Virus scans:
  • HTTP
  • FTP
  • Mail (SMTP) - Click Mail to configure the SMTP traffic inspection. This links you to the Mail page of the Profile settings.
• File Types:
  • Process file types known to contain malware
  • Process all file types - Select Enable deep inspection scanning, if needed. Remember, it impacts performance.
  • Process specific file types families

  To configure the specific file type families:

  1. Click Configure.
  2. In the File Types Configuration window, for each file type, select the Anti-Virus action for the file type.
  3. Click OK to close the File Types Configuration window.
• Archives - You can configure the Anti-Virus profile to enable archive scanning.

Enabling Archive Scanning

You can configure the Anti-Virus settings to enable archive scanning. The Anti-Virus engine unpacks archives and applies proactive heuristics. The use of this feature impacts network performance.

Select Enable Archive scanning (impacts performance) and click Configure:

1. Stop processing archive after (seconds) - Sets the amount in seconds to stop processing the archive. The default is 30 seconds.
2. When maximum time is exceeded (action on file) - Sets to block or allow the file when the time for processing the archive is exceeded. The default setting is Allow.

Blocking Viruses

To block viruses and malware in your organization:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
2. In the General Properties page, select the Anti-Virus Software Blade.

   The First Time Activation window opens.

3. Select According to the Anti-Bot and Anti-Virus policy and click OK.
4. Close the gateway Properties window and publish the changes.
5. Click Security Policies > Threat Prevention > Policy > Threat Prevention.
6. Click Add Rule.

   A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.

7. Make a rule that includes these components:
   • Name - Give the rule a name such as Block Virus Activity.
   • Protected Scope - The list of network objects you want to protect. In this example, the Any network object is used.
   • Action - The Profile that contains the protection settings you want. The default profile is Optimized.
   • Track - The type of log you want to get when detecting malware on this scope. In this example, keep Log and also select Packet Capture to capture the packets of malicious activity. You will then be able to view the actual packets in SmartConsole > Logs & Monitor > Logs.
   • Install On - Keep it as All or choose specified gateways to install the rule on.
8. Install the Threat Prevention policy.