Print Download Documentation Send Feedback

Previous

Next

Edit Pattern String

What can I do here?

Use this window to add, edit or remove worm pattern definitions.

Getting Here

Getting Here - Manage & Settings > Blades > General > Inspection Settings > General > Protections table > Protection > Profile > Advanced page > Add or edit command in table

Or:

Security Policies > Threat Prevention > Policy > Threat Tools > IPS Protections > Protection > Advanced page > Add or edit command in table

Worm Pattern Definitions

Worm patterns are described using regular expressions that define the suspicious pattern in HTTP URLs. Regular expressions are a very flexible way of pattern matching. If Web Security matches the pattern in a URL, the packet is dropped.

What is a CIFS worm pattern?

CIFS worm patterns are described using regular expressions that define suspicious patterns. Patterns are matched against file names (including file paths but excluding the disk share name) that the client is trying to read or write from the server.

The file names used by many worms are predictable and thus can be blocked using worm patterns.

These patterns can also be used to block certain CIFS services (like the remote registry service) that utilize the IPC$ hidden share.

If Web Intelligence matches the pattern in a file name to one of its list of worm patterns, the packet is dropped.

Worm Patterns

This is an example of a worm pattern file:

(
        : (
  :pattern ("\.test\?")
  :pattern_date (1021220693)
  :worm_name (TestWorm)
  :mode (true)
 )
)