option is the Fail Mode property, which is always set to Deny when using anti-virus scanning
with an IP Policy object. IP Policy objects are discussed further in Section 3.6.7, “IP Policy”.
As mentioned before, anti-virus scanning of email attachments in IMAP traffic can only be done
using IP policies.
Configuring anti-virus scanning with either an IP rule or an IP policy is described further in
Section 6.5.4, “Activating Anti-Virus Scanning”.
6.5.2. Implementation
Streaming
As a data transfer is streamed through the NetDefend Firewall, NetDefendOS will scan the data
for the presence of viruses if the anti-virus module is enabled. Since data is being streamed and
not being read completely into memory, a minimum amount of memory is required and there is
minimal effect on overall throughput.
Pattern Matching
The inspection process is based on pattern matching against a database of known virus patterns
and can determine, with a high degree of certainty, if a virus is in the process of being
downloaded to a user behind the NetDefend Firewall. Once a virus is recognized in the contents
of a file, the download can be terminated before it completes.
Types of Data Scanned
As described above, anti-virus scanning is enabled on a per ALG basis and can scan data
downloads associated with the HTTP, FTP, SMTP and POP3 ALGs. More specifically:
• Any uncompressed file type transferred through these ALGs can be scanned.
• If the data file transferred has been compressed, ZIP and GZIP files can be scanned as well as
nested compressed files within them (up to 10 levels of nesting).
• For the HTTP ALG, webpage scripts and URLs are scanned.
Messages displayed by the HTTP ALG
If enabled through the HTTP ALG, webpage scripts and URLs as well as files can be scanned for
malicious code. If a threat is encountered, the connection is dropped and NetDefendOS will
generate a log message for the event. HTTPS traffic cannot be scanned so this does not apply for
that protocol.
As well as the connection being dropped, NetDefendOS will try to insert a message into the web
browser HTML of the affected user indicating the action taken (in some cases it might not be
possible to do this successfully). For malicious files and scripts, the following is an example of an
inserted message:
Chapter 6: Security Mechanisms
542
To Next Page
Loading...
