local network. While the virus scanning firewall takes care of blocking inbound infected files from
reaching the local network, ZoneDefense can be used to stop viruses spreading from an
already infected local host to other local hosts. When the NetDefendOS virus scanning engine
has detected a virus, the NetDefend Firewall will upload blocking instructions to the local
switches and instruct them to block all traffic from the infected host or server.
Since ZoneDefense blocking state in the switches is a limited resource, the administrator can
configure which hosts and servers should be blocked at the switches when a virus has been
detected.
For example: A local client downloads an infected file from a remote FTP server over the Internet.
NetDefendOS detects this and stops the file transfer. At this point, NetDefendOS has blocked the
infected file from reaching the internal network. Hence, there would be no use in blocking the
remote FTP server at the local switches since NetDefendOS has already stopped the virus.
Blocking the server's IP address would only consume blocking entries in the switches.
For NetDefendOS to know which hosts and servers to block, the administrator can specify a
network range that should be affected by a ZoneDefense block. All hosts and servers that are
within this range will be blocked.
The feature is controlled through the anti-virus configuration in the ALGs. Depending on the
protocol used, there are different scenarios in which the feature can be used.
For more information about this topic, refer to Chapter 12, ZoneDefense.
6.5.3. Anti-Virus Options
When configuring anti-virus scanning in an ALG, the following parameters can be set:

General options

Mode
    This must be one of:
    i. Disabled - Anti-virus is switched off.
    ii. Audit - Scanning is active but logging is the only action.
    iii. Protect - Anti-virus is active. Suspect files are dropped and logged.

Fail mode behavior
    If a virus scan fails for any reason then the transfer can be dropped, or allowed with
    the event being logged. If this option is set to Allow then a condition such as the virus
    database not being available or the current subscription expiring will not cause files to
    be dropped. Instead, they will be allowed through and a log message will be generated to
    indicate a failure has occurred.
Scan Exclude Option
Certain filetypes may be explicitly excluded from virus-scanning if that is desirable. This can
increase overall throughput if an excluded filetype is a type which is commonly encountered in a
particular scenario, such as image files in HTTP downloads.
NetDefendOS performs MIME content checking on all the filetypes listed in Appendix C, Verified
MIME filetypes to establish the file's true filetype and then looks for that filetype in the excluded
list. If the file's type cannot be established from its contents (and this may happen with filetypes
not specified in Appendix C, Verified MIME filetypes) then the filetype in the file's name is used
Chapter 6: Security Mechanisms
545
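As an added illustration (not NetDefendOS code), the following Python models the decisions the options above describe: content-based filetype detection with a fall-back to the file name's extension for the Scan Exclude list, the three Mode settings, the Fail mode behavior, and the ZoneDefense network-range check from the preceding section. The signature table standing in for Appendix C, the log message formats and the scanner result values are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple

class Mode(Enum):
    DISABLED = "disabled"   # anti-virus switched off
    AUDIT = "audit"         # scanning active, logging is the only action
    PROTECT = "protect"     # suspect files are dropped and logged

# Constructed stand-in for the Appendix C signature list: leading bytes -> filetype.
SIGNATURES = {b"\xff\xd8\xff": "jpg", b"%PDF-": "pdf", b"PK\x03\x04": "zip"}

def true_filetype(data: bytes, filename: str) -> str:
    """MIME content check first; only if that fails, fall back to the name's extension."""
    for magic, ftype in SIGNATURES.items():
        if data.startswith(magic):
            return ftype
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

@dataclass
class AvConfig:
    mode: Mode = Mode.PROTECT
    fail_mode_allow: bool = False             # Fail mode behavior: Allow (True) or Drop (False)
    exclude: FrozenSet[str] = frozenset()     # Scan Exclude filetypes
    zonedefense_range: Optional[str] = None   # hosts in this range may be blocked at the switches

def decide(cfg: AvConfig, data: bytes, filename: str, scan: str,
           sender_ip: str) -> Tuple[str, List[str]]:
    """scan is 'clean', 'infected' or 'failed' (database unavailable, subscription expired).
    Returns the action for the transfer and the log messages generated (constructed formats)."""
    log: List[str] = []
    if cfg.mode is Mode.DISABLED or true_filetype(data, filename) in cfg.exclude:
        return "allow", log                               # nothing is scanned
    if scan == "failed":
        log.append(f"av_scan_failed file={filename}")
        return ("allow" if cfg.fail_mode_allow else "drop"), log
    if scan == "infected":
        log.append(f"virus_found file={filename} sender={sender_ip}")
        if cfg.mode is Mode.AUDIT:
            return "allow", log                           # Audit: log only
        # ZoneDefense: a switch block only for a sender inside the configured range;
        # a remote sender (e.g. an Internet FTP server) would just waste a blocking entry.
        if cfg.zonedefense_range and ipaddress.ip_address(sender_ip) in ipaddress.ip_network(cfg.zonedefense_range):
            log.append(f"zonedefense_block host={sender_ip}")
        return "drop", log
    return "allow", log
```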