
Configure Gateway AntiVirus Actions

When you enable Gateway AntiVirus, you must set the actions to be taken if a virus or error is found in an email message (SMTP or POP3 proxies), web page download or upload post (HTTP proxy), or uploaded or downloaded file (FTP proxy). When Gateway AntiVirus is enabled, it scans each file up to a specified kilobyte count. Any additional bytes in the file are not scanned. This allows the proxy to partially scan very large files without a large effect on performance.

The options for antivirus actions are:

Allow

Allows the packet to go to the recipient, even if the content contains a virus.

Deny

(FTP proxy only)

Denies the file and sends a deny message.

Lock

(SMTP and POP3 proxies only)

Locks the attachment. This is a good option for files that cannot be scanned by the Firebox. A file that is locked cannot be opened easily by the user. Only the administrator can unlock the file. The administrator can use a different antivirus tool to scan the file and examine the content of the attachment.

For information about how to unlock a file locked by Gateway AntiVirus, see Unlock a File Locked by Gateway AntiVirus.

Quarantine

(SMTP proxy only)

When you use the SMTP proxy with the Gateway AntiVirus security subscription, you can send email messages with viruses, or possible viruses, to the Quarantine Server. The SMTP proxy removes the message part that triggered the DLP violation and sends the modified message to the recipient. The removed message part is replaced with the deny message configured in the proxy. If the Quarantine Server cannot be contacted, the message is temporarily rejected.

For more information on the Quarantine Server, see About the Quarantine Server. For information on how to set up Gateway AntiVirus to work with the Quarantine Server, see Configure Gateway AntiVirus to Quarantine Email.

Remove

(SMTP and POP3 proxies only)

Removes the attachment and sends the rest of the message to the recipient. Replaces the removed attachment with the deny message configured in the proxy.

Drop

(Not supported in POP3 proxy)

Drops the packet and drops the connection. No information is sent to the source of the message.

Block

(Not supported in POP3 proxy)

Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.

Configure Gateway AntiVirus Actions for a Proxy

To configure Gateway AV actions, from Fireware Web UI:

  1. Select Subscription Services > Gateway AV.
    The Gateway AV configuration page appears.
  2. Select a user-defined proxy action and click Configure. You cannot modify Gateway AntiVirus settings for predefined proxy actions.
    The Gateway AntiVirus configuration settings for that proxy action appear.
  3. To enable Gateway AntiVirus for this proxy action, select the Enable Gateway AntiVirus check box.
  4. From the When a virus is detected drop-down list, select the action the Firebox takes if a virus is detected in an email message, file, web page, or web upload. See the beginning of this section for a description of the actions.
  5. From the When a scan error occurs drop-down list, select the action the Firebox takes when it cannot scan an object or an attachment. Attachments that cannot be scanned include binhex-encoded messages, certain encrypted files, or files that use a type of compression that Gateway AV does not support such as password-protected Zip files. See the beginning of this section for a description of the actions.

Select the Quarantine or Lock action to avoid loss of data to scan errors. When you unlock a file, make sure you scan the unlocked file with a local AV scanner.

  6. To create log messages for the action, select the Log check box for the antivirus response. If you do not want to record log messages for an antivirus response, clear the Log check box.
  7. To trigger an alarm for the action, select the Alarm check box for the antivirus response. If you do not want to set an alarm, clear the Alarm check box for that action.
  8. In the Limit scanning to first text box, type the file scan limit.
    For information about the default and maximum scan limits for each Firebox model, see About Gateway AntiVirus Scan Limits.

To configure Gateway AV actions, from Policy Manager:

  1. Select Subscription Services > Gateway AntiVirus > Configure.
    The Gateway AntiVirus dialog box appears.
  2. Select the policy you want to enable Gateway AntiVirus for and click Enable.
    The Gateway AV status changes to Enabled.
  3. Click Configure.
    The General Gateway AntiVirus Settings for that policy appear.
  4. From the When a virus is detected drop-down list, select the action the Firebox takes if a virus is detected in an email message, file, web page, or web upload. See the beginning of this section for a description of the actions.
  5. From the When a scan error occurs drop-down list, select the action the Firebox takes when it cannot scan an object or an attachment. Attachments that cannot be scanned include binhex-encoded messages, certain encrypted files, or files that use a type of compression that Gateway AV does not support such as password-protected Zip files. See the beginning of this section for a description of the actions.

Select the Quarantine or Lock action to avoid loss of data to scan errors. When you unlock a file, make sure you scan the unlocked file with a local AV scanner.

  6. To create log messages for the action, select the Log check box for the antivirus response. If you do not want to record log messages for an antivirus response, clear the Log check box.
  7. To trigger an alarm for the action, select the Alarm check box for the antivirus response. If you do not want to set an alarm, clear the Alarm check box for that action.
  8. In the Limit scanning to first text box, type the file scan limit.
    For information about the default and maximum scan limits for each Firebox model, see About Gateway AntiVirus Scan Limits.

You can also configure Gateway AntiVirus actions in the Edit Policy Properties dialog box.

  1. Double-click the policy.
  2. Select the Properties tab.
  3. Click .
  4. From the Categories list, select AntiVirus.

If you enable DLP and Gateway AV for the same proxy action, the larger configured scan limit is used for both services.

Configure Gateway AntiVirus Actions in Policy Rulesets from Policy Manager

For the HTTP proxy, the General Gateway AntiVirus settings only apply when AV Scan is selected in the Action drop-down lists on the URL Paths, Content Types, and Body Content Types rulesets for the policy. By default, the Activate Gateway AntiVirus Wizard sets the default action for content that does not match a proxy rule to AV Scan. You can improve Gateway AV performance if you change the default action for content that does not match one of the configured proxy rules.

To optimize performance, you can configure Gateway AV actions for the HTTP proxy to make the proxy more selective about which content types to scan. When you set the None matched action to AV Scan for the URL Paths, Content Types, or Body Content Types categories, the HTTP proxy scans all objects that do not match a rule.

To set the actions for HTTP proxy rulesets, follow the instructions in the subsequent section. You can also use the instructions to configure the Gateway AV actions by content type for the POP3 and SMTP proxies.

Configure AV Actions Based on URL Paths

  1. In the Categories tree, expand HTTP Request and select URL Paths.
    The URL Paths rules and actions settings appear.
  2. From the None matched drop-down list, select Allow.
    With this setting, URLs that do not match a rule in the list are not scanned by Gateway AV.

If you add rules to the URL Paths Rules list, you can set the If matched action to AV Scan to scan the content if the URL matches a rule in the list.

Configure AV Actions Based on Content Types

You can configure the actions for Content Type rules to scan the content types that are most likely to contain a virus, and to not scan other content types. To set the actions more granularly based on content type, use the advanced view of the rules.

  1. In the Categories tree, expand HTTP Response and select Content Types.
  2. From the None matched drop-down list, select Allow.
    Or, select an option other than the default (AV Scan).
  3. Click Change View.
    The Content Type Rules settings change to the advanced view.
  4. To select which rules to use, select or clear the Enabled check box for each rule.
  5. For each enabled rule, double-click the rule to select the Action to take for that rule.
    The Edit Content Type Rule dialog box appears.
  • To scan all content that matches the rule, set the action to AV Scan.
  • To allow content that matches the rule without an AV scan, set the action to Allow.

For example, you could set the action to AV Scan only for text/* and application/* content types, and set the action to Allow for other content types that are less likely to pose a threat.
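
An added example, not WatchGuard code: a small Python model of the Content Types ruleset from the example above, for listing which media types seen in your traffic would skip Gateway AV once None matched is set to Allow. First-match rule order, shell-style wildcard matching, and the sample header values are assumptions of this sketch.

```python
from fnmatch import fnmatchcase

# Assumed model of the example ruleset: ordered rules, first match wins,
# shell-style wildcards. This is not the Firebox's own matching code.
RULES = [
    ("text/*", "AV Scan"),
    ("application/*", "AV Scan"),
]
NONE_MATCHED = "Allow"  # the None matched setting selected in the procedure


def normalize(content_type):
    """Lower-case the media type and drop parameters such as '; charset=utf-8'."""
    return content_type.split(";", 1)[0].strip().lower()


def action_for(content_type, rules=RULES, none_matched=NONE_MATCHED):
    """Return the first matching rule's action, else the None matched action."""
    media_type = normalize(content_type)
    for pattern, action in rules:
        if fnmatchcase(media_type, pattern.lower()):
            return action
    return none_matched


def unscanned(observed, rules=RULES, none_matched=NONE_MATCHED):
    """Return the distinct media types in `observed` that would not be AV scanned."""
    skipped = {normalize(ct) for ct in observed
               if action_for(ct, rules, none_matched) != "AV Scan"}
    return sorted(skipped)


# Constructed sample of Content-Type response headers (not real traffic).
SAMPLE = [
    "text/html; charset=utf-8",
    "Application/Zip",
    "application/x-msdownload",
    "image/png",
    "image/svg+xml",
    "font/woff2",
    "",  # response that carries no Content-Type header
]

if __name__ == "__main__":
    for ct in SAMPLE:
        print(f"{ct or '(none)':32} -> {action_for(ct)}")
    print("Not scanned:", unscanned(SAMPLE))
```
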

For information about HTTP Response Content Types, see HTTP Response: Content Types.

Configure AV Actions Based on Body Content Types

You can also configure the actions for the Body Content Types rules.

  1. In the Categories tree, expand HTTP Response and select Body Content Types.
  2. From the None matched drop-down list, select Allow.
    Or, select an option other than the default (AV Scan).
  3. From the If matched drop-down list, select AV Scan.
    Or, click Change View to set rules individually for different body content types.

For information about HTTP Response Body Content Types, see HTTP Response: Body Content Types.

Configure Alarm Notifications for Antivirus Actions

You can configure an alarm notification to tell users when a proxy rule applies to network traffic. If you enable alarms for a proxy antivirus action, you must also configure the type of alarm to use in the proxy policy.

To configure the alarm type to use for a proxy policy, from Fireware Web UI:

  1. Select Firewall > Firewall Policies.
  2. Double-click a policy to edit.
  3. Select the Properties tab.
  4. Configure the notification settings as described in Set Logging and Notification Preferences.

To configure the alarm type to use for a proxy policy, from Policy Manager:

  1. Double-click the policy to edit.
  2. Select the Properties tab.
  3. Click .
  4. Select the Proxy and AV Alarms category.
  5. Configure the Proxy/AV Alarms settings as described in Set Logging and Notification Preferences.

 

See Also

Update Gateway AntiVirus Settings
