About Gateway AntiVirus
Hackers use many methods to attack computers on the Internet. Viruses, including worms and Trojans, are malicious computer programs that self-replicate and put copies of themselves into other executable code or documents on your computer. When a computer is infected, the virus can destroy files or record keystrokes.
To help protect your network from viruses, you can purchase the Gateway AntiVirus subscription service. Gateway AntiVirus operates with the SMTP, POP3, HTTP, FTP, and TCP-UDP proxies. When a new attack is identified, the features that make the virus unique are recorded. These recorded features are known as the signature. Gateway AV uses these signatures to find viruses when content is scanned by the proxy.
When you enable Gateway AV for a proxy, Gateway AV scans the content types configured for that proxy. Gateway AV can scan these compressed file types: .zip, .gzip, .7z, .tar, .jar, .rar, .chm, .lha, .pdf, XML/HTML container, OLE container (Microsoft Office documents), MIME (mainly email messages in EML format), .cab, .arj, .ace, .bz2 (Bzip), .swf (Flash; limited support).
WatchGuard cannot guarantee that Gateway AV can stop all viruses, or prevent damage to your systems or networks from a virus.
From Fireware Web UI, you can see statistics on current Gateway AntiVirus activity on the Dashboard > Subscription Services page, as described in Subscription Services Status and Manual Signatures Updates.
From Firebox System Manager, you can see statistics on current Gateway AntiVirus activity on the Firebox, as described in Gateway AntiVirus Statistics.
Activate and Update Gateway AV
New viruses appear on the Internet frequently. To make sure that Gateway AV gives you the best protection, you must update the signatures frequently. You can configure the Firebox to update the signatures automatically from WatchGuard, as described in Configure the Gateway AV Update Server. To see your signature update status or force a manual update, see Subscription Services Status and Manual Signatures Updates.
About Gateway AntiVirus and Proxy Policies
Gateway AV can work with the WatchGuard SMTP, POP3, HTTP, FTP, and TCP-UDP proxies. When you enable Gateway AV, these proxies examine various types of traffic and perform an action that you specify, such as to drop the connection or to block the packet and add its source address to the Blocked Sites list.
Gateway AV scans different types of traffic according to which proxy policies you use the feature with:
- SMTP or POP3 proxy — Gateway AV looks for viruses and intrusions encoded with frequently used email attachment methods. You can also use Gateway AV and the SMTP proxy to send virus-infected email to the Quarantine Server. For more information, see About the Quarantine Server and Configure Gateway AntiVirus to Quarantine Email.
- HTTP proxy — Gateway AV looks for viruses in web pages that users try to download and files that users upload to web pages.
- TCP-UDP proxy — This proxy scans traffic on dynamic ports. It recognizes traffic for several different types of proxies, including HTTP and FTP. The TCP-UDP proxy then sends traffic to the appropriate proxy to scan for viruses or intrusions.
- FTP proxy — Gateway AV looks for viruses in uploaded or downloaded files.
Each proxy that uses Gateway AV is configured with options that are specific to that proxy. For example, the categories of items you can scan are different for each proxy.
For all proxies, you can limit file scanning to a specified kilobyte count. The default and maximum scan limits are different for each Firebox model. The Firebox scans the start of each file up to the specified kilobyte count. Content past that limit is not scanned, so large files pass with only partial scanning.
For more information about the default and maximum scan limits for each Firebox model, see About Gateway AntiVirus Scan Limits.
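The signature matching and scan limit described above, as a toy model added here. This is not WatchGuard code: the signature names, byte patterns, limit values and verdict labels are constructed for illustration. It shows why "no match" on a partially scanned file is weaker evidence than on a fully scanned one, and why it is worth recording which transfers exceeded the limit.

```python
import io
from dataclasses import dataclass
from typing import BinaryIO, Optional

# Constructed, harmless byte patterns standing in for vendor signatures.
SIGNATURES = {
    "Demo.Sig.A": b"\xde\xad\xbe\xef-demo-signature-A",
    "Demo.Sig.B": b"demo-signature-B\x00\x01\x02",
}

@dataclass
class ScanResult:
    match: Optional[str]  # first signature name found, or None
    scanned_bytes: int    # bytes actually inspected
    total_bytes: int      # bytes that passed through

    @property
    def partial(self) -> bool:
        return self.scanned_bytes < self.total_bytes

def scan_stream(stream: BinaryIO, limit_kb: int, chunk: int = 4096) -> ScanResult:
    """Inspect only the first limit_kb kilobytes of a stream, chunk by chunk."""
    limit = limit_kb * 1024
    # Keep enough trailing bytes to catch a signature split across two chunks.
    overlap = max(len(s) for s in SIGNATURES.values()) - 1
    tail, match, scanned, total = b"", None, 0, 0
    while data := stream.read(chunk):
        total += len(data)
        if scanned < limit:
            window = data[: limit - scanned]  # never look past the scan limit
            scanned += len(window)
            buf = tail + window
            if match is None:
                match = next((n for n, s in SIGNATURES.items() if s in buf), None)
            tail = buf[-overlap:]
    return ScanResult(match, scanned, total)

def verdict(result: ScanResult) -> str:
    """Hypothetical policy labels: surface partial scans instead of calling them clean."""
    if result.match:
        return "deny"
    return "allow-partial" if result.partial else "allow-clean"

if __name__ == "__main__":
    # Constructed sample: a demo pattern located past a 1 KB scan limit.
    sample = io.BytesIO(b"\x00" * 2048 + SIGNATURES["Demo.Sig.B"])
    r = scan_stream(sample, limit_kb=1)
    print(verdict(r), r.scanned_bytes, r.total_bytes)
```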
To make sure Gateway AV has current signatures, you can enable automatic updates for the Gateway AV server, as described in Configure the Gateway AV Update Server.
Gateway AV and Reputation Enabled Defense
We recommend you enable Reputation Enabled Defense (RED) to reduce the resources used by Gateway AV. When you use RED, your Firebox device skips AV scans for sites with a very good reputation, and refuses access to sites with a very poor reputation.
For more information, see About Reputation Enabled Defense.