Contents

Related Topics

Configure Gateway AntiVirus Actions

When you enable Gateway AntiVirus for a proxy policy, you set the actions to be taken if a virus is found or a file cannot be scanned in an:

  • Email message (SMTP, IMAP, or POP3 proxies)
  • Web page download or upload post (HTTP, TCP-UDP, or Explicit proxy)
  • Uploaded or downloaded file (FTP proxy)

Gateway AntiVirus default and maximum scan size limits are set based on the hardware capabilities of each Firebox model. Minimum scan size for all models is 1 MB. Gateway AntiVirus does not scan files larger than the scan limit you set.

The default and maximum scan size limits changed in Fireware v12.0.1. When you upgrade Fireware OS, the Gateway AntiVirus Scan size limit does not automatically change to the new default. We recommend that you update the Scan size limit to the default value for your Firebox model. For more information, see About Gateway AntiVirus Scan Limits.

You can configure Gateway AV to take these actions when it identifies a virus or when a scan error occurs:

Allow Closed

Allows the packet to go to the recipient, even if the content contains a virus.

Deny (FTP proxy only)Closed

Denies the file and sends a deny message. You can customize the deny message in the proxy action.

Lock (SMTP, IMAP, and POP3 proxies only)Closed

Locks the attachment. This is a good option for files that cannot be scanned by the Firebox. A file that is locked cannot be opened easily by the user. Only the administrator can unlock the file. The administrator can use a different antivirus tool to scan the file and examine the content of the attachment.

For information about how to unlock a file locked by Gateway AntiVirus, see Unlock a File Locked by Gateway AntiVirus.

Quarantine (SMTP proxy only)Closed

When you use the SMTP proxy with the Gateway AntiVirus security subscription, you can send email messages with viruses, or possible viruses, to the Quarantine Server. The SMTP proxy removes the message part that triggered the scanner and sends the modified message to the recipient. The removed message part is replaced with the deny message configured in the proxy. If the Quarantine Server cannot be contacted, the message is temporarily rejected.

For more information on the Quarantine Server, see About the Quarantine Server. For information on how to set up Gateway AntiVirus to work with the Quarantine Server, see Configure Gateway AntiVirus to Quarantine Email.

Remove (SMTP, IMAP, and POP3 proxies only)Closed

Removes the attachment and sends the rest of the message to the recipient. Replaces the removed attachment with the deny message configured in the proxy.

Drop (Not supported in IMAP or POP3 proxies)Closed

Drops the packet and drops the connection. No information is sent to the source of the message.

Block (Not supported in IMAP or POP3 proxies)Closed

Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.

Gateway AntiVirus actions occur only when a rule in the proxy action is configured with the AV Scan action. For information about how to configure Gateway AntiVirus in rules in a proxy action, see Enable Gateway AntiVirus in a Proxy Policy.

Configure Gateway AntiVirus Actions for a Proxy

For each proxy action, you can enable Gateway AntiVirus and you can select the actions to take when a virus is detected and when a scan error occurs. When you enable Gateway AntiVirus for a proxy action, this automatically changes the action for rules in the proxy action from Allow to AV Scan.

You can configure the Gateway AntiVirus actions for a proxy in the Gateway AV settings in the proxy action. Or you can edit the proxy action settings in the Gateway AntiVirus settings. The procedure in this topic uses the second method.

To configure Gateway AV actions, from Fireware Web UI:Closed
  1. Select Subscription Services > Gateway AV.
    The Gateway AV configuration page appears.

Screen shot of the Gateway AV configuration page

  1. Select a user-defined proxy action and click Configure..
    The Gateway AntiVirus configuration settings for that proxy action appear.

Screen shot of the Gateway AV configuration page

  1. To enable Gateway AntiVirus for this proxy action, select the Enable Gateway AntiVirus check box.
  2. From the When a virus is detected drop-down list, select the action the Firebox takes if a virus is detected in an email message, file, web page, or web upload. See the beginning of this section for a description of the actions.
  3. From the When a scan error occurs drop-down list, select the action the Firebox takes when it cannot scan an object or an attachment. Attachments that cannot be scanned include binhex-encoded messages, certain encrypted files, or files that use a type of compression that Gateway AV does not support such as password-protected Zip files. See the beginning of this section for a description of the actions.

Select the Quarantine or Lock action to avoid loss of data to scan errors. When you unlock a file, make sure you scan the unlocked file with a local AV scanner.

  1. From the When content exceeds scan size limit drop-down list, select the action the Firebox takes when content exceeds the configured scan size limit. Gateway AV default and maximum scan size limits are set based on the hardware capabilities of each Firebox model. Minimum scan size for all models is 1 MB. For information about the default and maximum scan limits for each Firebox model, see About Gateway AntiVirus Scan Limits.
  2. From the When content is encrypted drop-down list, select the action the Firebox takes when Gateway AV cannot scan a file because it is encrypted (password protected).
  3. To create log messages for the action, select the Log check box. If you do not want to record log messages for an antivirus response, clear the Log check box.
  4. To trigger an alarm for the action, select the Alarm check box. If you do not want to set an alarm, clear the Alarm check box for that action.
  5. In the Scan size limit text box, type the file scan limit in kilobytes. This sets the maximum size file that can be scanned by Gateway AV. For information about the default and maximum scan limits for each Firebox model, see About Gateway AntiVirus Scan Limits.

The scan limit also controls the maximum size of files that APT Blocker sends for analysis. APT Blocker cannot send files larger than 10 MB for analysis. If you set the Gateway Antivirus scan limit to higher than 10 MB, APT Blocker does not send files larger than 10 MB for analysis.

To configure Gateway AV actions, from Policy Manager:Closed
  1. Select Subscription Services > Gateway AntiVirus > Configure.
    The Gateway AntiVirus dialog box appears.

Screen shot of the Gateway AntiVirus dialog box

  1. Select the policy you want to enable Gateway AntiVirus for and click Enable.
    The Gateway AV status changes to Enabled.
  2. Click Configure.
    The General Gateway AntiVirus Settings for that policy appear.

Screen shot of General Gateway AntiVirus Settings page

  1. From the When a virus is detected drop-down list, select the action the Firebox takes if a virus is detected in an email message, file, web page, or web upload. See the beginning of this section for a description of the actions.
  2. From the When a scan error occurs drop-down list, select the action the Firebox takes when it cannot scan an object or an attachment. Attachments that cannot be scanned include binhex-encoded messages, certain encrypted files, or files that use a type of compression that Gateway AV does not support such as password-protected Zip files. See the beginning of this section for a description of the actions.

Select the Quarantine or Lock action to avoid loss of data to scan errors. When you unlock a file, make sure you scan the unlocked file with a local AV scanner.

  1. From the When content exceeds scan size limit drop-down list, select the action the Firebox takes when content exceeds the configured scan size limit.
  2. From the When content is encrypted drop-down list, select the action the Firebox takes when Gateway AV cannot scan a file because it is encrypted (password protected).

This setting applies to Fireware v12.0.1 and higher. In lower versions of Fireware, when an encrypted file cannot be scanned, the Firebox takes the action configured for When a scan error occurs.

  1. To create log messages for the action, select the Log check box. If you do not want to record log messages for an action, clear the Log check box.
  2. To trigger an alarm for the action, select the Alarm check box. If you do not want to set an alarm for an action, clear the Alarm check box.
  3. In the Scan size limit text box, type the file scan limit in kilobytes. This sets the maximum size file that can be scanned by Gateway AV. For information about the default and maximum scan limits for each Firebox model, see About Gateway AntiVirus Scan Limits.

The scan limit also controls the maximum size of files that APT Blocker sends for analysis. APT Blocker cannot send files larger than 10 MB for analysis. If you set the Gateway Antivirus scan limit to higher than 10 MB, APT Blocker does not send files larger than 10 MB for analysis.

You can also configure Gateway AntiVirus actions in the Edit Policy Properties dialog box.

  1. Double-click the policy.
  2. Select the Properties tab.
  3. Click .
  4. From the Categories list, select AntiVirus.

If you enable DLP and Gateway AV for the same proxy action, the larger configured scan limit is used for both services.

For the HTTP proxy (and the Explicit and TCP-UDP proxies), the General Gateway AntiVirus settings only apply when AV Scan is selected in the Action drop-down lists on the URL Paths, Content Types, and Body Content Types rules for the policy.

By default, when you enable Gateway AntiVirus for a proxy policy from the Gateway AntiVirus configuration, the default action for content that does not match a proxy rule is automatically set to AV Scan. You can improve Gateway AV performance if you change the default action for HTTP content that does not match a configured proxy rule. For more information, see Configure Gateway AntiVirus Actions for HTTP Content

See Also

Update Gateway AntiVirus Settings

Give Us Feedback     Get Support     All Product Documentation     Technical Search

© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.