Configure APT Blocker
You can use APT Blocker in addition to Gateway AntiVirus to provide protection against advanced malware techniques that exploit zero-day vulnerabilities and evade traditional signature-based scanning.
APT Blocker is part of the same scan process as Gateway AntiVirus. When you enable APT Blocker in a proxy action, APT Blocker scans content only when content matches a proxy action rule configured with the AV Scan action.
To use APT Blocker, you must have a feature key that enables the service.
For more information, see:
APT Blocker and NTP
When you use APT Blocker, WatchGuard recommends that you enable NTP to make sure the time is synchronized with the data center. For more information on how to enable and configure NTP, see Enable NTP and Configure NTP Servers.
APT Blocker and IPv6
Enable APT Blocker and Configure APT Blocker Actions
Before you can enable APT Blocker, Gateway AntiVirus must be enabled for one or more active proxy policies. For more information, see Enable Gateway AntiVirus in a Proxy Policy.
When you configure APT Blocker, you specify the action that APT Blocker takes for each threat level. Options include:
Allows and delivers the file or email attachment to the recipient.
- HTTP and FTP — Drops the connection immediately. The Firebox does not give any error messages to the sending server.
- SMTP and POP3 — If you use the drop action with the SMTP-proxy or POP3-proxy, the attachment is stripped before the message is delivered to the recipient.
- HTTP and FTP — Drops the connection, and the sender or source address is added to the Blocked Sites list for 20 minutes.
- SMTP and POP3 — If you use the block action with the SMTP-proxy or POP3-proxy, the attachment is stripped before the message is delivered to the recipient. The sender or source address is added to the Blocked Sites list for 20 minutes.
Quarantine (SMTP only)
When you use the SMTP-proxy with APT Blocker, you can send email messages to the Quarantine Server. The SMTP-proxy removes the part of the message that triggered APT Blocker and sends the modified message to the recipient. The removed part of the message is replaced with the deny message that is configured in the proxy action settings. If the Quarantine Server cannot be contacted, the message is temporarily rejected.
For more information on the Quarantine Server, see About the Quarantine Server.
For the HTTP-proxy and FTP-proxy, the quarantine action is converted to a Drop action. For the POP3-proxy, the quarantine action is converted to a Strip action.
To enable APT Blocker:
- Select Subscription Services > APT Blocker.
- Select the Enable APT Blocker check box.
- For each threat level, select the action. Available actions are:
- To send a log message for an APT Blocker action, select the Log check box.
- To trigger an alarm for an APT Blocker action, select the Alarm check box.
Click the Notification Settings button to configure the types of alarm notifications you want to receive.
- Click OK.
Configure Other APT Blocker Settings
In the Policies section, you can disable or enable APT Blocker for each policy in your configuration. For more information, see Enable or Disable APT Blocker for a Proxy Policy.
To disable or enable APT Blocker for each policy, select the Policies tab. For more information, see Enable or Disable APT Blocker for a Proxy Policy
To send APT Blocker requests to a region-specific or local on-premise server, select the Advanced tab. For more information, see Configure APT Blocker Server Settings.
To monitor APT Blocker activity, configure logging for APT Blocker, and view APT Blocker Dimension reports, see Monitor APT Blocker Activity.
To configure notification settings for APT Blocker, click Notification Settings. For more information, see Set Logging and Notification Preferences.
To specify files that you do not want APT Blocker to scan, click File Exceptions. For more information, see Configure File Exceptions.