About Gateway AntiVirus
Hackers use many methods to attack computers on the Internet. Viruses, including worms and trojans, are malicious computer programs that self-replicate and put copies of themselves into other executable code or documents on your computer. When a computer is infected, the virus can destroy files or record keystrokes.
To help protect your network from viruses, you can purchase the Gateway AntiVirus subscription service. Gateway AntiVirus operates with the SMTP, IMAP, POP3, HTTP, FTP, Explicit, and TCP-UDP proxies. When a new attack is identified, the features that make the virus unique are recorded. These recorded features are known as the signature. Gateway AntiVirus uses signatures to find viruses when content is scanned by the proxy.
When you enable Gateway AntiVirus for a proxy, Gateway AntiVirus scans the content types configured for that proxy. Gateway AntiVirus can scan these compressed file types:
- XML/HTML container
- OLE container (Microsoft Office documents)
- MIME (mainly email messages in EML format)
- bz2 (Bzip)
- swf (Flash; limited support)
- RAR5 (RAR 5.0)
To add another layer of protection to the Gateway AntiVirus security service, enable IntelligentAV. IntelligentAV uses artificial intelligence, not signatures, to identify and block known and unknown malware. For more information, see About IntelligentAV.
WatchGuard cannot guarantee that Gateway AntiVirus can stop all viruses, or prevent damage to your systems or networks from a virus.
From Firebox System Manager, you can see statistics on current Gateway AntiVirus activity on the Firebox, as described in Gateway AntiVirus Statistics.
Activate and Update Gateway AntiVirus
New viruses appear on the Internet frequently. To make sure that Gateway AntiVirus gives you the best protection, the Firebox must download signature updates frequently. You can configure the Firebox to update the signatures automatically from WatchGuard, as described in Configure the Gateway AntiVirus Update Server. To see your signature update status or force a manual update, see Subscription Services Status and Manual Signatures Updates.
About Gateway AntiVirus and Proxy Policies
Gateway AntiVirus can work with the WatchGuard SMTP, POP3, IMAP, HTTP, FTP, TCP-UDP, and Explicit proxies. When you enable Gateway AntiVirus, these proxies examine various types of traffic and perform an action that you specify, such as to drop the connection or to block the packet and add its source address to the Blocked Sites list.
Gateway AntiVirus scans different types of traffic according to which proxy policies you use the feature with:
- SMTP, IMAP, or POP3 proxy — Gateway AntiVirus looks for viruses and intrusions encoded with frequently used email attachment methods. You can also use Gateway AntiVirus and the SMTP proxy to send virus-infected email to the Quarantine Server. For more information, see About the Quarantine Server and Configure Gateway AntiVirus to Quarantine Email.
- HTTP proxy or Explicit proxy — Gateway AntiVirus looks for viruses in web pages that users try to download and files that users upload to web pages. For more information, see About the HTTP-Proxy and HTTP-Proxy: AntiVirus.
- TCP-UDP proxy — This proxy scans traffic on dynamic ports. It recognizes traffic for several different types of proxies, including HTTP and FTP. The TCP-UDP proxy then sends traffic to the appropriate proxy to scan for viruses or intrusions.
- FTP proxy — Gateway AntiVirus looks for viruses in uploaded or downloaded files.
Each proxy that uses Gateway AntiVirus is configured with options that are unique to that proxy. For example, the categories of items you can scan are different for each proxy.
For all proxies, you can limit file scanning up to a specified kilobyte count. The default scan limit and maximum scan limits are different for each Firebox model. Gateway AntiVirus does not scan files larger than the configured scan size limit.
For more information about the default and maximum scan limits for each Firebox model, see About Gateway AntiVirus Scan Limits.
To make sure Gateway AntiVirus has current signatures, you can enable automatic updates for the Gateway AntiVirus server, as described in Configure the Gateway AntiVirus Update Server.
Gateway AntiVirus and Reputation Enabled Defense
We recommend you enable Reputation Enabled Defense (RED) to reduce the resources used by Gateway AntiVirus. When you use RED, your Firebox device skips AV scans for sites with a very good reputation, and refuses access to sites with a very poor reputation.
For more information, see About Reputation Enabled Defense.
Gateway AntiVirus and File Exceptions
Gateway AntiVirus does not scan files that are on the File Exceptions list.
For more information, see Configure File Exceptions.
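The scan size limit, Reputation Enabled Defense, and the File Exceptions list described above each let content through without a signature scan. The following added example (not WatchGuard code) models those decisions so you can see which transfers were never scanned. The check order, the reputation labels, the SHA-256 matching for exceptions, and all sample data are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

# All values below are constructed for illustration; none come from a Firebox.
SIGNATURES = {"Constructed.Test.A": b"--constructed-signature-marker--"}
FILE_EXCEPTIONS = {hashlib.sha256(b"constructed trusted file").hexdigest()}

def scan_decision(content, reputation="neutral", scan_limit_kb=1024):
    """Return (verdict, was_scanned) for one file seen by a proxy.
    Assumptions: the check order, the reputation labels, and identifying
    exception-list files by SHA-256 digest are hypothetical.
    """
    if reputation == "very_poor":
        return ("refused_by_reputation", False)
    if reputation == "very_good":
        return ("scan_skipped_by_reputation", False)
    if hashlib.sha256(content).hexdigest() in FILE_EXCEPTIONS:
        return ("scan_skipped_file_exception", False)
    if len(content) > scan_limit_kb * 1024:
        return ("not_scanned_over_limit", False)
    for name, pattern in SIGNATURES.items():
        if pattern in content:
            return ("virus_found:" + name, True)
    return ("no_signature_match", True)

def coverage_report(transfers, scan_limit_kb=1024):
    """Count verdicts and list files that were not refused and never scanned."""
    counts, unscanned = Counter(), []
    for name, content, reputation in transfers:
        verdict, scanned = scan_decision(content, reputation, scan_limit_kb)
        counts[verdict] += 1
        if not scanned and verdict != "refused_by_reputation":
            unscanned.append(name)
    return dict(counts), unscanned

MARKER = SIGNATURES["Constructed.Test.A"]
SAMPLE_TRANSFERS = [  # constructed (name, content, site reputation) tuples
    ("report.doc", b"plain text", "neutral"),
    ("small.bin", b"header" + MARKER, "neutral"),
    ("large.bin", b"\x00" * (2 * 1024) + MARKER, "neutral"),
    ("update.bin", b"x" + MARKER, "very_good"),
    ("trusted.bin", b"constructed trusted file", "neutral"),
    ("bad-site.bin", b"anything", "very_poor"),
]

if __name__ == "__main__":
    counts, unscanned = coverage_report(SAMPLE_TRANSFERS, scan_limit_kb=1)
    print(counts)
    print("passed without a signature scan:", unscanned)
```

With the scan limit set to 1 KB, the report lists `large.bin`, `update.bin`, and `trusted.bin` as unscanned, which is the set to cover with endpoint protection or other controls.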