Optimize Gateway AntiVirus for HTTP Traffic
Follow these recommendations to optimize Gateway AntiVirus performance for HTTP traffic.
Scan Objects based on Content Types
The setup wizards and the Gateway AntiVirus Activation wizard configure HTTP proxy policies to use a proxy action that scans allowed traffic for viruses. To optimize performance, we recommend that you configure the proxy action to use content types to determine whether to scan an object.
The content type in the HTTP header tells the browser whether to render or download an object. Threats are typically downloaded, so you can skip AV scans for some common content types that are not downloaded, such as:
To scan objects based on content types, in Policy Manager, configure the HTTP proxy action as follows:
- In the URL Paths ruleset, from the None matched action drop-down list, select Allow.
- In the Content Types ruleset:
- In advanced view, add rules for safer content types and set the rule action to Allow. For more information, see Add, Change, or Delete Rules.
- Click the Up and Down buttons to move the rules for safer content types to the top of the list. For more information, see Change the Order of Rules.
- Keep the Default rule action set to AV Scan so that content types you do not choose to allow are scanned.
- In the Body Content Types ruleset, from the None matched action drop-down list, select Allow. This does not mean that all other file types are allowed without an AV scan. The HTTP proxy can still decide to scan files based on the Content Types ruleset.
For more information, see the Optimize Gateway AntiVirus for HTTP Traffic video tutorial.
Use the Default Gateway AntiVirus Scan Limit
Most malware is delivered in files smaller than 1 MB. Because larger files are less likely to spread in a viral way, we recommend that you do not increase the default scan limit setting for your device.
If you increase the scan limit, Gateway AntiVirus scans larger files which can result in fewer concurrent connections through your Firebox.
For more information, see About Gateway AntiVirus Scan Limits
To add another layer of protection to Gateway AntiVirus, we recommend that you enable the IntelligentAV security service on supported devices.
When you enable IntelligentAV, Gateway AntiVirus uses two scan engines to detect and block malware before it can enter your network. First, Gateway AntiVirus scans a file with its anti-malware engine. If Gateway AntiVirus does not detect a virus and IntelligentAV is enabled, IntelligentAV then analyzes the file.
For more information, see Enable IntelligentAV.
Enable APT Blocker
To stop APT (Advanced Persistent Threat) malware in files and email attachments, we recommend that you enable APT Blocker.
Only files that have been scanned and processed as clean by Gateway AntiVirus are scanned by APT Blocker. APT Blocker scans compatible file types if they are enabled in the Gateway AntiVirus configuration.
For more information, see Enable or Disable APT Blocker for a Proxy Policy.