Configure Gateway AntiVirus Actions

When you enable Gateway AntiVirus, you must set the actions to be taken if a virus or error is found in an email message (SMTP or POP3 proxies), web page download or upload post (HTTP proxy), or uploaded or downloaded file (FTP proxy). When Gateway AntiVirus is enabled, it scans each file up to a specified kilobyte count. Any additional bytes in the file are not scanned. This allows the proxy to partially scan very large files without a large effect on performance.

The options for antivirus actions are:

Allow

Allows the packet to go to the recipient, even if the content contains a virus.

Deny

(FTP proxy only)

Denies the file and sends a deny message.

Lock

(SMTP and POP3 proxies only)

Locks the attachment. This is a good option for files that cannot be scanned by the XTM device. A file that is locked cannot be opened easily by the user. Only the administrator can unlock the file. The administrator can use a different antivirus tool to scan the file and examine the content of the attachment.

Quarantine

(SMTP proxy only)

When you use the SMTP proxy with the Gateway AntiVirus security subscription, you can send email messages with viruses, or possible viruses, to the Quarantine Server. The SMTP proxy removes the message part that triggered the DLP violation and sends the modified message to the recipient. The removed message part is replaced with the deny message configured in the proxy.

For more information on the Quarantine Server, see About the Quarantine Server. For information on how to set up Gateway AntiVirus to work with the Quarantine Server, see Configure Gateway AntiVirus to Quarantine Email.

Remove

(SMTP and POP3 proxies only)

Removes the attachment and sends the rest of the message to the recipient. Replaces the removed attachment with the deny message configured in the proxy.

Drop

(Not supported in POP3 proxy)

Drops the packet and drops the connection. No information is sent to the source of the message.

Block

(Not supported in POP3 proxy)

Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.

Configure Gateway AntiVirus Actions for a Proxy Action

  1. Select Subscription Services > Gateway AV.
    The Gateway AV configuration page appears.

Screen shot of the Gateway AV configuration page

  2. Select a user-defined proxy action and click Configure. You cannot modify Gateway AntiVirus settings for predefined proxy actions.
    The Gateway AntiVirus configuration settings for that proxy action appear.

Screen shot of the Gateway AV configuration page

  3. To enable Gateway AntiVirus for this proxy action, select the Enable Gateway AntiVirus check box.
  4. From the When a virus is detected drop-down list, select the action the XTM device takes if a virus is detected in an email message, file, web page, or web upload. See the beginning of this section for a description of the actions.
  5. From the When a scan error occurs drop-down list, select the action the XTM device takes when it cannot scan an object or an attachment. Attachments that cannot be scanned include binhex-encoded messages, certain encrypted files, or files that use a type of compression that Gateway AV does not support such as password-protected Zip files. See the beginning of this section for a description of the actions.
  6. To create log messages for the action, select the Log check box for the antivirus response. If you do not want to record log messages for an antivirus response, clear the Log check box.
  7. To trigger an alarm for the action, select the Alarm check box for the antivirus response. If you do not want to set an alarm, clear the Alarm check box for that action.
  8. In the Limit scanning to first text box, type the file scan limit.
    For information about the default and maximum scan limits for each XTM device model, see About Gateway AntiVirus Scan Limits.

If you enable DLP and Gateway AV for the same proxy action, the larger configured scan limit is used for both services.
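
The following Python check is an added example, not WatchGuard code or a device export format. It reviews a planned proxy action against the rules on this page: which actions each proxy supports, what Allow and a cleared Log check box mean, the alarm requirement, and the effective scan limit when DLP shares the proxy action. The dictionary layout, field names, and sample values are assumptions made for illustration.

```python
# Added example: the dict layout is hypothetical; the rules come from this page.
PROXIES = {"SMTP", "POP3", "HTTP", "FTP"}

# Which proxies support each action, per the action descriptions on this page.
SUPPORTED = {
    "Allow": PROXIES,
    "Deny": {"FTP"},
    "Lock": {"SMTP", "POP3"},
    "Quarantine": {"SMTP"},
    "Remove": {"SMTP", "POP3"},
    "Drop": PROXIES - {"POP3"},
    "Block": PROXIES - {"POP3"},
}


def effective_scan_limit_kb(gav_limit_kb, dlp_limit_kb=None):
    """With DLP and Gateway AV on one proxy action, the larger limit applies."""
    return gav_limit_kb if dlp_limit_kb is None else max(gav_limit_kb, dlp_limit_kb)


def lint_proxy_action(cfg):
    """Return review findings for one proxy action (hypothetical dict layout)."""
    findings, proxy = [], cfg["proxy"]
    for event in ("virus_detected", "scan_error"):
        setting = cfg[event]
        action = setting["action"]
        if proxy not in SUPPORTED.get(action, set()):
            findings.append(f"{event}: {action} is not available in the {proxy} proxy")
        if action == "Allow":
            findings.append(f"{event}: Allow lets the content through to the recipient")
        if not setting.get("log"):
            findings.append(f"{event}: Log is cleared, so no log message is recorded")
        if setting.get("alarm") and not cfg.get("policy_notification"):
            findings.append(f"{event}: Alarm is selected but the policy has no alarm type")
    limit = effective_scan_limit_kb(cfg["scan_limit_kb"], cfg.get("dlp_scan_limit_kb"))
    findings.append(f"scan limit: only the first {limit} KB of each file is scanned")
    return findings


# Constructed sample: a POP3 proxy action with an unsupported action choice.
SAMPLE = {
    "proxy": "POP3",
    "virus_detected": {"action": "Quarantine", "log": True, "alarm": True},
    "scan_error": {"action": "Allow", "log": False, "alarm": False},
    "scan_limit_kb": 1024, "dlp_scan_limit_kb": 2048,  # constructed values
}

if __name__ == "__main__":
    print("\n".join(lint_proxy_action(SAMPLE)))
```

For the constructed sample, the check reports that Quarantine is not available in the POP3 proxy, that the alarm has no alarm type in the policy, that scan errors are allowed through without a log message, and that the effective scan limit is the larger DLP value.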

Configure Alarm Notifications for Antivirus Actions

You can configure an alarm notification to tell users when a proxy rule applies to network traffic. If you enable alarms for a proxy antivirus action, you must also configure the type of alarm to use in the proxy policy.

To configure the alarm type to use for a proxy policy:

  1. Select Firewall > Firewall Policies.
  2. Double-click a policy to edit.
  3. Select the Properties tab.
  4. Configure the notification settings as described in Set Logging and Notification Preferences.

See Also

Update Gateway AntiVirus Settings
