
Kaspersky Virus Blocker

From UntangleWiki

Untangle Server User's Guide

Other Links:
Kaspersky Blocker Description Page
Kaspersky Virus Blocker Screenshots
Kaspersky Virus Blocker Forums
Kaspersky Virus Blocker FAQs





About Kaspersky Virus Blocker

Kaspersky Virus Blocker protects your network against viruses. Kaspersky Virus Blocker took top honors at Untangle’s AV Fight club (virus.untangle.com) last August and has been recognized by leading industry publications.

Viruses arrive over the network by several routes, so Kaspersky Virus Blocker scans the following protocols for viruses in traffic:

  • Email: SMTP, POP, IMAP
  • Web: HTTP
  • File Transfer: FTP

Why Two Virus Blockers?

Virus Blocker and Kaspersky Virus Blocker complement each other. Together they are better than either one alone because they use different engines and different virus signature formulations. Most traditional virus blockers use similar engine technology, so running two of them tends to be redundant rather than complementary; engines that differ can each catch viruses the other misses. As an analogy, if two police departments use different techniques to look for criminals, the odds of catching more criminals increase.

Changing Virus Scanning of Web Traffic

To change virus scanning of web traffic:

  1. From Virus Blocker or Kaspersky Virus Blocker, click the Show Settings tab.
  2. Specify the HTTP settings:
    1. Click the Web tab.
    2. Select the Scan HTTP check box, then click the Advanced Settings hotspot.
  3. Specify the file types that you want to scan:
    1. Click the File Extensions button.
    2. Select the scan check box for each file type that you want to scan, then click Update.
  4. Specify the MIME types that you want to scan:
    1. Click the MIME Types button.
    2. Select the scan check box for each MIME type that you want to scan, or click the add (+) button and add your own MIME type, then click Update.
  5. Click Save.
  6. (Optional) Add .htm, .html, .js (JavaScript) and .css to the File Extensions list. These web file types are not in the default list, so they are not scanned unless you add them:
    1. Click the File Extensions button.
    2. For each file type, click the add (+) button, enter the extension, and click Update.
    3. Click Save.

Changing Virus Scanning of Email

To change virus scanning of email:

  1. From Virus Blocker or Kaspersky Virus Blocker, click the Show Settings tab.
  2. Click the Email tab.
  3. Select the Scan check box for each email protocol that your network uses (Scan SMTP, Scan POP3, Scan IMAP). When a check box is selected, the Untangle Server scans that protocol's email for viruses in both directions unless a custom policy overrides this.
    • If you have a local Microsoft Exchange Server (or any other mail server that receives mail from the Internet), click the SMTP tab.
    • If users download mail with Outlook or another POP client, click the POP tab.
    • If users retrieve mail with an IMAP client, click the IMAP tab.
  4. Choose the Action to take when the Untangle Server detects a virus:
    • pass message: delivers the email unchanged, virus included.
    • remove infection: removes the infected content and delivers the message with the rest of the user data unchanged.
    • block message: stops the email from being delivered; the virus is not removed because nothing is delivered. Blocking is possible only for SMTP; POP and IMAP messages can only be marked (see the FAQ below).
  5. Click the Save button.

Changing Virus Scanning of File Transfers

To change virus scanning of file transfers:

  1. From Virus Blocker or Kaspersky Virus Blocker, click the Show Settings tab.
  2. Click the FTP tab.
  3. Select the scan check box, and click the Save button.

Changing Virus Scanning of File Downloads

If you change any virus scanning settings, the Untangle Server resets (terminates) existing connections. Email clients experience a brief disruption, and display a message to email users. Within a few seconds, the email clients reconnect.

To change virus scanning of file downloads:

  1. From Virus Blocker or Kaspersky Virus Blocker, click the Show Settings tab.
  2. Do one of the following:
    • For file downloads using HTTP, click the Web tab.
    • For file downloads using FTP, click the FTP tab.
  3. Click the Advanced Settings hotspot.
  4. Select or clear the check box for each of the following settings:
    Disable FTP Resume: FTP lets an interrupted download be resumed (restarted) from where it stopped. This is handy on unreliable networks, but while resume is permitted the Untangle Server cannot scan the transfer: a file containing a virus can be transmitted over several connections, so the Untangle Server sees only part of the file on each connection and can never perform a complete scan. Keep this check box selected unless you accept unscanned resumed transfers.
    Disable HTTP Resume: HTTP has the same feature (a client asks the server for only the remaining bytes of a file). While resume is permitted, a file containing a virus can arrive over several connections, and the Untangle Server sees only part of the file at a time and cannot tell whether it contained a virus. Keep this check box selected unless you accept unscanned resumed downloads.
    Scan trickle rate (percent): An advanced setting that controls how quickly a large file is passed on to the client relative to how much of it has been downloaded and scanned (see the FAQ on large files below). Caution: do not change this value unless instructed to by Untangle Technical Support or one of its authorized representatives.
  5. Click the Save button.
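Why a resumed download defeats in-line scanning, as an added example (not Untangle's code): the script below delivers the harmless EICAR test string the way two resumed connections would, each carrying one byte range, and shows that a signature scanner that sees each connection alone never matches while the reassembled file does. It also includes a probe that sends a single Range request through the gateway so you can confirm that resume really is disabled. The scanner is a stand-in that matches one signature, the host and path in the probe are placeholders you must replace, and the probe assumes the test file is served over plain HTTP, since that is the protocol the Untangle Server scans.

```python
"""Why HTTP "resume" (byte-range requests) defeats in-line virus scanning,
and a probe to confirm that resume is really disabled at the gateway.

Added example, not Untangle's code.  The scanner here is a stand-in that
matches one signature; the host/path in the probe are placeholders.
"""
import http.client

# Standard, harmless EICAR test string (68 bytes), split across two literals so
# a local scanner does not flag this script itself.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         rb"ANTIVIRUS-TEST-FILE!$H+H*")


def byte_ranges(total: int, chunk: int) -> list[tuple[int, int]]:
    """Split a `total`-byte download into inclusive HTTP Range spans, exactly
    as a client resuming every `chunk` bytes would request them
    (Range: bytes=start-end)."""
    if chunk <= 0:
        raise ValueError("chunk must be positive")
    return [(start, min(start + chunk, total) - 1)
            for start in range(0, total, chunk)]


def scan(data: bytes, signature: bytes = EICAR) -> bool:
    """Stand-in for a signature scanner: it only matches a contiguous signature."""
    return signature in data


def simulate_resume(payload: bytes, chunk: int) -> dict:
    """Deliver `payload` as separate ranged connections of `chunk` bytes and
    report what a scanner sees per connection versus on the whole file."""
    fragments = [payload[start:end + 1]
                 for start, end in byte_ranges(len(payload), chunk)]
    return {
        "connections": len(fragments),
        "any_fragment_detected": any(scan(f) for f in fragments),
        "reassembled_detected": scan(b"".join(fragments)),
    }


def probe_range_support(host: str, path: str, port: int = 80,
                        last_byte: int = 9) -> dict:
    """Send one ranged GET through the gateway and report what came back.

    A 206 with a Content-Range header means the partial request was honoured
    end to end, i.e. resume is still possible through the gateway.  A 200
    with the full body means the range was not honoured (or the origin
    server itself ignores Range: check that from outside the gateway first).
    Plain HTTP is used deliberately: that is the protocol the Untangle Server
    scans.
    """
    conn = http.client.HTTPConnection(host, port, timeout=15)
    try:
        conn.request("GET", path, headers={"Range": f"bytes=0-{last_byte}"})
        resp = conn.getresponse()
        body = resp.read()
        return {"status": resp.status,
                "content_range": resp.getheader("Content-Range"),
                "received": len(body),
                "resume_possible": resp.status == 206}
    finally:
        conn.close()


if __name__ == "__main__":
    # Two resumed connections of 40 bytes: neither carries the whole 68-byte
    # signature, so a per-connection scanner passes both, yet the client
    # ends up with the complete, detectable file.
    print(simulate_resume(EICAR, 40))
    print(simulate_resume(EICAR, len(EICAR)))
    # Replace the placeholders with a test file you control, served over HTTP:
    # print(probe_range_support("files.example.com", "/eicar.com"))
```

Run the probe from a machine behind the Untangle Server against a file whose origin server is known (from a test outside the gateway) to answer Range requests with 206. If the same request from inside comes back as a full 200, the gateway is not letting resumed downloads through; if it comes back 206 with a Content-Range, an attacker-controlled or merely unlucky client can pull an infected file in pieces that are each scanned on their own. FTP resume works the same way with the REST command, which is what the Disable FTP Resume setting is about.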
About Virus Blocker and Kaspersky Virus Blocker Event Log

Use the following terms and definitions to understand the Virus Blocker Event Log:

timestamp: The time the event took place.
action: The action taken on the document (HTTP response, FTP file, or email). The value depends on the protocol, but contains descriptive text such as block, mark, etc.
client: The IP address of the protocol client. For SMTP this is the sender of the mail, and for IMAP/POP the receiver of the mail. For HTTP this is the address of the machine running the browser. For FTP this is the address of the machine receiving files.
traffic: A descriptive field identifying the type of traffic (HTTP, mail, etc.).
reason for action: The reason the action was taken.
server: The server's IP address. For SMTP this is the machine receiving the email, and for IMAP/POP the machine holding the inbox. For HTTP this is the address of the server sending the document. For FTP this is the address of the machine transmitting the files being downloaded.


Kaspersky Virus Blocker FAQs

How do Untangle Server's Virus Blockers compare to "brand-name" virus blockers?

According to an independent evaluation, Virus Blocker "beats the pants off its commercial competition".

If I use the Untangle Server, do I need to install virus software on individual network computers?

If Untangle's Virus Blockers are running on the Untangle Server, the Untangle Server scans all inbound and outbound email, web and FTP traffic that passes through it. This is your first layer of protection, but it only covers traffic that actually passes through the server. Imagine this scenario:

Angela is a Resume Writer at Angelic Resumes, Inc. One day she works from a remote location, and downloads an infected file from the Internet to her personal laptop, then to her USB drive. She returns to the office the next day, and, using the USB drive, saves the infected file directly to her desktop computer. Her desktop computer is now infected with a virus. To make matters worse, she emails that file to her coworkers. Her coworkers download the file, and now their desktops are also infected.

In this scenario the file was transferred without going through the Untangle Server. If Angela had emailed the file from her personal email account to her coworkers' work email accounts, that email would have passed through the Untangle Server, and the Untangle Server would have prevented the virus from entering your protected network.

Because you cannot fully ensure that all traffic enters and exits through your Untangle Server, Untangle recommends an additional layer of protection: install anti-virus software on all network desktops and laptops.

For Email, why is blocking (or quarantining) of emails when a virus is detected not always an option?

Only the SMTP protocol allows the Untangle Server to block email messages. In POP and IMAP the client drives the session and has already listed the messages in the mailbox, so the Untangle Server can only mark a message (for example, by changing its subject) as the client fetches it; the details of those protocols do not allow a message to be blocked or quarantined.

When configuring my Untangle Server to mark virus emails received over IMAP, the subject of the mails changes to [VIRUS]... only after I click on the message. Why?

Most IMAP clients first fetch summary information about messages (subject, sender) so the user sees a preview list. Only when the user selects (clicks on) a message is its content retrieved from the server, and only then can the Untangle Server scan it and mark the subject. Unfortunately, some email clients do not detect the change in subject and do not update their preview list when the Untangle Server marks the message.

What happens to virus hoaxes?

Spam Blocker, not Virus Blocker or Kaspersky Virus Blocker, blocks virus hoaxes because this type of email is spam, and does not carry an actual virus.

If I have both virus blockers installed, are one or both used and in which order?

If only one virus blocker is installed, only that scanner is applied, according to the settings you have established, provided the rack element is powered on. If both are installed, the "for fee" scanner (Kaspersky Virus Blocker) is applied to a message first; only if the message passes that scanner is the open source scanner (Virus Blocker) applied, because there is no point in scanning a message twice once the first scanner has rejected it.

This does not mean that one scanner is inherently better than the other; the order matters if you are evaluating the two against each other to decide which one, or both, best fits your needs. In that case, note that a virus-free message incurs the computational overhead of both scanners, whereas a message that both scanners would reject incurs only the computational and time cost of the "for fee" scanner. To perform a valid comparison, run your test messages through the Untangle Gateway four times: with no scanners installed, with the "for fee" scanner alone, with the open source scanner alone, and with both scanners installed together, and compare the results.

How can I test that viruses are being blocked?

An easy way to test HTTP virus scanning is to download the EICAR test file from a machine behind the Untangle Server. The file is harmless: if virus scanning is not working, it downloads successfully; if scanning is working, a block page is displayed instead.

Why does the eventLog say this file is blocked, but I can still download it?

When downloading over the web, small files are blocked with a block page. Larger files are treated differently: they are fed to the client at a slower rate than the Untangle Server actually downloads them, so the client does not time out while the download is scanned. Once the Untangle Server has scanned the complete file, it either refuses to send the remainder (if a virus was found) or immediately sends the rest. So for a large file the event log says the file is "blocked" even though the client appears to have received something; checking the file size on the client will show that you do not actually have the complete file.
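A scripted version of the EICAR check from the two FAQ entries above that also handles the large-file case, as an added example rather than Untangle's own tooling: run from a machine behind the Untangle Server, it fetches each URL you give it and reports whether the test file arrived intact (scanning is not working, or the traffic bypassed the gateway), was replaced by a block page, or was cut off short of its declared Content-Length, which is what the client sees when the server refuses the remainder of a large file after scanning it. The URLs, the block page text and the sample responses used for the offline self-check are constructed for illustration; the real block page's wording and status code are not assumed, only that it is HTML rather than the requested file.

```python
"""Check, from a client behind the Untangle Server, whether a download was
passed, replaced by a block page, or cut off after the scan.

Added example; not Untangle's own tooling.  Assumptions are marked below.
"""
import http.client
import sys
import urllib.error
import urllib.request
from typing import NamedTuple, Optional

# Standard, harmless EICAR test string (68 bytes), split across two literals so
# a local scanner does not flag this script itself.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         rb"ANTIVIRUS-TEST-FILE!$H+H*")


class Download(NamedTuple):
    status: int
    content_type: str
    content_length: Optional[str]   # header value as received, or None
    body: bytes


def fetch(url: str, timeout: float = 120.0) -> Download:
    """GET `url` and return what the client actually received.

    If the gateway closes the stream before the declared Content-Length has
    arrived (the large-file case), urllib raises IncompleteRead; the partial
    body is kept so it can be classified.  A block page may come with a
    4xx/5xx status, so HTTPError bodies are kept as well.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "eicar-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            try:
                body = resp.read()
            except http.client.IncompleteRead as err:
                body = err.partial
            return Download(resp.status, resp.headers.get("Content-Type", ""),
                            resp.headers.get("Content-Length"), body)
    except urllib.error.HTTPError as err:
        return Download(err.code, err.headers.get("Content-Type", ""),
                        err.headers.get("Content-Length"), err.read())


def classify(d: Download, signature: bytes = EICAR) -> str:
    """Return 'passed', 'truncated', 'blocked' or 'intact'.

    passed    - the test signature reached the client: scanning is not working
    truncated - fewer bytes than declared: the remainder was refused after scan
    blocked   - an HTML page came back instead of the file (small-file case)
    intact    - the whole body arrived and carries no signature (a clean file)
    """
    if signature in d.body:
        return "passed"
    declared = (int(d.content_length)
                if d.content_length and d.content_length.isdigit() else None)
    if declared is not None and len(d.body) < declared:
        return "truncated"
    if d.content_type.lower().startswith("text/html"):
        return "blocked"
    return "intact"


# Constructed sample responses (not captured from a real gateway) so the
# classifier can be exercised offline.  The block page wording is invented.
SAMPLES = {
    "small file passed": Download(200, "application/octet-stream", "68", EICAR),
    "small file blocked": Download(403, "text/html; charset=utf-8", None,
                                   b"<html><body>Download blocked</body></html>"),
    "large file cut off": Download(200, "application/zip", "5242880",
                                   b"\x00" * 4096),
    "clean file": Download(200, "application/zip", "4096", b"\x00" * 4096),
}


def self_check() -> dict:
    """Classify the constructed samples; sanity-checks the logic offline."""
    return {name: classify(d) for name, d in SAMPLES.items()}


def main(argv: list) -> int:
    if not argv:
        print("usage: eicar_check.py URL [URL ...]   (plain http:// URLs)")
        print(self_check())
        return 2
    for url in argv:
        d = fetch(url)
        print(f"{classify(d):10} status={d.status} received={len(d.body)} "
              f"declared={d.content_length} type={d.content_type} {url}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Use plain http:// URLs: the Untangle Server scans HTTP, so an https:// download of the EICAR file will always come back "passed" and proves nothing about the gateway. A "truncated" result for a large file is the expected, correct outcome the FAQ describes, and should line up with a "blocked" entry in the event log; an "intact" result for a file you know to be infected means the traffic did not pass through the scanner.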