Virus Blocker Lite
From UntangleWiki
About Virus Blocker Lite
Virus Blocker Lite transparently scans your HTTP, FTP and email traffic to protect your network from viruses, trojans and other malware.
Virus Blocker Lite is based on ClamAV, an open-source virus scanner that is well known for its speed and accuracy.
Settings
This section reviews the different settings and configuration options available for the virus scanners.
Web Settings
This section reviews the different settings and configuration options for web traffic.
- Scan HTTP: This enables or disables HTTP scanning.
- File Types: The File Types section allows you to scan files by file extension - just select (or add) your chosen file extension, check your preferred action (scan or not), and save.
- MIME Types: The MIME Types section allows you to scan files by MIME type - just select (or add) your chosen MIME type, check your preferred action (scan or not), and save.
Email Settings
This section reviews the different settings and configuration options for email traffic.
- Scan SMTP/POP/IMAP: These options enable or disable scanning the respective protocols.
- Action: The selected action will be taken on a message if a virus is found.
- Setting Action to Remove Infection will remove the infection and wrap the original email for delivery to the intended recipient. If set to Pass Message, the original message will be wrapped and delivered with the attachment intact. In both cases, the subject line is prepended with "[VIRUS]". Due to protocol limitations, only SMTP can be set to Block, which will stop the message from being delivered at all.
FTP Settings
This section reviews the different settings and configuration options for FTP traffic.
- Scan FTP: This enables or disables FTP scanning.
Event Logs
Use the following terms and definitions to understand the Event Logs:
Web Event Log
| Name | Description |
|---|---|
| Timestamp | The time the event took place. |
| Client | The IP address of the client that made the request. |
| Username | The username of the client that made the request, if available. |
| Host | The Host portion of the request. |
| URI | The URI portion of the request. |
| Virus Name | If found, this is the common name of the virus. |
| Server | The IP address of the server that received the request. |
Email Event Log
| Name | Description |
|---|---|
| Timestamp | The time the event took place. |
| Client | The IP address of the client that made the request. |
| Receiver | The email address of the recipient. |
| Sender | The email address of the sender. |
| Subject | The subject of the email. |
| Virus Name | If found, this is the common name of the virus. |
| Server | The IP address of the server that received the request. |
Related Topics
Virus Blocker FAQs
How do Untangle's Virus Blockers compare to "brand-name" virus blockers?
Virus Blocker is based on the award-winning Commtouch AV Engine, which is consistently in the top 10 for detecting zero-hour threats.
Virus Blocker Lite is based on ClamAV, the well-respected open source virus scanner.
If I use Untangle, do I need to install virus software on individual network computers?
When Untangle's Virus Blockers are running, they scan the inbound and outbound HTTP, FTP and email traffic that goes through Untangle. This is your first layer of protection. Imagine this scenario:
Angela is a Resume Writer at Angelic Resumes, Inc. One day she works from a remote location, and downloads an infected file from the Internet to her personal laptop, then to her USB drive. She returns to the office the next day, and, using the USB drive, saves the infected file directly to her desktop computer. Her desktop computer is now infected with a virus. To make matters worse, she emails that file to her coworkers. Her coworkers download the file, and now their desktops are also infected.
In this scenario the file was transferred without going through Untangle. If Angela had emailed the file to her coworkers' work email accounts from her personal email account, that email would have passed through Untangle, which would have prevented the virus from entering your protected network. Because of situations like this, we always recommend an additional layer of protection on the desktop.
If I have Virus Blocker and Virus Blocker Lite installed, are one or both used and in which order?
If you have both virus scanners installed, Virus Blocker is applied to a message first: if a message passes Virus Blocker, then and only then is Virus Blocker Lite applied to the message (there's no point in scanning the message twice if the first scanner has rejected it). This is not to say one scanner is inherently better than the other: note that Virus Blocker is complemented by Virus Blocker Lite and in the case of a virus-free message, the computational overhead of the virus scan includes both scanners. A message that would be rejected by both scanners incurs the computational and time cost of just Virus Blocker. To perform a valid comparison, you should run test messages through Untangle with no scanners installed, Virus Blocker by itself, Virus Blocker Lite by itself and lastly both scanners installed together and compare the results.
How can I test that viruses are being blocked?
An easy way to test HTTP virus scanning is to download the EICAR test file from a machine behind Untangle. If virus scanning is not working, the file will download successfully (it is harmless). If it is working, a block page will be displayed.
Why do emails with larger attachments sometimes "disappear" or fail to be delivered?
While Untangle is scanning the attachments, your email server is still waiting for the message, most likely triggering a timeout setting. If you're using MS Exchange, you'll want to increase the ConnectionInactivityTimeout setting.
Why does the Event Log say a file is blocked, but I can still download it?
When downloading over the web, small files are blocked with a block page. Larger files are treated differently: they are fed to the client at a slower rate than they are actually downloaded, so the client does not time out while the download happens. After Untangle scans the complete file, it will either refuse to send the rest if there is a virus or immediately send the rest. This means that for large files the Event Log says the file is "blocked", but checking the file size on the client will show that you do not actually have the complete file.
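The two outcomes described in the answers above (a block page for small files, a cut-off transfer for large ones) can be told apart on the client by comparing what arrived with what was expected. This is an added example, not part of the Untangle documentation; the function names, the result labels, and the choice to pass the test file's URL and its known SHA-256 on the command line are assumptions.

```python
import hashlib
import http.client
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple


def fetch(url: str, timeout: float = 120.0) -> Tuple[bytes, Optional[int]]:
    """Download url and return (bytes received, declared Content-Length)."""
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # an error status still carries a body (e.g. a block page)
    try:
        header = resp.headers.get("Content-Length") or ""
        declared = int(header) if header.isdigit() else None
        try:
            body = resp.read()
        except http.client.IncompleteRead as exc:
            body = exc.partial  # sender stopped before the declared length
    finally:
        resp.close()
    return body, declared


def classify(body: bytes, declared: Optional[int], expected_sha256: str) -> str:
    """Compare a download with the reference hash of the test file.

    DELIVERED - the file arrived intact, so it was not stopped by scanning
    TRUNCATED - fewer bytes than declared: the large-file case, transfer cut off
    REPLACED  - a complete but different body, such as a block page
    """
    if hashlib.sha256(body).hexdigest() == expected_sha256.strip().lower():
        return "DELIVERED"
    if declared is not None and len(body) < declared:
        return "TRUNCATED"
    return "REPLACED"


if __name__ == "__main__":
    # Usage (hypothetical script name): check_download.py <url> <sha256-of-test-file>
    test_url, reference_hash = sys.argv[1], sys.argv[2]
    received, declared_length = fetch(test_url)
    print(classify(received, declared_length, reference_hash),
          len(received), declared_length)
```

Run it from a machine behind Untangle; a DELIVERED result for a test file that should have been caught means the traffic is not being scanned.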
Why is blocking (or quarantining) of emails when a virus is detected not always an option?
Only the SMTP protocol allows Untangle to completely block email messages. The POP and IMAP protocols do not allow Untangle to block or quarantine email messages, only to remove the infection or pass the message.
When a virus is detected over IMAP, why does the subject of the mail change to [VIRUS]... only after I click on the message?
Most IMAP clients first fetch summary information about emails (subject, sender) so the end user can see a preview list of messages. Only when the user clicks on the message is the actual content of the message retrieved from the server and Untangle is able to scan the message. Unfortunately some email clients do not detect the change in subject and update their preview list when the Untangle Server marks the message.
What happens to virus hoaxes?
Spam Blocker, not Virus Blocker or Kaspersky Virus Blocker, blocks virus hoaxes because this type of email is spam and does not carry an actual virus.


