Virus Blockers
From UntangleWiki
About Virus Blocker
Virus Blocker is based on an open-source virus scanner, Clam AntiVirus, and is well known for its speed and accuracy. In fact, according to an independent evaluation, Virus Blocker (Clam AntiVirus) "beats the pants off its commercial competition".
Virus Blocker does the following:
- Detects viruses, worms, and trojan horses.
- Scans within archives and compressed files: Zip, RAR, Tar, Gzip, Bzip2, MS OLE2, MS Cabinet Files, MS CHM, and MS SZDD.
- Protects against archive bombs: files that are repeatedly compressed so that scanning the many levels of files within files consumes all CPU resources and causes virus scanners or other programs to crash or hang.
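The archive-bomb protection above, as an added example that is not part of the Untangle documentation or ClamAV: a recursive zip walker that refuses to inflate further once nesting depth, declared compression ratio or total inflated size exceeds limits. The limit values and the test archives built by nest() are constructed for this example.

```python
import io
import zipfile

MAX_DEPTH = 3            # illustrative limits for this example, not Untangle's or ClamAV's
MAX_RATIO = 100          # declared uncompressed/compressed ratio treated as suspicious
MAX_TOTAL = 10_000_000   # total bytes we are willing to inflate for one download


def scan_zip(data, depth=0, budget=None):
    """Walk a zip and the zips nested in it, enforcing the limits above. Returns the
    number of leaf members reached; raises ValueError for an archive bomb."""
    if budget is None:
        budget = [0]  # bytes inflated so far, shared across recursion levels
    if depth > MAX_DEPTH:
        raise ValueError("archive bomb: nesting deeper than %d levels" % MAX_DEPTH)
    zf = zipfile.ZipFile(io.BytesIO(data))
    leaves = 0
    for info in zf.infolist():
        # Header-declared sizes are checked before inflating; a real scanner must also
        # enforce the budget while inflating, because headers can lie.
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            raise ValueError("archive bomb: %s inflates over %dx" % (info.filename, MAX_RATIO))
        budget[0] += info.file_size
        if budget[0] > MAX_TOTAL:
            raise ValueError("archive bomb: total inflated size over %d bytes" % MAX_TOTAL)
        member = zf.read(info)
        if info.filename.lower().endswith(".zip"):
            leaves += scan_zip(member, depth + 1, budget)
        else:
            leaves += 1  # here the real scanner would examine the member's bytes
    return leaves


def is_bomb(data):
    """True if scan_zip refuses the archive, False if it can be scanned fully."""
    try:
        scan_zip(data)
    except ValueError:
        return True
    return False


def nest(payload, levels):
    """Constructed test archive: payload wrapped in `levels` zip layers."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("inner.zip" if i else "doc.txt", data)
        data = buf.getvalue()
    return data
```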
About Kaspersky Virus Blocker
Kaspersky Virus Blocker protects your network against viruses. Kaspersky Virus Blocker took top honors at Untangle’s AV Fight club (virus.untangle.com) last August and has been recognized by leading industry publications.
As you know, viruses arrive over the network using several techniques, so Kaspersky Virus Blocker scans many protocols for the presence of viruses in traffic:
- Email: SMTP, POP, IMAP
- Web: HTTP
- File Transfer: FTP
Why Two Virus Blockers?
Virus Blocker and Kaspersky Virus Blocker complement each other. Together they are better than either one alone because they use different engines and virus signature formulations. Most traditional virus blockers use similar engine technology, and so they tend to be redundant rather than complementary; different engines can catch viruses that the other might miss. As an analogy, if two police departments employ different techniques to look for criminals, the odds of catching more criminals increase.
Changing Virus Scanning of Web Traffic
To change virus scanning of web traffic:
- From Virus Blocker or Dual Virus Blocker, click the Show Settings tab.
- Specify the HTTP settings:
  - Click the HTTP tab.
  - In the table, select the scan check box.
- Specify the file types that you want to scan:
  - Click the File Extension List tab.
  - Select the scan check box for each file type that you want to scan.
- Specify the MIME types that you want to scan:
  - Click the MIME Type List tab.
  - Select the scan check box for each MIME type that you want to scan.
- Click the Save Settings button.
By default, .htm, .html, .js (JavaScript) and .css (cascading style sheets) are not included in the File Extension List for scanning. You must add them to the File Extension List if you wish to have them scanned as well:
- Click the File Extension List tab.
- Click the + Add button to add htm.
- Click the + Add button to add html.
- Continue adding any additional web extensions you wish to have scanned.
- Click the Save Settings button.
Changing Virus Scanning of Email
To change virus scanning of email:
- From Virus Blocker or Dual Virus Blocker, click the Show Settings tab.
- Click the Email tab, and click the SMTP, POP, or IMAP tab that corresponds to the type of email that your company uses.
- In the table, select the row that corresponds to the email traffic that you want to scan.
- Select the scan check box, and click the Save Settings button.
The settings in the table are:
- scan: When the check box is selected, the Untangle Server scans email for viruses in both directions unless there is a custom policy that overrides these instructions.
- action if Virus detected: one of the following:
  - remove infection. Removes the virus without changing any user data.
  - pass message. Sends email without removing the virus.
  - block message. Blocks the email without removing the virus.
Changing Virus Scanning of File Transfers
To change virus scanning of file transfers:
- From Virus Blocker or Dual Virus Blocker, click the Show Settings tab.
- Click the FTP tab.
- Select the scan check box, and click the Save Settings button.
Changing Virus Scanning of File Downloads
If you change any virus scanning settings, the Untangle Server resets (terminates) existing connections. Email clients experience a brief disruption, and display a message to email users. Within a few seconds, the email clients reconnect.
To change virus scanning of file downloads:
- From Virus Blocker or Dual Virus Blocker, click the Show Settings tab.
- Click the General Settings tab.
- Specify the values for the following settings:
- Click the Save Settings button.
The settings are:
- disable FTP download resume: The FTP protocol has an advanced feature that allows an interrupted file download to be resumed (restarted) where the download ended. Although a handy feature for unreliable networks, the Untangle Server cannot scan a file transfer for viruses when this feature is enabled. When FTP download resume is permitted, a file containing a virus could be transmitted over multiple connections, and the Untangle Server will only see parts of the file and be unable to perform a complete scan.
- disable HTTP download resume: The HTTP protocol has an advanced feature where an interrupted file download may be resumed (restarted) where it left off. Although a handy feature for unreliable networks, the Untangle Server is unable to perform virus scans when this feature is enabled. When HTTP download resume is permitted, a file containing a virus could be received over multiple connections. When this occurs, the Untangle Server only sees parts of the file at once and cannot know whether it contained a virus.
- scan trickle rate (percent): This is an advanced feature, controlling how quickly files are downloaded relative to scanning. Caution: As an advanced feature, you should not change this value unless instructed to by a member of Untangle Technical Support or one of their authorized representatives.
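The download-resume problem described above, as an added example that is not part of the Untangle documentation: a constructed stand-in scanner inspects each HTTP connection on its own, so a signature that straddles the point where a Range-based resume picks up is never seen whole. Dropping the Range header so the retry fetches the entire file is an assumed way to enforce the setting, not a description of how the Untangle Server implements it; SIGNATURE and FILE are made-up test data.

```python
# Constructed stand-in for an inline scanner in front of an HTTP download.
# SIGNATURE and FILE are made-up test data; no real malware or real signature is used.
SIGNATURE = b"CONSTRUCTED-SIG-42"
FILE = b"A" * 100 + SIGNATURE + b"B" * 100


def scan_bytes(data):
    """Stand-in scanner: True if the constructed signature occurs in data."""
    return SIGNATURE in data


def serve_range(range_header):
    """Minimal origin server: honours 'bytes=start-end' (end optional) or sends it all."""
    if range_header is None:
        return FILE
    start, _, end = range_header[len("bytes="):].partition("-")
    stop = int(end) + 1 if end else len(FILE)
    return FILE[int(start):stop]


def resumed_download(split_at):
    """Client is interrupted after split_at bytes and resumes with a Range request.
    The inline scanner sees each connection on its own; returns True if it alerts."""
    first = serve_range("bytes=0-%d" % (split_at - 1))
    second = serve_range("bytes=%d-" % split_at)
    return scan_bytes(first) or scan_bytes(second)


def download_with_resume_disabled(split_at):
    """Same interruption, but the gateway drops the Range header (an assumed way to
    implement 'disable HTTP download resume'), so the retry fetches the whole file
    and the scanner sees it complete."""
    first = serve_range("bytes=0-%d" % (split_at - 1))
    second = serve_range(None)  # Range header stripped: full file, scanned whole
    return scan_bytes(first) or scan_bytes(second)
```

A split at byte 50 is still caught because the second connection carries the whole signature; a split at byte 107 cuts the signature in two and neither connection alerts, which is exactly what the scanner cannot predict when resume is allowed.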
About Virus Blocker and Kaspersky Virus Blocker Event Log
Use the following terms and definitions to understand the Virus Blocker Event Log:
- timestamp: The time the event took place.
- action: The action taken on the document (HTTP response, FTP file, or email). The value depends on the mail protocol, but will contain descriptive text such as block, mark, etc.
- client: The client IP address of the protocol client. For SMTP this is the sender of the mail, and for IMAP/POP the receiver of the mail. For HTTP this is the address of the client browser machine. For FTP, this is the address of the machine receiving files.
- traffic: A descriptive field identifying the type of traffic (HTTP, mail, etc.).
- reason for action: The reason the action was taken.
- server: The server's IP address. For SMTP this is the machine receiving the email, and for IMAP/POP the machine holding the inbox. For HTTP this is the address of the server machine sending the document. For FTP this is the address of the machine transmitting the files being downloaded.
