CacheGuard OS
User's Guide - Version 5.7.6

The Antivirus

The antivirus module blocks all malware coming from the Web so viruses, trojans and worms are all eradicated even before entering into your networks. This module works in forwarding (web) mode as well as in reverse (rweb) mode. In forwarding mode, it rejects all accesses to malware objects while in reverse mode all attempts to upload malware on a protected Web server are blocked. To activate the Antivirus module use the following commands:

mode antivirus on
apply

The antivirus detects MS Office macro viruses, mobile malware, and other threats. It supports 32/64-bit Portable Executable files and 32-bit ELF files. Additionally, it handles the following files:

PE files compressed or obfuscated with the following tools: Aspack (2.12), UPX (all versions), FSG (1.3, 1.31, 1.33, 2.0), Petite (2.x), PeSpin (1.1), NsPack, wwpack32 (1.20), MEW, Upack, Y0da Cryptor (1.3).
Almost every mail file format including TNEF (winmail.dat) attachments are supported.
The most popular file formats like: MS Office and MacOffice files, RTF, PDF, HTML.
Various obfuscators, encoders, files vulnerable to security risks such as: JPEG (exploit detection), RIFF (exploit detection), uuencode, ScrEnc obfuscation.

The antivirus module scans not only simple files but looks inside archive and compression files. The following archive and compression formats are supported: Zip (+ SFX), RAR (+ SFX), Tar, Gzip, Bzip2, MS OLE2, MS Cabinet Files (+ SFX), MS CHM (Compiled HTML), MS SZDD compression format, BinHex, SIS (SymbianOS packages), AutoIt, NSIS.

Automatic Updating

The system periodically checks the malware signature database and if necessary, downloads updates by connecting to your regional servers using HTTP. Updates are downloaded from servers named db..clamav.net where the is a two letters country code. To set the regional update server use the following commands:

antivirus auto <country-code>
apply

Use the command countrylist to get a list of valid country codes.

The Antivirus & WAF

CacheGuard is a Web gateway that protects against threats coming from the Web. If you implement CacheGuard in front of your Web servers (rweb or reverse mode), the Gateway may act as a WAF (Web Application Firewall) protecting your Web infrastructure against threats coming from the Internet. So when rweb, waf and antivirus are all activated, CacheGuard scans all attempts to upload files onto your Web servers and instantly blocks malware before they can reach Web servers. Note that the only supported method to upload a file is the POST method with an encryption type of multipart/form-data. For security reasons, the PUT method is always rejected by the system.

Testing the Antivirus

The European Expert Group for IT Security provides some virus file for testing purpose. You can find these files on the website http://www.eicar.org.