antivirus

NAME

antivirus - Configure the antivirus

SYNOPSIS

[1] antivirus [auto [<country-code>]]

[2] antivirus [extended [url [<URL>]] | vload [(on | off)]]

[3] antivirus whitelist signature (load (ftp | sftp | tftp) <file-server> <file-name> | clear)

[4] antivirus whitelist domainname [(add | del) <domain-name> | raz]

[5] antivirus [maxobject [<file-size>]]

[6] antivirus [pua [(on | off)]]

[7] antivirus topology (internal | external | auxiliary | vpnipsec) [on | off]

[8] antivirus (update | create) [report | force]

DESCRIPTION

When the antivirus mode is activated, malware (viruses, trojans, worms and other malicious objects) coming from the Web is blocked by the system before it enters your local networks. The command antivirus is used to configure and manage this antivirus. To activate the antivirus, use the command mode antivirus on.

The antivirus works in both forwarding (web) and reverse (rweb) modes. In forwarding mode, it blocks all browsing accesses to malware objects, while in reverse mode all attempts to upload malware onto a protected Web server are blocked.

The antivirus detects MS Office macro viruses, mobile malware, and other threats. It supports 32/64-bit Portable Executable files and 32-bit ELF files. Additionally, it handles the following files:

• PE files compressed or obfuscated with the following tools: Aspack (2.12), UPX (all versions), FSG (1.3, 1.31, 1.33, 2.0), Petite (2.x), PeSpin (1.1), NsPack, wwpack32 (1.20), MEW, Upack, Y0da Cryptor (1.3).

• Almost every mail file format including TNEF (winmail.dat) attachments are supported.

• The most popular file formats like: MS Office and MacOffice files, RTF, PDF, HTML.

• Various obfuscators, encoders, files vulnerable to security risks such as: JPEG (exploit detection), RIFF (exploit detection), uuencode, ScrEnc obfuscation.

The antivirus scans not only simple files but looks inside archive and compression files. The following archive and compression formats are supported: Zip (+ SFX), RAR (+ SFX), Tar, Gzip, Bzip2, MS OLE2, MS Cabinet Files (+ SFX), MS CHM (Compiled HTML), MS SZDD compression format, BinHex, SIS (SymbianOS packages), AutoIt, NSIS.

Note that, for performance reasons, video/audio streaming content is not checked by the antivirus in forwarding mode. In reverse mode all uploaded content is checked.

Every 60 minutes the system automatically checks for virus signature DB updates and, if necessary, downloads new virus signatures from regional servers using HTTPS. Updates are downloaded from db.<country-code>.clamav.net (where <country-code> is a two-letter ISO 3166-1 alpha-2 code) or from database.clamav.net. The first usage form sets the regional update server: use the keyword auto followed by your two-letter country code. Use the command countrylist to get a list of valid country codes.

For a higher level of protection, extended antivirus signatures can be loaded into the system. The second usage form configures the extended antivirus. Extended signatures are fetched with a supported file transfer protocol (sftp, ftp or tftp) from a location that you specify as a URL, using the keywords extended url followed by a valid URL (ftp://ftp.cacheguard.net/AV for instance). To allow the system to load extended signatures automatically from that URL, the host part of the URL must belong to the list of trusted file servers defined with the access command. Additionally, if the file server requires a username/password, these must be configured with the password command.

To load extended antivirus signatures, three methods can be used. The load method simply downloads signature files without any verification: anyone able to tamper with the file server or with the transfer itself (ftp and tftp are cleartext protocols) can feed the gateway arbitrary signature files. The vload (verify load) method secures downloads by verifying the content of the downloaded files; this is useful when you download signature files from a file server managed by CacheGuard Technologies Ltd or one of its referenced partners. With vload, a detached signature file is downloaded alongside each antivirus signatures file and used to verify that the signatures file has not been altered in transit; the signature file has the same name as the signatures file followed by the extension .sig. If the gateway is managed by a manager system (see the manager command), extended signatures can be pushed by the manager: in this case use the push method. The loading method is set with the keywords extended method followed by the chosen method name (load, vload or push). Note that if you modify the extended antivirus URL or its loading method, extended signatures are not updated during the apply operation: to update them immediately, run the antivirus update usage form (see below), or wait for the next automatic update. With the push method, updates are done in two asynchronous phases: first the manager pushes the updates to the gateway, then the gateway takes them into account asynchronously.

If you encounter a false positive signature match, contact our support services to submit your case so we can study it and possibly fix it. Meanwhile, if your activity is blocked by false positive matches, you can bypass those checks with your own white list of virus names. The third usage form loads a white list of virus signatures from a trusted file server: use the keywords whitelist signature load followed by the protocol to use, the file server name or IP address and the white list file name. Only trusted file servers are allowed; trusted file servers are declared with the command access. A valid white list of virus signatures is a plain text file containing virus names (one virus name per line). To clear a previously loaded white list use the keywords whitelist signature clear. On a manager system, the white list of virus signatures is managed globally (i.e. it is not specific to a template or gateway context and can only be loaded outside a template or gateway context).

The fourth usage form defines a white list of domain names for which the antivirus at the Web gateway is bypassed in forwarding mode. You can use it to white list websites such as www.phishtank.com. Keep this list short: objects fetched from a white-listed domain are not scanned at all, so any malware served from that domain (for instance by a compromised site) goes through unchecked.

The antivirus scans only files smaller than an upper limit. The fifth usage form sets this limit. By default the upper limit is 2048 KB. To change it use the keyword maxobject followed by the required size in kilobytes. Note that for optimal performance you should not raise this value unnecessarily. The minimum and maximum authorized values are respectively 1024 KB and 24576 KB.

Additionally, the antivirus may detect Potentially Unwanted Applications (PUA). The sixth usage form activates or deactivates PUA detection: use the keyword pua followed by the keyword on to activate the PUA checks, or followed by the keyword off to deactivate them. Detected PUA categories are as follows:

• Packed: files that use some kind of runtime packer. A runtime packer reduces the size of an executable without the need for an external unpacker. While this cannot be considered malicious in general, runtime packers are widely used with malicious files because they can hide malware from antivirus products.

• PwTool: Password tools are all applications that can be used to recover or decrypt passwords for various applications like mail clients or system passwords. Such tools can be quite helpful if a password is lost, however, it can also be used to spy out passwords.

• NetTool: applications that can be used to sniff, filter, manipulate or scan network traffic or networks. While a network scanner can be an extremely helpful tool for admins, you may not want to see an average user playing around with it. The same goes for tools like netcat and the like.

• P2P: peer-to-peer clients can generate a lot of unwanted traffic and are sometimes used to violate copyright by downloading protected content (music, movies); therefore we consider them unwanted.

• IRC: IRC Clients can be a productivity killer and depending on the client, can be a powerful platform for malicious scripts (take mIRC for example).

• RAT: Remote Access Trojans are used to remotely access systems, but can be used also by system admins, for example VNC or RAdmin.

• Tool: General system tools, like process killers/finders.

• Spy: Keyloggers, spying tools.

• Server: Server based badware like DistributedNet.

• Script: Known "problem" scripts written in Javascript, ActiveX or similar.

Please note that PUA detection may be too aggressive and lead to false positive matches.

The antivirus is mainly used by the integrated proxy to block malware in Web traffic, but it can also be offered as a service to external systems such as an MTA (Mail Transfer Agent). Refer to the commands port and access to configure the antivirus as a service for external systems. The seventh usage form defines the antivirus access topology, i.e. the logical network interfaces from which external systems may connect. To allow connections on the internal interface turn the internal flag on (to deny, turn it off). To allow connections on the external interface turn the external flag on (to deny, turn it off). To allow connections on the auxiliary interface turn the auxiliary flag on (to deny, turn it off). To allow connections on the internal interface from an IPsec VPN turn the vpnipsec flag on (to deny, turn it off).

The antivirus used by the present system is ClamAV. Please refer to the documentation of your external systems for how to connect them to the antivirus.
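As an added example (not CacheGuard code), here is a minimal client for the service described above. It assumes the antivirus port speaks the standard clamd network protocol, which the ClamAV engine and the port range listed in the firewall section suggest; the host, port and sample data are placeholders. It uses the INSTREAM command, which carries the file over the already-established connection, so a client written this way only needs the antivirus port itself to be reachable (clamd's legacy STREAM command is the one that opens a separate data port):

```python
"""clamd INSTREAM client (added example, not CacheGuard code)."""
import socket
import struct
from typing import Optional, Tuple

# The standard EICAR test string (harmless, recognized by every scanner),
# assembled from two parts so the script itself is not quarantined.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_instream_request(data: bytes, chunk_size: int = 8192) -> bytes:
    """Encode data as a clamd zINSTREAM request.

    Wire format: the command "zINSTREAM\\0", then one or more chunks, each a
    4-byte big-endian length followed by that many bytes, then a zero-length
    chunk that terminates the stream.
    """
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    frames = bytearray(b"zINSTREAM\0")
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        frames += struct.pack("!I", len(chunk)) + chunk
    frames += struct.pack("!I", 0)  # terminator
    return bytes(frames)


def parse_instream_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Turn a clamd reply into (verdict, detail).

    clamd answers "stream: OK", "stream: <SignatureName> FOUND" or
    "stream: <message> ERROR"; with a z-prefixed command the reply is
    NUL-terminated.
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", errors="replace")
    _prefix, sep, body = text.partition(": ")
    if not sep:
        raise ValueError("malformed clamd reply: %r" % text)
    if body == "OK":
        return ("OK", None)
    if body.endswith(" FOUND"):
        return ("FOUND", body[:-len(" FOUND")])
    if body.endswith(" ERROR"):
        return ("ERROR", body[:-len(" ERROR")])
    raise ValueError("unexpected clamd reply: %r" % text)


def scan_bytes(host: str, port: int, data: bytes,
               timeout: float = 60.0) -> Tuple[str, Optional[str]]:
    """Send data to clamd at host:port with INSTREAM and return the verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_instream_request(data))
        reply = bytearray()
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_instream_reply(bytes(reply))


def is_blocked(verdict: Tuple[str, Optional[str]]) -> bool:
    """Fail closed: only an explicit OK lets the object through. An ERROR
    (for instance a stream above clamd's size limit) means the object was
    not fully scanned and must be treated like a detection."""
    return verdict[0] != "OK"


if __name__ == "__main__":
    # Placeholder address: use the gateway's IP and the port set with `port`.
    verdict = scan_bytes("192.0.2.1", 3310, EICAR)
    print(verdict, "blocked" if is_blocked(verdict) else "clean")
```

An MTA integration should apply the same fail-closed rule as is_blocked: a connection failure or a truncated reply is not a clean result.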

The eighth usage form performs an explicit update. To download and rebuild the whole signature database use the keyword create. Update and create are asynchronous operations executed in the background; you have to wait for other asynchronous commands to terminate before running them. CAUTION: to avoid flooding the update servers, explicit update and create operations should be used sparingly; otherwise your system may be banned by some antivirus update servers. When update (or create) is invoked, the user is asked to confirm its execution; the optional argument force bypasses this confirmation. To print a brief report on the update and create operations, use the keyword report. The report may show errors in different contexts. Meaningful errors are as follows:

[ Antivirus signature base update (or create) context ]:

• Error 58: can’t read databases from remote servers.

• Error 59: Remote servers are not fully synchronized (try again later).

• Error 101-109: can’t resolve remote servers names.

• Error 121: the Antivirus extended update program has been killed.

• Error 122: a downloaded Antivirus extended DB is not authentic. Use the command antivirus update to retry a signature update and get error details.

• Error 123: can’t download the Antivirus extended index file.

• Error 124: error(s) while processing the AV extended DB file(s). Use the command antivirus update to retry a signature update and get error details.

• Error > 124: multiple errors occurred. The error number is the sum of the above error numbers.

[ Antivirus extended signature index update context ]:

• Error 68: file not found on TFTP server.

• Error 78: the resource referenced in the URL does not exist.

• Error 101: the index file signature verification failed.

CAUTION

• A Web gateway acting as an antivirus is a network device that blocks malware coming from the Web and reinforces your security, but it is not a substitute for endpoint protection (streamed media and objects above the maxobject limit, for instance, are not scanned). Never deactivate the local antivirus on your workstations or servers.

• If for some reason the antivirus service cannot start (for instance because the gateway is disconnected from the Internet), Web access is blocked: the antivirus check fails closed and cannot be bypassed.

WAF

The present system is a Web gateway that protects against threats coming from the Web. When configured in forwarding mode (mode web on) with the antivirus activated, it protects Web browsing from virus infections (as long as it is deployed in your network as a proxy or a transparent Web proxy). When the system is deployed as a reverse proxy (mode rweb on) and WAF (mode waf on) in front of your Web servers, activating the antivirus scans all attempts to upload files onto your Web servers and blocks malware before it reaches them. Note that the only supported upload method is a POST with the encoding type (enctype) "multipart/form-data".

HTML code that allows you to upload a file can be as follows (the file input needs a name attribute, otherwise browsers omit the file from the submission):

<form enctype="multipart/form-data" method="post" action="/upload-file.html">

File name: <input type="file" name="upload" /> <input type="submit" value="Upload" />

</form>
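The following Python script is an added example, not part of this page or of CacheGuard's own tooling. It submits a file exactly the way the form above does, so you can check from outside that the reverse proxy rejects an EICAR test upload. The URL and the form field name are placeholders, and the assumption that a blocked upload comes back with a non-2xx status is ours, not the page's:

```python
"""Multipart test upload through the reverse proxy (added example)."""
import urllib.error
import urllib.request
import uuid
from typing import Optional, Tuple

# Standard EICAR test string, split in two so the script is not quarantined.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_multipart(field: str, filename: str, content: bytes,
                    boundary: Optional[str] = None) -> Tuple[str, bytes]:
    """Build a multipart/form-data body with a single file part, as a browser
    does for <input type="file" name=field>. Returns (Content-Type, body)."""
    boundary = boundary or uuid.uuid4().hex
    body = (
        ("--%s\r\n" % boundary).encode()
        + ('Content-Disposition: form-data; name="%s"; filename="%s"\r\n'
           % (field, filename)).encode()
        + b"Content-Type: application/octet-stream\r\n\r\n"
        + content
        + ("\r\n--%s--\r\n" % boundary).encode()
    )
    return "multipart/form-data; boundary=%s" % boundary, body


def post_upload(url: str, field: str, filename: str, content: bytes,
                timeout: float = 30.0) -> int:
    """POST the file and return the HTTP status code (error statuses included)."""
    ctype, body = build_multipart(field, filename, content)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": ctype, "Content-Length": str(len(body))})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def upload_was_blocked(status: int) -> bool:
    """Assumption: a scan hit is reported with a non-2xx status."""
    return not 200 <= status < 300


if __name__ == "__main__":
    # Placeholder URL: the upload handler of a site behind the reverse proxy.
    status = post_upload("https://www.example.com/upload-file.html",
                         "upload", "eicar.com", EICAR)
    print(status, "blocked" if upload_was_blocked(status) else "NOT blocked")
```

Run it once with a harmless file and once with EICAR: the first upload should succeed and the second should be rejected; if both succeed, the request is not going through the antivirus (wrong mode, wrong enctype, or a white-listed path).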

ANTIVIRUS UPDATES, QOS AND FIREWALL

1- If your system is placed behind a third party firewall, you should allow the following traffic in order to allow the antivirus signature updates:

• HTTPS (TCP 443) traffic from the system to the Internet.

• Passive FTP traffic from the system to ftp.cacheguard.net: TCP 21 for the control connection plus the server's passive data port range (commercial edition only).

2- If you plan to use the antivirus as a service for external systems and a third party firewall is implemented between those systems and the antivirus, you must allow the following traffic:

• TCP traffic from external systems to the system on its antivirus port (defined by the command port).

• TCP traffic from external systems to the antivirus on ports 61440 to 65535 (this range is needed by clients that use clamd's legacy STREAM command, which opens a separate data port; clients that use INSTREAM send the object over the connection already opened on the antivirus port).

3- The QoS applied to signature update traffic that use HTTPS is the same as the QoS defined by "qos shape web external". The QoS applied to signature update traffic that use FTP is the same as the QoS defined by "qos shape file". See the command qos for further information.

EXTENDED ANTIVIRUS INDEX FILE

CacheGuard Technologies Ltd provides extended antivirus signatures as a subscription service. However, you can maintain your own antivirus signature DB files on a file server and configure the system to load them automatically. To do so you must follow the instructions below:

• Signatures DB files should be in gzip format and named with the .gz extension. They should be compatible with ClamAV.

• For each signatures DB file, an MD5 fingerprint file should be present on the file server and named with the .md5 extension. For instance the MD5 file for the signatures DB file named my-virus.gz should be named my-virus.gz.md5. The MD5 file should contain the MD5 fingerprint (in lowercase) of the signatures DB file in a single line (and nothing else).

• An index file named index should be maintained and present on the file server. Each line in the index file must contain the following: <signatures-db-file>.gz <size-in-bytes> <md5-fingerprint>. For instance a line in the index file could be: my-virus.gz 86080 648c95f4c2f3f5b8730eea0a735300b7

• An archive compressed file in tar.gz format and named pack.tar.gz should be present on the file server. This archive file should include all previously listed files in a directory specified by the configuration command antivirus extended url <URL> (see above).
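The following Python script is an added example, not CacheGuard's own tooling, showing both sides of the convention above: the publisher side that writes the .md5 sidecars, the index and pack.tar.gz for a directory of DB files, and the consumer-side check a gateway would apply to every index line. It assumes the archive members sit at the top level of pack.tar.gz (the page does not say); the sample DB content is a constructed single line used only to exercise the code:

```python
"""Build and verify an extended-signature index directory (added example)."""
import gzip
import hashlib
import os
import tarfile
import tempfile
from typing import Dict, List, Tuple


def md5_hex(path: str) -> str:
    """Lowercase hex MD5 of a file, read in blocks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def build_index(directory: str) -> List[Tuple[str, int, str]]:
    """Publisher side: write <db>.gz.md5 for every DB file, write `index`
    (<file>.gz <size-in-bytes> <md5>), then pack all of it into pack.tar.gz."""
    entries = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".gz") or name == "pack.tar.gz":
            continue
        path = os.path.join(directory, name)
        digest = md5_hex(path)
        with open(path + ".md5", "w") as f:
            f.write(digest + "\n")  # the fingerprint alone, on one line
        entries.append((name, os.path.getsize(path), digest))
    with open(os.path.join(directory, "index"), "w") as f:
        for name, size, digest in entries:
            f.write("%s %d %s\n" % (name, size, digest))
    with tarfile.open(os.path.join(directory, "pack.tar.gz"), "w:gz") as tar:
        tar.add(os.path.join(directory, "index"), arcname="index")
        for name, _, _ in entries:  # assumed layout: members at the top level
            tar.add(os.path.join(directory, name), arcname=name)
            tar.add(os.path.join(directory, name + ".md5"), arcname=name + ".md5")
    return entries


def verify_against_index(directory: str) -> Dict[str, str]:
    """Consumer side: each index line must name a bare file name (no path
    components), ending in .gz, that exists with the listed size and MD5 and
    whose .md5 sidecar agrees. Returns {file: "ok" | reason}."""
    results: Dict[str, str] = {}
    with open(os.path.join(directory, "index")) as f:
        for line in f:
            fields = line.split()
            if len(fields) != 3 or not fields[1].isdigit():
                results[line.strip() or "<blank>"] = "malformed index line"
                continue
            name, size, digest = fields[0], int(fields[1]), fields[2].lower()
            path = os.path.join(directory, name)
            sidecar = path + ".md5"
            if os.path.basename(name) != name or not name.endswith(".gz"):
                results[name] = "rejected name"  # refuses ../ and absolute paths
            elif not os.path.isfile(path) or not os.path.isfile(sidecar):
                results[name] = "missing"
            elif os.path.getsize(path) != size:
                results[name] = "size mismatch"
            elif md5_hex(path) != digest:
                results[name] = "md5 mismatch"
            elif open(sidecar).read().strip() != digest:
                results[name] = "sidecar mismatch"
            else:
                results[name] = "ok"
    return results


def demo() -> Tuple[List[str], Dict[str, str], Dict[str, str], List[str]]:
    """Build a sample directory, verify it, tamper with the DB, verify again."""
    directory = tempfile.mkdtemp()
    with gzip.open(os.path.join(directory, "my-virus.gz"), "wb") as f:
        f.write(b"Constructed.Test.Sig:0:*:41424344\n")  # constructed sample line
    entries = build_index(directory)
    before = verify_against_index(directory)
    with open(os.path.join(directory, "my-virus.gz"), "ab") as f:
        f.write(b"\x00")  # simulate a modified DB file
    after = verify_against_index(directory)
    with tarfile.open(os.path.join(directory, "pack.tar.gz")) as tar:
        members = sorted(tar.getnames())
    return [e[0] for e in entries], before, after, members


if __name__ == "__main__":
    print(demo())
```

Keep in mind what this check does and does not give you: the .md5 sidecar and the index live on the same server as the DB files, so they only catch transfer corruption. Whoever can write the DB file can rewrite its sidecar and index line as well, and MD5 is no longer collision resistant. For authenticity, use the vload method with a .sig from a publisher you trust, restrict the file server with access, and prefer sftp to ftp or tftp, which transfer everything in cleartext.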

SEE ALSO

access (1) countrylist (1) file (1) manager (1) mode (1) port (1) qos (1) rweb (1) waf (1)

AUTHOR

CacheGuard Technologies Ltd <www.cacheguard.com>

Send bug reports or comments to the above author.

COPYRIGHT

Copyright (C) 2009-2023 CacheGuard - All rights reserved