CacheGuard-OS
User's Guide - Version UF-2.0.2

The Antivirus

The antivirus module blocks all malware coming from the Web so viruses, trojans and worms are all eradicated even before entering into your networks. This module works in forwarding (web) mode as well as in reverse (rweb) mode. In forwarding mode, it rejects all accesses to malware objects while in reverse mode all attempts to upload malware on a protected Web server are blocked. To activate the Antivirus module use the following commands:

mode antivirus on
apply

The antivirus detects MS Office macro viruses, mobile malware, and other threats. It supports 32/64-bit Portable Executable files and 32-bit ELF files. Additionally, it handles the following files:

PE files compressed or obfuscated with the following tools: Aspack (2.12), UPX (all versions), FSG (1.3, 1.31, 1.33, 2.0), Petite (2.x), PeSpin (1.1), NsPack, wwpack32 (1.20), MEW, Upack, Y0da Cryptor (1.3).
Almost every mail file format including TNEF (winmail.dat) attachments are supported.
The most popular file formats like: MS Office and MacOffice files, RTF, PDF, HTML.
Various obfuscators, encoders, files vulnerable to security risks such as: JPEG (exploit detection), RIFF (exploit detection), uuencode, ScrEnc obfuscation.

The antivirus module scans not only simple files but looks inside archive and compression files. The following archive and compression formats are supported: Zip (+ SFX), RAR (+ SFX), Tar, Gzip, Bzip2, MS OLE2, MS Cabinet Files (+ SFX), MS CHM (Compiled HTML), MS SZDD compression format, BinHex, SIS (SymbianOS packages), AutoIt, NSIS.

Automatic Updating

The system periodically checks the malware signature database and if necessary, downloads updates by connecting to your regional servers using HTTP. Updates are downloaded from servers named db.<country-code>.clamav.net where the <country-code> is a two letters country code. To set the regional update server use the following commands:

antivirus auto <country-code>
apply

Use the command countrylist to get a list of valid country codes.

The Antivirus & WAF

If you implement CacheGuard in front of your Web servers (rweb or reverse mode), it can act as a WAF (Web Application Firewall) protecting your Web infrastructure against threats coming from the internet. So when rweb, waf and antivirus are all activated, CacheGuard scans all attempts to upload files onto your Web servers and instantly blocks malware before they can reach Web servers. Note that the only supported method to upload a file is the POST method with an encryption type of multipart/form-data. For security reasons, the PUT method is always rejected by the system.

The Antivirus & MTA

The antivirus is mainly used by the integrated proxy to block malware in Web traffic. But it can also be used as a service offered to an MTA (Mail Transfer Agent). As an example consider that your MTA is located behind the internal interface of your appliance and has the IP address 10.0.10.250. To configure your appliance to provide access to your MTA use the following commands:

ip internal 10.0.10.254 255.255.255.0
port antivirus 8083
antivirus topology internal on
access antivirus add internal 10.0.10.250 255.255.255.255
apply

Now you can configure you MTA to use the appliance as an antivirus service. The antivirus used by this appliance is ClamAV. Please refer to the documentation of your MTA to get help on how to connect it to the antivirus. For instance if your MTA is exim4 you should add the following line to your exim4 configuration file:

av_scanner = clamd: 10.0.10.254 8083

Testing the Antivirus

The European Expert Group for IT Security provides some virus file for testing purpose. You can find these files on the website http://www.eicar.org.