User's Guide - Version UF-2.2.1

The Antivirus

The antivirus detects malware (virus, trojans, worms) in Web traffic incoming from the external zone and blocks them at the gateway even before they can enter into your networks. The antivirus can operate in forwarding/browsing (web) mode as well as in reverse (rweb) mode. In forwarding mode, it rejects all attempts to access malware in Web traffic while in reverse mode, all attempts to upload a malware on protected Web servers are blocked (in rweb mode, CacheGuard appliance is implemented in front of Web servers). To activate the antivirus, you can use the mode antivirus on command followed by the apply command.
The antivirus detects MS Office macro viruses, mobile malware, and other threats. It supports 32/64-bit Portable Executable files and 32-bit ELF files. It scans not only simple files but also inspects inside archive and compression files such as, but not limited to, zip (+ sfx), rar (+ sfx), tar, gzip, bzip2, MS OLE2, MS cabinet files (+ sfx), MS CHM (Compiled HTML), MS szdd compression format, BinHex, SIS (SymbianOS packages), AutoIt, NSIS. In addition, the following file types are inspected:

Automatic Updating

CacheGuard appliance periodically checks the malware signature database and if necessary, downloads updates. Updates are downloaded from a public service named on the internet. It is important to note that any download abuse can be blocked by that service for a given period of time which is not on the CacheGuard appliance control. In order to not be banned by that service, it is recommended to let CacheGuard appliance to automatically update the signature database and avoid any explicit updates (unless it is absolutely necessary).

To complete the standard malware signature database offered by, additional malware signatures are proposed as an optional service by CacheGuard Technologies Ltd that you can easily subscribe to. After having subscribed to that optional service, you can simply activate it on your CacheGuard appliance by setting the provided password and file server name on your CacheGuard appliance (commands to use would be access file and password file).

Antivirus & WAF

When CacheGuard appliance is implemented as a WAF in front of your Web servers (the rweb and waf modes are both activated) the antivirus scans all attempts to upload files onto your protected/cloaked real Web servers. In case where a malware is detected in an uploaded file, CacheGuard appliance instantly blocks that upload even before the uploaded file can reach Web servers. Note that the only supported method to upload a file by the antivirus is the POST method with an encryption type of multipart/form-data. The following commands activate and configure the antivirus to scan any attempt to upload a file on the Web server having the IP address and protected/cloaked by CacheGuard appliance:

Antivirus & MTA

The antivirus is natively used by the integrated Web proxy to block malware in Web traffic. However, it can also be used as a service offered to external clients/services such an MTA (Mail Transfer Agent). For instance, to give access to a a remote exim4 MTA having the IP address and communicating with CacheGuard appliance via its internal network interface, you can use the following commands: In this example, the exim4 MTA should then be configured to use CacheGuard appliance as an antivirus service by adding the av_scanner = clamd: 8083 line to its configuration file.

Testing the Antivirus

The European Expert Group for IT Security provides some virus file for testing purpose. You can find those files on the website. To test the antivirus with the help of those testing virus files, you must download and put them on a an HTTP (not HTTPS) Web server and then try to download them via your CacheGuard appliance Web proxy. If your CacheGuard antivirus is properly configured, the download attempt should be blocked by your CacheGuard appliance. To directly test from the website which use HTTPS (and not HTTP), you must activate the SSL mediation on your CacheGuard appliance. Please refer to the SSL Mediation section to learn how to activate the SSL mediation.