antivirus

NAME

antivirus - Configure the antivirus

SYNOPSIS

antivirus [auto [<country-code>]]

antivirus [maxobject [<file-size>]]

antivirus [extended [url [<URL>]] | vload [(on | off)]]

antivirus [pua [(on | off)]]

antivirus (update | create) [report | force]

antivirus whitelist signature (load (ftp | sftp | tftp) <file-server> <file-name> | clear)

antivirus whitelist domainname [(add | del) <domain-name> | raz]

antivirus topology (internal | external | auxiliary | vpnipsec) [on | off]

DESCRIPTION

When the antivirus is activated, malware (viruses, trojans and worms) coming from the Web is blocked by the system before it enters your local networks. The command antivirus is used to configure and manage the antivirus. To activate the antivirus feature use the command mode antivirus on.

The antivirus feature works in both forwarding (web) and reverse (rweb) modes. In forwarding mode, it blocks all browsing access to malware objects, while in reverse mode all attempts to upload malware to a protected Web server are blocked.

The antivirus detects MS Office macro viruses, mobile malware, and other threats. It supports 32/64-bit Portable Executable files and 32-bit ELF files. Additionally, it handles the following files:

• PE files compressed or obfuscated with the following tools: Aspack (2.12), UPX (all versions), FSG (1.3, 1.31, 1.33, 2.0), Petite (2.x), PeSpin (1.1), NsPack, wwpack32 (1.20), MEW, Upack, Y0da Cryptor (1.3).

• Almost every mail file format, including TNEF (winmail.dat) attachments.

• The most popular document formats: MS Office and MacOffice files, RTF, PDF, HTML.

• Various obfuscators and encoders, and file formats exposed to known exploits: JPEG (exploit detection), RIFF (exploit detection), uuencode, ScrEnc obfuscation.

The antivirus scans not only simple files but looks inside archive and compression files. The following archive and compression formats are supported: Zip (+ SFX), RAR (+ SFX), Tar, Gzip, Bzip2, MS OLE2, MS Cabinet Files (+ SFX), MS CHM (Compiled HTML), MS SZDD compression format, BinHex, SIS (SymbianOS packages), AutoIt, NSIS.

Note that for performance reasons video/audio streaming content is not checked by the antivirus in forwarding mode. In reverse mode all uploaded content is checked.

Every 30 minutes the system automatically checks for virus signature DB updates and, if necessary, downloads new virus signatures by connecting to regional servers using HTTPS. Updates are downloaded from db.<country-code>.clamav.net (where <country-code> is a two letter country code) or from database.clamav.net. The first usage form allows you to set the regional update server: use the keyword auto followed by your two letter country code. Use the command countrylist to get a list of valid country codes.

The antivirus scans only files smaller than an upper limit. The second usage form allows you to set this upper limit. By default the upper limit is 2048 KB. To change this value use the keyword maxobject followed by the required size in kilobytes. Note that for optimal performance you should not raise this value. The minimum and maximum authorized values are respectively 1024 KB and 24576 KB. Objects larger than the limit are not scanned, so the limit is a trade-off between throughput and coverage, not a free performance knob.

For a higher level of protection, extended antivirus signatures can be loaded into the system. The third usage form allows you to set the URL from which extended signatures are loaded. The vload (verify load) option makes the system verify the authenticity of the downloaded extended signatures; this is useful when you download extended signatures provided by CacheGuard or one of its referenced partners. Please note that if you modify only the path part of the URL or the vload value, extended antivirus signatures are not updated during the apply operation. To effectively update extended signatures you should explicitly update them by using the antivirus update form of the command, or wait for the next automatic update.

Additionally the antivirus may detect Possibly Unwanted Applications (PUA). The fourth usage form allows you to activate or deactivate the PUA detection mode. To activate the PUA checks use the keyword pua followed by the keyword on. To deactivate the PUA checks use the keyword pua followed by the keyword off. Detected PUA categories are as follows:

• Packed: This is a detection for files that use some kind of runtime packer. A runtime packer can be used to reduce the size of executable files without the need for an external unpacker. While this cannot be considered malicious in general, runtime packers are widely used with malicious files since they can prevent an antivirus product from detecting the malware.

• PwTool: Password tools are all applications that can be used to recover or decrypt passwords for various applications like mail clients or system passwords. Such tools can be quite helpful if a password is lost; however, they can also be used to spy out passwords.

• NetTool: NetTools are applications that can be used to sniff, filter, manipulate or scan network traffic or networks. While a network scanner can be an extremely helpful tool for admins, you may not want to see an average user playing around with it. The same goes for tools like netcat and the like.

• P2P: Peer to Peer clients can be used to generate a lot of unwanted traffic, and sometimes copyrights are violated by downloading copyright protected content (music, movies); therefore we consider them unwanted.

• IRC: IRC Clients can be a productivity killer and depending on the client, can be a powerful platform for malicious scripts (take mIRC for example).

• RAT: Remote Access Trojans are used to remotely access systems, but can be used also by system admins, for example VNC or RAdmin.

• Tool: General system tools, like process killers/finders.

• Spy: Keyloggers, spying tools.

• Server: Server based badware like DistributedNet.

• Script: Known "problem" scripts written in Javascript, ActiveX or similar.

Please note that PUA detection may be too aggressive and lead to false positives.

The fifth usage form allows you to perform an explicit update. To download and create the whole signature database use the keyword create. Updating and creating are asynchronous operations executed in the background. Note that you have to wait for the termination of other asynchronous commands before running these commands. CAUTION: to avoid flooding the update servers, explicit update and create operations should be used moderately. Otherwise your system may be banned by some antivirus update servers. When the update (or create) operation is invoked, the user is invited to confirm its execution. The optional argument force allows you to bypass this confirmation. To print a brief report on the update and create operations, use the keyword report. This report may list errors from different contexts. Meaningful errors are as follows:

[ Antivirus signature base update (or create) context ]:

• Error 58: can’t read databases from remote servers.

• Error 59: Remote servers are not fully synchronized (try again later).

• Error 101-109: can’t resolve remote server names.

• Error 121: the Antivirus extended update program has been killed.

• Error 122: a downloaded Antivirus extended DB is not authentic. Use the command antivirus update to retry a signature update and get error details.

• Error 123: can’t download the Antivirus extended index file.

• Error 124: error(s) while downloading or processing the AV extended DB file(s). Use the command antivirus update to retry a signature update and get error details.

• Error > 124: multiple errors occurred. The error number is the sum of the above error numbers.

[ Antivirus extended signature index update context ]:

• Error 68: file not found on TFTP server.

• Error 78: the resource referenced in the URL does not exist.

• Error 101: the index file signature verification failed.

If you encounter a false positive signature match, you should contact our support services to submit your case so we can study it and possibly fix it. Meanwhile, if your activity is blocked because of false positive matches, you have the possibility to bypass their checks with your own white list of virus names. The sixth usage form allows you to load a white list of virus signatures from a trusted file server. To load a white list from a file server use the keywords whitelist signature load followed by the protocol to use, the file server name or IP address and the white list file name. Only trusted file servers are allowed. Trusted file servers are declared using the command access. A valid white list of virus signatures is a compressed (gzip format) text file containing virus names (one virus name per line). To clear a previously loaded white list use the keywords whitelist signature clear.
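As an added example (not part of the original page or of CacheGuard's own tooling), the following Python script produces a white list in the format described above, a gzip-compressed text file with exactly one virus name per line, and reads it back to check it. The virus names it uses are constructed placeholders, not real signature names; transferring the file to the trusted file server (ftp, sftp or tftp) is outside the script's scope.

```python
"""Build and check an antivirus virus-name white list: a gzip-compressed
text file with exactly one virus name per line. Added example; the names
below are constructed placeholders and the file server transfer is not done."""
import gzip
import os
import tempfile


def validate_name(raw):
    """Return the trimmed virus name, or None if it cannot occupy one line
    of the white list (empty, or containing whitespace)."""
    name = raw.strip()
    if not name or any(ch.isspace() for ch in name):
        return None
    return name


def write_whitelist(names, path):
    """Write the white list. Names are validated so that a malformed entry
    cannot slip into the file, deduplicated, and sorted so that diffs between
    successive versions stay readable. Returns the number of names written."""
    cleaned = set()
    for raw in names:
        name = validate_name(raw)
        if name is None:
            raise ValueError(f"invalid virus name: {raw!r}")
        cleaned.add(name)
    with gzip.open(path, "wt", encoding="utf-8", newline="\n") as fh:
        for name in sorted(cleaned):
            fh.write(name + "\n")
    return len(cleaned)


def read_whitelist(path):
    """Read a white list back in file order, rejecting any line that is not
    a single virus name (the gateway expects one name per line)."""
    names = []
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            name = validate_name(line.rstrip("\n"))
            if name is None:
                raise ValueError(f"line {lineno}: not a single virus name")
            names.append(name)
    return names


def demo():
    """Constructed placeholder names (not real signature names), including
    a duplicate and stray whitespace; returns (count written, names read)."""
    wanted = ["Example.FalsePositive-1", " Example.FalsePositive-2 ",
              "Example.FalsePositive-1"]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "av-whitelist.txt.gz")
        count = write_whitelist(wanted, path)
        return count, read_whitelist(path)
```

Once the file is placed on a file server declared with the command access, it is loaded with antivirus whitelist signature load followed by the protocol, server and file name.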

The seventh usage form allows you to define a white list of domain names for which the antivirus at the Web gateway is bypassed in forwarding mode. You can use this usage form to white list websites such as www.phishtank.com.

The antivirus is mainly used by the integrated proxy to block malware in Web traffic, but it can also be offered as a service to external systems such as an MTA (Mail Transfer Agent). Please refer to the commands port and access to configure the antivirus as a service for external systems. The eighth usage form allows you to define the antivirus access topology, that is, the logical network interfaces from which external systems are allowed to connect. To allow connections on the internal interface turn the internal flag on (to deny, turn it off). To allow connections on the external interface turn the external flag on (to deny, turn it off). To allow connections on the auxiliary interface turn the auxiliary flag on (to deny, turn it off). To allow connections on the internal interface from an IPsec VPN turn the vpnipsec flag on (to deny, turn it off).

The antivirus used by the present system is ClamAV. Please refer to the documentation of your external systems to get help on how to connect them to the antivirus.
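As an added example (not part of the original page or of CacheGuard's own code), the following Python client submits a buffer to the antivirus service and reads back the verdict. It assumes that the service speaks ClamAV's clamd wire protocol (the page states that the engine is ClamAV but does not document the protocol): the INSTREAM command, length-prefixed chunks, and a NUL-terminated "stream: ..." reply. The gateway address and antivirus port are whatever you configured with the command port; the payload is the standard EICAR test string. So that the example runs offline, it also contains a small stand-in for the service that parses the same framing.

```python
"""Submit a buffer to the gateway's antivirus service and read the verdict.
Added example. Assumption: the service speaks ClamAV's clamd wire protocol
(the page says the engine is ClamAV but does not document the protocol)."""
import socket
import struct
import threading

# Standard EICAR test string: harmless, detected by every ClamAV database
# as Eicar-Test-Signature (expect local antivirus products to flag it too).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_request(data, chunk_size=8192):
    """Frame data for INSTREAM: 'zINSTREAM\\0', then chunks of a 4-byte
    big-endian length followed by the payload, ended by a zero-length chunk."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    parts = [b"zINSTREAM\0"]
    for offset in range(0, len(data), chunk_size):
        piece = data[offset:offset + chunk_size]
        parts.append(struct.pack("!I", len(piece)) + piece)
    parts.append(struct.pack("!I", 0))
    return b"".join(parts)


def parse_reply(reply):
    """Turn 'stream: OK', 'stream: <name> FOUND' or 'stream: <msg> ERROR'
    into (verdict, detail). Anything else raises rather than passing as clean."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "OK", None
    for tag in ("FOUND", "ERROR"):
        if verdict.endswith(" " + tag):
            return tag, verdict[: -len(tag) - 1]
    raise ValueError(f"unexpected antivirus reply: {text!r}")


def scan_bytes(host, port, data, timeout=30.0):
    """One connection per object: send the framed stream, read the
    NUL-terminated reply. Timeouts and truncated replies raise, never 'OK'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    return parse_reply(reply)


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        part = conn.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-frame")
        buf += part
    return buf


def _fake_service(listener, connections):
    """Offline stand-in for the antivirus service (not the real engine):
    parses the INSTREAM framing and flags payloads containing EICAR."""
    for _ in range(connections):
        conn, _ = listener.accept()
        with conn:
            command = b""
            while not command.endswith(b"\0"):
                command += _recv_exact(conn, 1)
            body = b""
            while True:
                (length,) = struct.unpack("!I", _recv_exact(conn, 4))
                if length == 0:
                    break
                body += _recv_exact(conn, length)
            infected = command == b"zINSTREAM\0" and EICAR in body
            conn.sendall(b"stream: Eicar-Test-Signature FOUND\0" if infected
                         else b"stream: OK\0")


def demo():
    """Start the stand-in on a loopback port, scan one infected and one clean
    (multi-chunk) buffer, return both verdicts. Against the gateway, call
    scan_bytes(<gateway address>, <antivirus port from 'port'>, data)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_fake_service, args=(listener, 2), daemon=True)
    server.start()
    try:
        infected = scan_bytes("127.0.0.1", port, b"MZ" + EICAR)
        clean = scan_bytes("127.0.0.1", port, b"%PDF-1.4\n%%EOF\n" * 1000)
    finally:
        server.join(timeout=5)
        listener.close()
    return infected, clean
```

Running demo() exercises the full exchange locally; pointing scan_bytes at the gateway's antivirus port is the quickest way to confirm that the topology flags and the third party firewall rules described in this page actually let an external system reach the service.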

CAUTION

• A Web Gateway acting as an antivirus is network equipment that blocks malware coming from the Web and contributes to reinforcing your security. It does not cover other infection vectors (removable media, internal traffic, encrypted channels it does not intercept). Never deactivate the local antivirus on your workstations or servers.

• If for some reason the antivirus service could not start (because for instance the gateway is disconnected from the Internet), the Web access is blocked (the antivirus checking can’t be bypassed).

WAF

The present system is a Web gateway that protects against threats coming from the Web. When configured in forwarding mode (mode web on) and when the antivirus is activated, it protects Web browsing from virus infections (as long as it is implemented in your network as a proxy or a transparent web proxy). When the system is implemented as a reverse proxy (mode rweb on) and WAF (mode waf on) in front of your Web servers, activating the antivirus allows you to scan all attempts to upload files onto your Web servers and instantly block malware before it reaches the Web servers. Note that the only supported method to upload a file is the POST method with an encoding type (enctype) of "multipart/form-data".

An HTML form that uploads a file in this way can be as follows (the file input needs a name attribute, otherwise the browser does not send the file):

<form enctype="multipart/form-data" method="post" action="/upload-file.html">
  File name: <input type="file" name="file" /> <input type="submit" value="Upload" />
</form>

ANTIVIRUS UPDATES, QOS AND FIREWALL

1- If your system is placed behind a third party firewall, you should allow the following traffic in order to allow the antivirus signature updates:

• HTTPS (TCP 443) traffic from the system to the Internet.

• Passive FTP traffic from the system to ftp.cacheguard.net (commercial edition only): the TCP 21 control connection plus the passive-mode data connections it negotiates.

2- If you plan to use the antivirus as a service for external systems and a third party firewall is implemented between those systems and the antivirus, you must allow the following traffic:

• TCP traffic from external systems to the system on its antivirus port (defined by the command port).

• TCP traffic from external systems to the antivirus on ports 61440 to 65535.

3- The QoS applied to signature update traffic that use HTTPS is the same as the QoS defined by "qos shape web external". The QoS applied to signature update traffic that use FTP is the same as the QoS defined by "qos shape file". See the command qos for further information.

SEE ALSO

access (1) countrylist (1) mode (1) port (1) qos (1) rweb (1) waf (1)

AUTHOR

CacheGuard Technologies Ltd <www.cacheguard.com>

Send bug reports or comments to the above author.

COPYRIGHT

Copyright (C) 2009-2021 CacheGuard - All rights reserved