- Computers & electronics
- Networking
- Gateways/controllers
- Watchguard
- WFS Gateway Anti-Virus
- User guide
WatchGuard WFS Gateway Anti-Virus v9.0 Guide
Add to my manuals20 Pages
Watchguard WFS Gateway Anti-Virus: Comprehensive email protection for your network. It seamlessly integrates with the Watchguard SMTP Proxy to scan incoming and outgoing emails for viruses and malicious attachments, safeguarding your systems from potential threats. Automatic updates ensure you have the latest protection against evolving threats. Easy to configure and manage, WFS Gateway Anti-Virus provides peace of mind and enhances your email security posture.
advertisement
WatchGuard
®
Gateway AntiVirus
™
Guide
Gateway AntiVirus™ for WatchGuard System Manager 7.5
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Copyright© 1998 - 2007 WatchGuard Technologies, Inc. All rights reserved.
Complete copyright, trademark, patent, and licensing information can be found in the WatchGuard System
Manager User Guide .
All trademarks or trade names mentioned herein, if any, are the property of their respective owners.
WFS Software Number v7.5
Document Version: 7.5
ii Gateway AntiVirus for E-mail
Contents
About Virus Signatures ....................................................2
Gateway AntiVirus Procedures ..........................................2
Installing Gateway AntiVirus ..............................................3
Enabling Gateway AntiVirus ..............................................4
Getting Gateway AntiVirus Status and Updates ..................5
Seeing Gateway AntiVirus status ........................................ 5
Updating Gateway AntiVirus signatures ............................. 5
Updating the antivirus engine ............................................ 6
Clear Gateway AntiVirus statistics ...................................... 6
Renew Gateway AntiVirus Licenses ................................... 7
AntiVirus License expiration ............................................... 7
Configuring Gateway AntiVirus System Settings ..................7
Configure Gateway AntiVirus ............................................... 8
Configuring Gateway AntiVirus in the SMTP Proxy ...............9
Add an SMTP Proxy with Gateway AntiVirus ...................... 9
Configure Gateway AntiVirus for an existing SMTP Proxy ...
Using Gateway AntiVirus with More Than One Proxy ..........14
Gateway AntiVirus Headers ............................................14
Monitoring Gateway AntiVirus Activity ..............................15
Gateway AntiVirus for E-mail iii
iv Gateway AntiVirus for E-mail
WatchGuard
Gateway AntiVirus ™
Guide
Viruses are malicious computer programs that try to attack your computer or computers on your network. Viruses can be dangerous, and they can cause damage to files and resources.
Some viruses find passwords and other sensitive information, and some can use your system or network to at tack other systems.
WatchGuard® Gateway AntiVirus stops viruses before they get to computers on your network. Gateway AntiVirus uses the
WatchGuard SMTP Proxy. When you enable Gateway AntiVirus, the WatchGuard SMTP Proxy looks at e-mail messages, finds viruses, and removes them.
N OTE
Gateway AntiVirus works with the SMTP Proxy. If your organization does not use SMTP to get e-mail, Gateway
AntiVirus does not give virus protection.
Gateway AntiVirus finds viruses encoded with common e-mail attachment methods. These include base64, binary, 7-bit and
8-bit encoding. Gateway AntiVirus does not find viruses in uuencoded or binhex-encoded messages.
Gateway AntiVirus for E-mail 1
About Virus Signatures
When a new virus is identified on the Internet, the features that make the virus unique are identified and recorded. The features that make a virus unique are known as the virus signature.
Gateway AntiVirus uses these virus signatures to find viruses.
Gateway AntiVirus includes more than 40,000 virus signatures in the default configuration.
New viruses appear on the Internet frequently. To make sure that Gateway AntiVirus gives your network the best protection, you must update the virus signatures frequently. You can configure the Firebox® to update virus signatures automatically from WatchGuard. You can also update virus signatures manually on your Firebox. These updates are made available when new viruses are identifie d .
N
OTE
You must keep virus signatures current to get the best protection from Gateway AntiVirus. However, new virus threats appear frequently. WatchGuard cannot guarantee that our product will stop every virus, or prevent damage to your systems or networks from a virus.
Gateway AntiVirus Procedures
To use Gateway AntiVirus, you must do these steps:
1
Install the Gateway AntiVirus feature. See “Installing
2
Enable the Gateway AntiVirus feature. See “Enabling
3
Update Gateway AntiVirus for the first time. See “Getting
Gateway AntiVirus Status and Updates” on page 5.
4 Configure Gateway AntiVirus system settings. See
“Configuring Gateway AntiVirus System Settings” on page 7.
5 Configure Gateway AntiVirus in the SMTP Proxy. See
“Configuring Gateway AntiVirus in the SMTP Proxy” on page 9.
2 Gateway AntiVirus for E-mail
Installing Gateway AntiVirus
Installing Gateway AntiVirus
To install Gateway AntiVirus, you must have:
• A Gateway AntiVirus license key.
• An SMTP e-mail server behind the Firebox.
• The SMTP Proxy. For information on how to add the SMTP
Proxy, see “Configuring Gateway AntiVirus in the SMTP
1 From Policy Manager, select Setup > Licensed Features .
The Licensed Features dialog box appears.
2 Click Add .
3 In the Add/Import License Keys dialog box, type or paste your license key. You can click Browse to find it on your computer or network. Click OK .
The license key appears on the Licensed Features dialog box.
Gateway AntiVirus for E-mail 3
Enabling Gateway AntiVirus
Before you configure and use Gateway AntiVirus, you must enable Gateway AntiVirus on your Firebox. To do this:
1 Click Start > Programs > WatchGuard > Firebox System
Manager .
2 In the Connect to Firebox dialog box, type the IP address and status passphrase for the Firebox.
3 Click the Policy Manager button to start Policy Manager.
You can select Tools > Policy Manager from the
WatchGuard menu to start Policy Manager.
4 In Policy Manager, select Setup > Gateway AntiVirus .
The Gateway AntiVirus window appears.
4
5 Select the Enable antivirus engine check box. Click OK .
6 Select File > Save > To Firebox .
The first time you enable the antivirus engine, you must save the configuration to the Firebox.
7 Type your configuration passphrase.
8 Click OK .
Gateway AntiVirus for E-mail
Getting Gateway AntiVirus Status and Updates
Getting Gateway AntiVirus Status and Updates
You can see the status and get updates for Gateway AntiVirus on the Security Services tab in the Firebox System Manager.
Seeing Gateway AntiVirus status
Gateway AntiVirus status tells you if Gateway AntiVirus protection is enabled. You can also see when the license expires and information about the virus scanner and the virus signatures.
To see Gateway AntiVirus status:
1 Start Firebox System Manager.
2 Click on the Security Services tab.
Gateway AntiVirus status appears. You only see Gateway AntiVirus status after you install the Gateway AntiVirus license.
Updating Gateway AntiVirus signatures
Gateway AntiVirus is automatically configured to update the
antivirus signatures every two hours. See “Configure Gateway
AntiVirus” on page 8 to change this setting. You can also
update signatures manually. If the virus signatures are not current, you are not protected from the latest viruses.
Gateway AntiVirus for E-mail 5
6
To update Gateway AntiVirus manually:
1 Start Firebox System Manager.
2 Click on the Security Services tab.
Gateway AntiVirus status appears.
3 Click Update Signatures .
The Firebox downloads the latest available signature update for
Gateway AntiVirus. You can see information about the update in
Traffic Monitor.
You can configure Gateway AntiVirus to update virus signatures
automatically. See “Configure Gateway AntiVirus” on page 8 for
more information.
Updating the antivirus engine
WatchGuard may periodically make antivirus engine updates available for Gateway AntiVirus. When an engine update is made available, you will be notified by a LiveSecurity bulletin email.
It is critical that you update your engine as soon as a new engine is available. Newer signatures may only work with newer antivirus engines. You have access to new engines for the term of your Gateway Antivirus subscription.
To update the Gateway AntiVirus engine manually:
1 Start Firebox System Manager.
2 Click on the Security Services tab.
Gateway AntiVirus status appears.
3 Click Update AV Engine .
The Firebox downloads the latest Gateway AntiVirus engine. You can see information about the update in Traffic Monitor.
You can configure Gateway AntiVirus to download engine
updates automatically. See “Configure Gateway AntiVirus” on page 8 for more information.
Clear Gateway AntiVirus statistics
Clear Gateway AntiVirus statistics to see only new statistics.
To clear Gateway AntiVirus statistics:
1 Start Firebox System Manager.
2 Click on the Security Services tab.
Gateway AntiVirus status appears.
3 Click Clear GAV Statistics .
Gateway AntiVirus for E-mail
Configuring Gateway AntiVirus System Settings
4 You are prompted for the configuration passphrase. Type the configuration passphrase and click OK .
The statistics are cleared and the Firebox starts to record statistics again. The Stats since field shows the last time and date that the statistics were cleared. The Files scanned and Viruses found fields show zeroes until a new file is examined or a virus is found.
N OTE
After you clear statistics, you can still see older log messages in the log files.
Renew Gateway AntiVirus Licenses
You can go to the web page to renew your Gateway AntiVirus license from Firebox System Manager.
To renew the license:
1 Start Firebox System Manager.
2 Click on the Security Services tab.
Gateway AntiVirus status appears.
3 Click Renew Licenses .
A web browser window starts with the license renewal page open.
You must log in to your LiveSecurity account to view this page.
AntiVirus License expiration
When a Gateway AntiVirus license expires, all Gateway Antivirus features stop working. You must add a new or upgrade license to resume AntiVirus protection.
Configuring Gateway AntiVirus System Settings
You use the Gateway AntiVirus™ window to enable Gateway
AntiVirus and configure Gateway AntiVirus. This window configures the Gateway AntiVirus feature for all SMTP Proxies on the Firebox. You can also create different configurations in each
SMTP Proxy. For more information, see “Configuring Gateway
AntiVirus in the SMTP Proxy,” on page 9.
Gateway AntiVirus for E-mail 7
Configure Gateway AntiVirus
1 In Policy Manager, select Setup > Gateway AntiVirus . The
Gateway AntiVirus dialog box appears.
8
2 If Gateway AntiVirus is not enabled, select the Enable antivirus engine check box.
3 To temporarily decompress files that are compressed to scan contents for viruses, select the Temporarily decompress attachments before a scan checkbox.
This option allows the Firebox to examine the contents of compressed files, for example Zip files, TAR files, and TGZ files.
N OTE
Gateway AntiVirus can only examine one level of a compressed file. Hackers can hide viruses in compressed files that are inside other compressed files. Gateway AntiVirus supports several compression methods. See the Release Notes for this product for a list of the compression file types supported by this release.
4 To record debug log messages for Gateway AntiVirus, select the Enable debug log messages checkbox.
Use this checkbox to record log messages about the functionality of the antivirus service. It is not usually necessary to record these messages unless the antivirus service does not operate correctly. If this option is selected, log messages are recorded that give more detail about the operation of the antivirus engine. These messages can be used with Tech Support to troubleshoot problems.
Gateway AntiVirus for E-mail
Configuring Gateway AntiVirus in the SMTP Proxy
5 You can set a maximum attachment size to examine in the
Maximum size of file attachments to scan field.
GatewayAntiVirus allows you to configure the attachment file size from 10 KB to 4096 KB. You can use the arrows to move up or down in 128 KB increments, or type a number between 10 and 4096.
N OTE
Note that this setting does not automatically change the setting in the SMTP Proxy general tab for Maximum Size. The smallest size setting of these two properties takes precedence.
6 To get automatic updates to the antivirus engine, select the
Enable automatic AV engine download checkbox.
Automatic engine updates enable you to have the best antivirus protection available from WatchGuard for the Gateway AntiVirus service.
7 To get signature updates automatically, select the Update automatically checkbox. Select or type the number of hours between update checks.
Signature updates allow Gateway AntiVirus to protect your system from new virus threats that appear. Set the Firebox to get frequent automatic updates to protect your network better.
Configuring Gateway AntiVirus in the SMTP Proxy
You use Gateway AntiVirus™ to find and stop viruses with the
SMTP Proxy. The Firebox uses the SMTP Proxy to examine email messages.
This guide gives you the basic procedure to add an SMTP Proxy, and the procedure for configuring Gateway AntiVirus. For full configuration information for the SMTP Proxy, see your Watch-
Guard System Manager User Guide.
Add an SMTP Proxy with Gateway AntiVirus
To add an SMTP Proxy and configure Gateway AntiVirus:
1 Start Policy Manager.
2 Select Edit > Add Service , expand the Proxies folder, and select SMTP .
3 Click Add .
4 Type a name for the service and click OK .
Gateway AntiVirus for E-mail 9
5 Configure the Incoming and Outgoing connections and traffic configurations for your network.
N
OTE
Gateway AntiVirus can be configured for incoming e-mail, outoging e-mail, or both. You can use these instructions for both incoming and outgoing connections.
6 Click the Properties tab. Click the Incoming or Outgoing button. Click the AntiVirus tab.
The AntiVirus configuration for this Proxy appears.
10
7 To enable AntiVirus on this Proxy, select the Enable antivirus protection for this service check box.
8 To remove attachments that contain viruses, select the Strip attachments that contain viruses check box.
N
OTE
This option is enabled in the default configuration. It is recommended that you use this option. Your users are only protected from viruses if this check box is selected.
Gateway AntiVirus for E-mail
Configuring Gateway AntiVirus in the SMTP Proxy
9 To remove compressed attachments that can not be scanned by Gateway AntiVirus, select the Strip compressed attachments that can not be scanned check box.
Compressed attachments that can not be scanned include files that use unsupported compression formats such as RAR 3.0, and password-protected ZIP or other compressed files. This is not enabled by default. It is not recommended that you enable this option.
10 To remove attachments that exceed the maximum size, select the Strip attachments that exceed maximum size check box.
You can configure the maximum size in the Gateway AntiVirus
recommended that you enable it.
11 To remove attachments with malformed encoding, select the Strip attachments with malformed encoding check box.
12 To remove attachments that are not encoded according to
MIME standards, select the Strip attachments with non standard mime encoding check box.
Malformed MIME encoding is an exploit that attempts to alter a standard MIME encoding to bypass the content check in Gateway
AntiVirus. Non-standard encoding is MIME data that is crafted to appear as correct, but does not adhere to strict standards for the particular MIME encoding. If you enable one or both of these options, those maformed or non-standard MIME object, Gateway
AntiVirus strips the MIME object.
13 Click OK .
The Service Properties window appears.
14 When you complete the configuration for the SMTP Proxy, click OK .
15 Click OK to close the Add Service dialog box.
16 Save the configuration to the Firebox. Select File > Save >
To Firebox .
17 Select a configuration file to save, or type the name of a new file, and click Save .
18 Type the configuration passphrase in the Save to Firebox dialog box.
19 Click Continue to save the file to the Firebox.
Gateway AntiVirus for E-mail 11
20 Click OK after the Firebox is configured.
Configure Gateway AntiVirus for an existing SMTP
Proxy
To add Gateway AntiVirus to an existing SMTP Proxy:
1 Start Policy Manager.
2 Double-click the SMTP Proxy service.
3 Click the Properties tab. Click the Incoming button. Click the AntiVirus tab.
The AntiVirus configuration for this Proxy appears.
12
4 To enable AntiVirus on this Proxy, select the Enable antivirus protection for this service checkbox.
5 To remove attachments that contain viruses, select the Strip attachments that contain viruses checkbox.
N OTE
This option is enabled in the default configuration. It is recommended that you use this option. Your users are only protected from viruses if this checkbox is selected.
Gateway AntiVirus for E-mail
Configuring Gateway AntiVirus in the SMTP Proxy
6 To remove compressed attachments that can not be scanned by Gateway AntiVirus, select the Strip compressed attachments that can not be scanned checkbox.
Compressed attachments that can not be scanned include files that use unsupported compression formats such as RAR 3.0, and password-protected ZIP or other compressed files. This is not enabled by default. It is not recommended that you enable this option.
7 To remove attachments that exceed the maximum size, select the Strip attachments that exceed maximum size checkbox.
You can configure the maximum size in the Gateway AntiVirus
recommended that you enable it.
8 To remove attachments with malformed encoding, select the Strip attachments with malformed encoding check box.
9 To remove attachments that are not encoded according to
MIME standards, select the Strip attachments with non standard mime encoding check box.
10 Malformed MIME encoding is an exploit that attempts to alter a standard MIME encoding to bypass the content check in Gateway
AntiVirus. Non-standard encoding is MIME data that is crafted to appear as correct, but does not adhere to strict standards for the particular MIME encoding. If you enable one or both of these options, those maformed or non-standard MIME object, Gateway
AntiVirus strips the MIME object.
11 Click OK .
The Service Properties window appears.
12 When you complete the configuration for the SMTP Proxy, click OK .
13 Save the configuration to the Firebox. Select File > Save >
To Firebox .
14 Select a configuration file to save, or type the name of a new file, and click Save .
15 Type the configuration passphrase in the Save to Firebox dialog box.
16 Click Continue to save the file to the Firebox.
Gateway AntiVirus for E-mail 13
17 Click OK after the Firebox is configured.
Using Gateway AntiVirus with More Than One
Proxy
You can use more than one SMTP Proxy to find and remove viruses for different servers in your organization.
Each proxy that uses Gateway AntiVirus is configured with options that are unique to that proxy. For example, you can use different proxy antivirus configurations for e-mail that is for different servers or different destinations.
Gateway AntiVirus Headers
Gateway AntiVirus adds a header to each e-mail message. An email message can include mulitple parts separated by MIME boundaries (multipart MIME). Each MIMEparts has a separate set of headers. If a part includes an attachment, Gateway Anti-
Virus adds the header
X-AntiVirus to the set of headers. This header indicates antivirus activity for the part. The X-AntiVirus header indicates whether the message is clean, infected with a virus, or whether there is another error in the antivirus process. If a part includes an attachment, the antivirus action is included in the header.
The action can be allow or deny .
In this example, an attachment is infected with a virus, and the virus is detected by Gateway AntiVirus for E-mail: date time smtp-proxy[ signature number ]: Attachment attachment_name is infected with virus virus_name , denying attachment
If an attachment is denied, the body for that part of the message is replaced. The new part is a message similar to the value of the smtp-proxy header, for example:
Attachment attachment_name is infected with virus virus_name , attachment denied
14 Gateway AntiVirus for E-mail
Monitoring Gateway AntiVirus Activity
Monitoring Gateway AntiVirus Activity
You can monitor Gateway AntiVirus with the logging tools. The
Firebox System Manager includes reports and real-time log message monitors.
When Gateway AntiVirus scans an attachment or identifies a virus and removes an attachment, it records a log message in the log file.
These are example Gateway AntiVirus log messages in the Simple Log format:
Meaning
The Firebox scanned an attachment that does not contain a virus.
Message
AV: attachment filename is clean
Where filename is the name of the file that is scanned
AV: attachment filename is infected with virus virusname , denying attachment
Where filename scanned, and
is the file that is
is the name of the virus that is detected.
AV: attachment size not scanned due to size, denying attachment
The Firebox scanned an attachment and found a virus.
The attachment was removed.
Gateway AntiVirus found a file that exceeds the size limit, and removed it. This occurs when
Gateway AntiVirus is configured to strip attachments that exceed the maximum size.
The example below shows a debugging log. In addition to the messages listed above, it includes log messages that describe the operation of each step that Gateway AntiVirus.
12/03/04 11:09 smtp-proxy[197]: Entering InitAV
12/03/04 11:09 smtp-proxy[197]: [60.100.253.9:4847 10.9.9.3:25] removing ESMTP keyword "PIPELINING"
12/03/04 11:09 smtp-proxy[197]: [60.100.253.9:4847 10.9.9.3:25] removing ESMTP keyword "VRFY"
12/03/04 11:09 smtp-proxy[197]: [60.100.253.9:4847 10.9.9.3:25] removing ESMTP keyword "ETRN"
12/03/04 11:09 smtp-proxy[197]: [60.100.253.9:4847 10.9.9.3:25] removing ESMTP keyword "XVERP"
12/03/04 11:09 smtp-proxy[197]: AV: attachment avnormal.txt will be scanned
12/03/04 11:09 avd[138]: Accepted client on 10
12/03/04 11:09 smtp-proxy[197]: AV: received response, response is / tmp/clamav/s0 4096
Gateway AntiVirus for E-mail 15
12/03/04 11:09 smtp-proxy[197]: AV: socket setup complete
12/03/04 11:09 smtp-proxy[197]: AV: entering AVCleanSpace
12/03/04 11:09 smtp-proxy[197]: AV: scan file path /tmp/clamav/s0/
1197, av state 0, max file size 4194304
12/03/04 11:09 smtp-proxy[197]: AV: attachment encoding is base64
12/03/04 11:09 smtp-proxy[197]: AV: write to disk complete, bytes written 33537
12/03/04 11:09 smtp-proxy[197]: AV: scan command is "scan default 197 / tmp/clamav/s0/1197"
12/03/04 11:09 smtp-proxy[197]: AV: scan response is "clean 197"
12/03/04 11:09 smtp-proxy[197]: AV: attachment avnormal.txt is clean
12/03/04 11:09 smtp-proxy[197]: mail from address
12/03/04 11:09 smtp-proxy[197]: rcpt to address
12/03/04 11:09 smtp-proxy[197]: AV: base64 encode attachment
12/03/04 11:09 smtp-proxy[197]: AV: attachment read from disk (33537) and written to socket (46071)
12/03/04 11:09 smtp-proxy[197]: AV: antivirus scan done
12/03/04 11:09 smtp-proxy[197]: AV: entering AVCleanSpace
12/03/04 11:09 smtp-proxy[197]: AV: attachment avviral.txt will be scanned
12/03/04 11:09 smtp-proxy[197]: AV: scan file path /tmp/clamav/s0/
2197, av state 0, max file size 4194304
12/03/04 11:09 smtp-proxy[197]: AV: attachment encoding is base64
12/03/04 11:09 smtp-proxy[197]: AV: write to disk complete, bytes written 68
12/03/04 11:09 smtp-proxy[197]: AV: scan command is "scan default 197 / tmp/clamav/s0/2197"
12/03/04 11:09 smtp-proxy[197]: AV: scan response is "virus 197 Eicar-
Test-Signature"
12/03/04 11:09 smtp-proxy[197]: AV: antivirus action is deny
12/03/04 11:09 smtp-proxy[197]: AV: attachment avviral.txt is infected with virus Eicar-Test-Signature, denying attachment
12/03/04 11:09 smtp-proxy[197]: mail from address
12/03/04 11:09 smtp-proxy[197]: rcpt to address
12/03/04 11:09 smtp-proxy[197]: AV: antivirus scan done
12/03/04 11:09 smtp-proxy[197]: AV: entering AVCleanSpace
16 Gateway AntiVirus for E-mail
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
advertisement
Table of contents
- 3 Contents
- 5 WatchGuard Gateway AntiVirus™ Guide
- 6 About Virus Signatures
- 6 Gateway AntiVirus Procedures
- 7 Installing Gateway AntiVirus
- 8 Enabling Gateway AntiVirus
- 9 Getting Gateway AntiVirus Status and Updates
- 9 Seeing Gateway AntiVirus status
- 9 Updating Gateway AntiVirus signatures
- 10 Updating the antivirus engine
- 10 Clear Gateway AntiVirus statistics
- 11 Renew Gateway AntiVirus Licenses
- 11 AntiVirus License expiration
- 11 Configuring Gateway AntiVirus System Settings
- 12 Configure Gateway AntiVirus
- 13 Configuring Gateway AntiVirus in the SMTP Proxy
- 13 Add an SMTP Proxy with Gateway AntiVirus
- 16 Configure Gateway AntiVirus for an existing SMTP Proxy
- 18 Using Gateway AntiVirus with More Than One Proxy
- 18 Gateway AntiVirus Headers
- 19 Monitoring Gateway AntiVirus Activity