The CloudGen Firewall scans web traffic for malware on a per-access-rule basis when Virus Scanning in the Firewall is enabled. When a user downloads a file, the firewall intercepts and scans the file if it is smaller than the Large File Watermark and if its MIME type is listed in the Scanned MIME types list. Files matching a MIME type exception are not scanned.

To avoid browser timeouts while the download is held back for scanning, a very small amount of data is trickled to the browser to keep the connection open. Data trickling stops while the virus scanner examines the file. Because a file is held in its entirety until the scan completes, a very high Large File Watermark can cause browser sessions to time out; in this case, lower the Large File Watermark value.

If the virus scanner detects malware, the infected file is discarded, and the user is redirected to a customizable block page. The very small partial download produced by data trickling might still be present on the client. You can combine virus scanning with TLS Inspection to also scan HTTPS connections.
Before You Begin
- Enable Application Control. For more information, see How to Enable Application Control.
- Create a Virus Scanner service. For more information, see Virus Scanner.
Step 1. Configure the Virus Scanner Engine(s)
Enable and configure the virus scanner. Barracuda CloudGen Firewall F18 and larger support the Avira AV engine.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Virus-Scanner > Virus Scanner Settings.
- Click Lock.
- Enable Avira AV by selecting Yes from the Enable Avira Engine list.
- Click Send Changes and Activate.
Step 2. Enable TLS Inspection and Virus Scanning in the Firewall
If you want to scan files that are transmitted over a TLS-encrypted connection, enable TLS Inspection in addition to Virus Scanning in the Firewall. Without TLS Inspection, only plain HTTP downloads are scanned.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Security Policy.
- Click Lock.
- Expand the Enable TLS Inspection drop-down list and enable TLS Inspection.
- Upload your root CA certificate, or create a self-signed Root Certificate.
- (Optional) Click the plus sign (+) in the Trusted Root Certificates section to add additional root certificates.
- In the Virus Scanner Configuration section, expand the drop-down list next to Enable Virus Scanning for, and select Yes for HTTP.
- In the Scanned MIME types list, add the MIME types of the files you want to scan. Default: <factory-default-mime-types> and <no-mime-types>. For more information, see Virus Scanning and ATP in the Firewall.
- (Optional) In the Scanned MIME types list, add MIME type exceptions. Prepend an "!" to a MIME type to exclude it from scanning, e.g., !application/mapi-http. Files matching an exception are forwarded without being scanned.
- (Optional) Change the Action if Virus Scanner is unavailable. This is the action applied to downloads that would otherwise be scanned while the Virus Scanner service cannot be reached.
- (Optional) Click Advanced:
- Large File Policy – Action taken if the file exceeds the size set as the Large File Watermark. Select Allow to forward the files unscanned; select Block to discard files that are too big to be scanned.
- Large File Watermark (MB) – The file size above which the Large File Policy applies. The default is a value appropriate for your appliance model; the maximum value is 4096 MB. Files above the watermark are never scanned, so with a Large File Policy of Allow they reach the client unchecked.
- Stream Scanning Buffer – Select the buffer size for HTTP/HTTPS streaming media using chunked transfer encoding. Select Small for faster response times, or Big to scan larger chunks before forwarding the stream to the client.
- Data Trickling Settings – Change how fast and how much data is transmitted. Change these settings if your browser times out while waiting for the file to be scanned.
- Click Send Changes and Activate.
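The following Python model is added here as an illustration; it is not Barracuda code and not part of the original article. It puts the Step 2 settings together as a single decision so you can reason about which downloads are actually scanned before a rule goes live: the Scanned MIME types list with its "!" exceptions, the Large File Watermark and Large File Policy, and the Action if Virus Scanner is unavailable. The function names, the Allow/Block option values for the unavailable action, the illustrative 256 MB default watermark, exact MIME matching after stripping parameters such as "; charset=", and the assumption that the large-file policy only applies to files that would otherwise be scanned are all assumptions made for the example, not statements from the page.

```python
"""Model of the per-rule virus-scan decision described in Steps 1 and 2.

Added example, not Barracuda code. It mirrors the documented behaviour so
that the interplay of the settings can be checked on realistic inputs.
Assumed, not taken from the page: exact MIME matching after the
"; charset=..." parameter is stripped, Allow/Block values for the
unavailable action, and that the large-file policy only applies to files
that would otherwise be scanned.
"""
from dataclasses import dataclass, field

SCAN = "scan"             # file is held and handed to the virus scanner
PASS_UNSCANNED = "pass"   # forwarded to the client without scanning
BLOCK = "block"           # discarded, client receives the block page


@dataclass
class VirusScanConfig:
    # Entries are "type/subtype" or "!type/subtype" for an exception.
    scanned_mime_types: list = field(default_factory=list)
    # Illustrative default; the real default depends on the appliance model.
    large_file_watermark_mb: int = 256
    large_file_policy: str = "Allow"       # "Allow" or "Block"
    action_if_unavailable: str = "Allow"   # assumed: "Allow" or "Block"


def normalize_mime(content_type: str) -> str:
    """'Application/PDF; charset=binary' -> 'application/pdf' (assumed normalization)."""
    return content_type.split(";", 1)[0].strip().lower()


def mime_is_scanned(config: VirusScanConfig, content_type: str) -> bool:
    """A listed MIME type is scanned unless a '!' exception matches; exceptions win."""
    mime = normalize_mime(content_type)
    included = False
    for entry in config.scanned_mime_types:
        entry = entry.strip()
        if entry.startswith("!"):
            if normalize_mime(entry[1:]) == mime:
                return False
        elif normalize_mime(entry) == mime:
            included = True
    return included


def decide(config: VirusScanConfig, content_type: str, size_mb: float,
           scanner_available: bool = True) -> str:
    """Return SCAN, PASS_UNSCANNED or BLOCK for one download."""
    if not mime_is_scanned(config, content_type):
        return PASS_UNSCANNED                      # not in scope of the scanner at all
    if size_mb > config.large_file_watermark_mb:
        return BLOCK if config.large_file_policy == "Block" else PASS_UNSCANNED
    if not scanner_available:
        return BLOCK if config.action_if_unavailable == "Block" else PASS_UNSCANNED
    return SCAN


if __name__ == "__main__":
    # Constructed sample configuration and downloads, not from a real appliance.
    cfg = VirusScanConfig(
        scanned_mime_types=["application/pdf", "application/x-msdownload",
                            "!application/mapi-http", "application/mapi-http"],
        large_file_watermark_mb=256,
        large_file_policy="Allow",
    )
    downloads = [
        ("application/pdf; charset=binary", 10),
        ("application/x-msdownload", 300),      # above watermark, Allow -> unscanned
        ("application/mapi-http", 1),           # exception wins over inclusion
        ("text/html", 1),                       # not listed -> never scanned
    ]
    for mime, size in downloads:
        print(f"{mime:<36} {size:>5} MB -> {decide(cfg, mime, size)}")
```

The second row is the one to watch: with the default Large File Policy of Allow, anything above the watermark is forwarded unscanned, so raising the watermark trades browser timeouts against scan coverage rather than removing the gap.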
Step 3. Edit an Access Rule to Enable Virus Scanning
Virus scanning can be enabled for all Pass and Dst NAT access rules.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
- Click Lock.
- Double-click the Pass or Dst NAT access rule you want to edit.
- Click the Application Policy link and select:
- Application Control – required.
- TLS Inspection – optional; required if HTTPS downloads matched by this rule are to be scanned.
- Virus Scan – required.
- If configured, select a policy from the TLS Inspection Policy drop-down list. For more information, see TLS Inspection in the Firewall.
- Click OK.
- Click Send Changes and Activate.
Monitoring and Testing
- Each file blocked by the virus scanner generates a 5005 Virus Scan file blocked event.
- Test the virus scan setup by downloading EICAR test files from http://www.eicar.com. If TLS Inspection is enabled, download over both HTTP and HTTPS so that both paths are verified. The block page is customizable. For more information, see How to Configure Custom Block Pages and Texts.
- To monitor detected viruses and malware, go to the FIREWALL > Threat Scan page.
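The following Python script is an added example, not Barracuda code and not part of the original article. It automates the EICAR check from a client behind the firewall: it fetches a plain-text EICAR test file over HTTP and over HTTPS and classifies each answer as passed (the complete 68-byte test file arrived), blocked (the HTML block page or only the few trickled bytes arrived) or inconclusive, then maps the HTTP/HTTPS pair onto the configuration step to revisit. The test-file URLs are assumed to be supplied by the operator (the page only names http://www.eicar.com), the classification uses a substring of the EICAR signature rather than the full test string, the wording of the block page is not assumed, and TLS verification is left on so the firewall's root CA from Step 2 must be trusted by the client.

```python
"""Verify the virus-scan setup with an EICAR download over HTTP and HTTPS.

Added example, not Barracuda code. Nothing here touches the network unless
fetch_and_classify() is called; classify_body() and diagnose() are pure
functions so the logic can be exercised with constructed responses.
Assumed: the test file is one of the plain (uncompressed) EICAR variants
and its URLs are supplied by the operator.
"""
import ssl
import sys
import urllib.error
import urllib.request

# Substring of the EICAR signature; enough to recognise an unfiltered copy
# without writing the complete test string into this file.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
EICAR_LENGTH = 68   # size of the canonical test file, trailing whitespace excluded

PASSED = "passed"               # scanner let the test file through
BLOCKED = "blocked"             # block page or truncated trickle: file discarded
INCONCLUSIVE = "inconclusive"


def classify_body(body: bytes, content_type: str = "") -> str:
    """Classify one HTTP response to the EICAR download."""
    if EICAR_MARKER in body and len(body.rstrip()) >= EICAR_LENGTH:
        return PASSED
    if "text/html" in content_type.lower() or b"<html" in body.lower():
        return BLOCKED          # the (customizable) block page was delivered
    if len(body) < EICAR_LENGTH:
        return BLOCKED          # only the data-trickling bytes arrived
    return INCONCLUSIVE


def fetch_and_classify(url: str, timeout: float = 60.0) -> str:
    """Download url and classify the result; TLS verification stays enabled."""
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, headers={"User-Agent": "eicar-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_body(resp.read(), resp.headers.get("Content-Type", ""))
    except urllib.error.HTTPError as exc:
        # A block page may be served with an error status; classify its body too.
        ctype = exc.headers.get("Content-Type", "") if exc.headers else ""
        return classify_body(exc.read(), ctype)


def diagnose(http_result: str, https_result: str) -> str:
    """Map the HTTP/HTTPS pair onto the configuration step to revisit."""
    if http_result == PASSED:
        return ("HTTP not scanned: check Virus Scan in the rule's Application Policy "
                "and the Scanned MIME types list")
    if http_result == BLOCKED and https_result == PASSED:
        return ("HTTPS not scanned: enable TLS Inspection in the Security Policy "
                "and select it in the rule's Application Policy")
    if http_result == BLOCKED and https_result == BLOCKED:
        return "virus scanning active for HTTP and HTTPS"
    return "inconclusive: repeat the download and check FIREWALL > Threat Scan"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: eicar_check.py <http-test-file-url> <https-test-file-url>")
    http_r = fetch_and_classify(sys.argv[1])
    https_r = fetch_and_classify(sys.argv[2])
    print(f"HTTP: {http_r}  HTTPS: {https_r}")
    print(diagnose(http_r, https_r))
```

A blocked download should also show up as a 5005 Virus Scan file blocked event and on the FIREWALL > Threat Scan page; if the script reports blocked but no event appears, the download was stopped by something other than the virus scanner.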
Next Steps
To combine ATP with virus scanning, see Advanced Threat Protection (ATP).