Before you Begin
- You must have a Malware and an Advanced Threat Detection license subscription. For more information, see Licensing.
- Verify that you have configured a System Notification Email address. For more information, see How to Configure the System Email Notification Address.
- Verify that you have enabled malware protection for the HTTP proxy. For more information, see How to Configure Malware Protection in the HTTP Proxy.
- Verify that all file types you want to scan with ATD are not listed in the Virus Scan Exceptions. For more information, see How to Configure Malware Protection in the HTTP Proxy.
Step 1. Configure ATD Scan Policy and Risk Threshold
Configure the ATD scan policy to determine if the user will have to wait for scanning to complete before the file is forwarded.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Virus Scanner > Virus Scanner Settings.
- Click Lock.
- In the left menu, click ATD.
- In the ATD Scan Policy section, select the Global Policy: Deliver First, then Scan – The user receives the file immediately. If malware is found, the quarantine policy applies.
- If needed, set the individual scan policies for each file type:
- Apply Global Policy (default)
- Do Not Scan – This file type is not scanned and immediately forwarded to the user.
- Deliver First, then Scan – The user receives the file immediately. If malware is found the quarantine policy applies.
- Scan First, then Deliver – The user is redirected to a scanning page. After the scan is complete the download starts.
- In the ATD Threats section, select the Block Threats policy:
- High Only – Files classified as high risk are blocked.
- High and Medium (Default) – Files classified as high or medium risk are blocked.
- High, Medium and Low – Files classified as high, medium or low risk are blocked. Only files with classification None are allowed.
- Set Send Notification Emails to:
- No – No notification emails are sent when malware is found.
- To System Notification Email (Default) – A notification email is sent to the system notification email address. For more information, see How to Configure the System Email Notification Address.
- To Explicit Address – Enter the Explicit Email Address and Explicit SMTP Server the Barracuda NG Firewall will use to send the notification emails.
- (optional) Set the ATD Data Retention (in days). This value determines how long scanned files are kept on the system before they are deleted.
- Click Send Changes and Activate.
Step 2. Enable ATD in the Firewall, Configure Automatic Quarantine Policy and Quarantine for the HTTP Proxy
You must enable ATD in the security policy of the forwarding firewall and enable the quarantine for the HTTP proxy.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Security Policy.
- Click Lock.
- In the Advanced Threat Detection section click Enable ATD in the firewall.
- Select the Automatic Blacklist Policy:
- No auto quarantining – No connections are blocked.
- User only – All connections by the infected user are blocked regardless of the source IP address.
- User@IP (AND) – All connections originating from the infected source IP address and the infected user are blocked.
- User, IP (OR) – All connections coming from the infected source IP address and/or the infected user are blocked.
- Select the Enable Quarantine for HTTP Proxy checkbox.
- Click Send Changes and Activate.
Step 3. Create an Automatic Quarantining Access Rule
To block users and/or IP addresses, you must create an access rule using the ATD User Quarantine network object. Place the Deny or Block rule before any other access rules handling traffic for these IP addresses and/or users. Enable Transparent Redirect on Port 80 to redirect HTTP traffic from quarantined users or IP addresses to the custom quarantine block page. Non-HTTP traffic is simply blocked or denied.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
- Click Lock.
- Create a new access rule:
- Action – Select Deny or Block.
- Source – Select ATD User Quarantine network object.
- Destination – Select Any (0.0.0.0/0) network object.
- Service – Select Any.
- In the left menu, click Advanced.
- In the Miscellaneous section, set Block Page for TCP 80 to Quarantine Page.
- Click OK.
- Place the access rule so that no rule before it matches the same traffic.
- Click Send Changes and Activate.
Quarantine Management
Manually Placing a User and/or IP Address in Quarantine
If you are not using an automatic quarantine policy, the administrator can also place a user in quarantine manually.
- Go to FIREWALL > ATD.
- Click the Scanned Files tab.
- Double click the malicious file. The ATD File Details window opens.
- In the File Download section, select the user in the list.
- Click Quarantine. The Select Quarantine Policy window opens.
- Select the Quarantine Policy:
- Block only Users – Place the user in quarantine, but not the source IP address.
- Block only IP Addresses – Place the IP address in quarantine, but not the user.
- Block User @ IP (logic AND) – Place user@IP address in quarantine. Both user and IP address have to match.
- Block User, IP (logic OR) – Place the user and IP address in quarantine. Either the user or the IP address has to match.
- Click OK.
The user and/or IP address is now in the ATD User Quarantine network object (click the Quarantine tab to verify). Create an access rule using the ATD User Quarantine network object to block connections to and from the infected users and/or IP addresses.
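The four quarantine policies above and the Automatic Blacklist Policy from Step 2 share the same matching logic: a quarantine entry records a user, a source IP, or both, and the policy decides which of them has to match a later connection. The following added Python model (not Barracuda's code) makes that decision explicit so you can check what a given entry would block; the user names and IP addresses are constructed sample values.

```python
# Added example (not Barracuda code): models how the ATD User Quarantine
# network object decides whether a connection is blocked under each policy.
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address
from typing import Iterable, Optional


class Policy(Enum):
    NONE = "No auto quarantining"      # Step 2 only: nothing is blocked
    USER_ONLY = "User only"            # manual: Block only Users
    IP_ONLY = "IP only"                # manual: Block only IP Addresses
    USER_AND_IP = "User@IP (AND)"      # manual: Block User @ IP (logic AND)
    USER_OR_IP = "User, IP (OR)"       # manual: Block User, IP (logic OR)


@dataclass(frozen=True)
class Entry:
    user: Optional[str]   # None when the infected download was unauthenticated
    ip: Optional[str]
    policy: Policy


def auto_entry(policy: Policy, user: Optional[str], ip: str) -> Optional[Entry]:
    """Entry the Automatic Blacklist Policy would add after a malware hit."""
    if policy is Policy.NONE:
        return None
    return Entry(user, ip, policy)


def matches(e: Entry, user: Optional[str], ip: str) -> bool:
    """True if a connection by `user` from `ip` is blocked by entry `e`."""
    user_hit = e.user is not None and user is not None and e.user.lower() == user.lower()
    ip_hit = e.ip is not None and ip_address(e.ip) == ip_address(ip)
    if e.policy is Policy.USER_ONLY:
        return user_hit                 # any source IP, as long as the user matches
    if e.policy is Policy.IP_ONLY:
        return ip_hit                   # any user, as long as the source IP matches
    if e.policy is Policy.USER_AND_IP:
        return user_hit and ip_hit      # both must match
    if e.policy is Policy.USER_OR_IP:
        return user_hit or ip_hit       # either is enough
    return False


def is_quarantined(entries: Iterable[Entry], user: Optional[str], ip: str) -> bool:
    """The access rule using the quarantine object matches if any entry matches."""
    return any(matches(e, user, ip) for e in entries)
```

Note that under User, IP (OR) an unauthenticated connection from the infected IP is still blocked, while under User only it is not; this is the trade-off between catching shared-host infections and locking out everyone behind a NAT address.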
Removing a User and/or IP Address from Quarantine
- Go to FIREWALL > ATD.
- Click the Quarantine Tab.
- Right click the user or IP address you want to remove from quarantine.
- Click Remove from Quarantine.
The user and/or IP address is removed from the quarantine network object.
Download a Scan Report
You can download a short or a long version of the scan report.
- Go to FIREWALL > ATD.
- Double click the scanned file.
- Click Download Report and select the report type:
- Summary Report
- Full Report