The firewall scans web traffic for malware on a per-access-rule basis when virus scanning in the firewall is enabled. When a user downloads a file, the firewall intercepts and scans the file if it is smaller than the limit set in the large file policy and if the MIME type is listed in the Scanned MIME Types list. Files matching a MIME type exception are not scanned.

To avoid browser timeouts while downloading the file, a very small amount of data is trickled to the browser to keep the connection open. Data trickling ceases while the file is scanned by the virus scanner. If the large file watermark is set to a very high value, browser sessions might time out. In this case, decrease the large file policy value.

If the virus scanning service detects malware, the infected file is discarded, and the user is redirected to a customizable block page. The very small partial download from data trickling might still be present on the client. You can combine virus scanning with SSL Interception to also scan HTTPS connections.
Before You Begin
- To scan HTTPS traffic, enable SSL Interception. For more information, see How to Configure SSL Interception in the Firewall.
Step 1. Enable the Virus Scanner in the Firewall
- Go to FIREWALL > Settings.
- In the Firewall Policy Settings section, enable TCP Stream Reassembly.
- Make sure that Application Control is enabled.
- In the Virus Scanner section:
- Set Enable Virus Scanner to Yes.
- Set Enable for HTTP & HTTPS to Yes.
- (optional) Click Show to configure Advanced Options:
- Change the default behavior If Virus Scanning is not available.
- Block All – (default) Block all files.
- Allow All – All pages will be allowed.
- Configure the following settings:
- Block Large Files / Large File Limit – To block files that exceed the Large File Limit, enable Block Large Files. The large file policy is set to a sensible value for your appliance. The maximum value is 1024 MB. If disabled, large files will not be scanned. Instead, they will be delivered directly to the client.
- Scanned MIME Types – If applicable, you can add MIME types of files you want the firewall to scan to the Scanned MIME Types list. To add a file type, enter the file path and click +. To remove a file type, click - next to the file entry in the list. Click Reset to Defaults to restore the default list. For more information, see Default MIME Types in Virus Scanner.
- Exemptions – Define exemptions from scanning based on IP addresses and hostnames.
- Archives – Enable to scan archives and to block archive files that are encrypted and cannot be scanned.
- Data Trickling – Change how fast and how much data is transmitted. Change these settings if your browser times out while waiting for the file to be scanned.
- Click Save.
Step 2. Enable the Virus Scanner in Access Rules
Create or edit an access rule for the HTTP / HTTPS connections that you want to apply Virus Protection to. Virus Protection can be enabled for all Allow and DNAT rules.
- Go to FIREWALL > Access Rules.
- Create an access rule with the following settings:
- Action – Select Pass.
- Connection – Select Dynamic NAT.
- Source – Select Trusted LAN, and click +.
- Network Services – Select HTTP+S, and click +.
- Destination – Select Internet, and click +.
- Enable Application Control and Virus Scanner.
- (optional) Enable SSL Interception.
- Click Save.
Monitoring and Testing
You can test the Virus Scanner setup by downloading EICAR test files from http://www.eicar.com. The block page is customizable. For more information, see How to Configure Custom Block Pages and Texts.
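A repeatable version of the EICAR download test, as an added example that is not part of the original documentation or of the vendor's tooling: it fetches test-file URLs you supply from a client behind the firewall and classifies what actually reached the client. The function names are hypothetical, and the script assumes that trickled data is a leading fragment of the file and that the block page does not contain the full EICAR string.

```python
import http.client
import sys
import urllib.error
import urllib.request

# Standard 68-byte EICAR test string, split in two so that this script is
# not itself flagged when it is stored or transferred.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def fetch(url, timeout=60.0):
    """Download url; return (bytes received, error text or None)."""
    received = b""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            while chunk := resp.read(4096):
                received += chunk
    except urllib.error.HTTPError as exc:
        return exc.read(), None    # an HTTP error status still carries a body
    except (urllib.error.URLError, http.client.HTTPException, OSError) as exc:
        return received, repr(exc)  # keep whatever arrived before the error
    return received, None


def verdict(body, error=None):
    """Classify what reached the client for an EICAR download."""
    # Assumption: trickled bytes are a leading fragment of the file, and the
    # block page never contains the complete test string.
    if EICAR in body:
        return "delivered"          # file passed through unscanned
    if body and EICAR.startswith(body):
        return "trickled-fragment"  # blocked; only trickled bytes arrived
    if error and not body:
        return "inconclusive"       # timeout, TLS trust failure, no route
    return "blocked"                # block page or other replacement body


if __name__ == "__main__":
    # Usage: python3 check_av.py <test-file-url> [<test-file-url> ...]
    # Pass one HTTP and one HTTPS URL to cover SSL Interception as well.
    worst = 0
    for url in sys.argv[1:]:
        result = verdict(*fetch(url))
        print(f"{result:18} {url}")
        worst = max(worst, {"delivered": 2, "inconclusive": 1}.get(result, 0))
    sys.exit(worst)
```

An "inconclusive" result on an HTTPS URL usually means the client does not trust the SSL Interception certificate or the request timed out, so it should not be read as a successful block.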
To monitor detected viruses and malware, go to the BASIC > Recent Threats page.
To combine ATP with virus scanning, see Advanced Threat Protection (ATP).