NG Firewall Protect Apps

Firewall

Firewall provides traditional firewall functionality, blocking and/or flagging traffic based on rules.

The term "Firewall" has grown to encompass many functionalities and meanings. It is often used interchangeably with router, gateway, and Unified Threat Management (UTM). Even the NG Firewall is a "next-gen" firewall. There are also host-based firewalls that run on the local host computer.

The "Firewall" app is a traditional firewall used to block and/or flag TCP and UDP sessions passing through the NG Firewall using rules. The Firewall app provides the same functionality as the traditional "firewall" - the ability to use rules to control which computers communicate on a network.

Settings

This section discusses the different settings and configuration options available for Firewalls.

Status

This displays the current status and some statistics.

Figure 1. Apps Firewall Status

Rules

The Rules tab allows you to specify rules for blocking, Passing, or Flagging traffic that crosses the NG Firewall.

The Rules documentation describes how rules work and how they are configured. The Firewall uses rules to determine whether to block/pass a specific session and whether it is flagged. Flagging a session marks it in the logs for review in the event logs or reports but has no direct effect on network traffic.

Typically, the NG Firewall is installed as a NAT/gateway device or behind another NAT/gateway device in bridge mode. In this scenario, all inbound sessions are blocked by NAT except for those explicitly allowed with port forwards. Because of this, the Firewall does not block anything by default. It is up to you to decide the best fit for your network, whether you only want to block specific ports or block everything and allow only a few services.

Rule Actions
  • Pass: Allows the traffic that matches the rule to flow.
  • Block: Blocks the traffic that matches the rule.

Additionally, a session can be flagged. If the Flag is checked, the event is flagged in the event log for easier viewing. The flag is always enabled if the action is blocked.

Figure 2. Apps Firewall Rules

Firewall Reports

The Reports tab provides a view of all reports and events for all traffic handled by Firewall.

Reports

This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports and custom reports created will be listed.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined Report Queries

Report Entry Description
Firewall Summary A summary of firewall actions.
Scanned Sessions The amount of scanned, flagged, and blocked sessions over time.
Top Scanned Hostnames The number of scanned session grouped by hostname.
Top Flagged Hostnames The number of flagged session grouped by hostname.
Top Blocked Hostnames The number of blocked sessions grouped by hostname.
Top Scanned Clients The number of scanned session grouped by client.
Top Flagged Clients The number of flagged session grouped by client.
Top Blocked Clients The number of blocked session grouped by client.
Top Scanned Usernames The number of scanned session grouped by username.
Top Flagged Usernames The number of flagged session grouped by username.
Top Blocked Usernames The number of blocked session grouped by username.
Top Scanned Server Ports The number of scanned session grouped by server (destination) port.
Top Flagged Server Ports The number of flagged session grouped by server (destination) port.
Top Blocked Server Ports The number of blocked session grouped by server (destination) port.
All Events All events scanned by Firewall App.
Flagged Events Events flagged by Firewall App.
Blocked Events Events blocked by Firewall App.

The tables queried to render these reports:

Related Topics

Intrusion Prevention

Intrusion Prevention is an Intrusion Detection system that detects malicious activity on your network.

Intrusion Prevention uses signatures to detect malicious activity, drawing upon a known attack pattern database. If a session matches a signature, its enabled action directs Intrusion Prevention to Log (records the incident but does not stop the activity) or Block (records the incident and does stop the activity).

There is tremendous diversity between networks, and it is possible for a signature to correctly identify malicious activity on one network and incorrectly match legitimate traffic on another. Logging all matching signatures can make it difficult to monitor Intrusion Prevention effectively, and blocking can disrupt legitimate traffic, causing your network to appear broken. Therefore, it is legitimate for there to be many signatures set as disabled or not active in Intrusion Prevention. You are advised to use the recommended actions specified by the signature database providers.

The database contains over 40,000 signatures, making managing signatures difficult. Rules are used to configure groups of signatures based on matching various attributes. A condition can match an attribute, such as a class type. All signatures that match are configured in Intrusion Prevention according to the rule action. Any signature not matched by a rule is Disabled. A default set of rules based on system memory is enabled by default.

The signature database is automatically updated several times a week. New and updated rules are configured according to the rules.

The Intrusion Prevention All Events log records all detected activity for enabled signatures. You should review this log daily.

Note: Intrusion Prevention installs but is off by default.
Note: Intrusion Prevention can be memory intensive and requires at least 2GB of RAM. The amount used combines the number of enabled signatures and the amount of traffic that goes through your system.

Settings

When To Scan

Intrusion Prevention can be run before or after other network processing. Which option depends largely on your reasons for using Intrusion Prevention.

When other Network Processing is selected (the default), IPS sees all traffic, even if it will subsequently be dropped by the firewall. This means IPS will see much malicious activity, such as port scans and intrusion attempts on the public IP addresses on almost all networks, even though that traffic will ultimately be dropped. The advantage of this approach is that Intrusion Prevention sees and logs everything, providing the most complete picture. The disadvantage is that it usually logs so much that the Intrusion Prevention event log quickly becomes ignored because it logs thousands of events daily, which is normal.

IPS only scans traffic passing through the firewall when other Network Processing is selected. For most networks where an NG firewall is running with a public IP and doing NAT and only port forwarding select or no traffic at all, this will be extremely different from scanning "prerouting." The advantage of this mode is that IPS will only scan/log on traffic that is entering your network and, therefore, ignores a lot of the standard "noise" from incoming port scans and vulnerability scans that just get dropped at the firewall and logs only on traffic that should potentially concern the administrator. Another advantage is that it fully allows bypass traffic to work as expected. The disadvantage of this mode is that it provides a less complete picture of activity on the public interface, and it no longer logs attempts that just get dropped.

Status

The Status tab shows the following information:
  • Memory Usage: The amount of system memory the IPS engine uses compared to your installed system memory.
  • Metrics: The number of blocked, logged, and scanned sessions.
  • Overview: Signatures and Signature Updates.
    1. Signatures: Total number of signatures available and the number set for Log, Block, Disabled.
    2. Updates: The last time the signature database was updated and the last time a check was performed. Database updates do not occur on each check.
      Figure 3. Apps Intrusion-Prevention Status

Rules

Rules allow you to control which signatures are enabled (and their actions) or disabled. For each signature, the rules are evaluated in order, and the action from the first matching rule is used to determine the status of that signature. The Intrusion Prevention rules are the mechanism that determines which signatures are enabled and what their associated actions are. These rules have no impact on network traffic and are not evaluated against packets, sessions, or network traffic in any manner.

Any signature not matched by any rule is disabled.

The Rules documentation describes how rules generally work and how they are configured. The major difference between the Intrusion Prevention and Conditions List is that.

At the bottom of the tab, a status bar indicates the number of signatures affected by the currently defined rules.

When adding or editing a rule, the bottom of the edit window will show how many signatures are affected by the conditions as you build the rule.

Figure 4. Apps Intrusion-Prevention Rules

Rule Conditions

Conditions define which signatures will match the rule. If and only all conditions match, the rule is considered a match.

The following conditions are specific to Intrusion Prevention rules:

Name Syntax Function
Signature identifier Numeric Matches if the value matches the exact or partial signature identifier.
Group identifier Numeric Matches if the value matches the exact or partial group identifier.
Category Checkbox Matches if the value is in one of the checked categories.
Classtype Checkbox Matches if the value is in one of the checked classtypes.
Message Text Matches if the value matches the exact or partial signature subject message.
Protocol Checkbox Matches if the value is in one of the checked protocols.
Source Address Text Matches if the value matches the exact or partial source address.
Source Port Text Matches if the value matches the exact or partial source port.
Destination Address Text Matches if the value matches the exact or partial destination address.
Destination Port Text Matches if the value matches the exact or partial destination port.
Signature Text Matches if the value matches the exact or any part of the entire signature.
Custom Boolean Matches if the value is a custom signature.
Recommended Action Select Matches if the value is a signature's recommended action.
System Memory Numeric Matches if system memory matches this value.

Rule Actions

When all conditions are met, signatures will be configured into Intrusion Prevention as follows:

Action Function
Recommended Each signature will use its specific Recommended Action. If that Recommended Action is disabled, it will not be enabled.
Enable Log Each signature will be enabled to log.
Enable Block if Recommended is Enabled Only if the signature's Recommended Action is Log will the signature be configured for Block. Use this for "wide" condition matches like classtype.
Enable Block Each signature will be enabled to block. Use this for "narrow" matches like sid and gid.
Disable Each signature will be disabled and not used by Intrusion Prevention.
Whitelist Each signature's Source and/or Destination networks will be modified to exclude networks defined by the selected variables.

Signatures

The Signature tab shows the entire database of signatures, both the defaults set provided as well as any custom signatures you may add.

Figure 5. Apps Intrusion-Prevention Signatures

Navigation

By default, signatures are grouped by classtype, and you can expand the groups to view the individual signatures.

To better find specific signatures, you can use the Filter to select signature fields and the match you're looking for. The grid view will change to show those signatures matching the filter.

If your filter returned one or more matches, you can create a rule from the filter by clicking Create Rule.

Mousing over a grid cell will show appropriate information related to that cell. For example, if you mouse over the Rule Action cell, you'll see which rule is affecting this signature.

Custom Signatures

You may create and maintain your signatures, but most use the default database.

If you want to add custom signatures you can do so either by clicking Add.

Alternatively, if you want to create a new custom signature on an existing signature, you can click Copy then edit that copy.

Note: Don't be tempted to copy a signature to change its Recommended Action. Create a Rule instead!

Variables

This tab provides administrators access to Suricata variables. These variables are used in rules to specify criteria for the source and destination of a packet.

Suricata's most important variable is $HOME_NET. $HOME_NET defines the network or networks you are trying to protect - it is computer automatically based on your network configuration - it includes all local networks (including aliases). Under nearly every circumstance, you will want to leave these values as-is.

Using the Add button, custom variables can be added. Adding variables may be used by users who are adding their own rules. This should only be attempted by advanced users with a strong knowledge of Suricata signature creation.

Figure 6. Apps Intrusion-Prevention Variables

Bypass Rules

Bypass rules enable you to configure traffic that should not be scanned by Intrusion Prevention. The Rules documentation describes how rules generally work and how they are configured.

Figure 7. Apps Intrusion-Prevention Bypass-Rules

Updates

The signature database is checked automatically every night. Updates are typically released 2-3 times a week. The signature database does not affect custom signatures. New signatures will be integrated into Intrusion Prevention according to defined rules.

All Events

The All Events report shows all enabled signature matches found by Intrusion Prevention.

If there are signatures that are currently set to an action of Log and you determine the signature should be blocked, you can click the Block button on the far right. The Block button is disabled for any signature that is already blocked.

Figure 8. Reports Cat Intrusion-prevention Rep All-events

Intrusion Prevention Reports

The Reports tab provides a view of all reports and events for all traffic handled by Intrusion Prevention.

Reports

This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Table 1. Pre-defined Report Queries
Report Entry Description
Intrusion Prevention Summary A summary of intrusion detection and prevention actions.
Intrusion Detection (all) The amount of detected and blocked intrusions over time.
Intrusion Detection (logged) The amount of detected intrusions over time.
Intrusion Detection (blocked)

The amount of blocked intrusions over time.

Top Rules (all) The number of intrusions detevted by rule.
Top Rules (logged) The number of intrusions logged by rule.
Top Rules (blocked) The number of intrusions blocked by rule.
Top Signatures (all) The number of intrusions detected by signature.
Top Signatures (logged) The number of intrusions logged by signature.
Top Signatures (blocked) The number of intrusions blocked by signature.
Top Classtypes (all) The number of intrusions detected by classtype.
Top Classtypes (logged) The number of intrusions logged by classtype.
Top Classtypes (blocked) The number of intrusions blocked by classtype.
Top Categories (all) The number of intrusions detected by category.
Top Categories (logged) The number of intrusions logged by category.
Top Categories (blocked) The number of intrusions blocked by category.
Top Source IP Addresses (all) The number of intrusions detected by source IP address.
Top Source IP Addresses (logged) The number of intrusions logged by source IP address.
Top Source IP Addresses (blocked) The number of intrusions blocked by source IP address.
Top Source Ports (all) The number of intrusions detected by source port.
Top Source Ports (logged) The number of intrusions logged by source port.
Top Source Ports (blocked) The number of intrusions blocked by source port.
Top Destination IP Addresses (all) The number of intrusions detected by destination IP address.
Top Destination IP Addresses (logged) The number of intrusions logged by destination IP address.
Top Destination IP Addresses (blocked) The number of intrusions blocked by destination IP address.
Top Destination Ports (all) The number of intrusions detected by destination port.
Top Destination Ports (logged) The number of intrusions logged by destination port.
Top Destination Ports (blocked) The number of intrusions blocked by destination port.
Top Protocols (all) The number of intrusions detected by protocol.
Top Protocols (logged) The number of intrusions logged by protocol.
Top Protocols (blocked) The number of intrusions blocked by protocol.
All Events All sessions scanned by Intrusion Prevention.
Logged Events All sessions matching Intrusion Prevention signatures and logged.
Blocked Events All sessions matching Intrusion Prevention signatures are blocked.

The tables queried to render these reports:

Related Topics

Phish Blocker

Phish Blocker protects users from phishing attacks over email (SMTP). It inspects emails for fraudulent emails, also known as phish. A phishing email attempts to acquire sensitive information such as passwords and credit card details by masquerading as a trustworthy person or business in an official electronic communication, such as an email.


Settings

This section discusses the different settings and configuration options available for Phish Blocker.

Status

This displays the current status and some statistics.


Email

These settings apply only to the scanned SMTP messages.
  • Scan SMTP: This enables or disables SMTP scanning.
  • Action: The action was taken regarding the message if the spam score is high enough.

If set to Mark, "[Phish]..." will be prepended to the email subject line and delivered. If set to Pass, the message will be delivered as originally sent. The drop will inform the sending server the mail was successfully delivered, but the NG Firewall will drop the mail, so it is never delivered. Quarantine will send the mail to users' email quarantine for them to release or delete as they see fit. For more information, refer to Quarantine.


Phish Blocker Reports

The Reports tab provides a view of all reports and events for all traffic handled by Phish Blocker.

Reports

This applications reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Table 2. Pre-defined Report Queries:
Report Entry Description
Phish Blocker Summary A summary of phish blocking actions for email activity.
Email Usage (all) The amount of scanned, clean, and phish email over time.
Email Usage (scanned) The amount of scanned email over time.
Email Usage (clean) The amount of clean email over time.
Email Usage (phish) The amount of phish email over time.
Phish Ratio The ratio of phish (true) to ham (false)
Top Phish Recipients The number of email addresses with phish.
Top Phish Sender Addresses The number of IP addresses sending phish.
All Email Events All email sessions are scanned by Phish Blocker.
All Phish Events All email sessions are detected as phishing attempts.
Quarantined Events All email sessions are detected as phishing attempts and quarantined.
The tables queried to render these reports:

Related Topics

Threat Prevention

Threat Prevention blocks potentially harmful traffic from entering or exiting the network. This app can prevent cyber attacks on your servers (e.g., web, VoIP, and email). It is also useful to prevent data loss if users mistakenly try to connect to a phishing site or other malicious host.


Threat Prevention uses Threat Intelligence technology managed by Webroot BrightCloud®. Webroot BrightCloud® assesses each IP address and provides it a reputation score—the reputation score results from running an IP address through BrightCloud’s sensor network. The Sensor Network analyzes the IP address based on real-time Global Threat Databases that are kept up to date with new and emerging threats. The Threat Prevention app queries the BrightCloud® service, requesting the reputation score and historical data of each IP address or URL. The session may be blocked Based on the IP address or URL rating. The Threat Prevention app default blocks sessions with a "High Risk" rating. IP addresses or URLs rated as High Risk may be associated with the following types of attacks:
  • Spam Sources - IP addresses involved in tunneling spam messages through a proxy, anomalous SMTP activities, and forum spam activities.
  • Windows Exploits - IP addresses that distribute malware, shell code, rootkits, worms, or viruses on Windows platforms.
  • Web Attacks - IP addresses using cross-site scripting, iFrame injection, SQL injection, cross-domain injection, or domain password brute force attacks to target vulnerabilities on a web server.
  • Botnets - IP addresses acting as Botnet Command and Control (C&C) centers and infected zombie machines controlled by the C&C servers.
  • Denial of Service - The Denial of Service category includes DOS, DDOS, anomalous sync flood, and anomalous traffic detection.
  • Scanners - IP addresses involved in unauthorized reconnaissance activities such as probing, host scanning, port scanning, and brute force login attempts.
  • Phishing - IP addresses hosting phishing sites and sites related to fraudulent activities.
  • TOR Proxy - IP addresses acting as exit nodes for the TOR Network. Exit nodes are the last point along the proxy chain and directly connect to the originator’s intended destination.
  • Proxy - IP addresses providing proxy services, including VPN and open web proxy services.
  • Mobile Threats - Denial of service, packet sniffing, address impersonation, and session hijacking.

Settings

This section discusses the different settings and configuration options available for Threat Prevention.

Status

The Status screen shows the running state of Threat Prevention and relevant metrics, such as the number of blocked sessions and high-risk threats.

Figure 9. Threat Prevention Status

Threats

You can review the threshold for IP Addresses and URL Threats in the Threats tab. The recommended and default Reputation Threshold is "High Risk." "High Risk" is the only setting that should be deployed without reviewing and understanding the implications on network traffic. 'Suspicious" will block significantly more network traffic than "High Risk" will block.

Figure 10. Threat Prevention Threats

Pass Sites

The Pass Sites tab allows you to specify IP Addresses or URLs to exclude from Threat Prevention lookups to ensure they are permitted by this app.

Figure 11. Threat Prevention Pass Sites

Rules

The Rules tab allows you to specify rules for blocking, Passing, or Flagging traffic that crosses the NG Firewall.

The Rules describe how rules work and how they are configured. Threat Prevention uses rules to determine to block/pass the specific session and if the session is flagged. Flagging a session marks it in the logs for review in the event logs or reports, but has no direct effect on the network traffic.

In addition to all the common rule types, four are unique to Threat Prevention, and these can be useful for making exceptions to the general *Reputation Threshold* setting.
  • Client address reputation: The reputation value of a source IP address returned by the Webroot BrightCloud® service. This applies to incoming connections from the Internet to open services on your network.
  • Server address reputation: The reputation value of a destination IP address returned by the Webroot BrightCloud® service. This applies to outgoing connections to the Internet from hosts on your network.
  • Client address category: The reputation category of a source IP address returned by the Webroot BrightCloud® service. This applies to incoming connections from the Internet to open services on your network.
  • Server address category: The reputation category of a destination IP address returned by the Webroot BrightCloud® service. This applies to outgoing connections to the Internet from hosts on your network.

Rule Actions

  • Pass: Allows the traffic that matches the rule to flow.
  • Block: Blocks the traffic that matches the rule.

Additionally, a session can be flagged. If the flag is checked, the event is flagged for easier viewing in the event log. The flag is always enabled if the action is blocked.

Figure 12. Threat Prevention Rules

Threat Lookup

Threat Lookup enables you to get threat information from an IP address or URL. This is useful for validating afterward or confirming the reputation and other details of the IP address or URL in advance. Enter an IP Address or URL in the input field and click Search to get information.

Figure 13. Threat Prevention Threat Lookup

Threat Results

Result Description
Address/URL The IP Address or URL you requested to search.
Country The country where the IP Address or URL originates.
Popularity The popularity of the IP Address or URL is based on the volume of lookups.
Recent Threat Count The number of recent occurrences in which the IP Address or URL has been associated with a threat.
Age The amount of time since the IP Address or URL was first noticed.
Reputation The IP Address or URL's reputation is determined by the Webroot BrightCloud reputation service.
Details A description of the Reputation value.

Advanced

The Advanced section enables you to configure additional Threat Prevention options.
Custom block page URL:

Set an external location to redirect users when denied access to a web site by Threat Prevention. This is useful if you want your server to process the denial differently than the built-in denial options.

Enabling this option will only redirect internal/outbound traffic to your custom page. It will not function to redirect external/inbound traffic (such as Port Forwarded traffic).

Block Options:
Close connection for blocked HTTPS sessions without redirecting to the block page If enabled, secure sites blocked by Threat Prevention do not redirect the user to a denial page and close the connection without any notice to the user. This is useful when you are not using SSL Inspector, and the server's root certificate is not installed on the client device.
Figure 14. Threat Prevention Advanced

Threat Prevention Reports

This applications reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports

Reports can be searched and further defined using the time selectors and the Condition window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:

Report Entry Description
Web Traffic Summary A summary of web Threat Prevention actions.
Non-Web Traffic Summary A summary of non-web Threat Prevention actions.
Web Top Scanned Threats The number of web scanned sessions to servers grouped by threat reputation.
Web Top Blocked Threats The number of web blocked sessions to servers grouped by threats reputation.
Web Top Scanned Categories The number of other scanned sessions to servers grouped by threat.
Web Top Blocked Categories The number of web sessions blocked grouped by threat.
Web Top Blocked Countries Top blocked web sessions to servers grouped by country.
Web Top Scanned Hosts The number of web scanned sessions grouped by server.
Web Top Blocked Hosts The number of web blocked session grouped by client.
Non-Web Top Scanned Threats (by client) The number of non-web scanned sessions from clients grouped by threat reputation.
Non-Web Top Blocked Threats (by client) The number of non-web blocked sessions from clients grouped by threat reputation.
Non-Web Top Scanned Threats (by server) The number of non-web scanned sessions to servers grouped by threat reputation.
Non-Web Top Blocked Threats (by server) The number of non-web blocked sessions to servers grouped by threat reputation.
Non-Web Top Scanned Categories (by client) The number of non-web scanned sessions from clients grouped by threat.
Non-Web Top Blocked Categories (by client) The number of non-web blocked sessions from clients grouped by threat.
Non-Web Top Scanned Categories (by server) The number of non-web scanned sessions to servers grouped by threat.
Non-Web Top Blocked Categories (by server) The number of non-web blocked sessions to servers grouped by threat.
Non-Web Top Blocked Countries (by client) Top non-web blocked sessions from clients grouped by country.
Non-Web Top Blocked Countries (by server) Top non-web blocked sessions to servers grouped by threat.
Non-Web Top Scanned Clients The number of non-web scanned session grouped by client.
Non-Web Top Blocked Clients The number of non-web blocked session grouped by client.
Non-Web Top Scanned Servers The number of non-web scanned sessions grouped by server.
Non-Web Top Blocked Server The number of non-web blocked session grouped by client.
All Web Events Shows all scanned web requests.
Blocked Web Events Shows all blocked web requests.
Non-Web All Events All non-web events are scanned by Threat Prevention.
Non-Web Blocked Events Non-web events are blocked by Threat Prevention.
The tables queried to render these reports:

Virus Blocker

Virus Blocker transparently scans your HTTP, FTP, and SMTP traffic to protect your network from viruses, trojans, and other malware. It scans within archives such as zip, rar, tar, gzip, bzip2 (and more).


As files are downloaded onto the network, Virus Blocker scans downloads using many technologies:
  1. It will collect metadata about the file and query the NG Firewall threat intelligence database for information about the file based on its fingerprint.
  2. A local scan using Bitdefender's signature database will run on the server while the cloud lookup is performed.
  3. A heuristic scan looks for suspicious patterns in executable files.
  4. Dynamic analysis is performed by evaluating code in an emulator and looking for malicious activity.

If the download fails any of the above tests, it is considered malware, and the download is blocked.

Settings

This section discusses the different settings and configuration options for virus scanners.

Status

This displays the current status and some statistics.

Figure 15. Virus Blocker Status

Scan Options

Scan options configure what network traffic and content to scan.
  • Scan HTTP: This turns HTTP scanning on or off.
  • Scan SMTP: This option enables the scanning of SMTP message attachments.
  • Action: If a virus is found, the selected action will be taken on a message.
  • Setting Action to Remove Infection will remove the infected attachment and wrap the original email for delivery to the intended recipient. If set to Pass Message, the original message will be wrapped and delivered with the attachment intact. In both cases, the subject line is prepended with "[VIRUS]." Block will block the message from being delivered.
  • Scan FTP: This turns scanning of FTP downloads on or off.
    Figure 16. Virus Blocker Scan Options

Pass Sites

This section allows you to specify sites that are not scanned. The list uses the Glob Matcher syntax.

Note: Use caution when adding sites to this list!
For each protocol, the behavior is as follows:
  • HTTP0: Match the HTTP Host header.
  • FTP: Match the server IP address or domain address (if a reverse DNS address exists).
  • Email: Match the client or server IP address or domain address (if a reverse DNS address exists).
    Figure 17. Virus Blocker Pass Sites

Advanced

Advanced settings can tune specific behavior of virus blockers.

The first option is to turn certain scanners on/off. When a virus blocker scans a file, it is scanned by multiple engines, a local antivirus engine, and the cloud ScoutIQ™ engine.

Using all available engines is recommended.

Figure 18. Virus Blocker Advanced

File Extensions

File extensions configure which HTTP files will be scanned. The defaults are the recommended values. However, in some cases, you may want to add or remove certain file extensions.

An understsanding of security tradeoffs and pragmatism is essential before changing these settings. Unlike other URL-based scanning of other apps like Web Filter, Virus Blocker runs an in-depth analysis of the file, including signatures, heuristics, and emulation. Unlike host-based antivirus, the gateway is a unique resource shared among the whole network, and it cannot scan on-exec as it does not know what the client plans to execute. Scanning is expensive, and turning on certain extensions (like .png files) can damage the network. Analyzing reports to see how many scans are being done and if those resources are being spent on worthwhile scan resources is a good exercise. It is common to see millions of scans of some application update.

MIME Types

Similar to file extensions, this lists the MIME types to be scanned, regardless of extension. The same logic and warnings apply here as well.

Virus Blocker Reports

The Reports tab provides a view of all reports and events for all traffic handled by Virus Blocker.

Reports

This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports and custom reports created will be listed.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:

Report Entry Description
Virus Blocker Web Summary A summary of virus blocking actions for web activity.
Virus Blocker FTP Summary A summary of virus blocking actions for FTP activity.
Virus Blocker Email Summary A summary of virus blocking actions for Email activity.
Web Usage (all) The amount of scanned and blocked web requests over time.
Web Usage (scanned) The amount of scanned web requests over time.
Web Usage (blocked) The amount of blocked web requests over time.
Web Top Blocked Viruses The top web virus is blocked.
Web Top Blocked Clients The top web clients by blocked virus count.
Web Top Blocked Sites The top web sites by blocked virus count.
Web Top Scanned Sites The top web sites by scan count.
FTP Usage (all) The amount of scanned and blocked FTP requests over time.
FTP Usage (scanned) The amount of scanned FTP requests over time.
FTP Usage (blocked) The amount of blocked FTP requests over time.
FTP Top Blocked Viruses The number of blocked viruses by FTP activity.
FTP Top Blocked Clients The number of clients with blocked viruses by FTP activity.
FTP Top Blocked Sites The number of clients with blocked viruses by FTP activity.
Email Usage (all) The amount of scanned and blocked email over time.
Email Usage (scanned) The amount of scanned email over time.
Email Usage (blocked) The amount of blocked email over time.
Email Top Blocked Viruses The number of blocked viruses by Email activity.
Email Top Blocked Clients The number of clients with blocked viruses by Email activity.
Email Top Blocked Sites The number of clients with blocked viruses by Email activity.
Scanned Web Events All HTTP sessions scanned by Virus Blocker.
Infected Web Events Infected HTTP sessions are blocked by Virus Blocker.
Clean Web Events Scanned HTTP sessions are marked clean.
Scanned Email Events All email sessions scanned by Virus Blocker.
Infected Email Events Infected email sessions are blocked by Virus Blocker.
Clean Email Events Scanned email sessions are marked clean.
Scanned FTP Events All FTP sessions scanned by Virus Blocker.
Infected FTP Events Infected FTP sessions are blocked by Virus Blocker.
Clean FTP Events Scanned FTP sessions are marked clean.
The tables queried to render these reports:

Related Topics

Virus Blocker Lite

Virus Blocker Lite transparently scans your HTTP, FTP, and SMTP traffic to protect your network from viruses, trojans, and other malware. It scans within archives such as zip, rar, tar, gzip, bzip2 (and more).

Virus Blocker Lite is based on an open-source virus scanner, Clam AV. Clam AV is well-known for its speed and accuracy.

Settings

This section discusses the different settings and configuration options available for the virus scanners.

Status

This displays the current status and some statistics.


Scan Options

Scan options configure what network traffic and content to scan.
  • Scan HTTP: This turns HTTP scanning on or off.
  • Scan SMTP: This option enables the scanning of SMTP message attachments.
  • Action: If a virus is found, the selected action will be taken on a message.
    1. Setting Action to Remove Infection will remove the infected attachment and wrap the original email for delivery to the intended recipient.
    2. If set to Pass Message, the original message will be wrapped and delivered with the attachment intact.
      Note: The subject line is prepended with [VIRUS] in both cases.
    3. Block will block the message from being delivered.
    4. Scan FTP: This turns scanning of FTP downloads on or off.

Pass Sites

This section allows you to specify sites that are not scanned. The list uses the Glob Matcher syntax.

Note: Use caution when adding sites to this list!
For each protocol, the behavior is as follows:
  • HTTP: Match the HTTP Host header.
  • FTP: Match the server IP address or domain address (if a reverse DNS address exists).
  • Email: Match the client or server IP address or domain address (if a reverse DNS address exists).

Advanced

Advanced settings can tune specific behavior of virus blockers.

The first option is to turn certain scanners on/off. When a virus blocker scans a file, it is scanned by multiple engines, a local antivirus engine, and the cloud ScoutIQ™ engine.

Using all available engines is recommended.


File Extensions

File extensions configure which HTTP files will be scanned. The defaults are the recommended values. However, in some cases, you may want to add or remove certain file extensions.

An understanding of security tradeoffs and pragmatism is essential before changing these settings. Unlike other URL-based scanning of other apps like Web Filter, Virus Blocker runs an in-depth analysis of the file, including signatures, heuristics, and emulation. Unlike host-based antivirus, the gateway is a unique resource shared among the whole network. Furthermore, unlike host-based antivirus, it cannot scan-on-exec as it has no knowledge of what the client plans to execute. Scanning is expensive, and turning on certain extensions (like .png files) can damage the network. Analyzing reports to see how many scans are being done and if those resources are being spent on worthwhile scan resources is a good exercise. It is common to see millions of scans of some application's update.

MIME Types

This is similar to file extensions, but it lists the MIME types to be scanned regardless of extension. The same logic and warnings apply here as well.

Virus Blocker Lite Reports

The Reports tab provides a view of all reports and events for all traffic handled by Virus Blocker Lite.

Reports

This applications reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Table 3. Pre-Defined Report Queries
Report Entry Description
Virus Blocker Lite Web Summary A summary of virus blocking actions for web activity.
Virus Blocker Lite FTP Summary A summary of virus blocking actions for FTP activity.
Virus Blocker Lite Email Summary A summary of virus blocking actions for Email activity.
Web Usage (all) The amount of scanned and blocked web requests over time.
Web Usage (scanned) The amount of scanned web requests over time.
Web Usage (blocked) The amount of blocked web requests over time.
Web Top Blocked Viruses The top web virus is blocked.
Web Top Blocked Clients The top web clients by blocked virus count.
Web Top Blocked Sites The top web sites by blocked virus count.
Web Top Scanned Sites The top web sites by scan count.
FTP Usage (all) The amount of scanned and blocked FTP requests over time.
FTP Usage (scanned) The amount of scanned FTP requests over time.
FTP Usage (blocked) The amount of blocked FTP requests over time.
FTP Top Blocked Viruses The number of clients with blocked viruses by FTP activity.
FTP Top Blocked Clients The number of clients with blocked viruses by FTP activity.
FTP Top Blocked Sites The number of clients with blocked viruses by FTP activity.
Email Usage (all) The amount of scanned and blocked email over time.
Email Usage (scanned) The amount of scanned email over time.
Email Usage (blocked) The amount of blocked email over time.
Email Top Blocked Viruses The number of blocked viruses by Email activity.
Email Top Blocked Clients The number of clients with blocked viruses by Email activity.
Email Top Blocked Sites The number of clients with blocked viruses by Email activity.
Scanned Web Events All HTTP sessions are scanned by Virus Blocker Lite.
Infected Web Events Infected HTTP sessions are blocked by Virus Blocker Lite.
Clean Web Events Scanned HTTP sessions are marked clean.
Scanned Email Events All email sessions are scanned by Virus Blocker Lite.
Infected Email Events Infected email sessions are blocked by Virus Blocker Lite.
Clean Email Events Scanned email sessions are marked clean.
Scanned FTP Events All FTP sessions are scanned by Virus Blocker Lite.
Infected FTP Events Infected FTP sessions are blocked by Virus Blocker Lite.
Clean FTP Events Scanned FTP sessions are marked clean.
The tables queried to render these reports:

Related Topics

Virus Blockers Common

This section discusses the different settings and configuration options available for the virus scanners.

Status

This displays the current status and some statistics.


Scan Options

Scan options configure what network traffic and content to scan.
  • Scan HTTP: This turns HTTP scanning on or off.
  • Scan SMTP: This option See rule description. The scanning of SMTP message attachments.
  • Action: If a virus is found, the selected action will be taken on a message.
    • Setting Action to Remove Infection will remove the infected attachment and wrap the original email for delivery to the intended recipient. If set to Pass Message, the original message will be wrapped and delivered with the attachment intact. In both cases, the subject line is prepended with "[VIRUS]." Block will block the message from being delivered.
  • Scan FTP: This turns scanning of FTP downloads on or off.

Pass Sites

This section allows you to specify sites that are not scanned. The list uses the Glob Matcher syntax.

Note: Use caution when adding sites to this list!
For each protocol, the behavior is as follows:
  • HTTP: Match the HTTP Host header.
  • FTP: Match the server IP address or domain address (if a reverse DNS address exists).
  • Email: Match the client or server IP address or domain address (if a reverse DNS address exists).

Advanced

Advanced settings can tune specific behavior of virus blockers.

The first option is to turn certain scanners on/off. When a virus blocker scans a file, it is scanned by multiple engines, a local antivirus engine, and the cloud ScoutIQ™ engine.

Using all available engines is recommended.


File Extensions

File extensions configure which HTTP files will be scanned. The defaults are the recommended values. However, in some cases, you may want to add or remove certain file extensions.

An understanding of security tradeoffs and pragmatism is essential before changing these settings. Unlike the other URL-based scanning of other apps like Web Filter, Virus Blocker runs in depth analysis of the file, including signatures, heuristics, and emulation. Unlike host-based antivirus, the gateway is a unique resource shared among the whole network, andit has no ability to scan-on-exec as it has no knowledge of what the client plans to execute, unlike host-based antivirus. Scanning is expensive, and turning on certain extensions (like .png files) can cripple the network. Analyzing reports to see how many scans are being done and if those resources are being spent on worthwhile scan resources is a good exercise. It is not uncommon to see millions of scans of some application's update.

MIME Types

Similar to file extensions, but this lists the MIME types to be scanned, regardless of extension. The same logic and warnings apply here as well.