The following are enabled:
Other global settings
- Guest accounts are disabled
- IWSVA uses IP address as the User ID method
- The Quarantine folder is located at /var/iwss/Quarantine
Application Control
HTTPS Decryption
HTTP Inspection
- HTTP Scanning is disabled by default
- HTTP Inspection has six default filters
- All filters' default action is "Allow (Scan)"
HTTP virus scanning
- HTTP Scanning is enabled
- No files are blocked
- All files are scanned
- Block compressed files with more than 50,000 files when expanded
- Block compressed files that will be larger than 200 MB when expanded
- Block compressed files with more than 10 layers of compression
- IWSVA handles large files as follows:
- Web Reputation is enabled
- Application Control is enabled
- No application is blocked in the global policy.
- The allow and block logs are disabled.
- The block log interval is five minutes.
Virus scanning actions
- Clean virus-infected files
- Delete harmful files that cannot be cleaned, for example, worms and Trojans
- Pass (ignore) password-protected files
- Ignore files containing macros
Java scanning (Malicious Mobile Code (MMC) module)
- Valid signature, trusted certificate: Pass applet
- Valid signature, flagged certificate: Block applet
- No signature: Open applet and examine code
- Invalid signature: Block applet
- IWSVA validates an applet signature by checking the expiration date of all certificates in the chain
- IWSVA strips certificates that it cannot verify (trust)
- IWSVA allows an applet to connect back to the originating server
- It does not allow an applet to write or read data on a local disk, or to bind to a local port
Additional behaviors:
- Applets cannot create new thread groups
- Applets cannot create unlimited threads (maximum 8)
- Applets cannot create unlimited active windows (maximum 5)
- Applets are left unsigned after instrumentation
ActiveX security rules and settings
- For the .cab file type, IWSVA will block flagged and invalid signatures
- For these file types (.exe, .ocx), IWSVA will block invalid signatures
- Check the expiration date of the signing certificate
- Check the revocation status of the certificate
- If unable to check the revocation status, set status to valid
URL filtering policies
- URL filtering is enabled
- If you select the "block w/override" action, the default password is blank. You must enter a password.
- If you select the "time limit" action, the default time limit is 0 minutes.
- Global and guest policies block the following sites (under the company prohibited rule):
  - Known "Dialer" sites
  - Disease vectors
  - Known virus accomplice content
  - Illegal drug content
  - Violence, hate, and racism content
  - Adult/mature content
  - Nudity, Intimate Apparel/Swimsuit
  - Sex Education
  - Pornography
- The setting of Safe Search is off for each search engine
URL Access Control
FTP scanning
- FTP scanning is enabled (uploads and downloads)
- No files are blocked
- All files are scanned
- Block compressed files with more than 50,000 files when expanded
- Block compressed files that will be larger than 200 MB when expanded
- Block compressed files with more than 10 layers of compression
- IWSVA handles large files as follows:
Virus scanning actions
- Clean virus-infected files
- Encrypts quarantined files
- Does not scan spyware/grayware
- Deletes harmful files that cannot be cleaned (such as worms and Trojans)
- Quarantines password-protected files
- Ignores files that contain a macro
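
The three compressed-file limits listed under HTTP virus scanning and FTP scanning (50,000 files, 200 MB, 10 layers) guard against archives that expand far beyond their transfer size. The following is an added example, not IWSVA code, of enforcing those limits on a ZIP archive without trusting the sizes declared in its headers. The function names are hypothetical, and it assumes ZIP input only, counts accumulated across all nested layers, and 1 MB = 2**20 bytes.

```python
import io
import zipfile

# Default limits from the HTTP and FTP scanning lists above.
MAX_FILES = 50_000             # files when expanded
MAX_BYTES = 200 * 1024 * 1024  # 200 MB when expanded (1 MB = 2**20 bytes: assumption)
MAX_LAYERS = 10                # layers of compression

class Blocked(Exception):
    """Raised as soon as one limit is exceeded, so expansion stops early."""

def _walk(data, layer, totals, limits):
    max_files, max_bytes, max_layers = limits
    if layer > max_layers:
        raise Blocked("layers")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            totals["files"] += 1
            if totals["files"] > max_files:
                raise Blocked("files")
            # Ignore the declared size (it can be forged); read only up to
            # the remaining byte budget plus one byte.
            with zf.open(info) as member:
                body = member.read(max_bytes - totals["bytes"] + 1)
            totals["bytes"] += len(body)
            if totals["bytes"] > max_bytes:
                raise Blocked("size")
            if zipfile.is_zipfile(io.BytesIO(body)):
                _walk(body, layer + 1, totals, limits)

def check_archive(data, max_files=MAX_FILES, max_bytes=MAX_BYTES, max_layers=MAX_LAYERS):
    """Return 'scan' or 'block:<reason>' for a ZIP held in memory."""
    totals = {"files": 0, "bytes": 0}  # accumulated across all layers (assumption)
    try:
        _walk(data, 1, totals, (max_files, max_bytes, max_layers))
    except Blocked as why:
        return f"block:{why}"
    return "scan"

def make_zip(members):
    """Build a constructed sample ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

An archive nested 11 deep returns `block:layers` after reading only a few hundred bytes, because the walk aborts at the first exceeded limit instead of expanding everything first.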
Reports and Logs
- Stores report logs to database, purges those older than 30 days
- Includes performance data
- Purges logs older than five days
Updates
- Checks hourly for bot pattern, Smart Scan Agent pattern, Protocol Information Extraction pattern, virus, spyware, IntelliTrap, and IntelliTrap exception updates
- Checks weekly for scan engine, Advanced Threat Scan Engine, and URL filtering engine updates
Notifications