Virus/Malware Scan Rules

HTTP > Advanced Threat Protection > Policies | Policy List or Add | Virus/Malware Scan Rule
IWSVA can scan HTTP traffic for viruses and nonvirus threats, and can block certain content from entering the LAN according to its file type. Create multiple policies to have IWSVA apply different scan criteria to different user groups within your organization.
  • Advanced Threat Scan—Checks for less conventional threats, including document exploits. Some detected files might be benign and may only require further observation and analysis in a virtual environment. Select Block or Monitor.
  • Block These File Types—You can have IWSVA block certain file types before the transfer starts; blocked files are neither scanned nor delivered to the client.
    • Check the box of a category to select all file types in that category.
    • Click "Show Details" and uncheck the file types that should be allowed within a checked category.
  • Scan These File Types—For the greatest protection against Internet threats, Trend Micro recommends that you scan all file types.
    • All scannable files: All files are scanned; determination of file type is based on file name only, but because all files are scanned, the type is irrelevant.
    • IntelliScan: Only files of a type known to be potentially harmful are scanned; determination of file type is based on the internal file property.
    • Selected file extensions: Only files of the type you specify are scanned; determination of file type is based on filename only.
    • MIME content type to skip: By default, IWSVA skips some MIME types during virus scanning to improve performance and the user experience with streaming audio and video applications. The skip decision is keyed on the Content-Type the server declares (see "Enable MIME type validation" below for checking the actual content).
    To change the default behavior and scan one of these MIME types, remove it from the "MIME content type to skip" exception list. Types skipped by default include:
    • application/vnd.rn-realmedia
    • audio/wav
    • audio/x-wav
    • audio/Microsoft-wave
    • audio/mpeg
    • audio/x-mpeg
    • audio/mid
    • image/gif
    • image/jpeg
    • image/png
    • image/x-xbitmap
    • image/x-icon
    • image/vnd.microsoft.icon
    • video/avi
    • video/mpeg
    • video/quicktime
    • video/x-ms-asf
    • video/x-ms-wmv
    • video/x-msvideo
    • Enable MIME type validation: Validation performs a true-file-type check on the MIME stream, so a response whose declared Content-Type is on the skip list but whose content is actually of another type (for example, an executable served as image/gif) is still scanned. Not all MIME types can be detected accurately, however. If false positives occur, disable MIME type validation; IWSVA then relies on the Content-Type header declared by the server.
  • IntelliTrap—Detects potentially malicious code in real-time compressed (packed) executable files that arrive with HTTP data. Virus writers often attempt to circumvent virus filtering by using different file compression schemes. IntelliTrap provides heuristic evaluation of compressed files that helps reduce the risk that a virus compressed with these methods will enter the network through the Web. Compressed executable files that IntelliTrap flags as malicious receive the action specified on the Action tab. IntelliTrap is enabled by default.
  • Compressed File Handling—Compressed files pose a special security risk: they often contain many files (any one of which could be harmful), they can be password protected to thwart scanning, they can contain hundreds of compression layers that slow or stall processing, and attackers can use them to smuggle harmful code past the scanner or to take control of the system.
  • Large File Handling—When transferring large files, users might notice a lag, or the client browser could time out while IWSVA scans the file. The impact is usually not noticeable on transfers smaller than 100 MB, but the exact tipping point depends on bandwidth, hardware, proxy performance, compression layers, and file size.
    A percentage of the data IWSVA receives from the server is sent to the browser in chunks without scanning. The last chunk is sent to the browser, completing the download, only after the entire file has been received and scanned. Sending smaller chunks keeps the IWSVA-to-browser connection alive and shows end users the download progress. Note that bytes already passed through cannot be recalled; withholding the final chunk is what prevents the client from obtaining a complete file when the scan finds a threat.
  • Quarantined File Handling—Trend Micro recommends that you encrypt all quarantined files. The default quarantine directory is:
    /var/iwss/quarantine
    You can change the location in the Administration > IWSVA Configuration > Quarantine Management page.
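The following is an added example, not code from IWSVA or Trend Micro, illustrating the "Scan These File Types" decisions described above: the skip list keyed on the declared Content-Type, the true-file-type check that MIME type validation adds, and the difference between extension-based selection and IntelliScan-style content-based selection. The magic-number table, the set of "risky" types, the function names and the sample response bodies are all assumptions constructed for the example.

```python
"""Skip-list vs. true-file-type scan decisions for HTTP responses (added example)."""
from typing import Optional, Tuple

# Default "MIME content type to skip" entries from the list above, normalised to lower case.
MIME_SKIP_LIST = {
    "application/vnd.rn-realmedia",
    "audio/wav", "audio/x-wav", "audio/microsoft-wave", "audio/mpeg", "audio/x-mpeg", "audio/mid",
    "image/gif", "image/jpeg", "image/png", "image/x-xbitmap", "image/x-icon", "image/vnd.microsoft.icon",
    "video/avi", "video/mpeg", "video/quicktime", "video/x-ms-asf", "video/x-ms-wmv", "video/x-msvideo",
}

# Small magic-number table standing in for the appliance's true-file-type engine (assumption).
MAGIC = (
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"MZ", "application/x-msdownload"),  # DOS/PE executable header
    (b"PK\x03\x04", "application/zip"),
    (b"%PDF-", "application/pdf"),
)

# Types an IntelliScan-style selection would treat as "potentially harmful" (assumption).
RISKY_TYPES = {"application/x-msdownload", "application/zip", "application/pdf"}


def sniff(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unrecognised."""
    for signature, mime in MAGIC:
        if body.startswith(signature):
            return mime
    return None


def should_scan(content_type: str, body: bytes, validate_mime: bool = True) -> Tuple[bool, str]:
    """Decide whether a response goes to the virus scanner.

    Responses whose declared Content-Type is on the skip list bypass scanning,
    unless MIME type validation is on and the actual bytes contradict the header.
    """
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared not in MIME_SKIP_LIST:
        return True, f"scan: declared type {declared} is not on the skip list"
    if not validate_mime:
        return False, f"skip: {declared} is on the skip list and the header is trusted"
    actual = sniff(body)
    if actual is None or actual == declared:
        # Unrecognised content is treated as consistent with the header. This is the
        # false-positive trade-off noted above: not every type can be detected reliably.
        return False, f"skip: {declared} is on the skip list and the content does not contradict it"
    return True, f"scan: header says {declared} but the content sniffs as {actual}"


def scan_by_extension(filename: str, selected: set) -> bool:
    """'Selected file extensions' mode: the decision rests on the file name alone."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in selected


def scan_by_intelliscan(body: bytes) -> bool:
    """IntelliScan-style mode: the decision rests on the internal file property."""
    return sniff(body) in RISKY_TYPES


if __name__ == "__main__":
    # Constructed response: declared as a GIF, but the body starts like a DOS/PE executable.
    fake_gif = b"MZ\x90\x00" + b"\x00" * 60
    print(should_scan("image/gif", fake_gif))
    print(should_scan("image/gif", fake_gif, validate_mime=False))
    print("by extension:", scan_by_extension("cat.gif", {"exe", "dll"}),
          "| by content:", scan_by_intelliscan(fake_gif))
```

With validation off, the mislabelled executable is skipped because the server said image/gif; with validation on, the sniffed type contradicts the header and the response is scanned. The extension-based check misses the same file because its name ends in .gif, which is why the text recommends scanning all file types.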
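The following is an added example, not code from IWSVA or Trend Micro, showing the checks that the "Compressed File Handling" item above describes: a cap on compression layers, a cap on member count and declared uncompressed size, a decompression-ratio check that rejects a bomb from its headers before anything is inflated, and detection of password-protected members that cannot be scanned. The limits, function names and the in-memory test archives are assumptions constructed for the example; the helper that sets the encryption flag patches zip headers by hand only because the standard library cannot write encrypted members.

```python
"""Compressed-file handling checks for an in-memory zip stream (added example)."""
import io
import zipfile
from typing import Any, Dict

# Hypothetical limits; the appliance configures its own thresholds elsewhere.
LIMITS = {
    "max_layers": 3,                       # nested archives deeper than this are blocked
    "max_entries": 1000,                   # archives with more members than this are blocked
    "max_uncompressed": 50 * 1024 * 1024,  # declared total uncompressed size
    "max_ratio": 100.0,                    # uncompressed:compressed above this looks like a bomb
}
ZIP_MAGIC = b"PK\x03\x04"
ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in the zip specification


def inspect_archive(data: bytes, limits: Dict[str, Any] = LIMITS, depth: int = 1) -> Dict[str, Any]:
    """Walk a zip (and any zips inside it) and return {"verdict", "reasons"}.

    Metadata checks run before any member is decompressed, so a decompression bomb
    is rejected on its headers; password-protected members are reported, not read.
    """
    reasons = []
    if depth > limits["max_layers"]:
        return {"verdict": "block", "reasons": [f"more than {limits['max_layers']} compression layers"]}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "block", "reasons": ["not a readable zip archive"]}
    with zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        total = sum(m.file_size for m in members)
        packed = sum(m.compress_size for m in members) or 1
        if len(members) > limits["max_entries"]:
            reasons.append(f"{len(members)} members exceeds limit")
        if total > limits["max_uncompressed"]:
            reasons.append(f"declared uncompressed size {total} exceeds limit")
        if total / packed > limits["max_ratio"]:
            reasons.append(f"compression ratio {total / packed:.0f}:1 exceeds limit")
        if reasons:
            return {"verdict": "block", "reasons": reasons}   # nothing inflated yet
        for m in members:
            if m.flag_bits & ENCRYPTED_FLAG:
                reasons.append(f"{m.filename} is password protected and cannot be scanned")
                continue
            content = zf.read(m)
            if content.startswith(ZIP_MAGIC):  # nested archive, whatever its name says
                inner = inspect_archive(content, limits, depth + 1)
                reasons.extend(f"{m.filename}: {r}" for r in inner["reasons"])
    return {"verdict": "block" if reasons else "pass", "reasons": reasons}


def make_zip(entries: Dict[str, bytes], compression: int = zipfile.ZIP_DEFLATED) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes, name: str) -> bytes:
    """Set the 'encrypted' flag on one member's local and central-directory headers.

    zipfile cannot write password-protected members, so the test data is patched by
    hand; a genuinely encrypted archive carries the same flag bit in the same place.
    """
    buf = bytearray(zip_bytes)
    target = name.encode()
    # (signature, flag offset, filename-length offset, filename offset) for each header kind
    for sig, flag_off, len_off, name_off in ((b"PK\x03\x04", 6, 26, 30), (b"PK\x01\x02", 8, 28, 46)):
        pos = buf.find(sig)
        while pos != -1:
            name_len = int.from_bytes(buf[pos + len_off:pos + len_off + 2], "little")
            if buf[pos + name_off:pos + name_off + name_len] == target:
                buf[pos + flag_off] |= ENCRYPTED_FLAG
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


if __name__ == "__main__":
    print(inspect_archive(make_zip({"zeros.bin": b"\0" * (4 * 1024 * 1024)})))
    print(inspect_archive(mark_encrypted(make_zip({"secret.txt": b"s" * 32}), "secret.txt")))
```

The ratio check is evaluated per layer from the central directory, so a 4 MiB run of zeros that deflates to a few kilobytes is refused without being inflated; nested archives are recognised by their leading bytes rather than by a .zip extension, and each layer counts toward the layer limit.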
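The following is an added example, not code from IWSVA or Trend Micro, simulating the "Large File Handling" behaviour described above: a fixed percentage of the object is forwarded to the client in chunks before any verdict exists, the remainder is held, and the final chunk is released only once the whole object has been scanned. The chunk size, pass-through percentage, stand-in scanner and marker string are assumptions constructed for the example.

```python
"""Trickle delivery of a large download while it is scanned (added example)."""
from typing import Callable, Tuple

# Constructed marker standing in for a signature hit; not a real detection string.
MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"


def looks_malicious(data: bytes) -> bool:
    """Stand-in scanner: reports a hit if the constructed marker appears anywhere."""
    return MARKER in data


def trickle_download(body: bytes, scanner: Callable[[bytes], bool],
                     chunk_size: int = 4096, pass_through_pct: int = 90) -> Tuple[bytes, bool]:
    """Forward up to pass_through_pct of the bytes unscanned as they arrive, hold the
    rest, and release the final part only if the complete object scans clean.

    Returns (bytes the client received, whether the download completed).
    """
    limit = len(body) * pass_through_pct // 100
    sent = bytearray()
    for off in range(0, len(body), chunk_size):
        chunk = body[off:off + chunk_size]
        if len(sent) + len(chunk) > limit:
            break                      # everything from here on waits for the verdict
        sent += chunk                  # delivered before any verdict exists
    clean = not scanner(body)          # scanning needs the whole object
    if clean:
        sent += body[len(sent):]       # final chunk completes the download
    return bytes(sent), clean


if __name__ == "__main__":
    body = bytes(range(256)) * 100                 # constructed 25,600-byte download
    bad = body[:-len(MARKER)] + MARKER             # same size, marker in the withheld tail
    for label, data in (("clean", body), ("malicious", bad)):
        got, done = trickle_download(data, looks_malicious)
        print(f"{label}: client received {len(got)} of {len(data)} bytes, completed={done}")
```

Running this shows the trade-off: the malicious download is never completed, but the client has already received every chunk that fit under the pass-through budget, so the partial file exists on the client before the verdict arrives. A smaller pass-through percentage leaks less but brings back the timeout problem the setting exists to avoid.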