SonicOS 7.1 Objects

Anti-Virus

SonicWall Gateway Anti-Virus (GAV) service delivers real-time virus protection directly on the SonicWall network security appliance by using SonicWall's IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the SonicWall gateway. Building on SonicWall's reassembly-free architecture, SonicWall GAV inspects multiple application protocols, as well as generic TCP streams, and compressed traffic. Because SonicWall GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis.

SonicWall GAV delivers threat protection by matching downloaded or emailed files against an extensive and dynamically updated database of threat virus signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are created and added to the database by a combination of SonicWall's SonicAlert Team, third-party virus analysts, open source developers, and other sources.

SonicWall GAV can be configured to protect against internal threats as well as those originating outside the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based protocols, to provide you with comprehensive network threat prevention and control. Because files containing malicious code and viruses can also be compressed and therefore inaccessible to conventional anti-virus solutions, SonicWall GAV integrates advanced decompression technology that automatically decompresses and scans files on a per-packet basis.

SonicWall GAV parses supported email protocols for the header fields To, CC, and BCC. The information in these fields is displayed and logged in Capture ATP for both sender and receiver.

To configure an Anti-Virus Security Action Profile

  1. Navigate to OBJECT | Action Profiles > Security Action Profile.
  2. Do one of the following:

    • Add a new Security Action Profile.

      1. Click the Add icon.
      2. Enter an Action Profile Name.
    • Edit an existing Security Action Profile.

      Hover over an existing Security Action Profile and click the Edit icon.

  3. Click the Anti-Virus tab.

  4. Enable Gateway Anti-Virus to enable the SonicWall Gateway Anti-Virus service.

  5. Select the Anti-Virus Profile to be used to build an action profile.

    Global Settings

    To apply the rules defined by SonicOS.

    Profile Settings

    To customize the rules for a specific requirement.

  6. Select the profile to be applied to Prevent and Log from the respective drop-down menus.

    Prevent

    To restrict the transfer of files with specific attributes. Enabling Prevent restricts data file transfers for each protocol, except the TCP Stream.

    Log

    To keep a record of your SonicWall Gateway Anti-Virus traffic.

    You can select the default or custom Profiles created on OBJECT | Profile Objects > Anti-Virus > Anti-Virus Profiles page. For more information, refer to Adding Gateway Anti-Virus Profiles.

  7. Set the ANTI-VIRUS PROFILE options.

    Enable Cloud Gateway Anti-Virus Database

    To enable SonicWall Anti-Virus protection using the cloud-hosted Gateway Anti-Virus database.

    Inbound Inspection

    To inspect all inbound HTTP, FTP, IMAP, SMTP, and POP3 traffic.

    By default, SonicWall Gateway Anti-Virus inspects all inbound HTTP, FTP, IMAP, SMTP, and POP3 traffic. Within the context of SonicWall Gateway Anti-Virus, enabling Inbound Inspection protocol traffic handling refers to:

    • Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted zone destined to any zone.
    • Non-SMTP traffic from a Public zone destined to an Untrusted zone.
    • SMTP traffic initiating from a non-Trusted zone destined to a Trusted, Wireless, Encrypted, or Public zone.
    • SMTP traffic initiating from a Trusted, Wireless, or Encrypted zone destined to a Trusted, Wireless, or Encrypted zone.
    Outbound Inspection

    To inspect all outbound HTTP, FTP, SMTP, and TCP traffic.

  8. Set the APPLICATION PROTOCOL SETTINGS options.

    Restrict Transfer of password-protected Zip files

    To restrict the transfer of password-protected ZIP files over any enabled protocol. This option only functions on protocols (for example, HTTP, FTP, SMTP) that are enabled for inspection.

    Restrict Transfer of MS-Office type files containing macros (VBA 5 and above)

    To restrict the transfer of any MS-Office 97 and above files that contain VBA macros.

    Restrict Transfer of packed executable files (UPX, FSG, etc.)

    To restrict the transfer of packed executable files.

    Packers are utilities that compress and sometimes encrypt executables. Although there are legitimate applications for these, they are also sometimes used with the intent of obfuscation, so as to make the executables less detectable by anti-virus applications. The packer adds a header that expands the file in memory, and then executes that file.

    SonicWall Gateway Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and ASPack. Additional formats are dynamically added along with SonicWall Gateway Anti-Virus signature updates.

    Disable SMTP Responses

    To suppress the sending of e-mail messages (SMTP) to clients from SonicWall Gateway Anti-Virus when a virus is detected in an e-mail or attachment.

    Disable detection of EICAR Test Virus

    To suppress the detection of the EICAR test file.

    The EICAR Standard Anti-Virus Test file is a special virus simulator file that checks and confirms the correct operation of the SonicWall Gateway Anti-Virus service.

    Enable HTTP Byte-Range requests with Gateway AV

    To allow byte serving, the process of sending only a portion of an HTTP message or file.

    The SonicWall Gateway Anti-Virus security service, by default, suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly of potentially malicious content. This is done by terminating the connection and thus preventing the user from receiving the malicious payload. By enabling this setting you can override the default behavior.

    This option is selected by default.

    Enable FTP 'REST' requests with Gateway AV

    To allow the use of the FTP REST request to retrieve and reassemble sectional messages and files.

    The Gateway Anti-Virus service, by default, suppresses the use of the FTP REST (restart) request to prevent the sectional retrieval and reassembly of potentially malicious content. This is done by terminating the connection and thus preventing the user from receiving the malicious payload. By enabling this setting you override this default behavior.

    Do not scan parts of files with high compression rates

    To suppress the scanning of files, or parts of files, that have high compression rates.

  9. Click Save.
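The Inbound Inspection zone rules listed under step 7 are easy to misread, so the following added example (not SonicWall code) models them as a small classifier that an administrator can use to predict which flows Gateway AV treats as inbound. Zone names follow the page; "non-Trusted" is read literally as any zone other than Trusted, and the sample flows are constructed, not taken from a real appliance.

```python
"""Added example (not SonicWall code): models the Inbound Inspection zone rules
from step 7 so an administrator can predict which flows Gateway AV treats as
inbound. Zone names follow the page; "non-Trusted" is read literally as any
zone other than Trusted. The flows at the bottom are constructed samples."""

TRUSTED_LIKE = frozenset({"Trusted", "Wireless", "Encrypted"})

def is_inbound_inspected(protocol: str, src_zone: str, dst_zone: str) -> bool:
    """True if the flow falls under Inbound Inspection per the four rules."""
    if protocol.upper() == "SMTP":
        # Rule 3: SMTP from a non-Trusted zone to Trusted/Wireless/Encrypted/Public.
        if src_zone != "Trusted" and dst_zone in TRUSTED_LIKE | {"Public"}:
            return True
        # Rule 4: SMTP between Trusted/Wireless/Encrypted zones.
        return src_zone in TRUSTED_LIKE and dst_zone in TRUSTED_LIKE
    # Rule 1: non-SMTP initiated from Trusted/Wireless/Encrypted to any zone
    # (the client inside pulls the file, so the payload arrives inbound).
    if src_zone in TRUSTED_LIKE:
        return True
    # Rule 2: non-SMTP from Public (e.g. a DMZ) to Untrusted.
    return src_zone == "Public" and dst_zone == "Untrusted"

def split_flows(flows):
    """Partition (protocol, src, dst) tuples into inspected / not-inspected lists."""
    inspected, skipped = [], []
    for flow in flows:
        (inspected if is_inbound_inspected(*flow) else skipped).append(flow)
    return inspected, skipped

# Constructed sample flows, not from any real appliance log.
SAMPLE_FLOWS = [
    ("HTTP", "Trusted", "Untrusted"),   # LAN user downloads from the Internet
    ("FTP", "Wireless", "Public"),      # WLAN client pulls from the DMZ
    ("HTTP", "Public", "Untrusted"),    # DMZ server fetches from the Internet
    ("HTTP", "Untrusted", "Public"),    # Internet client hits a DMZ web server
    ("SMTP", "Untrusted", "Public"),    # Internet MTA delivers to DMZ mail relay
    ("SMTP", "Trusted", "Untrusted"),   # LAN MTA sends mail out (outbound only)
    ("SMTP", "Wireless", "Encrypted"),  # mail between two internal zones
]

if __name__ == "__main__":
    hit, miss = split_flows(SAMPLE_FLOWS)
    print("Inbound-inspected:", hit)
    print("Not covered by Inbound Inspection:", miss)
```

Flows that land in the second list are the ones for which Outbound Inspection must be enabled if you want them scanned at all.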
