HTTP and FTP scanning

For HTTP and FTP traffic, objects (files) of selected types are scanned. Transmitted data is cached and checked by the antivirus program. If a virus is found, WinRoute drops the last cached part of the file instead of sending it to the client. The client therefore receives an incomplete (damaged) file that cannot be executed, so the virus cannot be activated.

Warning:

  1. The purpose of the antivirus check is only to detect infected files; it is not possible to heal them!

  2. If the antivirus check is disabled in HTTP and FTP filtering rules, objects and files matching the corresponding rules are not checked. For details, refer to chapters URL Rules and FTP Policy.

To set parameters of HTTP and FTP antivirus check, open the HTTP, FTP scanning tab in Configuration / Content Filtering / Antivirus.

Use the If a virus is found... entry to specify actions to be taken whenever a virus is detected in a transmitted file:

  • Move the file to quarantine: the file will be saved in a special directory on the WinRoute host. WinRoute administrators can later try to heal the file using an antivirus program and, if the file is recovered successfully, provide it to the user who attempted to download it.

    The quarantine subdirectory under the WinRoute directory is used for the quarantine (C:\Program Files\Kerio\WinRoute Firewall\quarantine by default). Infected files (files which are suspected of being infected) are saved into this directory under automatically generated names. The name of each file includes information about the protocol, date, time and connection number used for the transmission.

    Warning: When handling files in the quarantine directory, please consider carefully each action you take, otherwise a virus might be activated and the WinRoute host could be attacked by the virus!

  • Alert the client: WinRoute alerts the user who attempted to download the file by an email message stating that a virus was detected and the download was stopped for security reasons.

    Alert messages can be sent under the following circumstances: the user is authenticated and connected to the firewall, a valid email address is set in a corresponding user account (see chapter User Accounts) and the SMTP server used for mail sending is configured correctly (refer to chapter SMTP Relay).

    Note: Regardless of whether the Alert the client option is used, alerts can be sent to specified addresses (e.g. addresses of network administrators) whenever a virus is detected. For details, refer to chapter Alerts.

The If the transferred file cannot be scanned section specifies actions to be taken when the antivirus check cannot be applied to a file (e.g. the file is compressed and password-protected, damaged, etc.):

  • Deny transmission of the file: WinRoute will consider these files as infected and deny their transmission.

    TIP: It is recommended to combine this option with the Move the file to quarantine function. The WinRoute administrator can then extract the file and perform a manual antivirus check if a user asks him/her.

  • Allow the file to be transferred: WinRoute will treat compressed password-protected files and damaged files as trustworthy (not infected).

    Generally, use of this option is not secure. However, it can be helpful, for example, when users attempt to transmit a large volume of compressed password-protected files and the antivirus is installed on the workstations.

HTTP and FTP scanning rules

These rules specify when antivirus check will be applied. By default (if no rule is defined), all objects transmitted by HTTP and FTP are scanned.

Note: WinRoute contains a set of predefined rules for HTTP and FTP scanning. By default, all executable files as well as all Microsoft Office files are scanned. The WinRoute administrator can change the default configuration.

Scanning rules are ordered in a list and processed from the top. Arrow buttons on the right can be used to change the order. When a rule which matches the object is found, the appropriate action is taken and rule processing is stopped.

New rules can be created in the dialog box which is opened after clicking the Add button.


Description

Description of the rule (for reference of the WinRoute administrator only)

Condition

Condition of the rule:

  • HTTP/FTP filename: this condition applies to the filenames (not entire URLs) of objects transmitted by FTP or HTTP (e.g. *.exe, *.zip, etc.).

    If only an asterisk is used for the specification, the rule will apply to any file transmitted by HTTP or FTP.

The other two conditions can be applied only to HTTP:

  • MIME type: MIME types can be specified either by complete expressions (e.g. image/jpeg) or using wildcard matching (e.g. application/*).

  • URL: URL of the object (e.g. www.kerio.com/img/logo.gif), a string specified by wildcard matching (e.g. *.exe) or a server name (e.g. www.kerio.com). Server names represent any URL at the corresponding server (www.kerio.com/*).

Note: If a MIME type or a URL is specified only by an asterisk, the rule will apply to any HTTP object.

Action

Settings in this section define whether or not the object will be scanned.

If the Do not scan alternative is selected, antivirus control will not apply to transmission of this object.

The new rule will be added after the rule which had been selected before Add was clicked. You can use the arrow buttons on the right to move the rule within the list.

The checkbox next to a rule can be used to disable the rule. Rules can be disabled temporarily so that it is not necessary to remove rules and create identical ones later.

Note: If the object does not match any rule, it will be scanned automatically. If only selected object types are to be scanned, a rule disabling scanning of any URL or MIME type must be added to the end of the list (the Skip all other files rule is predefined for this purpose).
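The following added example (not part of the WinRoute documentation or product) models the rule processing described above so that a rule list can be reviewed for objects that unintentionally bypass the antivirus check. The Rule class, the function names, the sample rules and the example.com/example.org hosts are constructed for illustration; case-insensitive matching and the use of Python's fnmatch for wildcards are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Rule:
    description: str
    kind: str            # "filename", "mime" or "url"
    pattern: str
    scan: bool           # True = scan, False = "Do not scan"
    enabled: bool = True

def matches(rule, protocol, url, mime=None):
    # url is host/path without a scheme, as in the page's examples.
    # Assumption: case-insensitive matching, "*" matches any run of characters.
    url, pat = url.lower(), rule.pattern.lower()
    if rule.kind == "filename":
        return fnmatchcase(url.rsplit("/", 1)[-1], pat)
    if protocol != "http":               # MIME type and URL conditions are HTTP-only
        return False
    if rule.kind == "mime":
        return mime is not None and fnmatchcase(mime.lower(), pat)
    if "/" not in pat and "*" not in pat:
        pat += "/*"                      # bare server name = any URL on that server
    return fnmatchcase(url if "/" in url else url + "/", pat)

def decide(rules, protocol, url, mime=None):
    """First enabled matching rule wins; unmatched objects are scanned."""
    for rule in rules:
        if rule.enabled and matches(rule, protocol, url, mime):
            return rule.scan, rule.description
    return True, "no rule matched (scanned by default)"

def unreachable(rules):
    """Enabled rules that can never fire because an earlier catch-all matches first."""
    dead, all_blocked, http_blocked = [], False, False
    for rule in rules:
        if not rule.enabled:
            continue
        if all_blocked or (http_blocked and rule.kind != "filename"):
            dead.append(rule.description)
        if rule.pattern == "*":
            all_blocked = all_blocked or rule.kind == "filename"
            http_blocked = True
    return dead

# Constructed rule list (not WinRoute's predefined set)
RULES = [
    Rule("Trusted update server", "url", "updates.example.com", scan=False),
    Rule("Executables", "filename", "*.exe", scan=True),
    Rule("Office documents", "mime", "application/msword", scan=True),
    Rule("Skip all other files", "url", "*", scan=False),
]
```

With this list, an .exe fetched from updates.example.com is not scanned because the server rule sits above the Executables rule, and moving a catch-all Do not scan rule to the top leaves the URL and MIME type rules below it without effect.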
