Cyberoam Anti Virus Implementation Guide Version 9 Document version 9402 -1.0-18/10/2006


IMPORTANT NOTICE
Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.

USER’S LICENSE
The Appliance described in this document is furnished under the terms of Elitecore’s End User license agreement. Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.

LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the original licenses. Customers exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore or its service center’s option, repair, replacement, or refund of the software if reported (or, upon, request, returned) to the party supplying the software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the software without problems or interruptions.

Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and the performance thereof is under warranty provided by Kaspersky Labs. It is specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus.

Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and electrical components will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.

DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any implied warranty or merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, and hereby excluded to the extent allowed by applicable law. In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such damages. In the event shall Elitecore’s or its supplier’s liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer.

The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose. In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS
Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Elitecore Technologies Ltd. Information supplied by Elitecore Technologies Ltd. is believed to be accurate and reliable at the time of printing, but Elitecore Technologies assumes no responsibility for any errors that may appear in this document. Elitecore Technologies reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.

CORPORATE HEADQUARTERS Elitecore Technologies Ltd. 904 Silicon Tower, Off. C.G. Road, Ahmedabad – 380015, INDIA Phone: +91-79-26405600 Fax: +91-79-26407640 Web site: www.elitecore.com , www.cyberoam.com


Guide Sets

Guide: Describes

User Guide
Console Guide: Console Management
Windows Client Guide: Installation & configuration of Cyberoam Windows Client
Linux Client Guide: Installation & configuration of Cyberoam Linux Client
HTTP Client Guide: Installation & configuration of Cyberoam HTTP Client
Analytical Tool Guide: Using the Analytical tool for diagnosing and troubleshooting common problems
LDAP Integration Guide: Configuration for integrating LDAP with Cyberoam for external authentication
ADS Integration Guide: Configuration for integrating ADS with Cyberoam for external authentication
PDC Integration Guide: Configuration for integrating PDC with Cyberoam for authentication
RADIUS Integration Guide: Configuration for integrating RADIUS with Cyberoam for external authentication
High Availability Configuration Guide: Configuration of High Availability (HA)
Multi Link Manager User Guide: Configuration of Multiple Gateways, load balancing and failover
VPN Management: Implementing and managing VPN
Cyberoam IDP Implementation Guide: Configuring, implementing and managing Intrusion Detection and Prevention
Cyberoam Anti Virus Implementation Guide: Configuring and implementing anti virus solution
Cyberoam Anti Spam Implementation Guide: Configuring and implementing anti spam solution


Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address: Corporate Office eLitecore Technologies Ltd. 904, Silicon Tower Off C.G. Road Ahmedabad 380015 Gujarat, India. Phone: +91-79-26405600 Fax: +91-79-26407640 Web site: www.elitecore.com Cyberoam contact: Technical support (Corporate Office): +91-79-26400707 Email: [email protected] Web site: www.cyberoam.com Visit www.cyberoam.com for the regional and latest contact information.


Typographic Conventions

Material in this manual is presented in text, screen displays, or command-line notation.

Item | Convention | Example
Server | Machine where Cyberoam Software - Server component is installed |
Client | Machine where Cyberoam Software - Client component is installed |
User | The end user |
Username | Username uniquely identifies the user of the system |
Part titles | Bold and shaded font typefaces | Report
Topic titles | Shaded font typefaces | Introduction
Subtitles | Bold & Black typefaces | Notation conventions
Navigation link | Bold typeface | Group Management → Groups → Create. It means, to open the required page click on Group management then on Groups and finally click Create tab
Name of a particular parameter / field / command button text | Lowercase italic type | Enter policy name, replace policy name with the specific name of a policy. Or Click Name to select where Name denotes command button text which is to be clicked
Cross references | Hyperlink in different color | refer to Customizing User database. Clicking on the link will open the particular topic
Notes & points to remember | Bold typeface between the black borders | Note
Prerequisites | Bold typefaces between the black borders | Prerequisite: Prerequisite details


Overview
Welcome to Cyberoam’s Anti Virus User guide.

Cyberoam is an Identity-based UTM Appliance. Cyberoam’s solution is purpose-built to meet the security needs of corporates, government organizations, and educational institutions. Cyberoam’s perfect blend of best-of-breed solutions includes user based Firewall, Content filtering, Anti Virus, Anti Spam, Intrusion Detection and Prevention (IDP), and VPN.

Cyberoam provides increased LAN security by providing a separate port for connecting to the publicly accessible servers like Web server, Mail server, FTP server etc. hosted in the DMZ, which are visible to the external world and still have firewall protection.

Cyberoam Anti Virus, as a part of the unified solution along with Anti Spam and IDP (Intrusion Detection and Prevention), provides real time virus scanning that protects all network nodes (workstations, file servers, mail system) from known and unknown attacks by worms and viruses, trojans, spyware, adware, spam, hackers and all other cyber threats.

Cyberoam appliance at the perimeter of your network analyzes the complete traffic and prevents attacks from reaching your network. Whether it is a worm, a suspicious web request, a hacker targeting your mail server or any other attack - it simply does not get through.

Gateway Anti Virus module is an add-on module, which needs to be subscribed before use. Refer to Licensing for more details on registration.

Virus
Virus is a self-replicating malicious code that spreads by attaching itself to an application program, any executable system component, or documents and leaves no obvious signs of its presence. Viruses are hard to detect, easy to propagate, and difficult to remove.

With the number of computer users growing and the exchange of information via the Internet and email increasing in volume, virus scares are becoming an almost everyday occurrence. Real mass attacks have become commonplace, and the consequences are serious, resulting in financial loss for individuals and corporations alike. The number of threats and the frequency and speed of attacks are increasing every day. Antivirus protection is therefore a priority for anyone who uses a computer.

Although viruses are transmitted mainly through emails or attachments to an e-mail note and Internet downloads, a diskette or CD can also be a source of infection. Therefore, the task of comprehensive protection against potential threats now extends beyond simple regular virus scans to real time anti virus protection.

Cyberoam Gateway Anti Virus


Cyberoam Gateway Anti Virus provides you with powerful tools for scanning and detecting infection and spam in the incoming e-mail traffic. For detecting viruses, Cyberoam uses its built-in signature database.

Cyberoam Anti Virus scans the following traffic as it passes through the Cyberoam:
• HTTP
• FTP
• SMTP
• POP3
• IMAP

For extra protection, you can configure Cyberoam to block specified file types from passing through. You can use this feature to stop files that might contain new viruses. Additional filtration of messages from configured IP address and URL decreases the load on the server when scanning email traffic for viruses.

Cyberoam Anti Virus allows you to:
• Scan email messages for viruses
• Detect infected, suspicious, and password-protected attachments and messages
• Stop users from sending/receiving messages with any type of attachments
• Perform anti-virus processing of infection revealed in email messages by scanning
• Define policies to take appropriate action based on the protocol, i.e. define an action policy on how to handle SMTP, POP3, FTP and HTTP traffic if infection is detected
• Limit HTTP download file size
• Notify senders, recipients, and the administrator about messages containing infected, suspicious, or password protected attachments
• Quarantine messages - the Quarantine feature allows you to isolate and move infected and suspicious mails to a quarantine directory defined by a network administrator

Cyberoam Gateway Anti Virus is fully compatible with all the mail systems and therefore can be easily integrated into the existing network.

Enable Anti Virus scanning
Enable anti-virus scanning using firewall rules. While anti-virus settings can be configured for system-wide use, they can also be implemented with specific settings on a per user basis. Refer to Cyberoam User Guide, Firewall section for creating firewall rules for enabling the anti-virus scanning.

You can enable anti virus scanning by creating firewall rule for:
• Zone
• User/User Group
• Host/Host Group


SMTP Scan Policy
As soon as you register Cyberoam Gateway Anti Virus, the default SMTP policy is applicable to all inbound and outbound email traffic. The default policy is a general policy and not a fit-for-all policy, and hence might not fit your network requirements. Cyberoam allows you to define multiple policies instead of one global policy, as per your requirements. Fine tuning the policies means reducing the virus attacks. Create Scanning rules to apply policies as required.

SMTP Scan policy defines:
• whether to quarantine the message or not
• what action is to be taken if mail is infected
• whether to block the message containing the specific file type or with any type of file attachment
• whether sender, receiver and Administrator are to be notified or not

Create Custom Scan policy
Select Anti Virus → SMTP → Create Custom Scan policy to open the create page

Screen - Create Custom Virus Scan policy


Screen Elements: Description

Virus Scan policy details

Name: Specify policy name. Choose a name that best describes the policy. Can be any combination of A – Z, a – z, ‘_’, 0 - 9.

Policy Description: Specify full description of the policy. Allows maximum of 255 characters. Can be any combination of A – Z, a – z, ‘_’, 0 - 9.

Enable Scanning: If enabled, policy will be used for virus scanning and blocking the attachments of specified file types.

Action: Specify what action is to be taken for the mails received.
1. Quarantine – Does not deliver mail but copies the mail to the quarantine file list. You can view the mail details like sender and receiver of the mail in the quarantined file list. You can configure to automatically delete the Quarantined mails after a specified time. Refer to General Configuration for more details.
2. Notify Sender - Sends the notification to the sender that the mail was infected

Block File Types: Specify which file types are to be blocked to remove all files that are a potential threat and to prevent virus attacks. More than one file type can be selected using ctrl/shift keys. The block file types list is preconfigured with a default list of file extensions. Refer to Default File types categories to view the list of file extensions which will be blocked under each category. Selected Blocked file types will not be scanned. Instead of creating individual policies to block the message with different file types, you can simply create a single policy and select ‘ALL’ in block file types to block messages with any type of file attachment. Using Block File Types, you can also stop users from sending/receiving the messages with attachments. Refer to Create policy to stop users from sending/receiving messages with attachment.

Receiver Action: Receiver will be notified according to the action specified for each message type.

Message Type: Specify the type of action to be taken on each message type.
Actions:
Don’t Deliver – Receiver will not be delivered the message and will not be notified that the mail was infected
Remove and Deliver – Will remove the infected part of the mail before delivery. Receiver will also receive the notification stating that the mail was infected and infected portion of the mail is removed.
Deliver Original – Will deliver the original mail and the receiver will receive the notification along with the mail stating that mail is infected but not cured or removed.
Cyberoam will not scan the protected attachment. Hence mails with the protected attachments can be delivered without scanning or after removing the attachment. In both the cases, receiver will be notified if not specified otherwise. In case Cyberoam is not able to cure the infection, it will remove the infected portion/attached file and then deliver.

Notify Administrator: Administrator will be notified according to the action specified for each message type.

Message Type: Specify the type of action to be taken on each message type.
Actions:
Don’t Notify – Administrator will not be notified that the mail was infected on delivery
Remove Attachment – Will remove the attachment from the mail before delivery. Administrator will also receive the notification stating that the mail attachment was infected and removed.
Send Original – Will deliver the original mail with curing or removing infected portion. Administrator will receive the notification stating mail is infected but not cured or removed.
Cyberoam will not scan the protected attachment. Hence mails with the protected attachments can be delivered without scanning or after removing the attachment. In both the cases, receiver will be notified if not specified otherwise. In case Cyberoam is not able to cure the infection, it will remove the infected portion/attached file and then deliver.

Create button: Creates policy

Cancel button: Cancels the current operation and returns to Manage Virus Scan Policy page

Table – Create Custom Virus Scan policy screen elements

Sample messages

Blocked file type message (sent to receiver)
Subject: ALARM! Message to you was filtered
Cyberoam Anti-Virus filtered the following message sent to you:
From: <Sender address>
To: <Receiver address>
Sent on: Date & Time
File name

Blocked file type message (sent to sender)
Subject: Your message was filtered
Cyberoam Anti-Virus filtered a message from you:
From: <Sender address>
To: <Receiver address>
Sent on: Date & Time

Virus message (sent to receiver)
Subject: Virus found in message to you
Cyberoam Anti-Virus reports a virus the following message:
From: <Sender address>
To: <Receiver address>
Sent on: Date & Time
Virus name

Virus message (sent to sender)
Subject: Virus found in message from you
Cyberoam Anti-Virus reports a problem: you sent a message with a virus in the following message:
From: <Sender address>
To: <Receiver address>
Sent on: Date & Time
Virus name

Create Policy to stop users from sending/receiving messages with attachment

You can also create a policy to block users from sending or receiving messages with any type of file attachment using block file types. This policy will block a message with an attachment even if the message is not infected.

For example, to prevent user John from sending messages with any type of file as attachment, create a scanning policy named ‘Block John mails with attachments’ with Block file type as ‘ALL’, then create an email scanning rule with the sender email address of John and attach the policy ‘Block John mails with attachments’. This will not allow John to send messages with any attachment even if the message is not infected. According to the notification set in the policy, John and the receiver will receive the message with or without notification.

Manage Custom Scan policy
Select Anti Virus → SMTP → Manage Custom Scan policy to view the list of policies created. Click the policy to be modified.

Screen – Manage Custom Virus Scan policy

Screen Elements: Description

Virus Scan policy details

Name: Displays policy name.

Policy Description: Displays policy description, modify if required

Enable Scanning: If enabled, policy will be used for virus scanning and blocking the attachments of specified file types. Disable if you do not want to use the policy for scanning. Click to enable/disable

Action: Displays what action will be taken on all the mails received. Modify, if required.
1. Quarantine – Does not deliver mail but copies the mail to the quarantine file list. You can view the mail details like sender and receiver of the mail in the quarantined file list. You can configure to automatically delete the Quarantined mails after a specified time. Refer to General Configuration for more details.
2. Notify Sender - Sends the notification to the sender that the mail was infected

Block File Types: Specify which file types are to be blocked to remove all files that are a potential threat and to prevent virus attacks. More than one file type can be selected using ctrl/shift keys. The block file types list is preconfigured with a default list of file extensions. Refer to Default File types categories to view the list of file extensions which will be blocked under each category. Selected Block file types will not be scanned. Instead of creating different policies to block the message with different file types, you can simply create a single policy and select ‘ALL’ in block file types to block messages with any type of file attachment. Using Block File Types, you can also stop users from sending/receiving the messages with attachments. Refer to Create policy to stop users from sending/receiving messages with attachment.

Receiver Action: Receiver will be notified according to the action specified for each message type.

Message Type: Displays what action will be taken on each message type. Modify, if required.
Actions:
Don’t Deliver – Receiver will not be delivered the message and will not be notified that the mail was infected
Remove and Deliver – Will remove the infected part of the mail before delivery. Receiver will also receive the notification stating that the mail was infected and infected portion of the mail is removed.
Deliver Original – Will deliver the original mail and the receiver will receive the notification along with the mail stating that mail is infected but not cured or removed.
Cyberoam will not scan the protected attachment. Hence mails with the protected attachments can be delivered without scanning or after removing the attachment. In both the cases, receiver will be notified if not specified otherwise. In case Cyberoam is not able to cure the infection, it will remove the infected portion/attached file on delivery.
For Blocked Attachments (Block File Type) only:
‘Remove and Deliver’ option will not be applicable.
In case ‘Don’t Deliver’ option is selected, message will not be delivered at all.
In case ‘Deliver Original’ option is selected, message will be delivered without attachments but recipient will be notified that mail was delivered without attachment.

Notify Administrator: Administrator will be notified according to the action specified for each message type.

Message Type: Displays what action will be taken on each message type. Modify, if required.
Actions:
Don’t Deliver – Administrator will not be delivered the message and will not be notified that the mail was infected
Remove Attachment – Will remove the attachment from the mail before delivery. Administrator will also receive the notification stating that the mail attachment was infected and removed.
Send Original – Will deliver the original mail with curing or removing infected portion. Administrator will receive the notification stating mail is infected but not cured or removed.
Cyberoam will not scan the protected attachment. Hence mails with the protected attachments can be delivered without scanning or after removing the attachment. In both the cases, receiver will be notified if not specified otherwise. In case Cyberoam is not able to cure the infection, it will remove the infected portion/attached file on delivery.
For Blocked Attachments (Block File Type) only:
‘Remove and Deliver’ option will not be applicable.
In case ‘Don’t Deliver’ option is selected, message will not be delivered at all.
In case ‘Deliver Original’ option is selected, message will be delivered without attachments but recipient will be notified that mail was delivered without attachment.

Update button: Updates and saves the policy

Cancel button: Cancels the current operation and returns to Manage Virus Scan Policy page

Table – Manage Custom Virus Scan policy screen elements


Delete Custom Scan policy

Prerequisite
• Not assigned to any Rule

Select Anti Virus → SMTP → Manage Custom Scan policy to view the list of policies created

Screen – Delete Custom Virus Scan policy

Screen Elements: Description

Del: Select policy for deletion. Click Del to select. More than one policy can also be selected.

Select All: Select all the policies for deletion. Click Select All to select all the policies.

Delete button: Deletes all the selected policy/policies

Table – Delete Custom Virus Scan policy screen elements


Creating Address Groups
Scanning rule can be defined for individual or group of:
• Email address
• IP address (can be applied to anti spam rule only)
• RBL (Real time black hole List) (applied to anti spam rule only)

Address group is the group of email addresses, IP addresses, or RBLs. When the policy is applied to the address group, policy is applied to all the addresses included in the group.

Select Anti Virus Mail Address Groups to open the Address group page. Click Create to open the create page.


Screen – Create Email Address Group

Screen Elements: Description

Address Group details

Name: Specify group name.

Description: Specify full description

Create button: Creates group and allows adding email address. Click Add. Type all the email addresses to be grouped, separated by comma e.g. [email protected],,[email protected]

Cancel button: Cancels the current operation

Table – Create Email Address Group screen elements


Delete Address Groups
Select Anti Virus Mail Address Group to view the list of groups created

Screen – Delete Email Address Group

Screen Elements: Description

Del: Select address group for deletion. Click Del to select. More than one address group can also be selected.

Select All: Select all the address groups for deletion. Click Select All to select all the address groups.

Delete button: Deletes all the selected address groups

Table – Delete Email Address Group screen elements

Delete email address from Group
Select Anti Virus Mail Address Group to view the list of groups created. Click the group from which the address is to be deleted.


Screen – Delete Email Address from Group

Screen Elements: Description

Delete: Select address for deletion. Click Delete to select. More than one address can also be selected.

Select All: Select all the addresses for deletion. Click Select All to select all the addresses.

Delete button: Deletes all the selected addresses

Table – Delete Email Address from the Group screen elements


Protect Mails from Virus

Scanning rules define which scanning policy is applied to which sender-recipient pair of email addresses, i.e. they map a scanning policy to email addresses. Cyberoam provides a default email scanning rule, which cannot be deleted.

Select Anti Virus SMTP Email Scanning Rule and click Create to open the create page.

Screen - Create Email Scanning Rule

Screen Elements Description

Virus Rule Details
Name: Specify rule name.
Virus Policy: Specify policy to be applied. Mail will be quarantined or delivered according to the action specified in the policy.


Sender Type: Select whether the rule is for an individual email address or a group. Specify the email address or select the Address Group. Specify * to apply the rule to all addresses. Specify a domain name to apply the rule to all the addresses of that domain, e.g. to apply the rule to all the addresses of the ‘elitecore’ domain, specify @elitecore

Recipient Type: Select whether the rule is for an individual email address or a group. Specify the email address or select the Address Group. Specify * to apply the rule to all addresses. Specify a domain name to apply the rule to all the addresses of that domain, e.g. to apply the rule to all the addresses of the ‘elitecore’ domain, specify @elitecore

Create button: Creates the rule. The rule will be applied when the matching combination of sender/recipient addresses is found.

Cancel button: Cancels the current operation.

Table – Create Email Scanning rule screen elements

Change Email Scanning Rule Order

With Email scanning rules, you can customize levels of protection. Rules allow you to apply:
• a single policy for an email address or group of addresses
• multiple policies for a particular email address or group of addresses

Rules are ordered by their priority. When the rules are applied, they are processed from the top downwards and the first suitable rule found is applied. Hence, when adding multiple rules, it is necessary to put strict rules before moderate and general rules.

Select Anti Virus SMTP Email Scanning rules
Click the rule whose order is to be changed
Click Move Up to move the selected rule one step up
Click Move Down to move the selected rule one step down
Click Update Order to save the order

Delete Email Scanning rule

Select Anti Virus SMTP Email Scanning Rule to view the list of rules created. Default Rule cannot be deleted.


Screen - Delete Email Scanning rule

Screen Elements Description

Del: Select rule for deletion. Click Del to select. More than one rule can also be selected.
Select All: Select all the rules for deletion. Click Select All to select all the rules.
Delete button: Deletes all the selected rules.

Table – Delete Email Scanning rule screen elements


POP3 Scanning

Cyberoam allows you to define an individual action policy for POP3, SMTP, IMAP and HTTP traffic. The POP3 policy is applied to POP3 traffic only, i.e. when a virus is detected in POP3 traffic, the POP3 policy is applied. When a message containing a virus is detected, depending on the POP3 policy, Cyberoam either deletes the message from the POP3 server or simply sends a notification to the receiver stating that the mail was not delivered because it was infected. POP3 configuration allows you to enable or disable the deletion of the infected message from the POP3 server.

Go to Anti Virus POP3 Configuration to configure the POP3 policy.

Sample Message (sent to the receiver)
Subject: **VIRUS FOUND MAIL REJECTED**
Virus infected attachment(s) have been removed from this mail.
Virus Name(s): "Virus name list"
Attachment Name(s): "File names list"
[From > sender name] [Date]

IMAP Scanning

Cyberoam allows you to define an individual action policy for POP3, SMTP, IMAP and HTTP traffic. The IMAP policy is applied to IMAP traffic only. When a message containing a virus is detected, the infected message is replaced with a message notifying the receiver that the mail was not delivered because it was infected.

Sample Message (sent to the receiver)
Original Subject: Calculating staffing needs
Subject: **VIRUS FOUND MAIL REJECTED**
Virus infected attachment(s) have been removed from this mail.
Virus Name(s): "Virus name list"
Attachment Name(s): "File names list"
[From > sender name] [Date]

FTP Scanning

Cyberoam detects a virus and removes the infected file from an FTP download or from an email message. You can configure the maximum file size for scanning. The mails greater than the specified size will not be scanned.


Scan HTTP traffic

Apart from mails, viruses can also infect your network through HTTP downloads. Define HTTP scanning rules to protect against this. Cyberoam can be configured for real time or batch mode scanning of HTTP traffic. You can configure the maximum file size that can be buffered to memory for scanning. This will also prevent the unintentional download of a virus file hidden in fragmented files.

By default, Cyberoam will not scan any HTTP traffic, i.e. you have to enable HTTP traffic scanning by defining an HTTP rule. Define an HTTP rule specifying the source and destination IP addresses from which HTTP traffic should not be allowed to pass without scanning. If virus scanning is enabled and a virus is detected, the receiver will receive a notification message.

Sample message

Enable HTTP Scanning

Select Anti Virus HTTP Configuration

Screen - Configure HTTP Scanning


Screen Elements Description

HTTP Configuration
Scan mode: Cyberoam can be configured for real time or batch mode scanning for HTTP traffic. In batch mode, virus scanning starts only after the complete file has been downloaded. Because the complete file must be downloaded before scanning can start, a large file will take some time. To avoid the delay, configure scanning in real time mode if you have to download bulky files.
File Size Threshold: Specify the file size threshold. Files that exceed the configured threshold will not be scanned.
Enable Direct Proxy Scanning: Enable to scan HTTP traffic when an HTTP proxy is configured through the browser.
Update button: Click Update to save any changes.
Add button: Click to add the HTTP rule. Refer to Add rule for more details.

Table – Configure HTTP Scanning screen elements

Add HTTP Rule

Select Anti Virus HTTP Configuration

Screen - Add HTTP Rule

Screen Elements Description

Source IP Address: Specify source IP address.
Destination IP Address: Specify destination IP address.
URL Regex: Specify URL. You can use a regular expression to match a pattern in the URL.
Rule Action: Specify whether or not you want to enable scanning for the specified source/destination IP address and URL.


OK button: Click to save the rule.
Cancel button: Cancels the current operation.

Table – Add HTTP Rule screen elements

Change HTTP Rule Order

With HTTP scanning rules, you can customize levels of protection. For example, while traffic between internal and external IP addresses might need strict protection, traffic between trusted internal addresses might need moderate protection.

Rules are ordered by their priority. When the rules are applied, they are processed from the top downwards and the first suitable rule found is applied. Hence, when adding multiple rules, it is necessary to put strict rules before moderate and general rules.

Select Anti Virus HTTP Configuration
Click the rule whose order is to be changed
Click Move Up to move the selected rule one step up
Click Move Down to move the selected rule one step down
Click Update to save the order
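The top-down, first-match ordering described above (email scanning rules are ordered the same way) decides whether a download is scanned at all. The following Python sketch is an added example, not Cyberoam code; the CIDR notation for the IP fields, the rule names and the sample traffic are assumptions constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class HttpRule:
    name: str
    src: str        # source IP or network (CIDR form is an assumption)
    dst: str        # destination IP or network (CIDR form is an assumption)
    url_regex: str  # pattern searched for in the URL
    scan: bool      # Rule Action: True = scan, False = pass without scanning

    def matches(self, src_ip, dst_ip, url):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and re.search(self.url_regex, url) is not None)

def decide(rules, src_ip, dst_ip, url):
    """Return (rule name, scan?) for the first matching rule, top down."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, url):
            return rule.name, rule.scan
    # Per the guide, HTTP traffic is not scanned unless a rule enables it.
    return "no-rule", False

def unscanned(rules, samples):
    """List the sample requests that would pass without scanning."""
    return [s for s in samples if not decide(rules, *s)[1]]

# Constructed rules and traffic samples (not taken from the guide).
ANY = "0.0.0.0/0"
SCAN_EXE = HttpRule("scan-executables", "10.0.0.0/8", ANY, r"\.(exe|zip)(\?|$)", True)
BYPASS_UPDATES = HttpRule("bypass-updates", "10.0.0.0/8", ANY, r"update", False)
SCAN_ALL = HttpRule("scan-all", ANY, ANY, r".", True)

SAMPLES = [
    ("10.1.2.3", "203.0.113.10", "http://files.example/update/tool.exe"),
    ("10.1.2.3", "203.0.113.10", "http://updates.example/update/defs.dat"),
    ("192.168.5.9", "203.0.113.10", "http://files.example/report.pdf"),
]

GENERAL_FIRST = [BYPASS_UPDATES, SCAN_EXE, SCAN_ALL]  # general rule shadows strict one
STRICT_FIRST = [SCAN_EXE, BYPASS_UPDATES, SCAN_ALL]   # order the guide recommends

if __name__ == "__main__":
    for label, rules in (("general first", GENERAL_FIRST), ("strict first", STRICT_FIRST)):
        print(label, "->", [url for _, _, url in unscanned(rules, SAMPLES)])
```

With the general bypass rule on top, the executable under /update/ passes unscanned; with the strict rule first, only the definitions file bypasses scanning.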

Delete HTTP Rule

Select Anti Virus HTTP Configuration to view the list of rules


Screen Elements Description

Delete: Select rule for deletion. Click Delete to select. More than one rule can also be selected.
Select All: Select all the rules for deletion. Click Select All to select all the rules.
Delete button: Deletes all the selected rules.

Anti Virus General Configuration

Select Anti Virus Mail General Configuration to open the configuration page


Screen Elements Description

Anti Virus Engine Information: Displays the Anti Virus Engine and Anti Virus Definitions database version installed and in use. It also displays when it was last updated. Cyberoam detects viruses and disinfects using the antivirus definition database, which contains definitions of all currently known viruses. It is extremely important to update your anti-virus definition database periodically because new viruses appear every day. By default, database updates are automatically downloaded and installed on your computer every 30 minutes. You can also update the database manually.

Notification Settings
From Email Address: Specify the email address that will be used to send the action notification messages to the mail receiver/sender.
Administrator Email Address: Specify administrator email address.
Mail server IP/Port: Cyberoam will use the specified IP address for sending notifications.


Quarantine Area
Delete quarantined messages automatically after: Specify number of days after which the quarantined messages will be automatically deleted.
Utilization: Displays the number of messages quarantined. Click to view the list of quarantined messages.

File Size Restriction
SMTP Mails greater than size: Specify file size for scanning. SMTP mails greater than the specified size will not be scanned. Specify zero if you do not want to restrict scanning based on file size.
SMTP Mails greater than size: Specify maximum file size for delivery. SMTP mails greater than the specified size will not be delivered. Specify zero if you do not want to restrict scanning based on file size.
POP3/IMAP Mails greater than size: Specify file size for scanning. POP/IMAP mails greater than the specified size will not be scanned. Specify zero if you do not want to restrict scanning based on file size.
Add Signature/Disclaimer to outgoing emails: Enable to add a signature that will automatically be added to the end of an outgoing e-mail message. Only text signatures are allowed.
Update button: Click to save the above mentioned details.

Bypass Reporting

By default, Cyberoam Anti Virus generates reports for all the Internal Domains and Email Ids. To bypass reporting of certain domains and email ids, the Administrator has to create an Exclusion domain list and email id list. Domains and email ids included in the exclusion list will not be included in the Anti Virus reports.

To define the exclusion list, select Reports Configure Local Domains or select Reports Configure Bypass Email Ids. Refer to Reports Guide for the details.