Support Doc: Using the Stream Detector

Version 17

     

     

    Introduction

     

    Have you had problems accessing streaming media (online video or audio streams) through the McAfee Web Gateway? The Stream Detector makes it easy. If you want to allow streaming media and you are running version 7.1.6 or newer but are not yet using the Stream Detector, there’s no time like the present to give it a try.

     

     

    What is it?

     

    The Stream Detector is a property that evaluates response traffic, determining whether or not it is streaming media. It evaluates to "true" or "false". In a typical configuration, once detected, a stream is bypassed from anti-virus and anti-malware scanning.

     

     

    Why Is It Important to Bypass Streaming Media from Anti-Virus/Anti-Malware Scanning?

     

    Files are scanned for viruses and malware after they are downloaded. It is necessary to see the whole file before we can determine whether or not it is infected. Therefore, McAfee Web Gateway downloads the file, scans it, and if not infected, will then pass it on to the client. By a stream's nature, it has no "end". If the Web Gateway scans a stream, it continues downloading the file, never gets to the end, never scans the file and never releases it to the client. Therefore, to view streaming media through the Web Gateway, it must bypass anti-virus and anti-malware scanning.

     

     

    History of the Stream Detector (and Why You Might Not Have It)

     

    The Stream Detector was introduced in McAfee Web Gateway version 7.1.6 as a simplified method to identify and allow streaming media to bypass anti-malware and anti-virus scanning. In earlier versions of McAfee Web Gateway version 7, this was typically done by evaluating traffic's URL Categorization, looking for categories such as "Streaming Media" or "Internet Radio/TV", as well as by evaluating its media type ("audio/mpeg" or "video/quicktime" for example).
    If you have been using McAfee Web Gateway since before version 7.1.6 and have upgraded to or beyond it, the upgrade process would not have added the Stream Detector to your rule sets: you must do so manually. If your McAfee Web Gateway had a fresh installation of v7.1.6 or newer and you are using the default "Gateway Antimalware" rule set, you are probably already using the Stream Detector.

     

     

    The Rule and How to Get It

     

    You must be running McAfee Web Gateway v7.1.6 or later to use the Stream Detector. There are two ways you can add it to your current anti-malware rule set:

      1. You can import the default "Gateway Antimalware" rule set from the Rule Set Library, copy and paste the rule "Skip on Streaming Media" into your existing Antimalware/Antivirus rule set, then delete the remaining portion of the freshly imported rule set.
      2. Or, you can manually build the rule in your Antimalware/Antivirus rule set. It should look like this:

     

     

        • Name: "Skip on Streaming Media"
        • Criteria: Cycle.Name equals "Response" AND StreamDetector.IsMediaStream<Default_Streaming_Detection> equals true
        • Action: Stop Rule Set
        • Event: none

     

     

    01b.jpg

     

     

    Placement of the Stream Detector Rule

     

    The recommended placement of the Stream Detector is immediately above your rule that blocks infected files. In the default "Gateway Anti-Malware" rule set, this would put the Stream Detector just above the rule "Block If Virus was Found" (see image above).

     

    Stream Detector Settings

     

    Once you have the Stream Detector installed, it has only one setting that can be modified: "Minimal probability" that it has detected a stream. The default setting of 60% works well and we recommend you not modify it unless advised to do so by Technical Support.