cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Web Gateway: Streaming Media and how the Streaming detector helps

Introduction

Have you had problems accessing streaming media (online video or audio streams) through the McAfee Web Gateway? The Stream Detector makes it easy. If you want to allow streaming media and you are running version 7.1.6 or newer but are not yet using the Stream Detector, there’s no time like the present to give it a try.

 

What is it?

The Stream Detector is a property that evaluates response traffic, determining whether or not it is streaming media. It evaluates to "true" or "false". In a typical configuration, once detected, a stream is bypassed from anti-virus and anti-malware scanning.

 

Why Is It Important to Bypass Streaming Media from Anti-Virus/Anti-Malware Scanning?

Files are scanned for viruses and malware after they are downloaded. It is necessary to see the whole file before we can determine whether or not it is infected. Therefore, McAfee Web Gateway downloads the file, scans it, and if not infected, will then pass it on to the client. By a stream's nature, it has no "end". If the Web Gateway scans a stream, it continues downloading the file, never gets to the end, never scans the file and never releases it to the client. Therefore, to view streaming media through the Web Gateway, it must bypass anti-virus and anti-malware scanning.

 

History of the Stream Detector (and Why You Might Not Have It)

The Stream Detector was introduced in McAfee Web Gateway version 7.1.6 as a simplified method to identify and allow streaming media to bypass anti-malware and anti-virus scanning. In earlier versions of McAfee Web Gateway version 7, this was typically done by evaluating traffic's URL Categorization, looking for categories such as "Streaming Media" or "Internet Radio/TV", as well as by evaluating its media type ("audio/mpeg" or "video/quicktime" for example).
If you have been using McAfee Web Gateway since before version 7.1.6 and have upgraded to or beyond it, the upgrade process would not have added the Stream Detector to your rule sets: you must do so manually. If your McAfee Web Gateway had a fresh installation of v7.1.6 or newer and you are using the default "Gateway Antimalware" rule set, you are probably already using the Stream Detector.

 

The Rule and How to Get It

You must be running McAfee Web Gateway v7.1.6 or later to use the Stream Detector. There are two ways you can add it to your current anti-malware rule set:

    1. You can import the default "Gateway Antimalware" rule set from the Rule Set Library, copy and paste the rule "Skip on Streaming Media" into your existing Antimalware/Antivirus rule set, then delete the remaining portion of the freshly imported rule set.
    2. Or, you can manually build the rule in your Antimalware/Antivirus rule set. It should look like this:
      • Name: "Skip on Streaming Media"
      • Criteria: Cycle.Name equals "Response" AND StreamDetector.IsMediaStream<Default_Streaming_Detection> equals true
      • Action: Stop Rule Set
      • Event: none

 

 

Placement of the Stream Detector Rule

The recommended placement of the Stream Detector is immediately above your rule that blocks infected files. In the default "Gateway Anti-Malware" rule set, this would put the Stream Detector just above the rule "Block If Virus was Found" (see image above).

 

Stream Detector Settings

Once you have the Stream Detector installed, it has only one setting that can be modified: "Minimal probability" that it has detected a stream. The default setting of 60% works well and we recommend you not modify it unless advised to do so by Technical Support.

Labels (1)
Comments

Hi

Just few comments:

  • until MWG 7.3.0 & 7.2.0.4 we had some problems with RTMP streams that are often used in flash-based streaming solutions...
  • streaming detection is also necessary for media type detection, because in many cases, especially for MP3 & RTMP-based streams, we aren't able to find signature, and trying to download some amount of data for type detection. But this is amount is big enough to cause a timeout in stream player. Right now, this information is implicitly shared between filters, but in 7.1.6 you were need to call streaming filter explicitly before doing media type detection

Qucik question. With MWG 7.4.1.3.0 there is a rule in the libarary "Start Media Stream Scanner on Streaming Media and Skip Anti-Malware Scanning" that under events has "Enable Media Stream Scanner". However I have found that when this event is enabled it does not work correctly with streaming audio. Is there goign to be a fix for that?  Or is it still best to just leave the event as "None?

The rule & event you refer to detect common types of streaming video and audio. I would guess that the audio you are sending through the Web Gateway is not one of these typical typesor there is somethin unique about the stream that is preventing detection. I would suggest opening a ticket with technical support for further investigation.

Contributors
Version history
Revision #:
2 of 2
Last update:
‎03-20-2018 01:25 PM
Updated by:
 

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community