McAfee Employee

Enhanced Gateway Anti-malware Ruleset

I had booth duty at FOCUS this year and a couple customers were asking questions about the Gateway Anti-Malware Ruleset used in our demonstration. I have attached it here.

A few interesting features are:
1) Use of SmartMatch for the bypass site list.
2) An easy way to select the size at which you would like to bypass anti-malware scanning (it works from a list of numbers and you just select the index for the appropriate size).
3) Use of different settings based on the trust level of the site.
4) Some nice logging features.

List: Anti-Malware: Bypass Files Over X Bytes (type: Number)

Description: Only the FIRST entry in this list is used. Move/add the proper value to the top. Common values: 1 MB = 1048576 bytes; 5 MB = 5242880 bytes; 10 MB = 10485760 bytes; 20 MB = 20971520 bytes; 30 MB = 31457280 bytes; 100 MB = 104857600 bytes; 500 MB = 524288000 bytes; 1 GB = 1073741824 bytes.

  #   Number        Comment
  1   31457280      30 MB: Only the FIRST entry is used
  2   1048576       1 MB
  3   5242880       5 MB
  4   10485760      10 MB
  5   20971520      20 MB
  6   104857600     100 MB
  7   524288000     500 MB
  8   1073741824    1 GB

Rule Sets
Gateway Anti-Malware

[Scan content for malware using the Gateway Anti-Malware engine, McAfee Anti-Virus, GTI File Reputation, and 3rd-Party AV.]

Enabled
Applies to Requests: True / Responses: True / Embedded Objects: True
Always
Rules, in evaluation order (each entry lists Enabled/Disabled | Rule name, then Criteria, Action, Events and Comment):

Disabled | Anti-Malware: Bypass Sites
  Criteria: URL.SmartMatch(Anti-Malware: Bypass Sites) equals true
  Action:   Stop Rule Set
  Comment:  If the URL host is in the list of hosts, Anti-Malware scanning will be bypassed.

Disabled | Anti-Malware: Bypass User Agents
  Criteria: Header.Request.Get("User-Agent") matches in list Anti-Malware: Bypass User Agents
  Action:   Stop Rule Set
  Comment:  A list of user agents used to bypass Anti-Malware scanning.

Enabled | Anti-Malware: Bypass Files Over X Bytes
  Criteria: Body.Size greater than List.OfNumber.Get(Anti-Malware: Bypass Files Over X Bytes, 0)
  Action:   Stop Rule Set

Enabled | Remove Partial Content for HTTP(s) Requests
  Criteria: Cycle.TopName equals "Request"
            AND (Connection.Protocol equals "http"
                 OR Connection.Protocol equals "https")
  Action:   Continue
  Events:   Header.RemoveAll("Range")

Enabled | Block Partial Content for FTP Requests
  Criteria: Connection.Protocol equals "ftp"
            AND Cycle.TopName equals "Request"
            AND Command.Categories contains "Partial"
  Action:   Block <Partial Content Not Allowed>
  Events:   Statistics.Counter.Increment("BlockedByMediaFilter", 1) <Default>

Enabled | Anti-Malware: Enable Stream Scanner
  Criteria: Cycle.Name equals "Response"
            AND StreamDetector.IsMediaStream<Streaming Detector: Default> equals true
  Action:   Stop Rule Set
  Events:   Enable Media Stream Scanner
  Comment:  Starts the media stream scanner on streaming media and skips antivirus checking when streaming media is detected.

Disabled | Anti-Malware: Standard Setting for Trusted Sites
  Criteria: URL.IsMinimalRisk<URL Filter: Default> equals true
            AND Antimalware.Infected<Anti-Malware: Trusted Sites> equals true
  Action:   Continue
  Events:   Header.Block.RemoveAll("X-Hash-MD5")
            Header.Block.Add("X-Hash-MD5", Body.Hash("md5"))
            Header.Block.RemoveAll("X-GAM-IsInfected")
            Header.Block.Add("X-GAM-IsInfected", Boolean.ToString(Antimalware.Infected<Anti-Malware: Trusted Sites>))
            Header.Block.RemoveAll("X-GAM-Probability")
            Header.Block.Add("X-GAM-Probability", Number.ToString(Antimalware.Proactive.Probability<Anti-Malware: Trusted Sites>))
  Comment:  Slightly less aggressive scanning for trusted sites.

Disabled | Anti-Malware: High Setting for Un-Trusted Sites
  Criteria: URL.IsMinimalRisk<URL Filter: Default> equals false
            AND Antimalware.Infected<Anti-Malware: Un-Trusted Sites> equals true
  Action:   Continue
  Events:   Header.Block.RemoveAll("X-Hash-MD5")
            Header.Block.Add("X-Hash-MD5", Body.Hash("md5"))
            Header.Block.RemoveAll("X-GAM-IsInfected")
            Header.Block.Add("X-GAM-IsInfected", Boolean.ToString(Antimalware.Infected<Anti-Malware: Un-Trusted Sites>))
            Header.Block.RemoveAll("X-GAM-Probability")
            Header.Block.Add("X-GAM-Probability", Number.ToString(Antimalware.Proactive.Probability<Anti-Malware: Un-Trusted Sites>))
  Comment:  Slightly more aggressive scanning for unknown sites.

Enabled | Anti-Malware: Default
  Criteria: Antimalware.Infected<Anti-Malware: Default> equals true
  Action:   Continue
  Events:   Header.Block.RemoveAll("X-Hash-MD5")
            Header.Block.Add("X-Hash-MD5", Body.Hash("md5"))
            Header.Block.RemoveAll("X-GAM-IsInfected")
            Header.Block.Add("X-GAM-IsInfected", Boolean.ToString(Antimalware.Infected<Anti-Malware: Default>))
            Header.Block.RemoveAll("X-GAM-Probability")
            Header.Block.Add("X-GAM-Probability", Number.ToString(Antimalware.Proactive.Probability<Anti-Malware: Default>))
  Comment:  If this rule is enabled, then disable the Trusted and Un-Trusted rules above.

Enabled | Anti-Malware: Block Infected
  Criteria: Header.Block.Exists("X-GAM-IsInfected") equals true
            AND Header.Block.Get("X-GAM-IsInfected") equals "true"
  Action:   Block <Virus Found>
  Events:   Statistics.Counter.Increment("BlockedByAntiMalware", 1) <Default>
  Comment:  This performs the actual block if a file is infected based on the scans performed.

Enabled | Anti-Malware: Scan Complete
  Criteria: Always
  Action:   Continue
  Comment:  Validates for the logs that Anti-Malware scanning occurred. If a transaction gets here, it passed the Anti-Malware rules and is clean. Body.Modified indicates whether a page was cleaned of mobile code.

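The rule set above is easiest to reason about as an ordered pipeline in which every "Stop Rule Set" is a path on which no antivirus engine ever sees the content, and only the "Block Infected" rule turns a scan verdict into a block. The following Python model walks constructed sample transactions through that pipeline so the ordering effects are visible: a body one byte over the first entry of the size list is never scanned, reordering the list changes the threshold because only index 0 is read, the Range header is stripped before scanning so an HTTP client cannot split a file into ranges that are each clean on their own, FTP partial retrieval is blocked outright, and the X-GAM-* block headers only exist when an engine reported an infection. This is an added example, not McAfee Web Gateway code or the poster's ruleset; the Tx and Result types, the evaluate() and scan_rule() functions, the per_trust switch and the host names are assumptions made for illustration, and the infection verdict is supplied as an input rather than produced by a real engine.

```python
"""Plain-Python model of the posted Gateway Anti-Malware rule set, run over
constructed sample transactions. Added example, not McAfee Web Gateway code;
Tx, Result, evaluate() and scan_rule() are assumptions for illustration."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the "Anti-Malware: Bypass Files Over X Bytes" list.
# Only index 0 is read, mirroring List.OfNumber.Get(<list>, 0): 30 MB here.
BYPASS_SIZE_LIST = [31457280, 1048576, 5242880, 10485760]


@dataclass
class Tx:
    host: str
    protocol: str                   # "http", "https" or "ftp"
    cycle: str                      # "Request" or "Response"
    body: bytes = b""
    user_agent: str = ""
    range_header: Optional[str] = None
    ftp_partial: bool = False       # Command.Categories contains "Partial"
    media_stream: bool = False      # StreamDetector.IsMediaStream
    minimal_risk: bool = True       # URL.IsMinimalRisk
    scanner_infected: bool = False  # what Antimalware.Infected<...> would say
    scanner_probability: float = 0.0


@dataclass
class Result:
    action: str = "continue"        # "continue", "stop_ruleset" or "block"
    block_reason: Optional[str] = None
    scanned: bool = False
    setting: Optional[str] = None   # Antimalware settings profile used
    headers: dict = field(default_factory=dict)
    counters: dict = field(default_factory=dict)


def scan_rule(tx, r, setting):
    """Rules 7-9: the header events only run when the engine reports infection."""
    r.scanned = True
    r.setting = setting
    if tx.scanner_infected:
        r.headers["X-Hash-MD5"] = hashlib.md5(tx.body).hexdigest()
        r.headers["X-GAM-IsInfected"] = "true"
        r.headers["X-GAM-Probability"] = str(tx.scanner_probability)


def evaluate(tx, bypass_sites=(), bypass_agents=(),
             size_list=BYPASS_SIZE_LIST, per_trust=False):
    r = Result()
    # Rules 1-2 (disabled in the export; passing non-empty lists enables them).
    if tx.host in bypass_sites or tx.user_agent in bypass_agents:
        r.action = "stop_ruleset"
        return r
    # Rule 3: anything larger than the FIRST list entry is never scanned.
    if len(tx.body) > size_list[0]:
        r.action = "stop_ruleset"
        return r
    # Rule 4: drop Range so the response the scanner later sees is the whole
    # file, not a chunk the client chose to keep each response clean.
    if tx.cycle == "Request" and tx.protocol in ("http", "https"):
        tx.range_header = None
    # Rule 5: FTP partial retrieval cannot be rewritten, so it is blocked.
    if tx.protocol == "ftp" and tx.cycle == "Request" and tx.ftp_partial:
        r.action, r.block_reason = "block", "Partial Content Not Allowed"
        r.counters["BlockedByMediaFilter"] = 1
        return r
    # Rule 6: media streams go to the stream scanner and skip AV.
    if tx.cycle == "Response" and tx.media_stream:
        r.action = "stop_ruleset"
        return r
    # Rules 7-9: one settings profile fires; Default replaces the trust pair.
    if per_trust:
        scan_rule(tx, r, "Trusted Sites" if tx.minimal_risk else "Un-Trusted Sites")
    else:
        scan_rule(tx, r, "Default")
    # Rule 10: block on the header the scan rule left behind.
    if r.headers.get("X-GAM-IsInfected") == "true":
        r.action, r.block_reason = "block", "Virus Found"
        r.counters["BlockedByAntiMalware"] = 1
        return r
    # Rule 11: scan complete, content passed clean.
    return r
```

The size bypass is worth checking against real traffic before relying on it: any download above the first list entry reaches the client without a verdict, so the threshold should be set to the largest size the appliance can scan in acceptable time, not to whatever entry happened to be at the top of the list.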