Making Bypasses for Antimalware programs using Maintained Lists

In my last discussion listed here:

We started a discussion on how to make bypass rules for programs which cannot function or might not work with the SSL Scanner. In this discussion, I would like to bring up the topic of false detections in the Antimalware engine. Since the Web Gateway runs Antimalware processes to scan for possible threats or "virus signatures", you might run into issues with client Antimalware programs.

Why would this be an issue:

  • Clients can have Antimalware programs like F-Secure, Symantec, Trend Micro, etc. running on them which will try to update through the Web Gateway.
  • These client endpoint Antimalware solutions can pass virus signature data through the Web Gateway Antimalware engine, triggering false detections.
  • Due to the updates getting blocked, the clients might not be able to get their Antimalware definition updates.

Log File Location

If you believe this is occurring on your Web Gateway, you might want to check the "Found Viruses" log for more information on these detections. This log file can be found in the WebUI under:

"Troubleshooting > **MyApplianceName** > Log files > user-defined-logs > foundViruses.log"

Prevention

If this is occurring on your Web Gateway, or if you would like to be proactive, here are some example rules you can put in place to keep these updates out of the Antimalware engine on the Web Gateway:

If you have the Web Gateway Antimalware Rule Set in place on your Web Gateway, you will want to look for something named like the following:

Here are some example rules:

(NOTE: Please make sure these rules are placed before the "Block If Virus Was Found" rule or any other rule that could be calling the "Antimalware.Infected" property, as evaluating this property triggers the Web Gateway Antimalware scanning process.)

I am going to leave this as an open discussion once again for developer and user collaborative input like my last discussion.
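The ordering requirement in the note above (the allow-list rule must come before any rule that reads "Antimalware.Infected") is easy to get wrong, so here is an added illustration of why it matters. This is a small Python model written for this thread, not McAfee Web Gateway's rule format or any of the maintained lists discussed: the host names, the signature pattern and the `Request`/`Rule` objects are all constructed for the example. It evaluates rules in order, lets the "Antimalware.Infected" stand-in record whether a scan actually ran, and shows that the same request is skipped by the scanner when the bypass rule sits first and gets scanned (and blocked on the signature data it carries) when the block rule sits first.

```python
# Added illustration of rule ordering for AV update bypasses.
# Not McAfee Web Gateway's rule syntax; every name here is constructed.

from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Constructed stand-in for a vendor's maintained list of update servers.
# A real list would be built from the vendor's KB articles.
AV_UPDATE_HOSTS: Set[str] = {
    "updates.example-av.test",
    "definitions.example-av.test",
}


@dataclass
class Request:
    host: str
    body: bytes
    scanned: bool = False  # set to True once the "scanner" has looked at the body


def host_in_list(host: str, allow_list: Set[str]) -> bool:
    """Match the exact host or a subdomain of a listed host (suffix match
    on label boundaries, so 'updates.example-av.test.evil.test' does not match)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in allow_list)


def antimalware_infected(req: Request) -> bool:
    """Stand-in for the Antimalware.Infected property: merely evaluating it
    runs the scan. A constructed marker in the body plays the 'signature'."""
    req.scanned = True
    return b"SIGNATURE-BLOB" in req.body


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    action: str  # "stop_ruleset" (skip the rest, i.e. bypass) or "block"


def evaluate(rules: List[Rule], req: Request) -> str:
    """First-match evaluation, top to bottom, like an ordered rule set."""
    for rule in rules:
        if rule.condition(req):
            return f"{rule.action}:{rule.name}"
    return "allow"


BYPASS_RULE = Rule(
    "Skip AV scan for vendor update hosts",
    lambda r: host_in_list(r.host, AV_UPDATE_HOSTS),
    "stop_ruleset",
)
BLOCK_RULE = Rule("Block If Virus Was Found", antimalware_infected, "block")


def simulate(order: List[Rule]) -> Tuple[str, bool]:
    """Run a constructed AV definition download through the given rule order.
    Returns (decision, whether the scanner actually ran)."""
    req = Request("updates.example-av.test", b"...SIGNATURE-BLOB...")
    return evaluate(order, req), req.scanned


if __name__ == "__main__":
    print("bypass first:", simulate([BYPASS_RULE, BLOCK_RULE]))  # scan never runs
    print("block first: ", simulate([BLOCK_RULE, BYPASS_RULE]))  # scanned and blocked
```

The bypass rule only keys on the destination host, so the scope of what escapes scanning is exactly the maintained list; keeping that list to the vendors actually deployed limits how much traffic skips the engine.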

1 Reply
McAfee Employee
Message 2 of 2

Re: Making Bypasses for Antimalware programs using Maintained Lists

Hello!

Some notes:

- I personally recommend only enabling those rules which match the AV solution/vendor that is in place on the client, to limit the number of allow list entries to a minimum. Enabling all rules would only make sense for some kind of "BYOD" network segment where users are allowed to bring laptops which do not run a corporate-controlled AV solution.

- The lists are based on KB articles of the AV solution/vendor and are updated manually on a regular basis. They are not explicitly tested with specific client solutions, but we allow all update servers a vendor mentions, assuming that all client solutions will use those update servers. Any feedback that could help improve the lists would be appreciated.

Best,

Andre
