Making Bypasses for Antimalware programs using Maintained Lists
In my last discussion, listed here:
We started a discussion on how to make bypass rules for programs which cannot function or might not work with the SSL Scanner. In this discussion, I would like to bring up the topic of false detections in the Antimalware engine. Since the Web Gateway is running Antimalware processes to scan for possible threats or "Virus Signatures" you might run into issues with client Antimalware programs.
Why would this be an issue?
Clients can have Antimalware programs like "F-Secure, Symantec, Trend Micro, etc." running on them which will try to update through the Web Gateway.
These client endpoint Antimalware solutions can pass virus signature data through the Web Gateway Antimalware engine triggering false detections.
Due to updates getting blocked, the clients might not be able to get their Antimalware update definitions.
Log File Location
If you believe this is occurring on your Web Gateway, you might want to check the "Found Viruses" log for more information on these detections. This log file can be found in the WebUI under:
In the instance this is occurring on your Web Gateway, or if you would like to be proactive, here are some example rules you can put in place to keep these updates out of the Antimalware engine on the Web Gateway:
If you have the Web Gateway Antimalware Rule Set in place on your Web Gateway, you will want to look for something named like the following:
Here are some example rules:
(NOTE - Please make sure these rules are before the "Block If Virus Was Found" rule or any other rule that could be calling the "Antimalware.Infected" property as this property triggers the Web Gateway Antimalware scanning process.)
I am going to leave this as an open discussion once again for developer and user collaborative input like my last discussion.
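To illustrate why the note above insists on rule order, here is a small Python model of a rule chain (added example, not Web Gateway's own rule syntax or the original post's rules). The vendor names, hostnames and the "skip_antimalware" action are constructed placeholders; the point it shows is that a property like Antimalware.Infected triggers the scan the moment it is evaluated, so a bypass placed after the block rule never prevents the false detection.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for the "maintained lists": one allow-list per AV vendor.
# Hostnames are placeholders, not any vendor's real update servers.
AV_UPDATE_HOSTS = {
    "ExampleAV": {"updates.exampleav.invalid", "dl.exampleav.invalid"},
    "OtherAV": {"liveupdate.otherav.invalid"},
}


@dataclass
class Request:
    url: str
    body_looks_infected: bool  # constructed stand-in for the engine's verdict
    scanned: bool = False      # flips to True once the scan has been triggered

    def antimalware_infected(self) -> bool:
        """Model of Antimalware.Infected: reading the property runs the scan."""
        self.scanned = True
        return self.body_looks_infected


def host(req: Request) -> str:
    return (urlsplit(req.url).hostname or "").lower()


def bypass_rule(req: Request, enabled_vendors):
    """Skip scanning when the host is on the list of an enabled vendor only."""
    allowed = set().union(*(AV_UPDATE_HOSTS[v] for v in enabled_vendors))
    return "skip_antimalware" if host(req) in allowed else None


def block_if_virus_rule(req: Request, enabled_vendors):
    """Model of 'Block If Virus Was Found': evaluating it triggers the scan."""
    return "block" if req.antimalware_infected() else None


def evaluate(req: Request, rule_chain, enabled_vendors=()):
    """Rules run top-down; the first rule returning an action ends processing."""
    for rule in rule_chain:
        action = rule(req, enabled_vendors)
        if action:
            return action
    return "allow"


if __name__ == "__main__":
    url = "https://updates.exampleav.invalid/defs.dat"  # signature update, false positive
    for chain in ([bypass_rule, block_if_virus_rule], [block_if_virus_rule, bypass_rule]):
        r = Request(url, body_looks_infected=True)
        print([f.__name__ for f in chain], "->", evaluate(r, chain, ("ExampleAV",)), "scanned:", r.scanned)
```

Only the vendor actually deployed on the clients is enabled in the model, matching the advice to keep the allow-list as small as possible; an update host for a vendor that is not enabled still goes through the scan.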
Re: Making Bypasses for Antimalware programs using Maintained Lists
- I personally recommend only enabling those rules which match the AV solution/vendor that is in place on the client, to limit the number of allow list entries to a minimum. Enabling all rules would only make sense for some kind of "BYOD" network segment where users are allowed to bring laptops which do not run a corporate-controlled AV solution.
- The lists are based on KB articles of the AV solution/vendor and are updated manually on a regular basis. They are not explicitly tested with specific client solutions, but we allow all update servers a vendor mentions, assuming that all client solutions will use those update servers. Any feedback that could help improve the lists would be appreciated.