Is there a way to code round the proactive scanner without bypassing AV totally? Under V6 you could whitelist the site from the scanner using the common whitelist.
We get a few cases similar to where we have to allow the user access.
[03/Oct/2012:09:02:37 +0100] MGW: Heuristic.BehavesLike.JS.Unwanted" "220.127.116.11" https://sl.bpsvlab.com/DSTCore/src/minimized/dstcore-min.js
There are many ways you can do this, see screenshots of examples:
You will need to create a rule (depending on your version) like the one in the screenshot called "Fill AV attributes". This will fill all of the AV properties such as the virus name, such that you are able to exempt it.
The last rule (more complex) uses properties I've never used before (but it works). Basically it compares two lists side by side (so you must make sure it is one to one!!!!), and if it finds the virus name in the list, it returns the corresponding item in the other list (in this case, the domain).
Let me know if this helps,
Jon

Message was edited by (corrected "complex" rule): jscholte on 10/3/12 3:52:32 PM CDT
If you want to bypass specific features of the Anti Malware Engine you can go to Policy->Settings and create a new Anti-Malware Engine setting. In there you can completely choose which features should be applied. To turn off heuristics you can remove the "Enable heuristic scanning" checkbox. If you want to turn off Proactive Scanning you could remove the "Enable mobile code scanning" and leave all other settings in place.
By doing so you can create a less restrictive Anti Malware filtering setting. Now you just create a rule based on URL or Client IP or whatever you like and apply the AntiMalware.IsInfected property not with the default setting, but with the setting you just created (and make sure you don't call the default rule for the same URL again).
I believe Jons solution is more secure, I just wanted to show an alternative since you explicitly asked how to whitelist a Gateway Anti-Malware feature.
Do not use the "more complex" method. There is a possibility that the lists will never match correctly: if a virus is observed with the same name, the wrong site will be returned from the second list.
I have a question. I understand why you need to have the "Antimalware.Infected<Gateway Anti-Malware> equals true" there twice (one with a continue action, the other with a block action), but could this cause the antimalware engine to scan the same object twice?
That's a popular misconception.
The property only gets filled the first time per setting.
So if I have multiple rules in a row that refer to:
The first one is the one that does the scan in that cycle. The subsequent ones use the results of the first instance.
If I had different settings like:
Then it would scan 3 times unless there was another condition that told it not to like:
If Low is infected, it's blocked.
If Low isn't infected, then it scans again on Medium and blocks if Medium is infected.
If Medium isn't infected, it scans on High and blocks if High is infected.
However, that's just a logic example. Don't scan things twice.
In practice you want to decide based on some other factor like reputation:
URL.IsMinimalRisk<Default> equals true AND
Antimalware.Infected<Anti-Malware: Standard Setting> equals true
URL.IsMinimalRisk<Default> equals false AND
Antimalware.Infected<Anti-Malware: High Setting> equals true
The URL.IsMinimalRisk will always be true or false, so you will always get one or the other.
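The two behaviours described in this last post (the Antimalware.Infected property is scanned once per setting per cycle and then reused, and a reputation-driven rule pair that scans each object exactly once) can be checked with a small rule-engine simulation. This is an added example, not McAfee Web Gateway code or anything from the thread; the Request class, the setting names "Standard", "Low", "Medium" and "High", and the minimal_risk and infected_by fields are constructed stand-ins for URL.IsMinimalRisk<Default> and for what each scan setting would flag.

```python
# Constructed simulation of the rule-engine behaviour described in the thread.
# Not Web Gateway code: the engine, settings and requests are all models.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A rule is (name, condition, action); action is "Continue" or "Block".
Rule = Tuple[str, Callable[["Request"], bool], str]


@dataclass
class Request:
    """One object passing through the simulated rule engine (constructed)."""
    url: str
    minimal_risk: bool                       # stands in for URL.IsMinimalRisk<Default>
    infected_by: Dict[str, bool]             # constructed: which settings would flag this object
    scan_log: List[str] = field(default_factory=list)
    _cache: Dict[str, bool] = field(default_factory=dict)

    def antimalware_infected(self, setting: str) -> bool:
        """Model of Antimalware.Infected<setting>: the engine scans once per
        setting within a cycle; later references to the same setting reuse
        that result instead of scanning again."""
        if setting not in self._cache:
            self.scan_log.append(setting)    # an actual scan happens only here
            self._cache[setting] = self.infected_by.get(setting, False)
        return self._cache[setting]


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, int]:
    """Walk the rule set top to bottom. 'Continue' falls through, 'Block' stops.
    Returns (final action, number of scans actually performed)."""
    for _name, cond, action in rules:
        if cond(req) and action == "Block":
            return "Block", len(req.scan_log)
    return "Allow", len(req.scan_log)


# Three rules in a row referring to the same setting: only the first one scans.
SAME_SETTING_RULES: List[Rule] = [
    ("log infected",   lambda r: r.antimalware_infected("Standard"), "Continue"),
    ("tag infected",   lambda r: r.antimalware_infected("Standard"), "Continue"),
    ("block infected", lambda r: r.antimalware_infected("Standard"), "Block"),
]

# Three different settings: a clean object gets scanned three times.
TIERED_RULES: List[Rule] = [
    ("block low",    lambda r: r.antimalware_infected("Low"),    "Block"),
    ("block medium", lambda r: r.antimalware_infected("Medium"), "Block"),
    ("block high",   lambda r: r.antimalware_infected("High"),   "Block"),
]

# Reputation picks the setting, so exactly one scan happens per object.
# The `and` short-circuits, so the scan is never even requested for the
# branch that does not apply.
REPUTATION_RULES: List[Rule] = [
    ("minimal risk -> standard setting",
     lambda r: r.minimal_risk and r.antimalware_infected("Standard"), "Block"),
    ("not minimal risk -> high setting",
     lambda r: (not r.minimal_risk) and r.antimalware_infected("High"), "Block"),
]


if __name__ == "__main__":
    clean = Request("https://example.invalid/clean.js", True, {})
    print("same setting, clean:", evaluate(SAME_SETTING_RULES, clean))
    clean = Request("https://example.invalid/clean.js", True, {})
    print("tiered, clean:", evaluate(TIERED_RULES, clean))
    risky = Request("https://example.invalid/bad.js", False, {"High": True})
    print("reputation, not minimal risk:", evaluate(REPUTATION_RULES, risky))
```

Each call to evaluate() reports how many scans the object actually went through, which is the number the original question was about: the same-setting chain and the reputation pair both stay at one scan, while the tiered chain scans a clean object once per distinct setting.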