7 Replies Latest reply on Apr 3, 2013 7:49 PM by cscoup8

    WGV7.2 Coding round Proactive Scanner

    iain.gardiner

      Is there a way to code round the proactive scanner without bypassing AV totally? Under V6 you could whitelist the site from the scanner using the common whitelist.

      We get a few cases similar to this where we have to allow the user access.

      Thx

      [03/Oct/2012:09:02:37 +0100] MGW: "Heuristic.BehavesLike.JS.Unwanted" "79.125.103.243" https://sl.bpsvlab.com/DSTCore/src/minimized/dstcore-min.js

        • 1. Re: WGV7.2 Coding round Proactive Scanner
          Jon Scholten

          There are many ways you can do this; see the screenshots for examples:

          hostlist-fixed.png

          You will need to create a rule (depending on your version) like the one in the screenshot called "Fill AV attributes". This will fill all of the AV properties, such as the virus name, so that you are able to exempt it.

          The last rule (more complex) uses properties I've never used before (but it works). Basically it compares two lists side by side (so you must make sure it is one-to-one!!!!), and if it finds the virus name in the list, it returns the corresponding item in the other list (in this case, the domain).

          viruslist.png hostlist.png

          Let me know if this helps,

          Jon

          Message was edited by (corrected "complex" rule): jscholte on 10/3/12 3:52:32 PM CDT
          • 2. Re: WGV7.2 Coding round Proactive Scanner
            Jon Scholten

            I have corrected a mistake I made with the "more complex" rule.

            • 3. Re: WGV7.2 Coding round Proactive Scanner
              asabban

              If you want to bypass specific features of the Anti-Malware Engine you can go to Policy->Settings and create a new Anti-Malware Engine setting. In there you can completely choose which features should be applied. To turn off heuristics you can clear the "Enable heuristic scanning" checkbox. If you want to turn off Proactive Scanning you could clear the "Enable mobile code scanning" checkbox and leave all other settings in place.

              By doing so you can create a less restrictive Anti-Malware filtering setting. Now you just create a rule based on URL or Client IP or whatever you like and apply the AntiMalware.IsInfected property not with the default setting, but with the setting you just created (and make sure you don't call the default rule for the same URL again).

              I believe Jon's solution is more secure; I just wanted to show an alternative since you explicitly asked how to whitelist a Gateway Anti-Malware feature.

              Best,

              Andre

              • 4. Re: WGV7.2 Coding round Proactive Scanner
                Jon Scholten

                Do not use the "more complex" method. There is a possibility that the list will never match correctly: if a virus is observed with the same name, the wrong site will be returned from the second list.

                • 5. Re: WGV7.2 Coding round Proactive Scanner

                  I have a question. I understand why you need to have the "Antimalware.Infected<Gateway Anti-Malware> equals true" there twice (one with a continue action, the other with a block action), but could this cause the anti-malware engine to scan the same object twice?

                  • 6. Re: WGV7.2 Coding round Proactive Scanner

                    That's a popular misconception.

                    The property only gets filled the first time per setting.

                    So if I have multiple rules in a row that refer to:

                    • Antimalware.Infected<Setting1>
                    • Antimalware.Infected<Setting1>
                    • Antimalware.Infected<Setting1>
                    • Antimalware.Infected<Setting1>

                    The first one is the one that does the scan in that cycle. The subsequent ones use the results of the first instance.

                    If I had different settings like:

                    • Antimalware.Infected<LowSetting1>
                    • Antimalware.Infected<MediumSetting2>
                    • Antimalware.Infected<HighSetting3>

                    Then it would scan 3 times unless there was another condition that told it not to, like:

                    • Antimalware.Infected<LowSetting1> = true then Block
                    • Antimalware.Infected<LowSetting1> = false AND Antimalware.Infected<MediumSetting2> = true then Block
                    • Antimalware.Infected<MediumSetting2> = false AND Antimalware.Infected<HighSetting3> = true

                    If Low is infected, it's blocked.

                    If Low isn't infected, then it scans again on Medium and blocks if Medium is infected.

                    If Medium isn't infected, it scans on High and blocks if High is infected.

                    However, that's just a logic example. Don't scan things twice.

                    In practice you want to decide based on some other factor like reputation:

                    Rule Criteria:

                    URL.IsMinimalRisk<Default> equals true AND

                    Antimalware.Infected<Anti-Malware: Standard Setting> equals true

                    Rule Criteria:

                    URL.IsMinimalRisk<Default> equals false AND

                    Antimalware.Infected<Anti-Malware: High Setting> equals true

                    The URL.IsMinimalRisk will always be true or false, so you will always get one or the other.
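The reply above describes how Antimalware.Infected is filled once per AV setting per cycle, and replies 1 and 4 describe exempting a known false positive by virus name and host (and why two parallel lists can return the wrong site). The following Python model is an added example, not code from the thread or from McAfee Web Gateway: it models a rule chain with a per-setting scan cache so the number of scans can be counted for each rule layout discussed. The setting names (Setting1, Low, Medium, High, Standard), the verdict table attached to each request, the host cdn.example.net and the action names are all constructed assumptions; only the virus name and host from the question's log line are taken from the page.

```python
"""Toy model of a Web Gateway rule chain evaluating Antimalware.Infected.

Constructed example, not McAfee Web Gateway code. The one-scan-per-setting
cache and the rule layouts mirror what the thread describes.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Verdict:
    infected: bool
    virus_name: str = ""


@dataclass
class Request:
    host: str
    minimal_risk: bool                 # stands in for URL.IsMinimalRisk<Default>
    verdicts: Dict[str, Verdict]       # constructed: what each AV setting would report


@dataclass
class Cycle:
    req: Request
    cache: Dict[str, Verdict] = field(default_factory=dict)
    scans: int = 0

    def infected(self, setting: str) -> bool:
        """Antimalware.Infected<setting>: first use scans, later uses hit the cache."""
        if setting not in self.cache:
            self.scans += 1
            self.cache[setting] = self.req.verdicts.get(setting, Verdict(False))
        return self.cache[setting].infected

    def virus_name(self, setting: str) -> str:
        self.infected(setting)         # fills the AV attributes for this setting
        return self.cache[setting].virus_name


@dataclass
class Rule:
    name: str
    criteria: Callable[[Cycle], bool]
    action: str                        # "block", "allow" (stop rule set) or "continue"


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, int]:
    """Run the chain top to bottom; return (final action, number of AV scans)."""
    cycle = Cycle(req)
    for rule in rules:
        if rule.criteria(cycle) and rule.action != "continue":
            return rule.action, cycle.scans
    return "allow", cycle.scans


# Layout 1: the same setting referenced four times -> one scan, three cache hits.
def repeated_setting_rules() -> List[Rule]:
    return [Rule(f"check{i}", lambda c: c.infected("Setting1"), "continue") for i in range(4)]


# Layout 2: low/medium/high tiers, each guarded by the previous tier's (cached) result.
def tiered_rules() -> List[Rule]:
    return [
        Rule("Low infected", lambda c: c.infected("Low"), "block"),
        Rule("Medium infected", lambda c: not c.infected("Low") and c.infected("Medium"), "block"),
        Rule("High infected", lambda c: not c.infected("Medium") and c.infected("High"), "block"),
    ]


# Layout 3: pick ONE setting by reputation, so exactly one scan ever happens.
def reputation_split_rules() -> List[Rule]:
    return [
        Rule("Minimal risk -> standard", lambda c: c.req.minimal_risk and c.infected("Standard"), "block"),
        Rule("Other -> high", lambda c: not c.req.minimal_risk and c.infected("High"), "block"),
    ]


# Replies 1 and 4: exempt a known false positive by (virus name, host) PAIR, not by
# two parallel lists. A pair set cannot hand back "the wrong site" when a name repeats.
EXEMPT_PAIRS: Set[Tuple[str, str]] = {
    ("Heuristic.BehavesLike.JS.Unwanted", "sl.bpsvlab.com"),   # from the question's log line
}


def exemption_rules() -> List[Rule]:
    return [
        # Always true; its only job is to evaluate the property so the AV attributes are filled.
        Rule("Fill AV attributes", lambda c: c.infected("Standard") or True, "continue"),
        Rule("Exempt known false positive",
             lambda c: (c.virus_name("Standard"), c.req.host) in EXEMPT_PAIRS, "allow"),
        Rule("Block infected", lambda c: c.infected("Standard"), "block"),
    ]


# The parallel-list variant reply 4 warns against: index() only ever finds the FIRST name,
# so the second host (constructed) can never be returned for the repeated virus name.
VIRUS_LIST = ["Heuristic.BehavesLike.JS.Unwanted", "Heuristic.BehavesLike.JS.Unwanted"]
HOST_LIST = ["sl.bpsvlab.com", "cdn.example.net"]


def parallel_list_host(virus_name: str) -> Optional[str]:
    return HOST_LIST[VIRUS_LIST.index(virus_name)] if virus_name in VIRUS_LIST else None
```

Running `evaluate(repeated_setting_rules(), req)` on a clean object reports one scan, the tiered layout reports three scans on a clean object (one per setting touched), the reputation split reports exactly one, and the pair-keyed exemption allows the logged object only when both the virus name and the host match.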

                    • 7. Re: WGV7.2 Coding round Proactive Scanner

                      Thank you for that great answer.  Very helpful.