11 Replies Latest reply on Sep 7, 2014 2:43 PM by SafeBoot

    Gateway-Antimalware Rule placing in Webgateway

    Haaris Faizan

I have placed the Gateway-Antimalware rule at the top (can be seen in the screenshot), but I think it's recommended that it should be placed at the bottom.

But when I placed it at the bottom, it will not be triggered, as the client for which a particular URL is allowed is above the Gateway-Antimalware rule, so that URL is accessed by the user without any blockage (if it contains a virus), as the Antimalware rule is at the bottom so it will not be processed.

Tell me where exactly it should be placed and how it will be processed?

        • 1. Re: Gateway-Antimalware Rule placing in Webgateway
          asabban

          Hello,

Since Anti Malware is the feature that requires the most of the available performance, the idea is to put it at the end to prevent AV from being called for URLs which are blocked by "cheap" filters, such as the URL Filter. There is no need to filter a porn site if you block it anyway.


          I think you will have to review the whitelist configuration you made. The "Global Whitelist" usually is at the top and it is used to whitelist EVERYTHING, including Anti Virus. If that is not desired the "Global Whitelist" is the wrong place to whitelist. I cannot see any URL Filter or Media Type rules... what rule requires you to make the whitelist entry?


          You should definitely set Anti Malware to the bottom of your policy to save performance. The default policy the product comes with has the recommended order of rule sets.


          Best,

          Andre

          • 2. Re: Gateway-Antimalware Rule placing in Webgateway
            Haaris Faizan

Thanks for your response.

But suppose I have allowed a site like www.eicar.org for a client, and when the client tries to download files (shown in the red rectangle) which contain a virus, it should be blocked. So, when I tried that on my Web Gateway after allowing this URL to the user and placing the Anti-Malware rule at the bottom, the user is able to access that URL, which is fine since it's been allowed, but when he tries to download a virus-infected file he is able to successfully download that file, but it should be blocked. If I try this by placing the Anti-Malware rule at the top, it's working fine.

That's why I am confused!

[attachment: eicar.jpg]

            • 3. Re: Gateway-Antimalware Rule placing in Webgateway
              asabban

              Hello,


              I think the question is what "allowing this URL" means. There is no "allow" in MWG! You could either use a "Stop Rule Set" which will only leave the current rule set or "Stop Cycle", which causes all the following rule sets to not apply. I assume you have a rule that calls "Stop Cycle" when you "Allow" something... when you call Stop Cycle before you call AV then AV will not be applied (as you explicitly told MWG to not apply any further rules...).


              Can you show the rule which you use to "allow" a user to access a specific URL?


              Best,

              Andre

              • 4. Re: Gateway-Antimalware Rule placing in Webgateway
                Haaris Faizan

                I have attached two screenshots below:

1) This will give you the idea of how the URLs are allowed to a user. Suppose www.eicar.org is allowed to one of the users; since the Gateway-Antimalware rule set is placed at the top, it will allow the user to open the site, and when the user tries to download any malicious file it will block it (as mentioned in the above screenshots), whereas when I place the Gateway-Antimalware rule set at the bottom it will not block those malicious files and the user will be able to download them. Please reply to me, as I am confused.

[attachments: Proxy.jpg, proxy2.jpg]

                • 5. Re: Gateway-Antimalware Rule placing in Webgateway
                  Jon Scholten

                  Hi Haaris,

I think it would be beneficial to answer this question in two parts: 1) speaking to how MWG works (repeating what Andre stated), and 2) speaking to your rules.


                  1:

As Andre stated, there is no "allow". MWG consists of rules which execute in a top-down manner; the action you have defined in the rule determines the behavior you get.

                  The actions in MWG are:

                  Continue - MWG will continue through the proceeding rules.

                  Block - MWG will stop the transaction and display a block page.

                  Redirect - not important for this thread

                  Authenticate - not important for this thread

                  Stop Ruleset - MWG will stop processing rules in the current ruleset, and proceed onto the next ruleset.

                  Stop Cycle - MWG will stop processing *all* proceeding rules in the current cycle.


                  Now that you know the actions, I will describe the cycles.

                  Request - Example of this would be when a browser sends a GET or POST, this will include the URL, User-Agent, etc...

                  Response - Example of this would be the response that the server sends. Like an HTTP 200 OK with body content (html, css, js, iso, exe, xls, etc..)

                  Embedded - Example of this would be if a user was attempting to upload a zip file, then MWG looks inside of the zip file. Same applies for download of a zip file (or any format MWG can "open").


                  2:

                  Given what I described above, the reason why a user can download the eicar virus when you "allow" a user to a specific URL, is because you are allowing them in all cycles (request, response, embedded). As a result, when they are allowed, MWG is not hitting the anti-malware rules to scan the download.

                  The "Stop Cycle" action you have defined is preventing the MWG from hitting later rules (like anti-malware). More or less you really just want MWG to skip over other URL filtering rules, instead of Anti-Malware. You can follow this guide to achieve what you want with URL filtering:

                  How To: Creating a "Policy Assignment" ruleset (formerly "Web Mapping")


                  Best,

                  Jon
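To make the point of the two replies above concrete (Andre's note that "Stop Cycle" tells MWG not to apply any further rules, and Jon's explanation of actions and cycles), here is a small simulation of a top-down rule engine. It is an added example written for this thread, not MWG's own code or an official API: the rule set names, client IP addresses, the host list used as a stand-in for a blocked URL category, and the `body_is_malware` flag (standing in for the AV engine's verdict on the response body) are all constructed for illustration. It compares the two ways of letting a client through: a whitelist rule that fires "Stop Cycle" in every cycle, which skips Gateway Anti-Malware in the response cycle, versus a "Stop Ruleset" rule placed inside the URL Filtering rule set, which skips only the remaining URL filter rules and still lets the anti-malware rule set run.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, List, Tuple


class Action(Enum):
    CONTINUE = auto()      # keep evaluating the following rules
    BLOCK = auto()         # stop the transaction, show a block page
    STOP_RULESET = auto()  # skip the rest of this rule set, go on to the next one
    STOP_CYCLE = auto()    # skip every remaining rule in the current cycle


@dataclass
class Transaction:
    client_ip: str
    host: str
    body_is_malware: bool = False  # constructed stand-in for the AV engine's verdict
    cycle: str = "request"
    trace: List[str] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    matches: Callable[[Transaction], bool]
    action: Action


@dataclass
class RuleSet:
    name: str
    cycles: Tuple[str, ...]  # cycles in which this rule set is applied at all
    rules: List[Rule]


# Constructed policy data: one client has an exception for www.eicar.org, and a
# host list stands in for a URL category that the URL filter would block.
CLIENT_EXCEPTIONS = {"10.0.0.5": {"www.eicar.org"}}
BLOCKED_HOSTS = {"www.eicar.org", "blocked.example"}


def client_exception(tx: Transaction) -> bool:
    return tx.host in CLIENT_EXCEPTIONS.get(tx.client_ip, set())


def blocked_category(tx: Transaction) -> bool:
    return tx.host in BLOCKED_HOSTS


def malware_found(tx: Transaction) -> bool:
    return tx.body_is_malware


ANTI_MALWARE = RuleSet("Gateway Anti-Malware", ("response",),
                       [Rule("malware found", malware_found, Action.BLOCK)])


def policy_stop_cycle() -> List[RuleSet]:
    """The thread's original layout: a whitelist that fires Stop Cycle in all cycles."""
    return [
        RuleSet("Client Allow List", ("request", "response"),
                [Rule("client exception", client_exception, Action.STOP_CYCLE)]),
        RuleSet("URL Filtering", ("request",),
                [Rule("blocked category", blocked_category, Action.BLOCK)]),
        ANTI_MALWARE,
    ]


def policy_stop_ruleset() -> List[RuleSet]:
    """Exception inside URL Filtering with Stop Ruleset: AV stays at the bottom and still runs."""
    return [
        RuleSet("URL Filtering", ("request",),
                [Rule("client exception", client_exception, Action.STOP_RULESET),
                 Rule("blocked category", blocked_category, Action.BLOCK)]),
        ANTI_MALWARE,
    ]


def run_cycle(policy: List[RuleSet], tx: Transaction, cycle: str) -> Action:
    """Evaluate one cycle top-down; the first terminating action decides the cycle."""
    tx.cycle = cycle
    for rs in policy:
        if cycle not in rs.cycles:
            continue
        for rule in rs.rules:
            if not rule.matches(tx):
                continue
            tx.trace.append(f"{cycle}: {rs.name} / {rule.name} -> {rule.action.name}")
            if rule.action is Action.BLOCK:
                return Action.BLOCK
            if rule.action is Action.STOP_CYCLE:
                return Action.STOP_CYCLE
            if rule.action is Action.STOP_RULESET:
                break  # leave this rule set, continue with the next one
    return Action.CONTINUE


def process(policy: List[RuleSet], tx: Transaction) -> str:
    """Run the request cycle, then the response cycle (embedded cycle omitted for brevity)."""
    for cycle in ("request", "response"):
        if run_cycle(policy, tx, cycle) is Action.BLOCK:
            return "BLOCK"
    return "ALLOW"


def eicar_download(policy_builder) -> Transaction:
    """The thread's scenario: the excepted client downloads a malware test file."""
    tx = Transaction("10.0.0.5", "www.eicar.org", body_is_malware=True)
    tx.verdict = process(policy_builder(), tx)
    return tx


if __name__ == "__main__":
    for builder in (policy_stop_cycle, policy_stop_ruleset):
        tx = eicar_download(builder)
        print(f"{builder.__name__}: {tx.verdict}")
        for line in tx.trace:
            print("   ", line)
```

Running it shows the Stop Cycle layout ending in ALLOW with the anti-malware rule set never reached in the response cycle, while the Stop Ruleset layout blocks the download in the response cycle even though Gateway Anti-Malware sits last. A client without an exception requesting a blocked host is stopped in the request cycle by the URL filter alone, which is the performance argument for keeping the AV rule set at the bottom.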

                  • 6. Re: Gateway-Antimalware Rule placing in Webgateway
                    Haaris Faizan

Thanks for sharing all the information.

See, we have assigned URLs on the basis of client IPs and divided those clients into different groups. Could you please suggest how we can modify our rule set so that we can place the Gateway-Antimalware rule set at the bottom to make it work?

                    • 7. Re: Gateway-Antimalware Rule placing in Webgateway
                      Haaris Faizan

As you said, the stop cycle action is preventing the MWG from hitting the later rules; that's fine, but if we don't define the stop cycle action then how will the user be able to access the URL allowed to them? Is there any other way in which we can edit this rule?

                      • 8. Re: Gateway-Antimalware Rule placing in Webgateway
                        Jon Scholten

                        Read the link I sent over. It will give you an idea of how to organize your rules differently.


                        Best,

                        Jon

                        • 9. Re: Gateway-Antimalware Rule placing in Webgateway
                          Haaris Faizan

I read the link, but couldn't get much from it.