since Anti Malware is the feature that requires most of the available performance the idea is to put it at the end to prevent AV from being called for URLs which are blocked by "cheap" filters, such as URL Filter. There is no need to filter a porn site if you block it anyway.
I think you will have to review the whitelist configuration you made. The "Global Whitelist" usually is at the top and it is used to whitelist EVERYTHING, including Anti Virus. If that is not desired the "Global Whitelist" is the wrong place to whitelist. I cannot see any URL Filter or Media Type rules... what rule requires you to make the whitelist entry?
You should definitely set Anti Malware to the bottom of your policy to save performance. The default policy the product comes with has the recommended order of rule sets.
Thanks for your response......
But Suppose I have allowed a site like www.eicar.org for a client & when client try to download files(Shown in red rectangle) which contains virus it should be blocked.So,when i tried that on my webgateway after allowing this URL to the user and placing Anti-Malware Rule at the bottom ,user is able to access that URL which is fine since its been allowed but when he tries to download virus infected file he is able to successfully download that file but it should be blocked.If i try this by placing the Anti-Malware rule at the top its working fine
thats why I am confused!!!!!
I think the question is what "allowing this URL" means. There is no "allow" in MWG! You could either use a "Stop Rule Set" which will only leave the current rule set or "Stop Cycle", which causes all the following rule sets to not apply. I assume you have a rule that calls "Stop Cycle" when you "Allow" something... when you call Stop Cycle before you call AV then AV will not be applied (as you explicitly told MWG to not apply any further rules...).
Can you show the rule which you use to "allow" a user to access a specific URL?
I have attached two screenshots below:
1)This will give you the idea of how the URLs are allowed to user.Suppose www.eicar.org is allowed to one of the user but since Gateway-Antimalware ruleset is placed at the top it will allow the user to open site & when user try to download any malicious file it will block it(as mentioned in above screenshots) whereas when I place Gateway-Antimalware ruleset at the bottom it will not block those malicious file and user will be able to download.Plz reply m as i m confuse
I think it would be beneficial to answer this question in two parts 1) speaking to how MWG works -- repeating what Andre stated and 2) speaking to your rules.
As Andre stated, there is no "allow". MWG consists of rules which execute in a top-down manner, depending on the action you have defined in the rule, corresponds to the behavior you get.
The actions in MWG are:
Continue - MWG will continue through the proceeding rules.
Block - MWG will stop the transaction and display a block page.
Redirect - not important for this thread
Authenticate - not important for this thread
Stop Ruleset - MWG will stop processing rules in the current ruleset, and proceed onto the next ruleset.
Stop Cycle - MWG will stop processing *all* proceeding rules in the current cycle.
Now that you know the actions, I will describe the cycles.
Request - Example of this would be when a browser sends a GET or POST, this will include the URL, User-Agent, etc...
Response - Example of this would be the response that the server sends. Like an HTTP 200 OK with body content (html, css, js, iso, exe, xls, etc..)
Embedded - Example of this would be if a user was attempting to upload a zip file, then MWG looks inside of the zip file. Same applies for download of a zip file (or any format MWG can "open").
Given what I described above, the reason why a user can download the eicar virus when you "allow" a user to a specific URL, is because you are allowing them in all cycles (request, response, embedded). As a result, when they are allowed, MWG is not hitting the anti-malware rules to scan the download.
The "Stop Cycle" action you have defined is preventing the MWG from hitting later rules (like anti-malware). More or less you really just want MWG to skip over other URL filtering rules, instead of Anti-Malware. You can follow this guide to achieve what you want with URL filtering:
Thanks for sharing all the information....
See we have assigned URLs on the basis of Client IPs and divided those clients in different groups.Could you please suggest us how we can modify our ruleset so that we can place Gateway-Antimalware ruleset at the bottom to make it work....
As u said that stop cycle action is preventing the MWG from hitting the later rules,that's fine but if we don't define stop cycle action then how the user will be able to access the URL allowed to them.Is there any other way which we can edit this rule?????
Read the link I sent over. It will give you an idea of how to organize your rules differently.
I read the link..bt couldnt get much