1 Reply Latest reply on Dec 15, 2014 1:42 AM by asabban

    Making Bypasses for Antimalware programs using Maintained Lists

      In my last discussion, listed here:

      Making Bypasses for SSL Scanner using Maintained Lists


      We started a discussion on how to make bypass rules for programs which cannot function or might not work with the SSL Scanner.  In this discussion, I would like to bring up the topic of false detections in the Antimalware engine.  Since the Web Gateway is running Antimalware processes to scan for possible threats or "Virus Signatures" you might run into issues with client Antimalware programs.


      Why would this be an issue:

      • Clients can have Antimalware programs like "F-Secure, Symantec, Trend Micro, etc..." running on them which will try to update through the Web Gateway.
      • These client endpoint Antimalware solutions can pass virus signature data through the Web Gateway Antimalware engine triggering false detections.
      • Due to updates getting blocked, the clients might not be able to get their Antimalware update definitions.


      Log File Location

      If you believe this is occurring on your Web Gateway, you might want to check the "Found Viruses" log for more information on these detections.  This log file can be found in the WebUI under:

      "Troubleshooting > **MyApplianceName** > Log files > user-defined-logs > foundViruses.log"


      Prevention

      In the instance this is occurring on your Web Gateway, or if you would like to be proactive, here are some example rules you can put in place to keep these updates out of the Antimalware engine on the Web Gateway:


      If you have the Web Gateway Antimalware Rule Set in place on your Web Gateway, you will want to look for something named like the following:


      Here are some example rules:


      (NOTE - Please make sure these rules are before the "Block If Virus Was Found" rule or any other rule that could be calling the "Antimalware.Infected" property as this property triggers the Web Gateway Antimalware scanning process.)


      I am going to leave this as an open discussion once again for developer and user collaborative input like my last discussion.
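      As an added illustration (not part of the original post or of the Web Gateway product), the following Python model shows why the NOTE above matters: a maintained-list bypass placed before "Block If Virus Was Found" returns before Antimalware.Infected is ever read, so the engine never sees the signature file; the reverse order triggers the scan and the false detection. The hosts in AV_UPDATE_HOSTS and the rule names are constructed placeholders.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for a maintained list of one vendor's update hosts.
# On the appliance the list is filled from the vendor's KB articles.
AV_UPDATE_HOSTS = {"updates.example-av.test", "dl.example-av.test"}


@dataclass
class Request:
    url: str
    looks_infected: bool   # would the engine flag this body (e.g. a signature file)?
    scans: int = 0         # how often the Antimalware engine was invoked

    def antimalware_infected(self) -> bool:
        # Like Antimalware.Infected on the appliance: reading the property
        # is what triggers the scan, so every read is counted as a scan.
        self.scans += 1
        return self.looks_infected


def host_in_list(req: Request, hosts: set) -> bool:
    """URL host matched against a list: the condition a bypass rule uses."""
    return urlsplit(req.url).hostname in hosts


# A rule is (name, condition, action); the first matching rule decides.
BYPASS_RULE = ("Skip scanning for AV update hosts",
               lambda r: host_in_list(r, AV_UPDATE_HOSTS), "skip")
BLOCK_RULE = ("Block If Virus Was Found",
              lambda r: r.antimalware_infected(), "block")


def evaluate(rules, req: Request) -> str:
    """Walk the rule set top-down; return the first matching action, else 'allow'."""
    for _name, condition, action in rules:
        if condition(req):
            return action
    return "allow"


def run(rules, url: str, looks_infected: bool) -> tuple:
    """Evaluate one request; return (action taken, number of scans triggered)."""
    req = Request(url, looks_infected)
    return evaluate(rules, req), req.scans


if __name__ == "__main__":
    sig = "http://updates.example-av.test/defs/sig.dat"
    print(run([BYPASS_RULE, BLOCK_RULE], sig, True))   # ('skip', 0): never scanned
    print(run([BLOCK_RULE, BYPASS_RULE], sig, True))   # ('block', 1): false detection
```

      A request to a host that is not on the list still goes through the engine in both orders, so the bypass only narrows what the scanner sees.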

        • 1. Re: Making Bypasses for Antimalware programs using Maintained Lists
          asabban

          Hello!


          Some notes:


          - I personally recommend only enabling those rules which match the AV solution/vendor that is in place on the client, to limit the amount of allow list entries to a minimum. Enabling all rules would only make sense for some kind of a "BYOD" network segment where users are allowed to bring laptops which do not run a corporate controlled AV solution.


          - The lists are based on KB articles of the AV solution/vendor and are updated manually on a regular basis. They are not explicitly tested with specific client solutions, but we allow all update servers a vendor mentions, assuming that all client solutions will use those update servers. Any feedback that could help improve the lists would be appreciated.


          Best,

          Andre