0 Replies Latest reply on Nov 4, 2015 11:07 AM by jebeling

    Enhanced Gateway Anti-malware Ruleset

    jebeling

      I had booth duty at FOCUS this year and a couple customers were asking questions about the Gateway Anti-Malware Ruleset used in our demonstration. I have attached it here.


      A few interesting features are: 1) use of smartmatch for the bypass site list, 2) an easy way to select the size at which you would like to bypass anti-malware scanning (works from a list of numbers and you just select the index for the appropriate size), 3) use of different settings based on the trust level of the site, and 4) some nice logging features.


      Number list: Anti-Malware: Bypass Files Over X Bytes
      Only the FIRST entry in this list is used. Move/Add the proper value to the top.
      Common values: 1 MB = 1048576 bytes; 5 MB = 5242880 bytes; 10 MB = 10485760 bytes; 20 MB = 20971520 bytes; 30 MB = 31457280 bytes; 100 MB = 104857600 bytes; 500 MB = 524288000 bytes; 1 GB = 1073741824 bytes

      #   Number       Comment
      1   31457280     30 Meg: Only FIRST entry is used
      2   1048576      1 MB
      3   5242880      5 MB
      4   10485760     10 MB
      5   20971520     20 MB
      6   104857600    100 MB
      7   524288000    500 MB
      8   1073741824   1 GB


      Rule Sets
      Gateway Anti-Malware

      [Scan content for malware using the Gateway Anti-Malware engine, McAfee Anti-Virus, GTI File Reputation, and 3rd-Party AV.]

      Enabled
      Applies to Requests: True / Responses: True / Embedded Objects: True
      Always
      Columns: Enabled / Rule / Criteria / Action / Events / Comments

      Disabled  Anti-Malware: Bypass Sites
                1: URL.SmartMatch(Anti-Malware: Bypass Sites°) equals true
                Action: Stop Rule Set
                Comment: If the URL host is in the list of hosts, Anti-Malware scanning will be bypassed.

      Disabled  Anti-Malware: Bypass User Agents
                1: Header.Request.Get("User-Agent") matches in list Anti-Malware: Bypass User Agents°
                Action: Stop Rule Set
                Comment: A list of user agents used to bypass Anti-Malware scanning.

      Enabled   Anti-Malware: Bypass Files Over X Bytes
                1: Body.Size greater than List.OfNumber.Get(Anti-Malware: Bypass Files Over X Bytes,0)
                Action: Stop Rule Set

      Enabled   Remove Partial Content for HTTP(s) Requests
                1: Cycle.TopName equals "Request"
                2: AND (Connection.Protocol equals "http"
                3: OR Connection.Protocol equals "https")
                Action: Continue
                Events: Header.RemoveAll("Range")

      Enabled   Block Partial Content for FTP Requests
                1: Connection.Protocol equals "ftp"
                2: AND Cycle.TopName equals "Request"
                3: AND Command.Categories contains "Partial"
                Action: Block<Partial Content Not Allowed>
                Events: Statistics.Counter.Increment("BlockedByMediaFilter",1)<Default>

      Enabled   Anti-Malware: Enable Stream Scanner
                1: Cycle.Name equals "Response"
                2: AND StreamDetector.IsMediaStream<Streaming Detector: Default> equals true
                Action: Stop Rule Set
                Events: Enable Media Stream Scanner
                Comment: Starts the media stream scanner on streaming media and skips antivirus checking when streaming media is detected.

      Disabled  Anti-Malware: Standard Setting for Trusted Sites
                1: URL.IsMinimalRisk<URL Filter: Default> equals true
                2: AND Antimalware.Infected<Anti-Malware: Trusted Sites> equals true
                Action: Continue
                Events: Header.Block.RemoveAll("X-Hash-MD5")
                        Header.Block.Add("X-Hash-MD5",Body.Hash("md5"))
                        Header.Block.RemoveAll("X-GAM-IsInfected")
                        Header.Block.Add("X-GAM-IsInfected",Boolean.ToString(Antimalware.Infected<Anti-Malware: Trusted Sites>))
                        Header.Block.RemoveAll("X-GAM-Probability")
                        Header.Block.Add("X-GAM-Probability",Number.ToString(Antimalware.Proactive.Probability<Anti-Malware: Trusted Sites>))
                Comment: Slightly less aggressive scanning for Trusted Sites.

      Disabled  Anti-Malware: High Setting for Un-Trusted Sites
                1: URL.IsMinimalRisk<URL Filter: Default> equals false
                2: AND Antimalware.Infected<Anti-Malware: Un-Trusted Sites> equals true
                Action: Continue
                Events: Header.Block.RemoveAll("X-Hash-MD5")
                        Header.Block.Add("X-Hash-MD5",Body.Hash("md5"))
                        Header.Block.RemoveAll("X-GAM-IsInfected")
                        Header.Block.Add("X-GAM-IsInfected",Boolean.ToString(Antimalware.Infected<Anti-Malware: Un-Trusted Sites>))
                        Header.Block.RemoveAll("X-GAM-Probability")
                        Header.Block.Add("X-GAM-Probability",Number.ToString(Antimalware.Proactive.Probability<Anti-Malware: Un-Trusted Sites>))
                Comment: Slightly more aggressive scanning for unknown sites.

      Enabled   Anti-Malware: Default
                1: Antimalware.Infected<Anti-Malware: Default> equals true
                Action: Continue
                Events: Header.Block.RemoveAll("X-Hash-MD5")
                        Header.Block.Add("X-Hash-MD5",Body.Hash("md5"))
                        Header.Block.RemoveAll("X-GAM-IsInfected")
                        Header.Block.Add("X-GAM-IsInfected",Boolean.ToString(Antimalware.Infected<Anti-Malware: Default>))
                        Header.Block.RemoveAll("X-GAM-Probability")
                        Header.Block.Add("X-GAM-Probability",Number.ToString(Antimalware.Proactive.Probability<Anti-Malware: Default>))
                Comment: If this rule is enabled, then disable the Trusted and Un-Trusted rules above.

      Enabled   Anti-Malware: Block Infected
                1: Header.Block.Exists("X-GAM-IsInfected") equals true
                2: AND Header.Block.Get("X-GAM-IsInfected") equals "true"
                Action: Block<Virus Found>
                Events: Statistics.Counter.Increment("BlockedByAntiMalware",1)<Default>
                Comment: This performs the actual block if a file is infected based on the scans performed.

      Enabled   Anti-Malware: Scan Complete
                Always
                Action: Continue
                Comment: Validates that Antimalware scanning occurred, for the logs. If processing gets to here, the object passed the Antimalware rules and is clean. Body.Modified indicates whether a page was cleaned of mobile code.
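      The way these rules interact (the size bypass reading only index 0 of the number list, the trust-level selection of the scanner setting, and the Block Infected rule keying off the X-GAM-IsInfected block header) is easier to check against a small model than by reading the export. The following is an added Python model written for this post; it is not McAfee Web Gateway code and not the attached ruleset. The Transaction fields, the smartmatch helper, the BYPASS_SITES list, the scanner verdicts per setting and the probability value are all constructed stand-ins for the gateway properties they are named after, and the X-Hash-MD5 header is left out because no body content is modelled.

```python
"""Added example: a Python model of the Gateway Anti-Malware rule set above.

Not McAfee Web Gateway code. It replays the rule order, the Stop Rule Set /
Continue / Block actions and the X-GAM-* block headers on constructed
transactions so the rule interactions can be verified offline.
"""
from dataclasses import dataclass, field

# Mirrors the "Anti-Malware: Bypass Files Over X Bytes" number list; only index 0 is used.
BYPASS_SIZE_LIST = [31457280, 1048576, 5242880, 10485760, 20971520,
                    104857600, 524288000, 1073741824]
# Constructed stand-in for the "Anti-Malware: Bypass Sites" string list.
BYPASS_SITES = ["updates.example.com"]


@dataclass
class Transaction:
    host: str
    body_size: int
    minimal_risk: bool           # stand-in for URL.IsMinimalRisk<URL Filter: Default>
    infected: dict               # constructed verdicts keyed by engine setting name
    probability: float = 0.0     # stand-in for Antimalware.Proactive.Probability
    cycle: str = "Response"      # Cycle.TopName
    protocol: str = "http"       # Connection.Protocol
    headers: dict = field(default_factory=dict)        # request headers
    block_headers: dict = field(default_factory=dict)  # Header.Block.* scratch space


def smartmatch(host, sites):
    """Simplified stand-in for URL.SmartMatch: exact host or any parent domain."""
    return any(host == s or host.endswith("." + s) for s in sites)


def record_verdict(setting):
    """Event for the scanning rules: publish the verdict as block headers,
    like Header.Block.Add("X-GAM-IsInfected", Boolean.ToString(...))."""
    def event(t):
        t.block_headers["X-GAM-IsInfected"] = str(t.infected[setting]).lower()
        t.block_headers["X-GAM-Probability"] = str(t.probability)
    return event


def rule_set(bypass_sites_enabled=False, trust_levels=False):
    """(enabled, name, criteria, action, event) in the order of the export.

    trust_levels=True enables the Trusted/Un-Trusted rules and disables
    Default, as the comment on the Default rule requires.
    """
    return [
        (bypass_sites_enabled, "Bypass Sites",
         lambda t: smartmatch(t.host, BYPASS_SITES), "stop", None),
        (True, "Bypass Files Over X Bytes",
         lambda t: t.body_size > BYPASS_SIZE_LIST[0], "stop", None),
        (True, "Remove Partial Content",
         lambda t: t.cycle == "Request" and t.protocol in ("http", "https"),
         "continue", lambda t: t.headers.pop("Range", None)),
        (trust_levels, "Standard Setting for Trusted Sites",
         lambda t: t.minimal_risk and t.infected["Trusted Sites"],
         "continue", record_verdict("Trusted Sites")),
        (trust_levels, "High Setting for Un-Trusted Sites",
         lambda t: not t.minimal_risk and t.infected["Un-Trusted Sites"],
         "continue", record_verdict("Un-Trusted Sites")),
        (not trust_levels, "Default",
         lambda t: t.infected["Default"], "continue", record_verdict("Default")),
        (True, "Block Infected",
         lambda t: t.block_headers.get("X-GAM-IsInfected") == "true", "block", None),
        (True, "Scan Complete", lambda t: True, "continue", None),
    ]


def process(t, **options):
    """Walk the rule set once; return (outcome, name of the rule that decided it)."""
    for enabled, name, criteria, action, event in rule_set(**options):
        if not enabled or not criteria(t):
            continue
        if event:
            event(t)
        if action == "stop":      # Stop Rule Set: leaves before any scanning rule runs
            return ("bypassed", name)
        if action == "block":
            return ("blocked", name)
    return ("clean", "Scan Complete")


if __name__ == "__main__":
    big = Transaction("cdn.example.net", 50 * 1048576, False,
                      {"Default": True, "Trusted Sites": True, "Un-Trusted Sites": True})
    print(process(big))   # bypassed by size before any scan, although every engine would flag it
```

      Running it shows the trade-off behind the size list: a Stop Rule Set action exits the rule set, so an object larger than the first entry (30 MB as exported) never reaches the scanning rules or Block Infected, and no X-GAM-IsInfected header is ever produced for it. With trust_levels=True the same object can be blocked when it arrives from a host that is not minimal risk and passed when it arrives from a trusted one, which is the behaviour the Trusted/Un-Trusted pair is meant to give and worth confirming in the logs after switching it on.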