13.3  HTTP and FTP scanning

For HTTP and FTP traffic, objects (files) of selected types are scanned.

The file being transmitted is saved in a temporary file on the local disk of the firewall. WinRoute caches the last part of the transmitted file (a segment of the data transferred) and performs an antivirus scan of the temporary file. If a virus is detected in the file, the last segment of the data is dropped. This means that the client receives an incomplete (damaged) file which cannot be executed, so the virus cannot be activated. If no virus is found, WinRoute sends the client the rest of the file and the transmission is completed successfully.

Optionally, a warning message about the detected virus can be sent to the user who tried to download the file (see the Notify user by email option).

Warning

  1. The purpose of the antivirus check is only to detect infected files. It is not possible to heal them!

  2. If the antivirus check is disabled in HTTP and FTP filtering rules, objects and files matching the corresponding rules are not checked. For details, refer to chapters 12.2  URL Rules and 12.6  FTP Policy.

  3. Full functionality of HTTP scanning is not guaranteed if any non-standard extensions to web browsers (e.g. download managers, accelerators, etc.) are used!

To set parameters of HTTP and FTP antivirus check, open the HTTP, FTP scanning tab in Configuration → Content Filtering → Antivirus.


Figure 13.7. Settings for HTTP and FTP scanning


Use the If a virus is found... entry to specify actions to be taken whenever a virus is detected in a transmitted file:

In the If the transferred file cannot be scanned section, specify actions to be taken when the antivirus check cannot be applied to a file (e.g. the file is compressed and password-protected, damaged, etc.):

HTTP and FTP scanning rules

These rules specify when the antivirus check will be applied. By default (if no rule is defined), all objects transmitted by HTTP and FTP are scanned.

WinRoute contains a set of predefined rules for HTTP and FTP scanning. By default, all executable files as well as all Microsoft Office files are scanned. The WinRoute administrator can change the default configuration.

Scanning rules are ordered in a list and processed from the top. Arrow buttons on the right can be used to change the order. When a rule which matches the object is found, the appropriate action is taken and rule processing is stopped.

New rules can be created in the dialog box which is opened after clicking the Add button.


Figure 13.8. Definition of an HTTP/FTP scanning rule


Description

Description of the rule (for reference of the WinRoute administrator only)

Condition

Condition of the rule:

  • HTTP/FTP filename — this option matches names of files (not entire URLs) transmitted by FTP or HTTP (e.g. *.exe, *.zip, etc.).

    If only an asterisk is used for the specification, the rule will apply to any file transmitted by HTTP or FTP.

The other two conditions can be applied only to HTTP:

  • MIME type — MIME types can be specified either by complete expressions (e.g. image/jpeg) or using wildcard matching (e.g. application/*).

  • URL — URL of the object (e.g. www.kerio.com/img/logo.gif), a string specified using wildcard matching (e.g. *.exe) or a server name (e.g. www.kerio.com). A server name represents any URL at the corresponding server (www.kerio.com/*).

If a MIME type or a URL is specified only by an asterisk, the rule will apply to any HTTP object.

Action

Settings in this section define whether or not the object will be scanned.

If the Do not scan alternative is selected, antivirus control will not apply to transmission of this object.

The new rule will be added after the rule which had been selected before Add was clicked. You can use the arrow buttons on the right to move the rule within the list.

The checkbox next to a rule can be used to disable the rule. Rules can be disabled temporarily so that it is not necessary to remove rules and create identical ones later.

If the object does not match any rule, it will be scanned automatically. If only selected object types are to be scanned, a rule disabling scanning of any URL or MIME type must be added to the end of the list (the Skip all other files rule is predefined for this purpose).
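The first-match processing described above can be modelled to check what a planned rule order will actually do before it is entered in the dialog. The following is an added example, not WinRoute code: the Rule and Obj types, the host names and the rule list are constructed, and case-insensitive shell-style wildcard matching is an assumption.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Rule:
    description: str
    kind: str            # "filename", "mime" or "url"
    pattern: str         # wildcard pattern, e.g. "*.exe" or "application/*"
    scan: bool           # True = Scan, False = Do not scan
    enabled: bool = True

@dataclass
class Obj:
    protocol: str        # "http" or "ftp"
    url: str             # server/path, without scheme
    mime: str = ""

def matches(rule, obj):
    pattern = rule.pattern
    if rule.kind == "filename":
        value = obj.url.rsplit("/", 1)[-1]      # filename only, not the URL
    elif obj.protocol != "http":
        return False                            # MIME type and URL are HTTP-only
    elif rule.kind == "mime":
        value = obj.mime
    else:
        value = obj.url
        if "*" not in pattern and "/" not in pattern:
            pattern += "/*"                     # server name means server/*
    return fnmatchcase(value.lower(), pattern.lower())

def decide(rules, obj):
    """First enabled rule that matches decides; unmatched objects are scanned."""
    for rule in rules:
        if rule.enabled and matches(rule, obj):
            return rule.scan, rule.description
    return True, "(no rule matched: scanned by default)"

# Constructed rule list; names and hosts are illustrative.
RULES = [
    Rule("Executables", "filename", "*.exe", True),
    Rule("Office documents", "filename", "*.doc", True),
    Rule("Trusted update server", "url", "updates.example.test", False),
    Rule("Skip all other files", "url", "*", False),
]

if __name__ == "__main__":
    exe = Obj("http", "updates.example.test/agent.exe", "application/octet-stream")
    print(decide(RULES, exe))                    # scan rule is reached first
    moved = [RULES[2], RULES[0], RULES[1], RULES[3]]
    print(decide(moved, exe))                    # exclusion now wins: not scanned
```

In this model, moving a Do not scan rule above the scan rules exempts executables from that server from the antivirus check, so exclusions are safest when placed below the rules that select file types for scanning.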