For HTTP and FTP traffic, objects (files) of selected types are scanned.
The file being transmitted is saved to a temporary file on the local disk of the firewall. WinRoute holds back the last segment of the transferred data and performs an antivirus scan of the temporary file. If a virus is detected, the last segment is dropped: the client receives an incomplete (damaged) file which cannot be executed, so the virus cannot be activated. If no virus is found, WinRoute sends the client the rest of the file and the transfer completes successfully.
Optionally, a warning message informing about a virus detected can be sent to the user who tried to download the file (see the Notify user by email option).
The purpose of the antivirus check is only to detect infected files; it is not possible to heal them!
If the antivirus check is disabled in HTTP and FTP filtering rules, objects and files matching the corresponding rules are not checked. For details, refer to chapters 12.2 URL Rules and 12.6 FTP Policy.
Full functionality of HTTP scanning is not guaranteed if any non-standard extensions to web browsers (e.g. download managers, accelerators, etc.) are used!
To set parameters of HTTP and FTP antivirus check, open the HTTP, FTP scanning tab in Configuration → Content Filtering → Antivirus.
Use the If a virus is found... entry to specify actions to be taken whenever a virus is detected in a transmitted file:
Move the file to quarantine — the file will be saved in a special directory on the WinRoute host. WinRoute administrators can later try to heal the file using an antivirus program and if the file is recovered successfully, the administrator can provide it to the user who attempted to download it.
The quarantine subdirectory under the WinRoute directory is used for the quarantine (the typical path is C:\Program Files\Kerio\WinRoute Firewall\quarantine).
Infected files (and files suspected of being infected) are saved into this directory under automatically generated names. The name of each file includes the protocol, date, time and connection number of the transmission.
When handling files in the quarantine directory, please consider carefully each action you take, otherwise a virus might be activated and the WinRoute host could be attacked by the virus!
Alert the client — WinRoute alerts the user who attempted to download the file by an email message warning that a virus was detected and download was stopped for security reasons.
WinRoute sends alert messages only when all of the following conditions are met: the user is authenticated and connected to the firewall, a valid email address is set in the corresponding user account (see chapter 15.1 Viewing and definitions of user accounts) and the SMTP server used for sending mail is configured correctly (refer to chapter 18.3 Relay SMTP server).
Note: Regardless of the fact whether the Alert the client option is used, alerts can be sent to specified addresses (e.g. addresses of network administrators) whenever a virus is detected. For details, refer to chapter 19.4 Alerts.
In the If the transferred file cannot be scanned section, specify the action to be taken when the antivirus check cannot be applied to a file (e.g. the file is compressed and password-protected, damaged, etc.):
Deny transmission of the file — WinRoute will consider these files as infected and deny their transmission.
It is recommended to combine this option with the Move the file to quarantine function — the WinRoute administrator can extract the file and perform manual antivirus check in response to user requests.
Allow the file to be transferred — WinRoute will treat compressed password-protected files and damaged files as trusted (not infected).
Generally, use of this option is not secure. However, it can be helpful, for example, when users need to transfer large volumes of compressed password-protected files and an antivirus is installed on the workstations.
The scanning rules specify when the antivirus check will be applied. By default (if no rule is defined), all objects transmitted by HTTP and FTP are scanned.
WinRoute contains a set of predefined rules for HTTP and FTP scanning. By default, all executable files as well as all Microsoft Office files are scanned. The WinRoute administrator can change the default configuration.
Scanning rules are ordered in a list and processed from the top. Arrow buttons on the right can be used to change the order. When a rule which matches the object is found, the appropriate action is taken and rule processing is stopped.
New rules can be created in the dialog box which opens after clicking the button.
Description — description of the rule (for reference of the WinRoute administrator only).
Condition of the rule:
HTTP/FTP filename — this condition matches specific filenames (not entire URLs) transmitted by FTP or HTTP (e.g. *.exe, *.zip, etc.). If only an asterisk is used for the specification, the rule will apply to any file transmitted by HTTP or FTP.
The other two conditions can be applied only to HTTP:
MIME type — MIME types can be specified either by complete expressions (e.g. image/jpeg) or using a wildcard matching (e.g. application/*).
URL — URL of the object (e.g. www.kerio.com/img/logo.gif), a string specified by a wildcard matching (e.g. *.exe) or a server name (e.g. www.kerio.com). Server names represent any URL at the corresponding server (www.kerio.com/*).
If a MIME type or a URL is specified only by an asterisk, the rule will apply to any HTTP object.
Settings in this section define whether or not the object will be scanned.
If the Do not scan alternative is selected, antivirus control will not apply to transmission of this object.
The new rule will be added after the rule which had been selected before the button was clicked. You can use the arrow buttons on the right to move the rule within the list. The checkbox next to each rule can be used to disable the rule. Rules can be disabled temporarily so that it is not necessary to remove rules and create identical ones later.
If the object does not match with any rule, it will be scanned automatically. If only selected object types are to be scanned, a rule disabling scanning of any URL or MIME type must be added to the end of the list (the Skip all other files rule is predefined for this purpose).
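The rule-evaluation semantics described in this section (top-down order, first match decides, unmatched objects scanned by default, MIME/URL conditions applying to HTTP only, and the role of a final "Skip all other files" rule), as an added illustration in Python. This is not WinRoute code; the Rule and Obj structures, the fnmatch-style wildcards and case-sensitive matching are assumptions of this model, and the rule set at the end is constructed for the example.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional
# Model of the scanning-rule semantics (added illustration, not WinRoute
# code): rules are evaluated top-down, the first match decides, and an
# object matching no rule is scanned. Case-sensitive wildcards are assumed.
@dataclass
class Rule:
    description: str
    scan: bool                       # False = "Do not scan"
    filename: Optional[str] = None   # HTTP/FTP filename, e.g. "*.exe"
    mime: Optional[str] = None       # HTTP only, e.g. "application/*"
    url: Optional[str] = None        # HTTP only: URL, wildcard or server name
    enabled: bool = True             # unchecked (disabled) rules are skipped

@dataclass
class Obj:
    protocol: str                    # "http" or "ftp"
    filename: str
    mime: str = ""
    url: str = ""                    # e.g. "www.kerio.com/img/logo.gif"

def url_matches(pattern: str, url: str) -> bool:
    # A bare server name stands for any URL on that server (server/*).
    if "*" not in pattern and "/" not in pattern:
        return url == pattern or fnmatch.fnmatchcase(url, pattern + "/*")
    return fnmatch.fnmatchcase(url, pattern)

def rule_matches(rule: Rule, obj: Obj) -> bool:
    """All given conditions must hold; MIME and URL apply to HTTP only."""
    http = obj.protocol == "http"
    return rule.enabled and (
        rule.filename is None or fnmatch.fnmatchcase(obj.filename, rule.filename)
    ) and (
        rule.mime is None or (http and fnmatch.fnmatchcase(obj.mime, rule.mime))
    ) and (rule.url is None or (http and url_matches(rule.url, obj.url)))

def should_scan(rules: List[Rule], obj: Obj) -> bool:
    for rule in rules:
        if rule_matches(rule, obj):
            return rule.scan       # first matching rule decides
    return True                    # no rule matched: scanned automatically

# Constructed rule set: default-style rules plus "Skip all other files" last.
RULES = [
    Rule("Executables", scan=True, filename="*.exe"),
    Rule("MS Office documents", scan=True, filename="*.doc"),
    Rule("Kerio download server", scan=True, url="www.kerio.com"),
    Rule("Skip all other files", scan=False, filename="*"),
]
```

Dropping the last rule (RULES[:-1]) shows the default behaviour: an object matching no rule is scanned, so the skip rule is what limits scanning to the selected types.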