Overview

The McAfee Anti-Virus filter scans incoming HTTP requests and their attachments for viruses and exploits. For example, if a virus is detected in a MIME attachment or in the XML message body, the Enterprise Gateway can reject the entire message and return a SOAP Fault to the client. In addition, this filter supports cleaning of messages from infections such as viruses and exploits. It also provides scan type presets for different detection levels, and reports overall message status after scanning.

Important: This filter is currently available on Windows and Linux only.
Prerequisites

McAfee virus scanner integration requires the McAfee 5400 Scan Engine.

Enterprise Gateway

When adding third-party binaries to the Enterprise Gateway, you must perform the following steps:

1. Add the binary files as follows:
   - Add .dat files from the McAfee 5400 Scan Engine to the InstallDir/conf/plugin/mcafee/datv2 directory, except for config.dat, which must be added to InstallDir/platform/lib or InstallDir\win32\lib.
   - Add .jar files to the InstallDir/ext/lib directory.
   - Add .dll files to the InstallDir\win32\lib directory.
   - Add .so files to the InstallDir/platform/lib directory.
2. Restart the Enterprise Gateway.

Policy Studio

When adding third-party binaries to the Policy Studio, you must perform the following steps:

1. Add .jar files to the InstallDir/plugins/thirdparty.runtime.dependencies_6.0.3 directory.
2. Restart the Policy Studio.
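As an added example (not part of the original page, and not Enterprise Gateway or McAfee code), the following POSIX shell script places the unpacked engine files into the Enterprise Gateway directories listed above, using the Linux layout (platform/lib), and then checks that config.dat landed with the libraries rather than in datv2, which is the placement mistake the list above warns about. The source directory, the install directory and the file names in the usage line are assumptions for illustration; the Windows targets (InstallDir\win32\lib for .dll files and config.dat) are not handled.

```shell
#!/bin/sh
# Added example, not Enterprise Gateway or McAfee code: copy the unpacked
# McAfee 5400 Scan Engine files into the Enterprise Gateway directories
# listed in the Prerequisites, using the Linux layout (platform/lib).
# Windows targets (InstallDir\win32\lib for .dll files and config.dat)
# are not handled here.
#
# Usage: sh install_mcafee.sh /path/to/unpacked/engine /opt/gateway
# (both paths are assumptions for illustration)

install_mcafee_files() {
    src="$1"
    install_dir="$2"
    dat_dir="$install_dir/conf/plugin/mcafee/datv2"
    lib_dir="$install_dir/platform/lib"
    jar_dir="$install_dir/ext/lib"
    # Create every target first so a missing directory cannot stop the
    # copy half-way through.
    mkdir -p "$dat_dir" "$lib_dir" "$jar_dir" || return 1

    for f in "$src"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            config.dat) cp "$f" "$lib_dir/" ;;   # the one .dat that belongs with the libraries
            *.dat)      cp "$f" "$dat_dir/" ;;
            *.jar)      cp "$f" "$jar_dir/" ;;
            *.so)       cp "$f" "$lib_dir/" ;;
            *)          printf 'skipping %s: not a .dat, .jar or .so file\n' "$f" >&2 ;;
        esac
    done
}

# Returns 0 when the layout matches the documented one: config.dat sits in
# platform/lib and not in datv2, and datv2 holds at least one .dat file.
check_mcafee_layout() {
    install_dir="$1"
    dat_dir="$install_dir/conf/plugin/mcafee/datv2"
    lib_dir="$install_dir/platform/lib"
    [ -f "$lib_dir/config.dat" ] || { echo "config.dat missing from $lib_dir" >&2; return 1; }
    [ ! -e "$dat_dir/config.dat" ] || { echo "config.dat must not be in $dat_dir" >&2; return 1; }
    for d in "$dat_dir"/*.dat; do
        if [ -f "$d" ]; then
            return 0
        fi
    done
    echo "no .dat files in $dat_dir" >&2
    return 1
}

# When run directly with two arguments, install and then verify.
if [ "$#" -eq 2 ]; then
    install_mcafee_files "$1" "$2" && check_mcafee_layout "$2"
fi
```

Run the script before restarting the Enterprise Gateway; a non-zero exit from check_mcafee_layout means the definitions will not be found where the filter looks for them.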
Configuring a McAfee Anti-Virus Filter

To configure the McAfee Anti-Virus filter, perform the following steps:

1. Enter an appropriate name in the Name field.

2. Select a Scan type from the drop-down box. The available options are as follows:

   | Scan type | Description |
   | Normal | Processes the entire message, detecting exploits and viruses in the message headers, macros, multi-file archives, executables, MIME-encoded/UU-encoded/XX-encoded/BinHex and TNEF/IMC format files. Performs heuristic analysis to find new viruses and potentially unwanted programs. This is the default scan type. |
   | Fast | Detects infections in the top level of each message part, such as exploits that use headers and multiple bodies. The detection is less precise, but the performance is better if the top-level object is infected. |
   | Multi-pass | Combines the Normal and Fast scan types. The Fast scan (pass 1) runs first on the whole message with no cleaning. The scanner stops if it finds an infected object: if the clean type is set to No cleaning, the scanner reports the infection; otherwise it deletes the message. If pass 1 does not detect any virus or exploit, the Normal scan (pass 2) runs with the specified clean type and provides more precise detection. |
   | Custom | Enables you to set the Custom options described in the next section. This provides compatibility with previous Enterprise Gateway versions. Note: When existing circuits are upgraded to the current Enterprise Gateway version, the McAfee Anti-Virus filter scan type is set to Custom and the clean type is set to No cleaning for backward compatibility. |

3. Select a Clean type from the drop-down box. The available options are as follows:

   | Clean type | Description |
   | No cleaning | Fails if any infection is detected. This is the default clean type. |
   | Always remove infected parts | Removes the infected message part, and does not try to repair it. |
   | Attempt to repair infected parts | Attempts to repair the found infection (if repairable), otherwise deletes the infected message part. |
Configuring Custom Options

When you configure a custom scan type, the following Custom options are available:

Decompress Archives:

This instructs the filter to scan each file in an archive for viruses. Types of archived files include the ZIP, JAR, TAR, ARJ, LHA, PKARC, PKZIP, RAR, WinACE, BZip, and Zcompress formats.

Decompress Executables:

Executables are sometimes compressed to decrease overall message size. In such cases, any embedded viruses are also compressed and may be missed by conventional scans. If this option is selected, the filter decompresses the executable before scanning it for viruses.

Fail Any Macros:

A macro is a series of commands that can be invoked in a single command or keystroke. While calling the macro can appear to be harmless, the initiated command sequence may be harmful. Macros are usually configured to run automatically when the host document is opened. When this option is selected, the Enterprise Gateway fails if any macro is detected in a compound document (whether it matches a virus signature or not). An appropriate SOAP Fault is returned to the client.

Heuristic Program Analysis:

A heuristic virus detection algorithm runs a series of probing tests on a file in an attempt to solicit virus-like behavior from it. Based on the results of these tests, the algorithm can then make an educated guess on whether the file represents a potential threat or not. For example, programs that attempt to modify or delete files, invoke email clients, or replicate themselves all display virus-like behavior and so may be treated as viruses by the scanner.

The major advantage of this type of analysis is that new viruses can be detected. With the signature detection method, the scanner attempts to find a fixed number of known virus signatures in a file. Because the number of known signatures is fixed, new or unknown viruses cannot be detected. If this option is selected, the filter runs heuristic analysis on executables only.

Heuristic Macro Analysis:

When this option is enabled, the filter runs heuristic detection analysis on macros contained in any body parts of the message. If any viruses are detected, the message is blocked. If this option is selected, the Enterprise Gateway searches for virus signatures in the respective body parts of a MIME message. However, it can only search for known viruses using this method. It is important to note that macros embedded in MIME parts are also scanned for virus signatures.

Scan Embedded Scripts:

The Enterprise Gateway can scan MIME parts, such as HTML documents, for embedded scripts. If this option is selected, the filter scans for embedded scripts.

Scan for Test Files:

When this option is selected, the Enterprise Gateway fails if it encounters an anti-virus test file (for example, eicar.com). This is a convenient way to check that the anti-virus filter successfully detects known viruses.
Reporting Message Status

When the scan is complete, the McAfee Anti-Virus filter reports the overall message status in the mcafee.status message attribute, which is generated by the filter. This reflects the overall status of the scan for all message parts, and includes one of the following values:

| Value | Meaning |
| NOVIRUS | No virus or exploit detected in the message. |
| INFECTED | Infection detected in the message. |
| REPAIRED | Message repaired. |
| REMOVED | Some or all message parts successfully removed. |
| REPAIRED, REMOVED | Some message parts successfully repaired and some others removed. |
Loading McAfee Updates

When the McAfee Anti-Virus filter has been loaded, it searches for virus definitions in the conf\plugin\mcafee\datv2 directory under the Enterprise Gateway root directory. When these have been loaded, it periodically checks for the presence of a conf\plugin\mcafee\datv2.new directory, also under the Enterprise Gateway root directory. If the datv2.new directory is found, the scanner is stopped and the datv2 directory is renamed to datv2.0. If a datv2.0 directory already exists from a previous rollover, a datv2.1 directory is created instead, and so on, until an unused index is found. This means that the server never deletes the old files; it only rolls them out of the way. When the engine is stopped and restarted, any messages that require scanning are suspended until the restart completes. In addition, an initiated reload is suspended until all currently active scans are completed.

Important: Like all file system scanning approaches, there is an inherent ordering problem. If you create the datv2.new directory before copying the files into it, the scanner may pick up the new directory before it is ready to be used. For example, on Windows, you may experience problems if you enter the following commands from the install-dir\conf\plugin\mcafee directory:

    mkdir datv2.new
    copy c:\mcafee\newfiles\*.dat datv2.new

You can use the following commands to prevent this problem:

    mkdir datv2.tmp
    copy c:\mcafee\newfiles\*.dat datv2.tmp
    rename datv2.tmp datv2.new

In other words, create a temporary folder, copy the files into this folder, and then rename the temporary folder to datv2.new. In this way, the scanner is guaranteed to pick up the virus definition files when it detects the new directory. On Linux and Solaris, the same approach applies, but the location of the files and the commands used are different. For example, enter the following commands from the install-dir/conf/plugin/mcafee directory:

    mkdir datv2.tmp
    cp /var/tmp/mcafee/newfiles/*.dat datv2.tmp
    mv datv2.tmp datv2.new
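The following added example (not part of the original page, and not Enterprise Gateway or McAfee code) puts the two halves of this section into shell functions: stage_dat_update performs the copy-then-rename staging described above and refuses to stack a second update on a datv2.new the scanner has not consumed yet, and rollover_datv2 imitates outside the gateway the directory rollover the section describes (datv2 moved aside to the first unused datv2.N), so the index selection can be seen on a scratch directory. That datv2.new then takes the place of datv2 is an assumption in this example; the page only states that the old directory is rolled out of the way. The conf/plugin/mcafee path and the source of the new files are passed as arguments and are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Enterprise Gateway or McAfee code. Two functions around
# the DAT update mechanism described in "Loading McAfee Updates":
#   stage_dat_update  publishes new .dat files the race-free way: copy into a
#                     temporary directory, then rename it to datv2.new in one
#                     step, so the scanner never sees a half-copied datv2.new.
#   rollover_datv2    imitates, outside the gateway, the rollover the page
#                     describes: datv2 is moved aside to the first unused
#                     datv2.N and nothing is deleted. That datv2.new then
#                     becomes the live datv2 is an assumption of this example.
# Assumption: the first argument is the gateway's conf/plugin/mcafee directory.
#
# Usage: stage_dat_update /opt/gateway/conf/plugin/mcafee /var/tmp/mcafee/newfiles

stage_dat_update() {
    mcafee_dir="$1"
    new_files="$2"
    tmp="$mcafee_dir/datv2.tmp"
    # Do not stack a second update on one the scanner has not consumed yet.
    if [ -d "$mcafee_dir/datv2.new" ]; then
        echo "datv2.new already exists: previous update not loaded yet" >&2
        return 1
    fi
    rm -rf "$tmp"
    mkdir "$tmp" || return 1
    cp "$new_files"/*.dat "$tmp"/ || { rm -rf "$tmp"; return 1; }
    # Renaming a directory within one filesystem is a single step: the
    # scanner sees either no datv2.new or a complete one.
    mv "$tmp" "$mcafee_dir/datv2.new"
}

# Prints the name the retired directory was given (datv2.0, datv2.1, ...),
# or nothing if there was no datv2 to retire.
rollover_datv2() {
    mcafee_dir="$1"
    [ -d "$mcafee_dir/datv2.new" ] || return 1
    retired=""
    if [ -d "$mcafee_dir/datv2" ]; then
        i=0
        # Old definitions are never deleted; find the first free index.
        while [ -e "$mcafee_dir/datv2.$i" ]; do
            i=$((i + 1))
        done
        mv "$mcafee_dir/datv2" "$mcafee_dir/datv2.$i" || return 1
        retired="datv2.$i"
    fi
    mv "$mcafee_dir/datv2.new" "$mcafee_dir/datv2" || return 1
    echo "$retired"
}
```

Keep the temporary directory on the same filesystem as conf/plugin/mcafee; a rename across filesystems degrades into a copy and loses the single-step property the staging relies on.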