Activating Anti-Virus Scanning - D-Link NetDefendOS User Manual

when the excluded list is checked.
Maximum Compression Ratio
When scanning compressed files, NetDefendOS must apply decompression to examine the file's
contents. Some types of data can result in very high compression ratios where the compressed
file is a small fraction of the original uncompressed file size. This can mean that a comparatively
small compressed file attachment might need to be uncompressed into a much larger file which
can place an excessive load on NetDefendOS resources and noticeably slow down throughput.
To prevent this situation, the administrator should specify a Compression Ratio limit. If the limit of
the ration is specified as 10 then this will mean that if the uncompressed file is 10 times larger
than the compressed file, the specified Action should be taken. The Action can be one of:
• Allow - The file is allowed through without virus scanning
• Scan - Scan the file for viruses as normal
• Drop - Drop the file
In all three of the above cases the event is logged.
Maximum Archive Depth
NetDefendOS can perform virus scanning on compressed files within other compressed files. The
level of nesting which is allowed is controlled by the Maximum archive depth setting. If this is
set to zero then any compressed file will always cause a fail condition. If set to a value of one,
compressed files will be scanned but any compressed files containing other compressed files will
cause a fail condition. A value of two allows a single nesting level of compressed files within
compressed files, with both levels being scanned.
The Maximum archive depth setting can have a maximum value of 10 but increasing the
setting should be done with caution. A denial-of-service attack might consist of sending a
compressed file with a high level of nesting. If the maximum archive depth specified does not
reject the file, large amounts of firewall resources could be consumed to uncompress and scan
the hierarchy of files.
Verifying the MIME Type
The ALG File Integrity options can be utilized with anti-virus scanning to check that the file's
contents matches the MIME type it claims to be.
The MIME type identifies a file's type. For instance a file might be identified as being of type .gif
and therefore should contain image data of that type. Some viruses can try to hide inside files by
using a misleading file type. A file might pretend to be a .gif file but the file's data will not match
that type's data pattern because it is infected with a virus.
Enabling of this function is recommended to make sure this form of attack cannot allow a virus to
get through. The possible MIME types that can be checked are listed in Appendix C, Verified MIME
filetypes.

6.5.4. Activating Anti-Virus Scanning

Anti-virus scanning is activated in one of two ways:
• Via an ALG that is associated with a service used in an IP rule. The ALG must be one that
allows anti-virus scanning.
546
Chapter 6: Security Mechanisms