D-Link NetDefend DFL-210 User Manual page 185

6.4.6. Anti-Virus Options
1. General options
Mode
Fail mode behaviour
2. File Type Blocking/Allowing
Action
File types
If a filetype is on the allowed list then it should be noted that MIME matching will still take place
even if MIME matching is switched off (providing the filetype is part of the list in Appendix C,
Checked MIME filetypes). This is done to guard against an attack that tries to exploit the fact the
filetype is on the allowed list.
3. Scan Exclude Option
Certain filetypes may be explicitly excluded from virus-scanning if that is desirable. This can
increase overall throughput if an excluded filetype is a type which is commonly encountered in a
particular scenario.
4. Compression Ratio Limit
When scanning compressed files, NetDefendOS must apply decompression to examine the file's
contents. Some types of data can result in very high compression ratios where the compressed file is
a small fraction of the original uncompressed file size. This can mean that a comparatively small
compressed file attachment might need to be uncompressed into a much larger file which can place
an excessive load on NetDefendOS resources and noticeably slowdown throughput.
To prevent this situation, the administrator should specify a Compression Ratio limit. If the limit of
the ration is specified as 10 then this will mean that if the uncompressed file is 10 times larger than
the compressed file, the specified Action should be taken. The Action can be one of:
• Allow - The file is allowed through without virus scanning
• Scan - Scan the file for viruses as normal
• Drop - Drop the file
In all three of the above cases the event is logged.
Verifying the MIME Type
The ALG File Integrity options can be utilized with Anti-Virus scanning to check that the file's
contents matches the MIME type it claims to be
The MIME type identifies a file's type. For instance a file might be identified as being of type .gif
and therefore should contain image data of that type. Some viruses can try to hide inside files by
using a misleading file type. A file might pretend to be a .gif file but the file's data will not match
that type's data pattern because it is infected with a virus.
This must be one of:
A. Enabled which means Anti-Virus is active.
B. Audit which means it is active but logging will be the only action.
If a virus scan fails for any reason then the transfer can be dropped or
allowed, with the event being logged.
When a particular download file type is encountered, the administrator can
explicitly state if the file is to be allowed or blocked as a download.
The file type to be blocked or allowed can be added into the list. For example
"GIF" could be added.
185
Chapter 6. Security Mechanisms