Anti-Virus - D-Link NetDefend SOHO DFL-160 User Manual

NetDefend SOHO UTM Firewall

4.7. Anti-Virus

Overview
The NetDefendOS Anti-Virus module protects against malicious code carried in file downloads.
Files may be downloaded as part of a web page in an HTTP transfer, in an FTP download, or
as an attachment to an email delivered through SMTP. Malicious code in such downloads
can have different intents, ranging from programs that merely cause annoyance to more sinister aims
such as sending back passwords, credit card numbers and other sensitive information. The term
"Virus" can be used as a generic description for all forms of malicious code carried in files.
Combining with Client Virus Scanning
Unlike IDP, which is primarily directed at attacks against servers, Anti-Virus scanning is focused on
downloads by clients. NetDefendOS Anti-Virus is designed to be a complement to the standard
antivirus scanning normally carried out locally by specialized software installed on client
computers. It is not intended as a complete substitute for local scanning but rather as an extra
shield to boost client protection. Most importantly, it can act as a backup for when local client
antivirus scanning is not available.
The Scanning Mechanism
As a file transfer is streamed through the DFL-160, NetDefendOS will scan the data stream for the
presence of viruses if the Anti-Virus module is enabled. Since files are being streamed and not being
read completely into memory, a minimum amount of memory is required and there is minimal effect
on overall throughput.
The inspection process is based on pattern matching against a database of known virus patterns and
can determine, with a high degree of certainty, if a virus is in the process of being downloaded to a
user behind the DFL-160. Once a virus is recognized in the contents of a file, the download can be
terminated before it completes.
Types of File Downloads Scanned
Anti-Virus scanning can scan file downloads associated with the HTTP, FTP, SMTP and POP3
protocols. More specifically:
• Any uncompressed file type transferred for these protocols can be scanned.
• If the file has been compressed, ZIP and GZIP file downloads will be scanned although the
  maximum allowed compression ratio is 1:20 (if the ratio exceeds this, the file will be dropped
  and logged).
  The reason for the compression ratio limit is that when scanning compressed files, NetDefendOS
  must apply decompression to examine the file's contents. Some types of data can result in very
  high compression ratios where the compressed file is a small fraction of the original
  uncompressed file size. This can mean that a comparatively small compressed file attachment
  might need to be uncompressed into a much larger file, which can place an excessive load on
  NetDefendOS resources and noticeably slow down throughput.
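The ratio limit described above can be enforced while a GZIP transfer is still streaming. The sketch below is an added example, not D-Link's code and not part of the manual. It assumes the ratio is checked as a running total against the compressed bytes received so far; the function names and sample payloads are constructed for illustration.

```python
import gzip
import hashlib
import zlib

MAX_RATIO = 20  # the manual's stated limit of 1:20


def inspect_gzip_stream(chunks, max_ratio=MAX_RATIO, step=4096):
    """Inflate a GZIP transfer chunk by chunk, as a streaming scanner would.

    Returns ("pass", n) when the stream stayed within max_ratio, or
    ("drop", n) as soon as the inflated size exceeds max_ratio times the
    compressed bytes received so far. n is the number of bytes inflated.
    """
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # 16 = GZIP framing
    received = inflated = 0
    for chunk in chunks:
        received += len(chunk)
        pending = chunk
        while pending:
            # Cap each call's output so one chunk cannot force a huge allocation.
            out = inflater.decompress(pending, step)
            inflated += len(out)
            # Assumption: `out` would be handed to the signature matcher here.
            if inflated > max_ratio * received:
                return ("drop", inflated)
            pending = inflater.unconsumed_tail
    inflated += len(inflater.flush())  # small remainder held inside zlib
    if inflated > max_ratio * received:
        return ("drop", inflated)
    return ("pass", inflated)


def chunked(data, size=1024):
    """Split a byte string into network-sized pieces."""
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed samples: 8 KiB of incompressible bytes, and 10 MB of zeros.
BENIGN = gzip.compress(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256)))
BOMB = gzip.compress(b"\0" * 10_000_000)

if __name__ == "__main__":
    print(inspect_gzip_stream(chunked(BENIGN)))
    print(inspect_gzip_stream(chunked(BOMB)))
```

The highly compressible sample is rejected after only a few kilobytes have been inflated, so the cost of inspection stays bounded by the limit rather than by the declared or actual uncompressed size.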
The Virus Signature Database
NetDefendOS Anti-Virus scanning is implemented by pattern matching against a virus signature
database maintained locally in the DFL-160's memory. This database is the "SafeStream" virus
signature database which is created and maintained by Kaspersky, a company which is a world
Chapter 4. The Firewall Menu