Activating Anti-Virus Scanning; The Signature Database - D-Link NetDefend DFL-210 User Manual

Network security firewall

6.4.3. Activating Anti-Virus Scanning

As described above, Anti-Virus scanning is enabled on a per ALG basis and can scan file downloads associated with the HTTP, FTP, SMTP and POP3 ALGs. More specifically:

- Any uncompressed file type transferred through these ALGs can be scanned.
- If the download has been compressed, ZIP and GZIP file downloads can be scanned.

The administrator has the option to always drop specific files as well as the option to specify a size limit on scanned files. If no size limit is specified then there is no default upper limit on file sizes.

Simultaneous Scans

There is no fixed limit on how many Anti-Virus scans can take place simultaneously in a single D-Link Firewall. However, the available free memory can place a limit on the number of concurrent scans that can be initiated.

Protocol Specific Behavior

Since Anti-Virus scanning is implemented through an Application Level Gateway (ALG), protocol-specific features are implemented in NetDefendOS. With FTP, for example, scanning is aware of the dual control and data transfer channels that are opened and can send a request via the control connection to stop a download if a virus in the download is detected.

Relationship with IDP

A question that is often posed concerns the "ordering" of Anti-Virus scanning in relation to IDP scanning. In fact, the concept of ordering is not relevant since the two scanning processes can occur simultaneously and operate at different protocol levels.

If IDP is enabled, it scans all packets designated by a defined IDP rule and does not take notice of the higher level protocol, such as HTTP, that generates the packet streams. Anti-Virus is, however, aware of the higher level protocol and only looks at the data involved in file transfers. Anti-Virus scanning is therefore a function that logically belongs in an ALG, whereas IDP does not belong there.

6.4.3. Activating Anti-Virus Scanning

Association with an ALG

Activation of Anti-Virus scanning is achieved through an ALG associated with the targeted protocol. An ALG object must first exist with the Anti-Virus option enabled. As always, an ALG must then be associated with an appropriate Service object for the protocol to be scanned. The Service object is then associated with a rule in the IP rule set which defines the origin and destination of the traffic to which the ALG is to be applied.

Creating Anti-Virus Policies

Since IP rule set rules are the means by which the Anti-Virus feature is deployed, the deployment can be policy-based. IP rules can specify that the ALG and its associated Anti-Virus scanning apply to traffic going in a given direction and between specific source and destination IP addresses and/or networks. Scheduling can also be applied to virus scanning so that it takes place only at specific times.
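
The chain described under "Association with an ALG" and "Creating Anti-Virus Policies" can break at any link, leaving a rule's traffic unscanned. The following audit is an added example, not taken from the manual or from NetDefendOS: it walks IP rule, Service and ALG in a constructed configuration model whose field names and object names are assumptions, and reports which rules actually get Anti-Virus scanning.

```python
# Constructed model of the chain described above (IP rule -> Service -> ALG).
# Field names are assumptions for illustration, not NetDefendOS syntax.
SAMPLE_CONFIG = {
    "algs": {
        "http_av": {"protocol": "HTTP", "antivirus": True},
        "ftp_plain": {"protocol": "FTP", "antivirus": False},
    },
    "services": {
        "http_scanned": {"alg": "http_av"},
        "ftp_in": {"alg": "ftp_plain"},
        "pop3_raw": {"alg": None},
    },
    "ip_rules": [
        {"name": "lan_web", "service": "http_scanned", "schedule": None},
        {"name": "lan_ftp", "service": "ftp_in", "schedule": None},
        {"name": "lan_pop3", "service": "pop3_raw", "schedule": None},
        {"name": "guest_web", "service": "http_scanned", "schedule": "office_hours"},
    ],
}


def av_status(rule, config):
    """Walk rule -> Service -> ALG and report whether scanning applies."""
    service = config["services"].get(rule["service"])
    if service is None:
        return "unscanned", "rule references an unknown Service object"
    if not service.get("alg"):
        return "unscanned", "Service has no ALG associated"
    alg = config["algs"].get(service["alg"])
    if alg is None:
        return "unscanned", "Service references an unknown ALG object"
    if not alg.get("antivirus"):
        return "unscanned", "ALG exists but its Anti-Virus option is off"
    if rule.get("schedule"):
        # A scheduled rule only applies its ALG while the schedule is active.
        return "scheduled", f"scanned only while '{rule['schedule']}' is active"
    return "scanned", f"{alg['protocol']} ALG with Anti-Virus enabled"


def audit(config):
    """Map each IP rule name to its (status, reason) pair."""
    return {r["name"]: av_status(r, config) for r in config["ip_rules"]}


if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE_CONFIG).items():
        print(f"{name:10} {status:10} {reason}")
```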

6.4.4. The Signature Database

SafeStream
Chapter 6. Security Mechanisms
