CacheGuard-OS
User's Guide - Version UF-2.3.5


Antivirus

The antivirus detects malware (viruses, trojans, worms) in Web traffic coming in from the external zone and blocks it at the gateway before it can enter your networks. The antivirus can operate in forwarding/browsing (web) mode as well as in reverse (rweb) mode. In forwarding mode, it blocks all attempts to access malware in Web traffic; in reverse mode, it prevents all attempts to upload malware to the protected Web servers (in rweb mode, the CacheGuard appliance is deployed in front of the Web servers). To activate the antivirus, use the mode antivirus on command followed by the apply command.
The antivirus detects MS Office macro viruses, mobile malware, and other threats. It supports 32/64-bit Portable Executable files and 32-bit ELF files. It scans not only plain files but also the content inside archive and compressed formats, including but not limited to ZIP (+SFX), RAR (+SFX), TAR, GZIP, BZIP2, MS OLE2, MS Cabinet files (+SFX), MS CHM (Compiled HTML), MS SZDD compression format, BinHex, SIS (SymbianOS packages), AutoIt, and NSIS. In addition, the following file types are inspected:

Automatic Updating

The CacheGuard appliance periodically checks for updates to the malware signature database and, if necessary, downloads them. Updates are retrieved from a public service on the Internet named database.clamav.net. Note that excessive or abusive download activity can result in a temporary block by that service, which is outside the CacheGuard appliance's control. To avoid being banned, let the CacheGuard appliance update the signature database automatically and avoid manual updates unless absolutely necessary.

To complement the standard malware signature database provided by database.clamav.net, additional malware signatures are available as an optional service from CacheGuard Technologies. You can easily subscribe to this service. After subscribing, simply activate it on your CacheGuard appliance by setting the provided password and file server name (using the access file and password file commands).

Antivirus and WAF

When the CacheGuard appliance is deployed as a WAF in front of your Web servers (both rweb and waf modes activated), the antivirus scans all attempts to upload files to your protected or cloaked Web servers. If malware is detected in an uploaded file, the CacheGuard appliance immediately blocks the upload before the file can reach the Web servers. Note that the only upload method supported by the antivirus is the POST method with an encoding type of multipart/form-data. The following commands activate and configure the antivirus to scan file upload attempts on the Web server with the IP address 10.20.0.100, protected by the CacheGuard appliance:

Antivirus and MTA

The antivirus is natively used by the integrated Web proxy to block malware in Web traffic. However, it can also be offered as a service to external clients or services such as an MTA (Mail Transfer Agent). For instance, to grant access to a remote exim4 MTA with the IP address 10.20.0.200 that communicates with the CacheGuard appliance via its internal network interface, use the following commands:

In this example, the exim4 MTA must be configured to use the CacheGuard appliance as its antivirus service by adding the line av_scanner = clamd: 10.20.0.254 8083 to its configuration file.
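The exim4 line above works because the service exposed on port 8083 speaks the clamd protocol. The following client, added here as an example and not part of the CacheGuard documentation, submits a buffer with clamd's INSTREAM command and parses the verdict, so you can check from any host that the service is reachable and returns FOUND for the eicar.org test file. The MockClamd class and the EICAR_MARKER fragment are constructed stand-ins so the code runs offline; against a real appliance, call clamd_instream_scan with the internal address and port from the exim4 line instead.

```python
import socket
import socketserver
import struct
import threading

EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"  # constructed: only a fragment of the eicar.org file

def clamd_instream_scan(host, port, data, chunk=4096, timeout=10):
    """Send `data` to a clamd-compatible service with INSTREAM; return (clean, verdict)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"zINSTREAM\0")                          # 'z' prefix: NUL-terminated reply
        for i in range(0, len(data), chunk):
            piece = data[i:i + chunk]
            s.sendall(struct.pack(">I", len(piece)) + piece)  # big-endian length prefix per chunk
        s.sendall(struct.pack(">I", 0))                   # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):                  # read until the NUL terminator
            part = s.recv(4096)
            if not part:
                break
            reply += part
    verdict = reply.rstrip(b"\0").decode(errors="replace")
    return verdict.endswith(" OK"), verdict               # FOUND, ERROR or size-limit replies are "not clean"

class MockClamd(socketserver.StreamRequestHandler):
    """Constructed stand-in for clamd (INSTREAM only) so the client can be exercised offline."""
    def handle(self):
        cmd = b""
        while not cmd.endswith(b"\0"):                    # command is NUL-terminated
            byte = self.rfile.read(1)
            if not byte:
                return
            cmd += byte
        if cmd != b"zINSTREAM\0":
            self.wfile.write(b"UNKNOWN COMMAND\0")
            return
        body = b""
        while True:                                       # reassemble the length-prefixed chunks
            (n,) = struct.unpack(">I", self.rfile.read(4))
            if n == 0:
                break
            body += self.rfile.read(n)
        found = EICAR_MARKER in body                      # toy "signature" match
        self.wfile.write(b"stream: Eicar-Test-Signature FOUND\0" if found else b"stream: OK\0")

def start_mock_clamd():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockClamd)  # ephemeral loopback port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Chunks may be up to the StreamMaxLength configured on the server; a service that rejects the stream answers with an ERROR line rather than OK, which the client reports as not clean.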

Testing the Antivirus

The European Expert Group for IT Security provides virus test files for verification purposes. These files are available on the https://www.eicar.org/ website. To test the antivirus using these files, download them to an HTTP (not HTTPS) Web server and attempt to download them through your CacheGuard appliance Web proxy. If your CacheGuard antivirus is properly configured, the download attempt should be blocked by the CacheGuard appliance. To test directly from the https://www.eicar.org/ website, which uses HTTPS (not HTTP), SSL mediation must be activated on your CacheGuard appliance. Please refer to the SSL Mediation section to learn how to enable SSL mediation.