Virus scanning filters
10 minute read
Scan with McAfee antivirus filter
The McAfee antivirus filter scans incoming HTTP requests and their attachments for viruses and exploits. For example, if a virus is detected in a MIME attachment or in the XML message body, the API Gateway can reject the entire message and return a SOAP Fault to the client. In addition, this filter supports cleaning of messages from infections such as viruses and exploits. It also provides scan type presets for different detection levels, and reports overall message status after scanning.
Prerequisites for McAfee antivirus
McAfee virus scanner integration requires the McAfee Scan Engine and a valid McAfee license. The required third-party binaries are included in your API Gateway installation.
Add third-party binaries to API Gateway
To add third-party binaries to API Gateway, perform the following steps:
Add the binary files as follows:
.jarfiles to the
.sofiles to the
Restart API Gateway.
Add third-party binaries to Policy Studio
To add third-party binaries to Policy Studio, perform the following steps:
Select Window > Preferences > Runtime Dependencies in the Policy Studio main menu.
Click Add to select a JAR file to add to the list of dependencies.
Click Apply when finished. A copy of the JAR file is added to the
pluginsdirectory in your Policy Studio installation.
Restart Policy Studio with the
-cleanoption. For example:
cd INSTALL_DIR/policystudio/ policystudio -clean
Configure McAfee antivirus
To configure the McAfee antivirus filter, perform the following steps:
Enter a name that indicates the role of this filter in the Name field.
Select a Scan type from the list. The available options are as follows:
- Custom: Enables you to set the Custom options described in Custom options. This provides backwards compatibility with earlier API Gateway versions.
- Normal: Processes the entire message detecting exploits and viruses in the message headers, macros, multi-file archives, executables, MIME-encoded/UU-encoded/XX-encoded/BinHex and TNEF/IMC format files. Performs heuristic analysis to find new viruses and potentially unwanted programs. This is the default scan type.
- Fast: Detects infections in the top level of each message part, such as exploits that use headers and multiple bodies. The detection is less precise, but the performance is better if the top-level object is infected.
- Multi-pass: Combines the Normal and Fast scan types. The Fast scan (pass 1) runs first on the whole message with no cleaning. The scanner stops if it finds an infected object, and if the clean type is set to No cleaning, the scanner reports the infection, or otherwise deletes the message. If pass 1 does not detect any virus or exploit, the Normal scan (pass 2) runs with the specified clean type and provides more precise detection.
Select a Clean type from the list. The available options are as follows:
- No cleaning: Fails if any infection is detected. This is the default clean type.
- Always remove infected parts: Removes the infected message part, and does not try to repair it.
- Attempt to repair infected parts: Attempts to repair the found infection (if repairable), otherwise deletes the infected message part.
When existing policies are upgraded to the current API Gateway version, the McAfee antivirus filter scan type is set to Custom and the clean type is set to No cleaning for backwards compatibility.
When you configure a custom scan type, the following Custom options are available:
Decompress Archives: This instructs the filter to scan each file in an archive for viruses. Types of archived files include the ZIP, JAR, TAR, ARJ, LHA, PKARC, PKZIP, RAR, WinACE, BZip, and Zcompress formats.
Decompress Executables: Executables are sometimes compressed to decrease overall message size. In such cases, any embedded viruses are also compressed and may be missed by conventional scans. If this option is selected, the filter decompresses the executable before scanning it for viruses.
Fail Any Macros: A macro is a series of commands that can be invoked in a single command or keystroke. While calling the macro can appear to be harmless, the initiated command sequence may be harmful. Macros are usually configured to run automatically when the host document is opened. When this option is selected, the API Gateway fails if any macro is detected in a compound document (whether it matches a virus signature or not). An appropriate SOAP Fault is returned to the client.
Heuristic Program Analysis: A heuristic virus detection algorithm runs a series of probing tests on a file in an attempt to solicit virus-like behavior from it. Based on the results of these tests, the algorithm can then make an educated guess on whether the file represents a potential threat or not. For example, programs that attempt to modify or delete files, invoke email clients, or replicate themselves all display virus-like behavior and so may be treated as viruses by the scanner.
The major advantage of this type of analysis is that new viruses can be detected. With the signature detection method, the scanner attempts to find a fixed number of known virus signatures in a file. Because the number of known signatures is fixed, new or unknown viruses can not be detected. If this option is selected, the filter runs heuristic analysis on executables only.
Heuristic Macro Analysis: When this option is enabled, the filter runs heuristic detection analysis on macros contained in any body parts of the message. If any viruses are detected, the message is blocked. If this option is selected, the API Gateway searches for virus signatures in the respective body parts of a MIME message. However, it can only search for known viruses using this method.
NoteMacros embedded in MIME parts are also scanned for virus signatures.
Scan Embedded Scripts: The API Gateway can scan MIME parts, such as HTML documents, for embedded scripts. If this option is selected, the filter scans for embedded scripts.
Scan for Test Files: When this option is selected, the API Gateway fails if it encounters an antivirus test file (for example,
eicar.com). This is a convenient way to check that the antivirus filter successfully detects known viruses.
Custom options for normal or fast scans
The custom options are disabled when you select the normal or fast scan types. The custom options used for these options (where applicable) are as follows:
|Options||Normal scan type||Fast scan type|
|Decompress Executables||On||N/A (instead, ignore certain compressed executables)|
|Fail Any Macros||N/A (instead, all macros are scanned)||N/A (instead, ignore macros in compound documents)|
|Heuristic Program Analysis||On||Off|
|Heuristic Macro Analysis||On||Off|
|Scan Embedded Scripts||On||Off|
|Scan for Test Files||Off||Off|
When the scan is complete, the McAfee antivirus filter reports the overall message status in the
mcafee.status message attribute, which is generated by the filter. This reflects the overall status of the scan for all message parts, and includes one of the following values:
||No virus or exploit detected in the message|
||Infection detected in the message|
||Some or all message parts successfully removed|
||Some message parts successfully repaired and some others removed|
Load McAfee updates
When the McAfee antivirus filter has been loaded, it searches for virus definitions in the following directory:
When these have been loaded, it periodically checks for the presence of a directory named as follows:
datv2.new directory is found, the scanner is stopped and the
datv2 directory is renamed to
datv2.0. If a
datv2.0 directory already exists from a previous rollover, a
datv2.1 directory is created instead, and so on, until the limit of 50 is reached (
datv2.50). When the limit of 50 is reached you must remove the old files. This means that the server never deletes the old files, and rolls them out of the way.
When the engine is stopped and restarted, any messages that require scanning are suspended until the restart completes. In addition, an initiated reload is suspended until all currently active scans are completed.
Like all file system scanning approaches, there is an inherent ordering problem. If you create the
datv2.new directory before copying the files into the directory, the scanner may pick up the new directory before it is ready to be used. For example, you might experience problems if you enter the following commands from the
mkdir datv2.new cp /var/tmp/mcafee/newfiles/*.* datv2.new
You can use the following commands to prevent this problem:
mkdir datv2.tmp cp /var/tmp/mcafee/newfiles/*.* datv2.tmp mv datv2.tmp datv2.new
These create a temporary folder, copy the files into this folder, and rename the temporary folder to
datv2.new. In this way, the scanner is guaranteed to pick up the virus definition files when it detects the new directory.
Scan with ClamAV antivirus filter
You can use the ClamAV antivirus filter to check messages for viruses by connecting to a ClamAV daemon running on network. The ClamAV daemon inspects the message and if the daemon finds a virus, it returns a corresponding response to the API Gateway, which can then block the message, if necessary.
Complete the following fields to configure the ClamAV antivirus filter:
- Name: Enter an appropriate name for this filter to display in a policy.
- ClamAV Daemon Host: Enter the host name of the machine on which the ClamAV daemon is running.
- ClamAV Daemon Port Number: Enter the port on which the ClamAV daemon is listening.
Scan with Sophos antivirus filter
The Sophos antivirus filter uses the Sophos antivirus Interface (SAVI) to screen messages for viruses. You can configure the behavior of the Sophos library using configuration options available in the Sophos antivirus filter.
NoteBecause the API Gateway does not ship with any Sophos binaries, the API Gateway must be installed on the same machine as the Sophos AV distribution. On Linux, before starting the API Gateway, ensure that the Sophos AV
libdirectory is on your
Prerequisites for Sophos antivirus
Integration with Sophos requires Sophos SAV Interface version 4.8. You must add the required third-party binaries to your API Gateway and Policy Studio installations.
Configure Sophos antivirus
All SAVI configuration options take the form of a name-value pair. Each name is unique and its corresponding value controls specific behavior in the Sophos antivirus library (for example, decompress
.zip files to examine their content). You can specify these SAVI configuration settings in the Sophos configuration settings section:
Name: The Sophos antivirus filter ships with two sets of default configuration settings: one for UNIX-based platforms, and the other for Windows platforms. Select the Linux configuration settings for your target platform from the list.
You can create a new set of configuration options by clicking the Add button, and adding the name-value pairs to the table provided. For convenience, you can base a new configuration set on a previously existing one, including the default Linux set. In this way, you can create a new configuration set that inherits from the default set, and then adds more configuration options.
To add a new configuration name-value pair, click the Add button under the table, and configure the following fields in the dialog:
Name: Enter a name for the SAVI configuration option. This name must be available in the version of the SAVI library that is used by the API Gateway. See your SAVI documentation for a complete reference on available options.
Value: Enter an appropriate value for the SAVI configuration option entered above. See your SAVI documentation for more information on acceptable values for this configuration option.
Type: Select the appropriate type of this configuration option from the list. See your SAVI documentation for more information on the type of the value for this configuration option.
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.