Check Point ZoneAlarm User Guide
Chapter 12: Using VStream Antivirus
This chapter explains how to use the VStream Antivirus engine to block security threats
before they reach your network.
This chapter includes the following topics:
Overview (page 247)
Enabling/Disabling VStream Antivirus (page 249)
Viewing VStream Antivirus Signature Database Information (page 250)
Configuring VStream Antivirus (page 251)
Updating VStream Antivirus (page 265)
Overview
The ZoneAlarm router includes VStream Antivirus, an embedded stream-based antivirus
engine based on Check Point Stateful Inspection and Application Intelligence technologies,
that performs virus scanning at the kernel level.
VStream Antivirus scans files for malicious content on the fly, without downloading the
files into intermediate storage. This means minimal added latency and support for
unlimited file sizes; and since VStream Antivirus stores only minimal state information per
connection, it can scan thousands of connections concurrently. In order to scan archive
files on the fly, VStream Antivirus performs real-time decompression and scanning of ZIP,
TAR, and GZ archive files, with support for nested archive files.
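The on-the-fly archive handling described above, as an added example that is not part of this guide and not VStream Antivirus code: a small Python scanner that recognises ZIP, GZ and TAR containers by their magic bytes, opens nested members entirely in memory, and matches a signature against each leaf object. The depth cap MAX_DEPTH, the EICAR test string used as the only signature, the function names and the sample archives are assumptions constructed for the demonstration; a real engine needs a comparable nesting or size limit, because a deliberately nested archive would otherwise cost unbounded work.

```python
"""Stream-style scanning of nested ZIP/GZ/TAR objects against a signature list.

Added illustration, not VStream Antivirus code. Every object is handled as an
in-memory buffer (nothing is written to intermediate storage), containers are
recognised by their magic bytes and opened member by member, and nesting is
capped so a deliberately nested archive cannot consume unbounded work.
"""
import gzip
import io
import tarfile
import zipfile

# EICAR test string: a harmless, industry-standard detection test, used here as
# the only "signature". Signature set and depth cap are assumptions of this demo.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}
MAX_DEPTH = 3


def archive_kind(data):
    """Return "gz", "zip" or "tar" from magic bytes, or None for a leaf object."""
    if data[:2] == b"\x1f\x8b":
        return "gz"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if len(data) >= 512 and data[257:262] == b"ustar":
        return "tar"
    return None


def scan_stream(data, name="<stream>", depth=0, findings=None):
    """Scan a buffer recursively; return a list of (object path, verdict) pairs."""
    if findings is None:
        findings = []
    kind = archive_kind(data)
    if kind is None:
        # Leaf object: match every signature against the raw bytes.
        for sig_name, pattern in SIGNATURES.items():
            if pattern in data:
                findings.append((name, sig_name))
        return findings
    if depth >= MAX_DEPTH:
        # Refuse to open a container this deep and say so, instead of passing it silently.
        findings.append((name, "nesting-limit-exceeded"))
        return findings
    if kind == "gz":
        scan_stream(gzip.decompress(data), f"{name}!gz", depth + 1, findings)
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if not member.is_dir():
                    scan_stream(zf.read(member), f"{name}!{member.filename}", depth + 1, findings)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            for member in tf.getmembers():
                if member.isfile():
                    scan_stream(tf.extractfile(member).read(), f"{name}!{member.name}", depth + 1, findings)
    return findings


def build_sample():
    """Constructed test object: ZIP -> payload.tar.gz -> TAR -> eicar.com (plus a clean file)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo("eicar.com")
        info.size = len(EICAR)
        tf.addfile(info, io.BytesIO(EICAR))
    tgz = gzip.compress(tar_buf.getvalue())
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.tar.gz", tgz)
        zf.writestr("readme.txt", b"nothing to see here")
    return zip_buf.getvalue()


def build_deep_nesting(levels):
    """Constructed nesting bomb: a harmless text file wrapped in `levels` ZIP layers."""
    payload = b"plain text"
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(f"level{level}.zip" if level else "inner.txt", payload)
        payload = buf.getvalue()
    return payload


if __name__ == "__main__":
    print(scan_stream(build_sample()))
    print(scan_stream(build_deep_nesting(5)))
```

scan_stream(build_sample()) reports the hit with the full object path down to eicar.com, and build_deep_nesting(5) is reported as nesting-limit-exceeded rather than quietly passed, which is the behaviour to look for when evaluating any stream scanner's archive handling. One caveat the example glosses over: ZIP keeps its central directory at the end of the file, so this code reads each object from a complete buffer, whereas a true stream engine has to walk the local file headers sequentially.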
When VStream Antivirus detects malicious content, the action it takes depends on the
protocol in which the virus was found. See the following table. In each case, VStream
Antivirus blocks the file and writes a log to the Event Log.
Table 66: VStream Antivirus Actions
If a virus is found in this protocol... | VStream Antivirus does this... | The protocol is detected on this port...
HTTP | Terminates the connection | All ports on which VStream Antivirus is enabled by the policy, not only port 80
POP3 | Terminates the connection and deletes the virus-infected email from the server | The standard TCP port 110
IMAP | Terminates the connection and replaces the virus-infected email with a message notifying the user that a virus was found | The standard TCP port 143
SMTP | Rejects the virus-infected email with error code 554 and sends a "Virus detected" message to the sender | The standard TCP port 25
FTP | Terminates the data connection and sends a "Virus detected" message to the FTP client | The standard TCP port 21
TCP and UDP | Terminates the connection | Generic TCP and UDP ports, other than those listed above
Note:
In protocols that are not listed in this table, VStream Antivirus uses a "best
effort" approach to detect viruses. In such cases, detection of viruses is not
guaranteed and depends on the specific encoding used by the protocol.
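The SMTP row of Table 66, as an added example that is not VStream Antivirus code: a minimal server-side SMTP state machine that buffers the DATA section, hands it to a scanner, and answers the client's end-of-data marker with reply code 554 (transaction failed) for an infected message, so the message is never accepted and the sender sees the reason in the reply text. The hostnames, the scanner (a substring match on the EICAR test string), the function names and the client lines are constructed for this demonstration.

```python
"""SMTP rejection of an infected message with reply code 554.

Added illustration, not VStream Antivirus code: a minimal server-side SMTP
state machine that buffers the DATA section, hands it to a scanner, and answers
the end-of-data marker with 554 (transaction failed) so the message is never
accepted, or with 250 when the message is clean. The hostnames, the scanner
(a substring match on the EICAR test string) and the client lines are
constructed for this demo.
"""
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan_message(body):
    """Assumed scanner: return a signature name if the body is infected, else None."""
    return "EICAR-Test-File" if EICAR in body else None


def smtp_session(client_lines, scanner=scan_message):
    """Drive one transaction; return (transcript, accepted_bodies).

    transcript holds ("C", line) and ("S", reply) pairs in wire order.
    """
    transcript = [("S", "220 gw.example.test ESMTP antivirus gateway")]
    accepted = []
    in_data = False
    data_lines = []
    for line in client_lines:
        transcript.append(("C", line))
        if in_data:
            if line == ".":
                in_data = False
                body = "\n".join(data_lines)
                data_lines = []
                verdict = scanner(body)
                if verdict:
                    # The reason travels back to the sender in the reply text.
                    transcript.append(("S", f"554 Virus detected ({verdict}); message rejected"))
                else:
                    accepted.append(body)
                    transcript.append(("S", "250 OK: queued"))
            else:
                # RFC 5321 dot-stuffing: a body line starting with "." arrives as "..".
                data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            transcript.append(("S", "250 gw.example.test"))
        elif verb in ("MAIL", "RCPT"):
            transcript.append(("S", "250 OK"))
        elif verb == "DATA":
            in_data = True
            transcript.append(("S", "354 End data with <CR><LF>.<CR><LF>"))
        elif verb == "QUIT":
            transcript.append(("S", "221 Bye"))
        else:
            transcript.append(("S", "500 Command not recognized"))
    return transcript, accepted


def end_of_data_reply(transcript):
    """The server reply that answered the client's end-of-data marker."""
    idx = transcript.index(("C", "."))
    return transcript[idx + 1][1]


def session_lines(body_line):
    """Constructed client side of one transaction carrying `body_line` as the message body."""
    return [
        "EHLO client.example.test",
        "MAIL FROM:<alice@example.test>",
        "RCPT TO:<bob@example.test>",
        "DATA",
        "Subject: invoice",
        "",
        body_line,
        ".",
        "QUIT",
    ]


if __name__ == "__main__":
    for who, text in smtp_session(session_lines(EICAR))[0]:
        print(who, text)
```

The point to check against a real gateway is the placement of the refusal: it is the reply to the final "." line, after the whole body has been seen, so the sending server gets a permanent failure for that one transaction while the TCP session stays usable for the QUIT that follows.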
If you are subscribed to the VStream Antivirus subscription service, the virus signatures
are updated automatically, so the engine's detection stays current (see Updating VStream
Antivirus on page 265).
Note:
VStream Antivirus differs from the Email Antivirus subscription service (part of the Email Filtering service) in the following ways:
- Email Antivirus is centralized, redirecting traffic through the Service Center for scanning, while VStream Antivirus scans for viruses in the ZoneAlarm gateway itself.
- Email Antivirus is specific to email, scanning incoming POP3 and outgoing SMTP connections only, while VStream Antivirus supports additional protocols, including incoming SMTP and outgoing POP3 connections.
You can use either antivirus solution or both in conjunction. For information on Email Antivirus, see Email Filtering on page 282.
Enabling/Disabling VStream Antivirus
To enable/disable VStream Antivirus
1. Click Antivirus in the main menu, and click the Antivirus tab.
The VStream Antivirus page appears.
2. Drag the On/Off lever upwards or downwards.
VStream Antivirus is enabled/disabled for all internal network computers.
Viewing VStream Antivirus Signature Database Information
VStream Antivirus maintains two databases: a daily database and a main database. The
daily database is updated frequently with the newest virus signatures. Periodically, the
contents of the daily database are moved to the main database, leaving the daily database
empty. This system of incremental updates to the main database allows for quicker updates
and saves on network bandwidth.
You can view information about the VStream Antivirus signature databases currently in
use, in the VStream Antivirus page.
Table 67: VStream Antivirus Page Fields
This field... | Displays...
Main database | The date and time at which the main database was last updated, followed by the version number.
Daily database | The date and time at which the daily database was last updated, followed by the version number.
Next update | The next date and time at which the ZoneAlarm router will check for updates.
Status | The current status of the database, one of: Database Not Installed, OK
Configuring VStream Antivirus
You can configure VStream Antivirus in the following ways:
Configuring the VStream Antivirus Policy (page 251)
Configuring VStream Antivirus Advanced Settings (page 261)
Configuring the VStream Antivirus Policy
VStream Antivirus includes a flexible mechanism that lets you define exactly which traffic
is scanned, by specifying the protocol, ports, and source and destination IP addresses.
VStream Antivirus processes policy rules in the order in which they appear in the
Antivirus Policy table, so that rule 1 is applied before rule 2, and so on. This lets you
define exceptions to a rule by placing the exception higher in the Antivirus Policy table
than the rule it modifies, so the exception takes effect before the general rule is reached.
For example, to scan all outgoing SMTP traffic except traffic from a specific IP address,
create a rule that scans all outgoing SMTP traffic and move it down in the Antivirus Policy
table. Then create a rule that passes SMTP traffic from the desired IP address and move it
to a higher position in the Antivirus Policy table than the first rule. In the figure below,
the general rule is rule number 2 and the exception is rule number 1.
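The ordering rule above, as an added example that is not the router's own code: first-match evaluation over an ordered rule list, with the general-rule-plus-exception case from the text evaluated in both orders, plus a small check that reports any rule the sample traffic never reaches, which is how a mis-ordered exception shows itself. The Rule fields, the "scan"/"pass" actions, the pass-by-default behaviour when no rule matches, the function names and the sample addresses are assumptions for the demonstration.

```python
"""First-match evaluation of VStream Antivirus-style policy rules.

Added illustration, not the ZoneAlarm router's code: rules are tried top to
bottom and the first match decides, so an exception must sit above the general
rule it carves out. Rule fields, actions, the default for unmatched traffic and
the sample addresses are assumptions of this demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One Antivirus Policy row (fields are assumed for the demo)."""
    action: str              # "scan" or "pass"
    protocol: str            # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any port
    source: str              # source network in CIDR notation
    destination: str         # destination network in CIDR notation

    def matches(self, proto, src, dst, port):
        return (
            self.protocol in ("any", proto)
            and (self.dst_port is None or self.dst_port == port)
            and ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination)
        )


def decide(rules, proto, src, dst, port, default="pass"):
    """First-match evaluation: return (action, 1-based rule number) or (default, None).

    The default for traffic no rule covers is an assumption of this demo, not a
    documented VStream Antivirus behaviour.
    """
    for number, rule in enumerate(rules, start=1):
        if rule.matches(proto, src, dst, port):
            return rule.action, number
    return default, None


# Exception: pass outgoing SMTP from one host. General rule: scan outgoing SMTP
# from the whole internal network. Addresses are constructed for the demo.
EXCEPTION = Rule("pass", "tcp", 25, "192.168.10.5/32", "0.0.0.0/0")
GENERAL = Rule("scan", "tcp", 25, "192.168.10.0/24", "0.0.0.0/0")

CORRECT_ORDER = [EXCEPTION, GENERAL]  # as in the text: exception is rule 1
WRONG_ORDER = [GENERAL, EXCEPTION]    # general rule first: the exception never fires

SAMPLE_TRAFFIC = [  # (protocol, source, destination, destination port), constructed
    ("tcp", "192.168.10.5", "203.0.113.10", 25),   # the excepted host, SMTP
    ("tcp", "192.168.10.20", "203.0.113.10", 25),  # another internal host, SMTP
    ("tcp", "192.168.10.5", "203.0.113.10", 443),  # not SMTP at all
]


def shadowed_rules(rules, traffic):
    """Rule numbers that no sample flow ever reaches: a cheap check for a mis-ordered exception."""
    reached = {decide(rules, *flow)[1] for flow in traffic}
    return [n for n in range(1, len(rules) + 1) if n not in reached]


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for flow in SAMPLE_TRAFFIC:
            print(label, flow, decide(rules, *flow))
        print(label, "shadowed rules:", shadowed_rules(rules, SAMPLE_TRAFFIC))
```

With the exception above the general rule, SMTP from 192.168.10.5 is passed by rule 1 and every other internal host's SMTP is scanned by rule 2; with the order reversed, rule 1 swallows both flows and the exception is reported as shadowed. Running a representative set of flows through shadowed_rules after every policy change is a cheap way to catch an exception that was added but never moved up.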
