Complete rules of the Gateway Anti-Malware rule set

When working with the complete rules of the Gateway Anti-Malware rule set, all rules and rule elements of this rule set can be viewed and configured.

Default rule set – Gateway Anti-Malware
Criteria – Always
Cycles – Requests (and IM), Responses, Embedded Objects

The rule set contains the following rules.

Allow if user agent matches User Agent Whitelist
Header.Request.Get (“User-Agent”) matches in list User Agent WhiteList –> Stop Rule Set
The rule uses the Header.Request.Get property to check the user agent information that is sent with the header of a request.
If the user agent in question is on the specified whitelist, processing of the rule set stops, so the blocking rule at the end of the rule set is not processed.
The property's parameter (“User-Agent”) specifies which header field is checked when the rule is processed.
This rule is not enabled by default.
Note: Using this rule alone for whitelisting creates a security problem, because a client can usually set whatever user agent it prefers, so the header cannot be trusted to identify the client.
Allow URL host that matches in list Anti-Malware URL Whitelist
URL.Host matches in list Anti-Malware URL Whitelist –> Stop Rule Set
The rule uses the URL.Host property to check whether a given URL matches one of the entries on the specified whitelist.
If it does, processing of the rule set stops and the blocking rule at the end of the rule set is not processed.
You can use this rule to exempt web traffic from filtering when the hosts of the URLs involved are well-known web servers for which it is safe to assume that they spread no viruses or other malware.
Whitelisting increases performance because it avoids the effort of scanning the respective web objects.
Remove partial content for HTTP requests
Cycle.TopName equals “Request” AND (Connection.Protocol equals “http” OR Connection.Protocol equals “https”) –> Continue – Header.RemoveAll (“Range”)
The rule uses the Cycle.TopName and Connection.Protocol properties to check whether the current processing cycle is the request cycle and whether a request is sent in HTTP or HTTPS mode.
If this is the case, the Header.RemoveAll event modifies the request by removing the specification that only partial content is requested. A request for complete content is then forwarded to the relevant web server and eventually received from there, so that the complete content of a web object can be processed on the appliance.
For example, a complete archive can be opened and scanned for viruses and other malware. Malicious content that is distributed over several parts of a file can be detected by scanning the complete file, while it could go unnoticed if only parts of the file were scanned.
The Continue action lets processing continue with the next rule.
Block partial content for FTP requests
Cycle.TopName equals “Request” AND Connection.Protocol equals “ftp” AND Command.Categories contains “Partial” –> Block<Partial Content Not Allowed>
The rule uses the Cycle.TopName, Connection.Protocol, and Command.Categories properties to check whether the current processing cycle is the request cycle, the request is sent in FTP mode, and the command category used for the FTP transfer contains Partial as a string.
This allows Web Gateway to detect an FTP request for partial content and block it.
Unlike with HTTP or HTTPS requests, an FTP request for partial content cannot be modified to make it a request for complete content. However, if partial content were accepted on the appliance, the same security problems would arise as those explained for the rule that removes partial content from HTTP and HTTPS requests.
The action settings specify a message to the requesting user.
Start Media Stream Scanner on streaming media and skip anti-malware scanning
Cycle.Name equals “Response” AND StreamDetector.IsMediaStream<Default Streaming Detection> equals true –> Stop Rule Set – Enable Media Stream Scanner
The rule uses the Cycle.Name property to check whether processing is in the response cycle and the StreamDetector.IsMediaStream property to check whether the web object that is sent in response to Web Gateway is streaming media.
If both are the case, processing of the rule set stops, so the remaining rule is not processed, and an event is used to start the Media Stream Scanner.
Block if virus was found
Antimalware.Infected<Gateway Anti-Malware> equals true –> Block<Virus Found> – Statistics.Counter.Increment (“BlockedByAntiMalware”,1)<Default>
The rule uses the Antimalware.Infected property to check whether a given web object is infected by a virus or other malware.
When the Anti-Malware module is called to scan the object, it runs with the Gateway Anti-Malware settings, as specified with the property. These settings let the module use all three of its submodules and their methods to scan web objects.
If the module finds that a web object is infected, processing of all rules stops and the object is not passed on further. Access to it is blocked this way.
In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is not passed on to the user who requested it.
The action settings specify a message to this user.
The rule also uses an event to count blocking due to virus and malware infections.
The event parameters specify the counter that is incremented and the size of the increment. The event settings specify the settings of the Statistics module, which executes the counting.
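The following is an added example, not Web Gateway code, that models how the rules of this rule set are evaluated in the order shown above: a Python dict stands in for the engine's properties, the whitelist entries and the sample traffic are constructed values, and the "infected" flag stands in for the Anti-Malware module's verdict. It shows that a whitelist match stops the rule set before the Range header is removed or the scan result is checked.

```python
# Added example (not Web Gateway code): a small model of the rule order above.
# A dict stands in for the engine's properties; list contents are constructed.

USER_AGENT_WHITELIST = {"CorpUpdater/1.0"}           # constructed list entries
ANTI_MALWARE_URL_WHITELIST = {"updates.example.com"}
USER_AGENT_RULE_ENABLED = False                      # rule is disabled by default
stats = {"BlockedByAntiMalware": 0}                  # Statistics module counter

def evaluate(ctx):
    """Apply the rule set to one cycle; return (action, reason)."""
    headers = ctx.setdefault("headers", {})
    # Allow if user agent matches User Agent Whitelist (off by default: the
    # header is client-controlled, so it is not a trustworthy identifier)
    if USER_AGENT_RULE_ENABLED and headers.get("User-Agent") in USER_AGENT_WHITELIST:
        return "Stop Rule Set", "user agent whitelisted"
    # Allow URL host that matches in list Anti-Malware URL Whitelist
    if ctx.get("url_host") in ANTI_MALWARE_URL_WHITELIST:
        return "Stop Rule Set", "host whitelisted"
    # Remove partial content for HTTP requests: drop Range, then Continue
    if ctx["top_cycle"] == "Request" and ctx["protocol"] in ("http", "https"):
        headers.pop("Range", None)
    # Block partial content for FTP requests (cannot be rewritten like HTTP)
    if (ctx["top_cycle"] == "Request" and ctx["protocol"] == "ftp"
            and "Partial" in ctx.get("command_categories", ())):
        return "Block", "Partial Content Not Allowed"
    # Start Media Stream Scanner on streaming media and skip anti-malware scanning
    if ctx["cycle"] == "Response" and ctx.get("is_media_stream"):
        return "Stop Rule Set", "Media Stream Scanner enabled"
    # Block if virus was found; "infected" stands in for the scanner verdict
    if ctx.get("infected"):
        stats["BlockedByAntiMalware"] += 1
        return "Block", "Virus Found"
    return "Continue", "scanned, clean"

def demo():
    """Run constructed traffic through the rule set; return results and the
    HTTP request headers as they look after processing."""
    stats["BlockedByAntiMalware"] = 0
    http_req = {"top_cycle": "Request", "cycle": "Request", "protocol": "https",
                "url_host": "files.example.org", "headers": {"Range": "bytes=0-1023"}}
    ftp_req = {"top_cycle": "Request", "cycle": "Request", "protocol": "ftp",
               "url_host": "ftp.example.org", "command_categories": {"Partial"}}
    stream = {"top_cycle": "Response", "cycle": "Response", "protocol": "https",
              "url_host": "video.example.org", "is_media_stream": True}
    infected = {"top_cycle": "Response", "cycle": "Embedded Object", "protocol": "https",
                "url_host": "files.example.org", "infected": True}
    results = [evaluate(c) for c in (http_req, ftp_req, stream, infected)]
    return results, http_req["headers"]
```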