Gateway Anti-Malware with TIE rule set

The Gateway Anti-Malware with TIE rule set is a library rule set for integrating anti-malware filtering on Web Gateway with information retrieved from a TIE server.

Library rule set – Gateway Anti-Malware with TIE
Criteria – Always
Cycles – Requests (and IM), Responses, Embedded Objects

The rule set contains the rules that are also contained in the default Gateway Anti-Malware rule set, as well as the following rules, which are needed to enable the integrated filtering.

Note: This rule set is provided only in the complete rules view.
TIE - Trusted reputations
MediaType.EnsuredTypes at least one in list Executables AND TIE.Filereputation<TIE Reputations> greater than or equals 70 AND TIE.Filereputation<TIE Reputations> less than or equals 99 –> Stop Rule Set
The rule uses the MediaType.EnsuredTypes property to check whether a given web object is an executable file by looking it up in a list.
It also uses the TIE.Filereputation property to check whether the file reputation score for this object, which is retrieved from a TIE server, is between 70 and 99. This score means that the object is not considered malicious.
When the TIE.Filter module is called to retrieve the file reputation, it runs with the TIE.Reputation settings, as specified with the property.
If all parts of the criteria match, processing of the rule set stops and the rules that follow this rule in the rule set are skipped.
Skipping these rules means that the object is not scanned and filtered by the submodules of the Anti-Malware module on Web Gateway, which include the Gateway Anti-Malware (GAM) and Avira engines.
TIE - Unknown reputations
TIE.Filereputation<TIE Reputations> equals 50 AND TIE.Filereputation<TIE Reputations> greater than 0 –> Continue
The rule uses the TIE.Filereputation property to check whether the file reputation score for this object, which is retrieved from a TIE server, equals 50, which means the reputation is not known.
When the TIE.Filter module is called to retrieve the file reputation, it runs with the TIE.Reputation settings, as specified with the property.
If the criteria match, processing continues, which means the rule does not take any particular action on objects with unknown reputations.
This rule is not enabled by default.
TIE - Malicious reputations
TIE.Filereputation<TIE Reputations> less than or equals 30 AND TIE.Filereputation<TIE Reputations> greater than 0 –> Block<TIE Reputation>
The rule uses the TIE.Filereputation property to check whether the file reputation score for this object, which is retrieved from a TIE server, is between 0 and 30 (greater than 0 and at most 30), which means it is considered malicious.
When the TIE.Filter module is called to retrieve the file reputation, it runs with the TIE.Reputation settings, as specified with the property.
If both parts of the criteria match, processing of all rules stops and the object is not passed on further. Access to it is blocked this way.
In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is not passed on to the user who requested it. The action settings specify a message to this user.
This rule is not enabled by default.
Block if virus was found
MediaType.EnsuredTypes at least one in list Executables AND Antimalware.Infected<Gateway Anti-Malware with TIE> equals true AND Antimalware.Proactive.Probability<Gateway Anti-Malware with TIE> greater than or equals 60 AND Antimalware.Proactive.Probability<Gateway Anti-Malware with TIE> less than 80 –> Block<Virus Found> – Statistics.Counter.Increment (“BlockedByAntiMalware”,1)<Default> – TIE: Report File Reputation (30)
The rule uses the MediaType.EnsuredTypes property to check whether a given web object is an executable file by looking it up in a list.
It also uses the Antimalware.Infected and Antimalware.Proactive.Probability properties to find out whether this object is infected by a virus or other malware and whether the probability that it is infected is between 60 and 80, which means it is likely that it is malicious.
When the Anti-Malware module is called to scan the object and rate its malware probability, it runs with the Gateway Anti-Malware with TIE settings, as specified with the properties.
These settings let the module use both its submodules, the Gateway Anti-Malware (GAM) engine and the Avira engine, and their methods to scan web objects.
If all parts of the criteria match, processing of all rules stops and the object is not passed on further. Access to it is blocked this way.
In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is not passed on to the user who requested it. The action settings specify a message to this user.
The rule also uses an event to count blocking due to virus and malware infections. The event parameters specify the counter that is incremented and the size of the increment. The event settings specify the settings of the Statistics module, which executes the counting.
The rule uses another event to notify the TIE server that there is a high probability that the scanned object is malicious. Corresponding to this high probability grade, a low reputation score is sent to the TIE server.
Block if virus was found
MediaType.EnsuredTypes at least one in list Executables AND Antimalware.Infected<Gateway Anti-Malware with TIE> equals true AND Antimalware.Proactive.Probability<Gateway Anti-Malware with TIE> greater than or equals 80 AND Antimalware.Proactive.Probability<Gateway Anti-Malware with TIE> less than 90 –> Block<Virus Found> – Statistics.Counter.Increment (“BlockedByAntiMalware”,1)<Default> – TIE: Report File Reputation (15)
The rule uses the MediaType.EnsuredTypes property to check whether a given web object is an executable file by looking it up in a list.
It also uses the Antimalware.Infected and Antimalware.Proactive.Probability properties to find out whether this object is infected by a virus or other malware and whether the probability that it is infected is between 80 and 90, which means it is very likely that it is malicious.
When the Anti-Malware module is called to scan the object and rate its malware probability, it runs with the Gateway Anti-Malware with TIE settings, as specified with the properties.
These settings let the module use both its submodules, the Gateway Anti-Malware (GAM) engine and the Avira engine, and their methods to scan web objects.
If all parts of the criteria match, processing of all rules stops and the object is not passed on further. Access to it is blocked this way.
In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is not passed on to the user who requested it. The action settings specify a message to this user.
The rule also uses an event to count blocking due to virus and malware infections. The event parameters specify the counter that is incremented and the size of the increment. The event settings specify the settings of the Statistics module, which executes the counting.
The rule uses another event to notify the TIE server that there is a very high probability that the scanned object is malicious. Corresponding to this very high probability grade, a very low reputation score is sent to the TIE server.
Block if virus was found
MediaType.EnsuredTypes at least one in list Executables AND Antimalware.Infected<Gateway Anti-Malware with TIE> equals true AND Antimalware.Proactive.Probability<Gateway Anti-Malware with TIE> greater than or equals 90 –> Block<Virus Found> – Statistics.Counter.Increment (“BlockedByAntiMalware”,1)<Default> – TIE: Report File Reputation (1)
The rule uses the MediaType.EnsuredTypes property to check whether a given web object is an executable file by looking it up in a list.
It also uses the Antimalware.Infected and Antimalware.Proactive.Probability properties to find out whether this object is infected by a virus or other malware and whether the probability that it is infected is greater than or equal to 90, which means it is almost certain that it is malicious.
When the Anti-Malware module is called to scan the object and rate its malware probability, it runs with the Gateway Anti-Malware with TIE settings, as specified with the properties.
These settings let the module use both its submodules, the Gateway Anti-Malware (GAM) engine and the Avira engine, and their methods to scan web objects.
If all parts of the criteria match, processing of all rules stops and the object is not passed on further. Access to it is blocked this way.
In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is not passed on to the user who requested it. The action settings specify a message to this user.
The rule also uses an event to count blocking due to virus and malware infections. The event parameters specify the counter that is incremented and the size of the increment. The event settings specify the settings of the Statistics module, which executes the counting.
The rule uses another event to notify the TIE server that it is almost certain that the scanned object is malicious. Corresponding to this extremely high probability grade, an extremely low reputation score is sent to the TIE server.
Block if virus was found
Antimalware.Infected<Gateway Anti-Malware with TIE> equals true –> Block<Virus Found> – Statistics.Counter.Increment (“BlockedByAntiMalware”,1)<Default>
The rule uses the Antimalware.Infected property to check whether a given web object is infected by a virus or other malware.
When the Anti-Malware module is called to scan the object, it runs with the Gateway Anti-Malware with TIE settings, as specified with the property.
These settings let the module use both its submodules, the Gateway Anti-Malware (GAM) engine and the Avira engine, and their methods to scan web objects.
If the module finds that a web object is infected, processing of all rules stops and the object is not passed on further. Access to it is blocked this way.
In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is not passed on to the user who requested it. The action settings specify a message to this user.
The rule also uses an event to count blocking due to virus and malware infections. The event parameters specify the counter that is incremented and the size of the increment. The event settings specify the settings of the Statistics module, which executes the counting.
Note: The rule does not notify the TIE server of any scanning results.
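The order of the rules above decides which objects ever reach the scanning engines and which reputation, if any, is reported back to TIE. The following Python simulation is an added illustration, not code from Web Gateway or from this rule set; it walks the rules in the order listed on this page, using the thresholds given in the rule criteria. The WebObject and Outcome types, the evaluate function, the sample objects, and the convention that a TIE score of 0 means no score was retrieved are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Thresholds taken from the rule criteria on this page.
TIE_TRUSTED_MIN, TIE_TRUSTED_MAX = 70, 99   # TIE - Trusted reputations
TIE_UNKNOWN = 50                            # TIE - Unknown reputations
TIE_MALICIOUS_MAX = 30                      # TIE - Malicious reputations

# Proactive probability bands of the three executable-specific
# "Block if virus was found" rules and the file reputation each reports
# to TIE: (low inclusive, high exclusive or None for no upper bound, report).
PROBABILITY_BANDS = [
    (60, 80, 30),
    (80, 90, 15),
    (90, None, 1),
]


@dataclass
class WebObject:
    """Properties the rules read (assumed model; values are constructed samples)."""
    name: str
    is_executable: bool             # MediaType.EnsuredTypes at least one in list Executables
    tie_reputation: int             # TIE.Filereputation; 0 means "no score retrieved" (assumption)
    infected: bool = False          # Antimalware.Infected, known only after a scan
    proactive_probability: int = 0  # Antimalware.Proactive.Probability, known only after a scan


@dataclass
class Outcome:
    action: str                                      # "Continue" or "Block"
    block_action: Optional[str] = None               # "TIE Reputation" or "Virus Found"
    scanned: bool = False                            # was the Anti-Malware module invoked?
    counters: dict = field(default_factory=dict)     # Statistics.Counter.Increment calls
    tie_reports: list = field(default_factory=list)  # TIE: Report File Reputation values
    matched: list = field(default_factory=list)      # names of rules that matched, in order


def _block_virus_found(out: Outcome, rule_name: str, report: Optional[int]) -> Outcome:
    """Apply the Block<Virus Found> action, its counter event and optional TIE report."""
    out.matched.append(rule_name)
    out.action, out.block_action = "Block", "Virus Found"
    out.counters["BlockedByAntiMalware"] = out.counters.get("BlockedByAntiMalware", 0) + 1
    if report is not None:
        out.tie_reports.append(report)
    return out


def evaluate(obj: WebObject, unknown_rule_enabled: bool = False,
             malicious_rule_enabled: bool = False) -> Outcome:
    """Walk the rule set in the order the page lists it and return what happened."""
    out = Outcome(action="Continue")
    rep = obj.tie_reputation

    # TIE - Trusted reputations: executable with score 70..99 -> Stop Rule Set.
    # The rules that follow are skipped, so the object is never scanned.
    if obj.is_executable and TIE_TRUSTED_MIN <= rep <= TIE_TRUSTED_MAX:
        out.matched.append("TIE - Trusted reputations")
        return out

    # TIE - Unknown reputations (disabled by default): score 50 -> Continue, no action.
    if unknown_rule_enabled and rep == TIE_UNKNOWN and rep > 0:
        out.matched.append("TIE - Unknown reputations")

    # TIE - Malicious reputations (disabled by default): 0 < score <= 30 -> Block.
    if malicious_rule_enabled and 0 < rep <= TIE_MALICIOUS_MAX:
        out.matched.append("TIE - Malicious reputations")
        out.action, out.block_action = "Block", "TIE Reputation"
        return out

    # The remaining rules read Antimalware.* properties, so from here on the
    # Anti-Malware module (GAM and Avira engines) scans the object.
    out.scanned = True

    # Three banded rules for infected executables, each reporting a reputation to TIE.
    if obj.is_executable and obj.infected:
        p = obj.proactive_probability
        for low, high, report in PROBABILITY_BANDS:
            if p >= low and (high is None or p < high):
                band = f"{low}-{high}" if high is not None else f"{low}+"
                return _block_virus_found(out, f"Block if virus was found (probability {band})", report)

    # Final rule: any infected object is blocked, with no report to TIE.
    if obj.infected:
        return _block_virus_found(out, "Block if virus was found (any infected object)", None)

    return out


# Constructed sample objects; names and scores are invented for the demonstration.
SAMPLES = {
    "trusted_exe": WebObject("setup.exe", True, 85),
    "rep_100_exe": WebObject("tool.exe", True, 100, infected=True, proactive_probability=95),
    "unknown_exe": WebObject("new.exe", True, 50, infected=True, proactive_probability=75),
    "bad_rep_exe": WebObject("dropper.exe", True, 20, infected=True, proactive_probability=85),
    "infected_doc": WebObject("invoice.pdf", False, 85, infected=True, proactive_probability=95),
    "clean_exe": WebObject("clean.exe", True, 50),
}

if __name__ == "__main__":
    for label, obj in SAMPLES.items():
        res = evaluate(obj, malicious_rule_enabled=(label == "bad_rep_exe"))
        print(f"{label:13} -> {res.action:8} block={res.block_action} scanned={res.scanned} "
              f"reports={res.tie_reports} matched={res.matched}")
```

Running the simulation makes two consequences of the documented thresholds visible: an executable with a TIE score of 100 is not matched by the trusted rule, which only covers 70 to 99, so it is scanned like any other object; and a non-executable with a score of 85 is scanned as well, because the trusted rule also requires the executable media type. The same object with a score of 20 is blocked without scanning only when the TIE - Malicious reputations rule is enabled; with that rule at its default (disabled), the object falls through to the scanning rules and is blocked with a report of 15.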