Gateway Anti-Spyware Training Guide - eSoft, Inc.


ESOFT GATEWAY ANTI-SPYWARE


COPYRIGHT NOTICES

©eSoft Inc. 2011. eSoft, InstaGate, and ThreatWall are registered trademarks, and SoftPak and SoftPak Director are trademarks of eSoft, Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation. Adobe, the Adobe logo, and Acrobat are registered trademarks of Adobe Systems Inc. UNIX is a registered trademark of UNIX Systems Laboratories, Inc. All other brand and/or product names are the property of their respective holders.

Portions of this software are covered under the GNU General Public License. You may freely obtain source code versions of the software covered by the GNU General Public License through the Internet at http://www.redhat.com. However, some applications remain the property of their owners, and require their permission to redistribute. For more information, access the eSoft web site at http://www.esoft.com.

Portions of this software are Copyright © The Regents of the University of California. A complete copy of the copyright notice follows:

Copyright © The Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

All advertising materials mentioning features or use of this software must display the following acknowledgment:

“This product includes software developed by the University of California, Berkeley and its contributors.”

Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions of this software are Copyright © The Apache Group. A complete copy of the copyright notice follows:

Copyright © 1995-1997 The Apache Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

All advertising materials mentioning features or use of this software must display the following acknowledgment:

“This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).”

The names “Apache Server” and “Apache Group” must not be used to endorse or promote products derived from this software without prior written permission.

Redistributions of any form whatsoever must retain the following acknowledgment:

“This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).”


INTRODUCTION

Gateway Anti-Spyware is a powerful tool for scanning email and web traffic that passes through an InstaGate or ThreatWall. Gateway Anti-Spyware is part of the Email and Web ThreatPaks. This guide will walk through the configuration, maintenance and troubleshooting of Gateway Anti-Spyware. If there are any questions or situations not covered in this guide, please contact technical support for assistance.

CONFIGURATION

When Gateway Anti-Spyware is installed, a new menu option will appear in the left-hand main menu. Under this menu are four options: Settings, Custom Source Rules, Custom Destination Rules and Updates. Please note that all of the images in this document show the configuration for a unit with both Email and Web ThreatPaks installed.

1.1 Settings

The main configuration area for Gateway Anti-Spyware is under the Settings option. It is in this section that a network administrator can configure which protocols are scanned, what to do when an infection is found, and the maximum file size to scan. The image below shows the main page of Gateway Anti-Spyware.


1.2 Advanced

The Advanced section of the Gateway Anti-Spyware configuration allows a system administrator to add other protocols to be scanned and dictate the maximum file size to scan. Below is a screen shot of the “Advanced Settings” page.

The first configuration area sets the maximum scan limit and how to handle emails over that limit. Since most malware is relatively small, and large downloads tend to be from secure sources, it is recommended that the Maximum Size be set to no more than 20MB and the Above Maximum Size Action be set to Allow. This will greatly improve system performance, freeing resources for more important processes.

The Protocol Settings section identifies what other protocols Gateway Anti-Spyware will scan. Simply checking the appropriate boxes and clicking Apply will enable scanning on each protocol.

The final area under Advanced is the Block IP Address. This setting is needed for the DNS scanning of Gateway Anti-Spyware. It is recommended to not change the default value.

1.3 Custom Source & Destination Rules

By default Gateway Anti-Spyware scans all traffic on enabled protocols for malware. Therefore settings have been included that allow traffic from certain IP addresses and URLs to be exempt from scanning. The Custom Source and Custom Destination rules allow for the entry of those exemptions.


Custom Source Rules allow network administrators to enter LAN IPs and subnets that will not be scanned for malware. To enter a LAN IP or subnet, click on Custom Source Rules under the Gateway Anti-Spyware menu, then enter the source address or range that will not be scanned. IPs should be entered as a single IP such as 192.168.1.1 or as a subnet range such as 10.10.10.0/24, and each entry should appear on a separate line. See the image to the left for an example. Custom Source Rules should be used for LAN clients only; no public IP addresses should be entered here.

Custom Destination Rules are used to allow traffic to specific IPs and URLs on the Internet to bypass Anti-Spyware scanning. Once Custom Destination Rules has been selected under the Gateway Anti-Spyware menu, the current rules will be displayed. See below for an example showing two custom destination rules, for www.esoft.com and 199.45.143.1.

On this screen a system administrator can choose to modify or delete an existing rule, or add a new one. When Add is clicked, a new page will appear that will ask for the IP or URL to be entered and for the action to be selected.


The action can be Block, Allow or Trust. Block prevents all access to the address. Allow permits connections to the address, but content will still be scanned. Trust permits connections to the address and content will not be scanned. In most cases Trust will be the only option used, as the other two options won’t change the behavior of Gateway Anti-Spyware if content is already being blocked. For example, if a download from Symantec is being blocked, the only way to bypass Anti-Spyware would be to add the URL or IP for Symantec and set the Action to Trust.
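The following is an added example, not eSoft's code, that models the exemption rules described in sections 1.2 and 1.3 so an administrator can predict what a given download will do before changing the unit: it validates a Custom Source Rules list (one IP or CIDR per line, LAN addresses only) and applies the Block/Allow/Trust destination actions together with the recommended Maximum Size ceiling. The function names, the Download record and the order in which rules are evaluated (a destination Block first, then a source exemption, then Trust, then the size ceiling) are this example's own assumptions; the guide does not state that order. Hostnames ending in .invalid are constructed sample data.

```python
"""Model of the Gateway Anti-Spyware exemption rules from sections 1.2 and 1.3.

Added example, not eSoft's code. Only the behaviour the guide states is used
(source exemptions, Block/Allow/Trust destination actions, Maximum Size
ceiling). Function names, the Download record and the evaluation order are
assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

MAX_SIZE = 20 * 1024 * 1024   # the guide's recommended 20MB ceiling
ABOVE_MAX_ACTION = "allow"    # the guide's recommended Above Maximum Size Action


def parse_source_rules(text):
    """Parse the Custom Source Rules box: one IP or CIDR per line.

    Returns (networks, problems). A line is a problem if it is not a valid IP
    or CIDR, or if it is a public address (the guide says LAN clients only).
    """
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append((lineno, line, "not a valid IP or CIDR"))
            continue
        if not net.is_private:
            problems.append((lineno, line, "public address; source rules are for LAN clients only"))
            continue
        networks.append(net)
    return networks, problems


@dataclass
class Download:
    src_ip: str   # LAN client that requested the content
    url: str      # requested URL
    dst_ip: str   # resolved server address
    size: int     # bytes


def evaluate(download, source_nets, dest_rules):
    """Return 'block', 'scan' or 'pass' (delivered unscanned) for a download.

    Assumed order: a destination Block always wins; then a source exemption;
    then a destination Trust; then the size ceiling; otherwise the file is scanned.
    dest_rules maps a lowercase hostname or an IP string to 'block'/'allow'/'trust'.
    """
    host = (urlsplit(download.url).hostname or "").lower()
    action = dest_rules.get(host) or dest_rules.get(download.dst_ip)
    if action == "block":
        return "block"
    src = ipaddress.ip_address(download.src_ip)
    if any(src in net for net in source_nets):
        return "pass"
    if action == "trust":
        return "pass"
    # 'allow' or no rule at all: content is scanned, subject to the size ceiling
    if download.size > MAX_SIZE:
        return "pass" if ABOVE_MAX_ACTION == "allow" else "block"
    return "scan"


# Constructed sample configuration mirroring the guide's own examples
SOURCE_RULES_TEXT = "192.168.1.1\n10.10.10.0/24\n"
DEST_RULES = {"www.esoft.com": "trust", "199.45.143.1": "trust"}

if __name__ == "__main__":
    nets, problems = parse_source_rules(SOURCE_RULES_TEXT + "199.45.143.1\nnot-an-ip\n")
    for lineno, line, why in problems:
        print(f"source rule line {lineno} ({line!r}): {why}")
    for d in (
        Download("192.168.1.1", "http://updates.example.invalid/a.exe", "203.0.113.5", 1_000),
        Download("192.168.5.7", "http://www.esoft.com/tool.exe", "199.45.143.1", 1_000),
        Download("192.168.5.7", "http://updates.example.invalid/a.exe", "203.0.113.5", 1_000),
        Download("192.168.5.7", "http://iso.example.invalid/big.iso", "203.0.113.6", 30 * 1024 * 1024),
    ):
        print(f"{d.src_ip} -> {d.url}: {evaluate(d, nets, DEST_RULES)}")
```

The validator rejects the two mistakes the guide warns about, a public address in the source list and a malformed entry, and the evaluator makes visible that both a Trust rule and an over-ceiling file result in content reaching the client without a scan, which is the trade-off behind the 20MB recommendation.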

1.4 Updates

The Updates section under Gateway Anti-Spyware allows system administrators to set the update interval or to force the unit to update immediately. By default all eSoft devices are set to update Anti-Spyware every 30 minutes. This page will also display the last successful update time.

THREATMONITOR

2.1 Overview

The ThreatMonitor is the main reporting tool on all eSoft appliances, and there is one tab just for Gateway Anti-Virus and Gateway Anti-Spyware. This tab will give you a breakdown of how many, what kind and when viruses/malware were found and stopped. Below is a screen shot example of the Malware Attempts tab in the ThreatMonitor.


2.2 Notes on HTTP and FTP Scanning

When HTTP or FTP scanning is enabled, all HTTP or FTP downloads will be scanned by Gateway Anti-Spyware unless exempted using Custom Source or Destination Rules. If a downloaded file matches a signature, the file's contents will be 'elided' by Gateway Anti-Spyware. You can see the result with a hex editor (http://www.hhdsoftware.com) or by opening the file with WordPad. The file will contain a message telling you a Spyware or Virus signature was found. The rest of the file will be filled with null characters and the file will be unusable.
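An added example, not eSoft's code, that applies the description above as a helpdesk check: a file whose contents are a short printable message followed by nothing but null bytes is reported as elided by the gateway, which separates that case from an ordinary corrupt or truncated download. The message text in the constructed sample is made up for this example; the guide does not give the real wording, so the check keys on the shape of the file rather than on any particular string.

```python
"""Recognise a download that Gateway Anti-Spyware has 'elided' (section 2.2).

Added example, not eSoft's code. The guide says an elided file holds a message
stating that a Spyware or Virus signature was found, with the rest of the file
filled with null characters. This check applies exactly that description.
The sample message below is constructed; the real wording is not in the guide.
"""
import os
import string
import tempfile

PRINTABLE = frozenset(string.printable.encode("ascii"))


def elided_message(data, min_null_fraction=0.5):
    """Return the leading message if `data` looks elided, else None.

    Elided shape: printable ASCII text, then only NUL bytes to end of file,
    with NULs making up at least `min_null_fraction` of the file.
    """
    if not data:
        return None
    first_nul = data.find(b"\x00")
    if first_nul <= 0:                     # no NULs at all, or NUL before any message
        return None
    head, tail = data[:first_nul], data[first_nul:]
    if any(b not in PRINTABLE for b in head):
        return None                        # binary content, e.g. a real executable header
    if tail.strip(b"\x00"):
        return None                        # real data follows the NULs: not elided
    if len(tail) / len(data) < min_null_fraction:
        return None                        # a file that merely ends in a few NULs
    return head.decode("ascii").strip()


def find_elided_files(directory, max_bytes=64 * 1024 * 1024):
    """Return {path: message} for every elided-looking file under `directory`."""
    found = {}
    for root, _, names in os.walk(directory):
        for name in names:
            path = os.path.join(root, name)
            if os.path.getsize(path) > max_bytes:
                continue                   # skip very large files rather than read them whole
            with open(path, "rb") as fh:
                msg = elided_message(fh.read())
            if msg is not None:
                found[path] = msg
    return found


# Constructed samples: a gateway-elided download and an ordinary PE header
SAMPLE_ELIDED = (b"Gateway Anti-Spyware: a Spyware signature was found in this file.\r\n"
                 + b"\x00" * 4096)
SAMPLE_BINARY = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 4096

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, blob in (("setup.exe", SAMPLE_ELIDED), ("real.exe", SAMPLE_BINARY)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(blob)
        for path, msg in find_elided_files(d).items():
            print(f"{os.path.basename(path)}: elided by gateway -> {msg}")
```

Running the script over a user's downloads folder gives the same answer the guide gets from a hex editor or WordPad, but for a whole folder at once, and the recovered message is what to look up in the ThreatMonitor Malware Attempts tab before deciding on a Custom Destination Rule.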

With HTTP or FTP scanning, file downloads may appear to be slower than normal. With these features enabled, all files are first downloaded to your InstaGate or ThreatWall. While a file is being downloaded, we only “trickle” a little bit through so the browser doesn’t time out. This appears as the 1 b/s download rate. The reason we do this is for security. For some file types, Windows will try to execute a file even if it has not been downloaded completely or correctly.

After the file has been downloaded to your unit, it is scanned for viruses/spyware. Depending on the file, it may or may not need to be processed further to scan the individual files it contains, which can increase the download time, but usually not by a lot. After scanning, the file will then be sent to the client at LAN speeds, which is usually faster than the browser will see. Overall, download time is usually not much longer, despite the 1 b/s speed that initially shows in the browser.


TROUBLESHOOTING

One of the most common issues when using Gateway Anti-Spyware is the blocking of certain content that end users need for work-related activities. This includes email attachments, websites and website downloads. To determine if Gateway Anti-Spyware is blocking content, eSoft recommends using the ThreatMonitor Malware Attempts tab. In the previous section an example of the ThreatMonitor was shown, including where to look for critical information. Using this tool will allow system administrators to determine if and why Gateway Anti-Spyware is blocking needed content. To allow access to a certain attachment or download it will be necessary to enter a Custom Source or Destination Rule. For details on how to enter a custom rule please refer to that section above. If the custom rule does not help, try temporarily disabling the virus scanning for the affected protocol.

For assistance with any problems with Gateway Anti-Spyware please contact eSoft Technical Support at 877-754-2986 or online at http://support.esoft.com.
