Symantec™ Security Gateways Reference Guide - Sawmill

Preventing attacks
Antivirus (appliance only)

Occasionally, a new virus or class of viruses emerges that is not detected by existing scan engines. These viruses require new algorithms for detection—and consequently a new scan engine. With the NAVEX technology, Symantec engineers can quickly upgrade the fundamental scan engines, with no extra cost or effort required on the part of the customer.

Symantec Striker technology

Symantec Striker technology identifies polymorphic computer viruses, which are the most complex and difficult viruses to detect. Like an encrypted virus, a polymorphic virus includes a scrambled virus body and a decryption routine that first gains control of the computer and then decrypts the virus body. However, a polymorphic virus also adds a mutation engine that generates randomized decryption routines that change each time the virus infects a new program. As a result, no two polymorphic viruses are the same.

Each time Symantec Striker scans a new program file, it loads the file into a self-contained virtual computer. The program executes in this virtual computer as if it were running on a real computer. Inside this virtual computer, the polymorphic virus runs and decrypts itself. Symantec Striker then scans, detects, and repairs the virus.

Antivirus scanning

Antivirus scanning is implemented as a client/server relationship between the supported application proxies (FTP, HTTP, and SMTP) and the antivirus component. The appliance is most often configured to issue scan requests to its local scan engine; however, you can configure the appliance or another software-based security gateway to direct antivirus scan requests to another appliance. Directing requests to another appliance is referred to as off-box scanning.

Antivirus scanning is enabled when a rule is created that allows FTP, HTTP, or SMTP traffic, and the respective proxy has antivirus scanning enabled. Both uploaded and downloaded files are scanned. Prior to scanning a new file, the configured scan policies and exclude list (if selected) are checked. The options include scan all but exclude, or scan all files not on the excluded extension list. Actions taken include scan and repair infected files and delete files that cannot be repaired, or scan and delete all infected files. This lets the administrator set scanning policies per protocol instead of having just one global policy, and provides the infrastructure to support off-box scanning.

Using the scan policies requested by the proxies and the configured mail policies, the antivirus component scans files for viruses and mail policy violations. Normally, files that have unrepairable infections, or that violate the established mail policy, are blocked; clean files and repairable infected files are allowed through. To comply with European Union (EU) privacy laws, which state that virus-infected emails cannot be modified or repaired, you can configure the security gateway to add an x-virus header to the email, which prevents the email from being repaired or deleted. For a complete list of directions to configure x-virus support, consult the Symantec Gateway Security 5400 Series Administrator's Guide.

When the proxy determines that scanning is necessary for a particular file, it passes the entire message, including the file to be scanned, to the antivirus component. Once the entire message is received, the antivirus component begins the scan. After scanning is complete, the antivirus component returns one of three things to the proxy:

■ The original message and file
■ The original message and a cleaned file
■ An error code and possibly a message indicating that the file contained a virus and could not be cleaned

Messages are sent to client processes (FTP client, mail client, or Web browser) which inform the user when viruses are found and cleaned, or when files are found to be unrepairable. The proxies also send virus-detected messages to the log file.
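To make the per-protocol scan policy, the exclude-list check and the three return paths concrete, here is an added Python model of the proxy-side decision. It is example code, not Symantec's: the policy field names, the result values and the "X-Virus: infected" header value are assumptions drawn from the prose above, not the appliance's real configuration schema.

```python
"""Model of the per-protocol antivirus scan policy described in the guide.

Added example, not Symantec code: field names, result values and the
X-Virus header value are constructed from the prose, not from the appliance.
"""
from dataclasses import dataclass, field
from enum import Enum


class ScanResult(Enum):
    """What the antivirus component hands back to the proxy."""
    CLEAN = "clean"                  # original message and file returned
    REPAIRED = "repaired"            # original message and a cleaned file
    UNREPAIRABLE = "unrepairable"    # error code: infected, could not be cleaned
    MAIL_POLICY_VIOLATION = "mail_policy_violation"


@dataclass
class ScanPolicy:
    """One protocol's (FTP, HTTP or SMTP) scan settings (constructed fields)."""
    excluded_extensions: set = field(default_factory=set)  # "scan all but exclude"
    delete_all_infected: bool = False   # "scan and delete all infected files"
    add_x_virus_header: bool = False    # EU mode: tag the mail, never repair/delete


def needs_scan(filename: str, policy: ScanPolicy) -> bool:
    """Exclude-list check the proxy performs before requesting a scan."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    excluded = {e.lower().lstrip(".") for e in policy.excluded_extensions}
    return ext not in excluded


def proxy_decision(filename: str, result: ScanResult, policy: ScanPolicy,
                   headers: dict) -> tuple:
    """Map a scan result to (verdict, headers): allow_original, allow_cleaned or block."""
    if not needs_scan(filename, policy) or result is ScanResult.CLEAN:
        return "allow_original", headers          # excluded extension or clean file
    if result is ScanResult.MAIL_POLICY_VIOLATION:
        return "block", headers
    if policy.add_x_virus_header:
        # EU privacy mode: deliver unmodified, tagged for the client
        # (the header value "infected" is an assumption of this example)
        return "allow_original", {**headers, "X-Virus": "infected"}
    if result is ScanResult.REPAIRED and not policy.delete_all_infected:
        return "allow_cleaned", headers           # repaired file passed through
    return "block", headers                       # unrepairable or delete-all policy
```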
