
Symantec™ Security Gateways Reference Guide - Sawmill

Preventing attacks

Client comforting

In some instances, clients that wait for a response from the proxy, especially when scanning a large file from a download manager, can exceed their default timeout values. If the client does not see data transferred within a default length of time, the client resets or terminates the connection. In addition, when scanning FTP or HTTP connections, the client's user may get concerned when they do not see any evidence of the requested file. The user may attempt to restart the transfer several times, or attempt to abort the connection completely.

You can enable client comforting, also known as antivirus comforting, on files to alleviate application timeouts and user confusion. SGMI lets you define both a file size and buffer size for use with client comforting. By default, the buffer is set at 256 KB and the file length is set at 15000 KB. The value defined for each of these determines when the security gateway uses client comforting. Client comforting operates at a minimum of the buffer size, even if the file size is defined to be smaller. You should use the file size to define values larger than the standard buffer size.

For files smaller than the defined file size (or buffer size if it is larger than the file size), the normal scanning process takes place, and should finish well before any timeout period kicks in. If client comforting is configured, files larger than the defined file size are partially sent, indicating to the client that activity is taking place. If the antivirus component detects a virus in the file, the proxy attempts to remove the partial file, and aborts the connection. The user sees that the connection aborted, and for FTP sessions, is told why over the control connection. The proxy also logs the fact that a virus was detected.

If the antivirus component determines that the file is clean, the connection continues as normal. This keeps a steady flow of data going between the client and server, keeping the connection alive and the user aware. It also improves the speed of the file transfer when scanning is on in a rule.

There are two limitations to client comforting:

■ The antivirus component cannot delete a partial file on the client once the file leaves the security gateway.
■ When client comforting is active, the proxy cannot take advantage of the scan and repair option because part of the file is already at the destination.

Container policy

Attachments in email messages are a common method that attackers use to send viruses. Sometimes, these attachments are compressed files that hide the virus nested inside. Symantec's antivirus component can scan these compressed files for viruses. However, there is overhead introduced because the entire attachment must be read in, expanded in a protected environment, scanned, and then either approved or denied. If the file is within another compressed file inside the original compressed file (called nesting), the process again adds some additional overhead.

SGMI lets you determine exactly how many layers deep you would like the scan engine to process. The default value is 10 layers, and you can configure this number to be as large as 50. You can also set the maximum attachment size, with the default being 100 MB. Carefully consider maximum values, bearing in mind that the larger the values are set, the more time it may take to process mail. If an attachment exceeds any of the defined limits, the attachment is not scanned, and the email is blocked.

Intrusion detection and prevention (appliance only)

The intrusion detection and prevention (IDS/IPS) component works with the driver, analyzing packets, and sending alerts back to the driver for any suspicious traffic it detects. The driver calls the IDS/IPS component just after checking for any blacklisted addresses or interface filters. If the IDS/IPS component detects something suspicious, an event is sent back to the driver. The driver then determines the next course of action for the packet.
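The client-comforting threshold and the container-policy limits from the two sections above, modelled as an added Python example (not Symantec's code): nested zip archives are built in memory, then expanded layer by layer under the documented depth and size limits. The MARKER byte string stands in for a signature match and is a constructed placeholder, as are the function names.

```python
import io
import zipfile

# Constructed stand-in for a signature match; just a byte pattern, not real malware.
MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def comforting_threshold_kb(file_size_kb: int = 15000, buffer_kb: int = 256) -> int:
    """Size (KB) at or below which a file is fully scanned before any data is sent.

    Larger files are comforted (partially sent while scanning continues). Comforting
    never operates below the buffer size, so the threshold is the larger of the two.
    Defaults are the guide's documented values.
    """
    return max(file_size_kb, buffer_kb)


def build_nested_zip(payload: bytes, layers: int) -> bytes:
    """Wrap payload in `layers` zip archives, each nested inside the next (test data)."""
    data = payload
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{i}.bin" if i == 0 else f"layer{i}.zip", data)
        data = buf.getvalue()
    return data


def scan_attachment(data: bytes, max_depth: int = 10, max_size: int = 100 * 1024 * 1024) -> str:
    """Return 'clean', 'infected', or 'blocked:<reason>' following the container policy.

    An attachment over max_size, or nested deeper than max_depth, is not scanned and
    the mail is blocked; otherwise every layer is expanded in memory and checked.
    """
    if len(data) > max_size:
        return "blocked:size"

    def walk(blob: bytes, depth: int) -> str:
        if not zipfile.is_zipfile(io.BytesIO(blob)):
            return "infected" if MARKER in blob else "clean"
        if depth + 1 > max_depth:
            return "blocked:depth"
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                # Declared uncompressed size is checked before expansion, so a highly
                # compressible inner file cannot blow past the size limit in memory.
                if info.file_size > max_size:
                    return "blocked:size"
                verdict = walk(zf.read(info), depth + 1)
                if verdict != "clean":
                    return verdict
        return "clean"

    return walk(data, 0)
```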