Former Member
Anti-Malware scanning workflow

Hello,

I want to understand how Anti-Malware engine works...

Sometimes I see a message:


[image: WSG_portable_FF_download.jpg]


What policy (Rule) regulates the Anti-Malware scanning process?

How can I enable scanning only for certain extensions? (exe, pdf, etc.)

aloksard
Employee

Re: Anti-Malware scanning workflow

Hi Alex,

Hope you are doing well.

The message you see is the progress page.

Progress Page:-

Progress Pages are particularly important when the Web Gateway is configured to do anti-virus/anti-malware scanning. The scanning of large or "dense" files can take significant periods of time. A "dense" file might be relatively small in size, but contain many sub-files that are archives or executables such as .dll, .exe, .zip, .rar, .jar, .iso or .xap, all of which must be individually unarchived and scanned.

A file that is large and dense, such as a 200MB ZIP file containing software developer tools, can take 30+ minutes to be fully scanned by the anti-virus/anti-malware engine. If progress indication is not provided to the user with Progress Pages, most users become impatient, or worse, believe there is a network or server problem. The impatient user will relaunch their download multiple times, causing the anti-virus/anti-malware engine to scan redundant copies concurrently, adding additional load to the Web Gateway.

Progress Pages give the user visual feedback, indicating that their file is being downloaded and anti-virus/anti-malware scanned, reducing helpdesk calls.

When a user downloads a non-text/html file that takes more than five seconds to be processed by the Web Gateway, the Web Gateway will redirect the client to a Progress Page, which will display dynamic progress indication while the download is occurring. The Progress Page shows the amount of data downloaded, the total size of the file being downloaded and a progress bar.

Once the Gateway has finished downloading the requested file, it will begin anti-virus/anti-malware scanning. During this phase, the Progress Page counts the elapsed seconds during scanning. There is also an animated progress bar.

 
Please refer to the link below for detailed information on the progress page:-

https://community.mcafee.com/t5/Documents/Web-Gateway-Understanding-Progress-Indication-Methods/ta-p...

Then we have the Composite Opener event, which causes MWG to start extracting the current body, if possible. If you are going through the rule engine in the response cycle and have a Zip file in the body, calling the Composite Opener causes MWG to start extracting the Zip file, sending all archive members as individual "embedded cycles" through the rule engine.

 
Rules for Anti-Malware filtering:-

The rules that control anti-malware filtering are usually contained in one rule set. The key rule in this rule set is the one that blocks access to web objects if they are infected by viruses and other malware. To find out whether an object is infected, the rule calls the Anti-Malware module, which scans the object and lets the rule know about the result. Whitelisting rules can be placed and processed in this rule set before the blocking rule. If any of them applies, the blocking rule is skipped and the whitelisted objects are not scanned. When the default rule set system is implemented, a rule set for virus and malware filtering is included. Its name is Gateway Anti-Malware.

 
Block if Virus was found:-

Antimalware.Infected equals true -> Block - Statistics.Counter.Increment("BlockedByAntiMalware", 1)

The rule uses the Antimalware.Infected property to check whether a given web object is infected by a virus or other malware. When the Anti-Malware module is called to scan the object, it runs with the Gateway Anti-Malware settings, as specified with the property. These settings let the module use all its three submodules and their methods to scan web objects. If the module finds that a web object is infected, processing of all rules stops and the object is not passed on further. Access to it is blocked this way. In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is not passed on to the user who requested it. The action settings specify a message to this user. The rule also uses an event to count blocking due to virus and malware infections. The event parameters specify the counter that is incremented and the size of the increment. The event settings specify the settings of the Statistics module, which executes the counting.

 
Please refer to the link below for more details on Anti-Malware filtering:-

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27276/en_US/...

Page 169

 
Please make sure SSL inspection is being done for the URL below so that MWG can look inside the body for filtering:-

You can create rules in your Anti-Malware rule set wherein you can skip malware scanning for files above 20 MB (an example), or skip malware scanning for any particular media type/URL/category etc., as per your requirement.

 
Regards

Alok Sarda
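To make the flow described in the answer concrete, here is a small Python model of the rule-set evaluation. It is an example written for this page, not MWG's own code or rule syntax. It assumes a toy byte signature in place of the Anti-Malware module, a media-type whitelist rule and the answer's 20 MB size rule as the whitelisting rules processed before the block rule, a tiny extension-to-media-type map, and Python's zipfile module standing in for the Composite Opener. Archive members, nested archives included, go through the same rule set as embedded cycles; the sample archive is constructed inline.

```python
"""Toy model of the Gateway Anti-Malware rule-set flow (added example, not MWG code):
whitelist rules first, Composite Opener feeds archive members through the rule set
as embedded cycles, then the block rule calls the scanner and counts the hit."""
import io
import os
import zipfile
from dataclasses import dataclass, field

MAX_SCAN_SIZE = 20 * 1024 * 1024                 # the answer's "skip scanning above 20 MB" example
SKIP_MEDIA_TYPES = {"image/jpeg", "image/png"}   # assumption: a media-type whitelist rule
TOY_SIGNATURE = b"TOY-MALWARE-SIGNATURE"         # constructed stand-in for a real detection
# assumption: MWG derives media types itself; this map only serves the example
MEDIA_BY_EXT = {".txt": "text/plain", ".jpg": "image/jpeg", ".png": "image/png",
                ".zip": "application/zip", ".exe": "application/x-msdownload"}


@dataclass
class WebObject:
    url: str
    media_type: str
    body: bytes
    cycle: str = "response"   # "response" for the download itself, "embedded" for archive members


@dataclass
class Result:
    verdict: str = "Allow"
    scanned: list = field(default_factory=list)   # URLs the scanner stand-in actually examined
    skipped: list = field(default_factory=list)   # (url, reason) exempted by a whitelist rule
    counters: dict = field(default_factory=dict)  # Statistics.Counter equivalents


def antimalware_infected(obj):
    """Stand-in for Antimalware.Infected: the real module runs its scanning submodules here."""
    return TOY_SIGNATURE in obj.body


def composite_opener(obj):
    """Stand-in for the Composite Opener event: yield ZIP members as embedded-cycle objects."""
    buf = io.BytesIO(obj.body)
    if not zipfile.is_zipfile(buf):
        return
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            yield WebObject(url=f"{obj.url}!/{info.filename}",
                            media_type=MEDIA_BY_EXT.get(ext, "application/octet-stream"),
                            body=zf.read(info), cycle="embedded")


def run_rule_set(obj, result):
    """One pass of the rule set for one cycle.

    Whitelist rules come first: if one applies, the block rule is skipped and the
    object is never scanned (which is also the risk of such rules). Archive members
    then go through the same rule set as embedded cycles, nested archives included.
    Finally the block rule runs and increments the statistics counter on a hit.
    """
    if len(obj.body) > MAX_SCAN_SIZE:
        result.skipped.append((obj.url, "size > 20 MB"))
        return "Allow"
    if obj.media_type in SKIP_MEDIA_TYPES:
        result.skipped.append((obj.url, "media type " + obj.media_type))
        return "Allow"
    for member in composite_opener(obj):
        if run_rule_set(member, result) == "Block":
            return "Block"            # an infected member blocks the whole download
    result.scanned.append(obj.url)
    if antimalware_infected(obj):
        result.counters["BlockedByAntiMalware"] = result.counters.get("BlockedByAntiMalware", 0) + 1
        return "Block"
    return "Allow"


def scan_download(url, media_type, body):
    """Run the response cycle for one downloaded object and return the collected outcome."""
    result = Result()
    result.verdict = run_rule_set(WebObject(url, media_type, body), result)
    return result


def build_sample_archive():
    """Constructed 'dense' download: a ZIP holding a clean text file, a JPEG that the
    media-type whitelist exempts even though it carries the toy signature, and a
    nested ZIP whose .exe member is the real hit."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("tools/setup.exe", b"MZ" + TOY_SIGNATURE)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("README.txt", b"clean text")
        zf.writestr("logo.jpg", b"\xff\xd8" + TOY_SIGNATURE)
        zf.writestr("tools.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    r = scan_download("http://example.com/devtools.zip", "application/zip", build_sample_archive())
    print(r.verdict, r.counters, r.scanned, r.skipped)
```

Running it blocks the download because of the .exe two archive levels down, with the counter incremented once and README.txt listed as scanned. The logo.jpg entry appears only under skipped even though it carries the signature: a whitelist rule placed before the block rule means that object is never handed to the scanner, so keep media-type, size and URL exemptions as narrow as the requirement allows.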

