when the excluded list is checked.
Maximum Compression Ratio
When scanning compressed files, NetDefendOS must apply decompression to examine the file's
contents. Some types of data can result in very high compression ratios where the compressed
file is a small fraction of the original uncompressed file size. This can mean that a comparatively
small compressed file attachment might need to be uncompressed into a much larger file which
can place an excessive load on NetDefendOS resources and noticeably slow down throughput.
To prevent this situation, the administrator should specify a
Compression Ratio
limit. If the limit of
the ration is specified as 10 then this will mean that if the uncompressed file is 10 times larger
than the compressed file, the specified Action should be taken. The Action can be one of:
•
Allow - The file is allowed through without virus scanning
•
Scan - Scan the file for viruses as normal
•
Drop - Drop the file
In all three of the above cases the event is logged.
Maximum Archive Depth
NetDefendOS can perform virus scanning on compressed files within other compressed files. The
level of nesting which is allowed is controlled by the Maximum archive depth setting. If this is
set to zero then any compressed file will always cause a fail condition. If set to a value of one,
compressed files will be scanned but any compressed files containing other compressed files will
cause a fail condition. A value of two allows a single nesting level of compressed files within
compressed files, with both levels being scanned.
The Maximum archive depth setting can have a maximum value of 10 but increasing the
setting should be done with caution. A denial-of-service attack might consist of sending a
compressed file with a high level of nesting. If the maximum archive depth specified does not
reject the file, large amounts of firewall resources could be consumed to uncompress and scan
the hierarchy of files.
Verifying the MIME Type
The ALG File Integrity options can be utilized with anti-virus scanning to check that the file's
contents matches the MIME type it claims to be.
The MIME type identifies a file's type. For instance a file might be identified as being of type
.gif
and therefore should contain image data of that type. Some viruses can try to hide inside files by
using a misleading file type. A file might pretend to be a
.gif
file but the file's data will not match
that type's data pattern because it is infected with a virus.
Enabling of this function is recommended to make sure this form of attack cannot allow a virus to
get through. The possible MIME types that can be checked are listed in
.
6.5.4. Activating Anti-Virus Scanning
Anti-virus scanning is activated in one of two ways:
•
Via an ALG that is associated with a service used in an IP rule. The ALG must be one that
allows anti-virus scanning.
Chapter 6: Security Mechanisms
546
Summary of Contents for NetDefendOS
Page 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Page 32: ...Chapter 1 NetDefendOS Overview 32 ...
Page 144: ...Chapter 2 Management and Maintenance 144 ...
Page 284: ...Chapter 3 Fundamentals 284 ...
Page 392: ...Chapter 4 Routing 392 ...
Page 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Page 420: ...Chapter 5 DHCP Services 420 ...
Page 573: ...Chapter 6 Security Mechanisms 573 ...
Page 607: ...Chapter 7 Address Translation 607 ...
Page 666: ...Chapter 8 User Authentication 666 ...
Page 775: ...Chapter 9 VPN 775 ...
Page 819: ...Chapter 10 Traffic Management 819 ...
Page 842: ...Chapter 11 High Availability 842 ...
Page 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Page 879: ...Chapter 13 Advanced Settings 879 ...