Configuring worm protection for your internal network
When configured for worm scanning, the virus scanning engine checks HTTP requests by scanning their
originating web page for known worm patterns. For example, Code Red attempts to gain entry to MS IIS
servers by trying to exploit a known buffer overflow bug in these servers.
To scan SMTP, POP3, and IMAP email attachments for worms, the virus scanning engine looks for
filenames known to be used by worms. For example, the Nimda worm uses files named readme.exe and
sample.exe.
If the virus scanning engine detects a worm, the file is deleted and replaced with an alert message.
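The attachment filename check and alert replacement described above, as an added Python example (not D-Link's implementation and not code from this manual). The function names, the alert wording and the sample message are assumptions; the filename list holds only the two Nimda names mentioned above.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Only the two Nimda filenames the manual mentions; a real engine's list is larger.
WORM_FILENAMES = {"readme.exe", "sample.exe"}
ALERT = "Attachment {name!r} was removed: its filename matches a known worm."


def scrub_worm_attachments(raw: str):
    """Return (cleaned message, list of attachment names that were removed)."""
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    for part in list(msg.walk()):
        name = part.get_filename()
        if not name or part.is_multipart():
            continue
        # Match on the bare, lower-cased name so "README.EXE" or a
        # path-prefixed name is still caught.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
        if base in WORM_FILENAMES:
            removed.append(name)
            # set_content() clears the old payload and Content-* headers,
            # leaving a text/plain alert where the file was.
            part.set_content(ALERT.format(name=name))
    return msg, removed


def build_sample() -> str:
    """Constructed test message: one worm-named and one harmless attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See attached.")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="README.EXE")
    m.add_attachment("quarterly notes", filename="notes.txt")
    return m.as_string()


if __name__ == "__main__":
    cleaned, removed = scrub_worm_attachments(build_sample())
    print("removed:", removed)
    print(cleaned.as_string())
```

A name-only check like this does not catch a renamed copy of the same file.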
To protect your internal network from worms:
• Go to Anti-Virus > HTTP > Outgoing.
• Click Worm Protection to scan content from Internet web pages for worms.
• Click Apply.
• Repeat these steps for SMTP, POP3, and IMAP if these services are allowed to send traffic through
the DFL-1000.
Virus and worm protection for incoming connections
You can prevent the spread of viruses and worms from servers on your internal and DMZ networks by
configuring incoming virus protection. Incoming virus protection can be configured for the following
services:
• HTTP, if you have an Internet web server installed on your internal or DMZ network
• SMTP, to prevent users on your internal network from sending email attachments that contain viruses
to addresses on the Internet
• POP3, if you allow users on the Internet to connect to a POP3 server on your internal or DMZ
network
• IMAP, if you allow users on the Internet to connect to an IMAP server on your internal or DMZ
network
Even though viruses and worms are distributed from your internal and DMZ networks by being uploaded
through your firewall, an incoming connection to a server on your DMZ or internal network must first be started.
It is this incoming connection that triggers DFL-1000 incoming virus protection.
This section describes:
• High level virus protection for incoming connections
• Medium level virus protection for incoming connections
• Low level virus protection for incoming connections
• Worm protection for incoming connections
High level virus protection for incoming connections
High level protection removes target files in web transfers and in email attachments before they pass
through the firewall.
You can switch on high level data protection separately for the HTTP, SMTP, POP3, and IMAP content
protocols. For each content type, you can also select target file types to be removed. The virus scanner
replaces deleted files with an alert message that is forwarded to the external user.
To configure high level virus protection to prevent the distribution of viruses from your internal and DMZ
networks:
• Go to Anti-Virus > HTTP > Incoming.
DFL-1000 User’s Manual