Overview
In HTTP and FTP traffic, Kerio Control Bitdefender Antivirus can scan the selected types of files. If offending files are detected, the default option is to deny the transmission of such files. Kerio Control can also generate notification emails to alert users.
The transmitted file is saved in a temporary file on the local disk of the firewall. Kerio Control caches the last part of the transmitted file (a segment of the data transferred) and performs an antivirus check of the temporary file.
Diagnosis
If Kerio Control detects a virus, the last segment of the data is dropped. The client then receives an incomplete (damaged) file that cannot be executed, so the virus cannot be activated. If no virus is found, Kerio Control also sends the rest of the file, and the transmission completes successfully.
- The purpose of the antivirus check is only to detect infected files; it is not possible to heal them.
- If the antivirus check is disabled in HTTP Policy and FTP Policy, objects and files matching the corresponding rules are not checked.
- Full functionality of HTTP scanning is not guaranteed if any non-standard extensions to web browsers (e.g. download managers, accelerators, etc.) are used.
Solution
- In the administration interface, go to Antivirus > Antivirus Engine.
- Verify that antivirus control is enabled and select options Enable HTTP scanning and Enable FTP scanning.
- On the HTTP, FTP Scanning tab, select Alert the client.
  Kerio Control sends an email to the user who attempted to download the file, warning that a virus was detected and that the download was stopped for security reasons.
  Kerio Control sends alert messages when:
  - The user is authenticated and connected to the firewall
  - A valid email address is set in the corresponding user account
  - The SMTP server used for sending mail is configured
- In the If a transferred file cannot be scanned section, select the action for when the antivirus check cannot be applied (e.g. the file is compressed and password-protected, damaged, corrupted, etc.):
  - Deny transmission of the file — Kerio Control considers the file infected and denies the transmission. In such cases, an alert email about the failed antivirus check of the file is generated.
  - Allow transmission of the file — Kerio Control treats the file as not infected. Use this option only if, for example, users transmit a big volume of compressed password-protected files and the antivirus is installed on the workstations.
HTTP and FTP scanning rules
Kerio Control contains a set of predefined rules for HTTP and FTP scanning. The firewall administrator can change the default configuration.
Scanning rules are ordered and processed from the top. When Kerio Control finds a rule that matches the object, it takes the appropriate action and does not process any further rules.
If the object does not match any rule, Kerio Control does not scan the object. If you want to scan object types other than those in the predefined rules, add a rule which enables scanning of any URL or MIME type to the list.
To add new rules, follow these instructions:
- On the HTTP, FTP Scanning tab, click Add.
- Select Condition type:
  - HTTP URL — URL of the object (for example, www.kerio.com/img/logo.gif), a string specified by wildcard matching (for example, *.exe) or a server name (for example, www.kerio.com). Server names represent any URL at a corresponding server (www.kerio.com/*).
  - HTTP MIME type — MIME types can be specified either by complete expressions (e.g. image/jpeg) or using wildcard matching (for example, application/*).
  - Filename — this option filters out certain filenames (not entire URLs) transmitted by FTP or HTTP (for example, *.exe, *.zip, and so on). If only an asterisk is used, the rule applies to any file transmitted by HTTP or FTP.
  - File type — select a group of predefined file extensions.
  Note: If a MIME type or a URL is specified only by an asterisk, the rule will apply to any HTTP object.
- Select Action to scan the objects for viruses.
- Type a description.
- Save the settings by clicking OK.
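
The top-down, first-match processing described above can be checked offline before changing the rule list. The following is an added example, not Kerio Control code: it models the HTTP URL, HTTP MIME type and Filename conditions and reports which transfers would pass unscanned. The rule list, the sample transfers, the boolean scan/skip action, the use of Python's fnmatch for wildcards and the case-insensitive comparison are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed rule list (not Kerio Control's predefined rules), evaluated top-down.
# Each rule: (condition type, pattern, scan?)
RULES = [
    ("url", "www.kerio.com/img/*", False),  # skip scanning under this path
    ("filename", "*.exe", True),
    ("mime", "application/*", True),
]

# Constructed sample transfers.
SAMPLES = [
    {"proto": "http", "url": "www.kerio.com/img/setup.exe", "mime": "application/octet-stream"},
    {"proto": "http", "url": "example.test/doc.pdf", "mime": "application/pdf"},
    {"proto": "http", "url": "example.test/page.html", "mime": "text/html"},
    {"proto": "ftp", "url": "ftp.example.test/pub/archive.zip"},
]

def matches(kind, pattern, obj):
    """Test one rule condition against a transferred object."""
    if kind in ("url", "mime") and obj["proto"] != "http":
        return False  # HTTP URL and HTTP MIME type conditions only see HTTP objects
    if kind == "url":
        if "/" not in pattern and "*" not in pattern:
            pattern += "/*"  # a bare server name stands for any URL on that server
        value = obj["url"]
    elif kind == "mime":
        value = obj.get("mime", "")
    elif kind == "filename":
        value = obj["url"].rsplit("/", 1)[-1]  # last path component only
    else:
        raise ValueError(f"unknown condition type: {kind}")
    return fnmatchcase(value.lower(), pattern.lower())

def decide(obj, rules):
    """Return (scan?, index of the matching rule or None); the first match wins."""
    for i, (kind, pattern, scan) in enumerate(rules):
        if matches(kind, pattern, obj):
            return scan, i
    return False, None  # no rule matched: the object is not scanned

def unscanned(objects, rules):
    """Audit helper: URLs of objects that would pass without an antivirus check."""
    return [o["url"] for o in objects if not decide(o, rules)[0]]

if __name__ == "__main__":
    print("not scanned:", unscanned(SAMPLES, RULES))
    print("with catch-all:", unscanned(SAMPLES, RULES + [("filename", "*", True)]))
```

Appending a Filename rule of * at the bottom covers the objects that matched no rule, but the .exe under www.kerio.com/img/ still goes unscanned because the skip rule above it matches first. Rule order needs the same review as rule content.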