Anti-Virus
Overview
Use the Zyxel Device’s anti-virus feature to protect your connected network from virus/spyware infection. The Zyxel Device checks traffic going in the direction(s) you specify for signature matches.
The anti-virus feature compares each file with the entries in its virus signature database as the file passes through the Zyxel Device.
Virus, Worm, and Spyware
A computer virus is a type of malicious software designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself. The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected to wiping out the entire contents of a hard drive or rendering your computer inoperable. Spyware infiltrates your device and secretly gathers information about you, such as your network activity, passwords, bank details, and so on.
Anti-Virus Licensing
The Zyxel Device downloads signature sets after it is registered and the anti-virus license is activated at myZyxel. A signature is a unique string of bits, or binary pattern, of a virus. A signature acts as a fingerprint that can be used to detect and identify a specific virus. These signatures are periodically updated if you have a valid license.
Having extensive, up-to-date signatures for the most common viruses is critical to making the anti-virus service work effectively. Signature Update shows licensing information for the different signature databases that can be used by the Zyxel Device.
After the anti-virus license expires, you need to purchase an iCard to update your local signature database. Extend your license in the Registration > Service screen.
Anti-Virus Scan Process
1 Before going through the Anti-Virus file scan, the Zyxel Device first identifies the packets sent by the following four major protocols with corresponding standard ports:
FTP (File Transfer Protocol)
HTTP (Hyper Text Transfer Protocol)
SMTP (Simple Mail Transfer Protocol)
POP3 (Post Office Protocol version 3)
The Zyxel Device records the order of packets in TCP connection-oriented sessions to check for matching virus signatures. The order of non-setup packets such as SYN, ACK and FIN is ignored.
2 The Zyxel Device checks every packet of the file for matches with the local signature databases.
If a virus pattern signature is matched, the actions you specify for identified viruses are applied. If Destroy infected file is enabled, the file is modified. Logs/alerts are sent according to your settings.
Note: The receiver is not notified if a file is modified by the Zyxel Device. If the file cannot be used, the receiver should contact the Zyxel Device administrator to confirm if the Zyxel Device modified the file by checking the logs.
Notes About the Zyxel Device Anti-Virus
The following lists important notes about the Zyxel Device’s anti-virus feature:
1 Zyxel’s anti-virus feature can detect polymorphic viruses (see Anti-Virus Technical Reference).
2 When a virus is detected, a log is created or an alert message is sent to the administrator depending on your log settings.
3 Changes to the Zyxel Device’s anti-virus settings only affect new sessions, not sessions that already existed before you applied the changed settings.
4 The Zyxel Device does not scan the following file/traffic types:
Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously.
Encrypted traffic. This could be password-protected files or VPN traffic where the Zyxel Device is not the endpoint (pass-through VPN traffic).
Traffic through custom (non-standard) ports. The Zyxel Device scans whatever port number is specified for FTP in the ALG screen.
All compressed files within a compressed file. Note that a single file can still be decompressed and scanned if you select Enable file decompression (ZIP and RAR).
Traffic compressed or encoded using a method the Zyxel Device does not support.
What You Can Do in this Chapter
Use the Profile screens (Anti-Virus Screen) to turn anti-virus on or off, set up anti-virus policies and custom service port rules. You can also check the anti-virus license and signature status.
Use the Black/White List screen (Anti-Virus Black List) to set up anti-virus black (blocked) and white (allowed) lists of virus file patterns.
Use the Signature screen (AV Signature Searching) to search for particular signatures and get more information about them.
Anti-Virus Screen
Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting and other information.
Configuration > UTM Profile > Anti-Virus > Profile 
label
description
General Setting
 
Scan and detect EICAR test virus
Select this option to have the Zyxel Device check for the EICAR test file and treat it in the same way as a real virus file. The EICAR test file is a standardized test file for signature based anti-virus scanners. When the virus scanner detects the EICAR file, it responds in the same way as if it found a real virus. Besides straightforward detection, the EICAR file can also be compressed to test whether the anti-virus software can detect it in a compressed file.
Scan Mode
 
Express Mode
In this mode you can define which types of files are scanned using the File Type For Scan fields. The Zyxel Device then scans files by sending each file’s hash value to a cloud database using cloud query. This is the fastest scan mode.
Stream Mode
In this mode the Zyxel Device scans all files for viruses using anti-malware signatures to detect known virus patterns, and Threat Intelligence Machine Learning. Threat Intelligence Machine Learning is a master cloud database containing malware patterns learned from all Zyxel Devices. This is the deepest scan mode.
Profile Management
 
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
References
Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information in this screen.
#
This displays the index number of the rule.
Name
This displays the name for the anti-virus rule.
Description
This displays the description of the anti-virus rule.
Reference
This displays the number of times an Object Reference is used in a rule.
Service
The following fields display information about the current state of your subscription for virus signatures.
Service Status
This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn’t a license to be activated for this service.
If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license.
Then, click Activate to connect with the myZyxel server to activate the new license.
Service Type
This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard). None displays when the service is not activated.
Expiration Date
This field displays the date your service license expires.
Signature Information
The following fields display information on the current signature set that the Zyxel Device is using.
Current Version
This field displays the anti-virus signature set version number. This number gets larger as the set is enhanced.
Signature Number
This field displays the number of anti-virus signatures in this set.
Released Date
This field displays the date and time the set was released.
Update Signatures
Click this link to go to the screen you can use to download signatures from the update server.
Apply
Click Apply to save your changes.
Reset
Click Reset to return the screen to its last-saved settings.
Anti-Virus Profile Add or Edit
Note: If “Destroy infected file” is disabled and “log” is set to “no”, the Zyxel Device will still perform the scan but will not do anything else. It is recommended to enable at least one of the two functions.
If “Destroy infected file” is disabled, any malicious file found can still be executed by the end user after it is forwarded. The administrator would have to inform the user if there is an infected file.
Configuration > UTM > Anti-Virus > Profile: Profile Management > Add 
label
description
Configuration
 
Name
Enter a descriptive name for this anti-virus rule (policy). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description
Enter a descriptive name for this anti-virus rule. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Actions When Matched
 
Destroy infected file
When you select this check box and a virus signature is matched, the Zyxel Device overwrites the infected portion of the file with zeros before forwarding the file to the user. The uninfected portion of the file passes through unmodified.
Log
These are the log options:
no: Do not create a log when a packet matches a signature(s).
log: Create a log on the Zyxel Device when a packet matches a signature(s).
log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a packet matches a signature(s).
Check White List
Select this check box to check files against the white list.
Check Black List
Select this check box to check files against the black list.
File decompression
 
Enable file decompression (ZIP and RAR)
Select this check box to have the Zyxel Device scan a compressed file (the file does not need to have a “zip” or “rar” file extension). The Zyxel Device first decompresses the file and then scans the contents for malware.
*The Zyxel Device decompresses a compressed file once. The Zyxel Device does NOT decompress any file(s) within a compressed file.
Destroy compressed files that could not be decompressed
When you select this check box, the Zyxel Device deletes compressed files that use password encryption.
Select this check box to have the Zyxel Device delete any compressed files that it cannot decompress. The Zyxel Device cannot decompress password protected files or a file within another compressed file. There are also limits to the number of compressed files that the Zyxel Device can concurrently decompress.
*The Zyxel Device’s firmware package cannot go through the Zyxel Device with this check box enabled. The Zyxel Device classifies the firmware package as a file that cannot be decompressed and then deletes it. Clear this check box when you download a firmware package from the Zyxel website. It’s OK to upload a firmware package to the Zyxel Device with the check box selected.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.
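As an added example (not Zyxel’s code), the following Python models what this profile’s EICAR option and file decompression settings mean for a given file: it builds the public EICAR test file, hashes it the way a cloud-query lookup would key on it (the hash algorithm the device uses is an assumption), wraps it in nested ZIP archives, and reports whether the contents would be compared with signatures given the one-level decompression limit described above.

```python
import hashlib
import io
import zipfile

# The public EICAR test string (68 bytes). Scanners treat it as a virus so an
# administrator can verify detection without handling real malware.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_sample() -> bytes:
    """Contents of the plain EICAR test file."""
    return EICAR


def file_hashes(data: bytes) -> dict:
    """Hashes of the kind an Express Mode cloud query would key on.
    Assumption: the manual does not say which algorithm the Zyxel Device sends."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def nest_in_zip(payload: bytes, inner_name: str, depth: int) -> bytes:
    """Wrap payload in `depth` nested ZIP archives; depth=0 returns it unchanged."""
    data, name = payload, inner_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level + 1}.zip"
    return data


def scan_coverage(data: bytes, decompression_enabled: bool) -> str:
    """How the manual says the device treats this file:
    'scanned'          - contents are compared with the signature set
    'not_scanned'      - decompression disabled, or an archive inside an
                         archive (the device decompresses only one level)
    'undecompressable' - password-protected entry; destroyed only if the
                         'Destroy compressed files that could not be
                         decompressed' option is enabled"""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "scanned"  # plain file: every packet is checked
    if not decompression_enabled:
        return "not_scanned"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: encrypted
                return "undecompressable"
            if zipfile.is_zipfile(io.BytesIO(zf.read(info))):
                return "not_scanned"
    return "scanned"
```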
Anti-Virus Black List
Use the Black List screen to set up the Anti-Virus black (blocked) list of virus file patterns. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Configuration > UTM Profile > Anti-Virus > Black/White List > Black List
label
description
Enable Black List
Select this check box to have the Zyxel Device use the black list: files with names that match the black list patterns are logged and deleted.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#
This is the entry’s index number in the list.
File Pattern
This is the file name pattern. If a file’s name matches this pattern, the Zyxel Device logs and deletes the file.
Apply
Click Apply to save your changes.
Reset
Click Reset to return the screen to its last-saved settings.
Anti-Virus Black List or White List Add/Edit
A black list allows you to specify signatures that you want to block. A white list allows you to specify signatures to allow in order to avoid false positives. False positives occur when a non-infected file matches a virus signature.
For a black list entry, enter a file pattern that would cause the Zyxel Device to log and modify this file.
For a white list entry, enter a file pattern that would cause the Zyxel Device to allow this file.
 
Configuration > UTM Profile > Anti-Virus > Black/White List > Black List (or White List) > Add 
label
description
Enable
If this is a black list entry, select this option to have the Zyxel Device apply this entry when using the black list.
If this is a white list entry, select this option to have the Zyxel Device apply this entry when using the white list.
File Pattern
For a black list entry, specify a pattern to identify the names of files that the Zyxel Device should log and delete.
For a white list entry, specify a pattern to identify the names of files that the Zyxel Device should not scan for viruses.
Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
A question mark (?) lets a single character in the file name vary. For example, use “a?.zip” (without the quotation marks) to specify aa.zip, ab.zip and so on.
Wildcards (*) let multiple files match the pattern. For example, use “*a.zip” (without the quotation marks) to specify any file that ends with “a.zip”. A file named “testa.zip” would match. There could be any number (of any type) of characters in front of the “a.zip” at the end and the file name would still match. A file named “test.zipa” for example would not match.
A * in the middle of a pattern has the Zyxel Device check the beginning and end of the file name and ignore the middle. For example, with “abc*.zip”, any file starting with “abc” and ending in “.zip” matches, no matter how many characters are in between.
The whole file name has to match if you do not use a question mark or asterisk.
If you do not use a wildcard, the Zyxel Device checks up to the first 80 characters of a file name.
Source
Select a source address or address group for whom this policy applies. You can configure a new one in the Object > Address > Add screen. Select any if the policy is effective for every source.
Destination
Select a destination address or address group for whom this policy applies. You can configure a new one in the Object > Address > Add screen. Select any if the policy is effective for every destination.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.
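The matching rules above (a single-character “?”, a “*” that ignores any run of characters, whole-name matching without wildcards over the first 80 characters) as an added Python model, not Zyxel’s own implementation. It assumes the “.” used in the manual’s own examples is accepted in a pattern, that matching is case-sensitive, and that the black list is consulted before the white list.

```python
import re

MAX_NAME_CHARS = 80          # the screen checks at most the first 80 characters
# Assumption: the examples in the manual use "." in patterns, so it is accepted
# alongside the alphanumerics, "_", "-", "?" and "*" that the screen lists.
PATTERN_CHARS = re.compile(r"^[A-Za-z0-9_.\-?*]+$")


def valid_pattern(pattern: str) -> bool:
    """True if the pattern would be accepted by the Add/Edit screen."""
    return 0 < len(pattern) <= MAX_NAME_CHARS and PATTERN_CHARS.match(pattern) is not None


def file_pattern_matches(pattern: str, filename: str) -> bool:
    """Match a file name the way the manual describes the black/white list:
    '?' varies exactly one character, '*' stands for any run of characters
    (including none), and without either wildcard the whole name must match,
    compared over its first 80 characters. Assumption: case-sensitive."""
    if "?" not in pattern and "*" not in pattern:
        return filename[:MAX_NAME_CHARS] == pattern
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, filename) is not None


def list_action(filename: str, black_list, white_list) -> str:
    """Decide what the lists say about a file before the signature scan.
    Each list is an iterable of (pattern, enabled) pairs; inactive entries
    (the screen's Inactivate) are skipped. Assumption: the black list is
    consulted first, so a name on both lists is still logged and deleted.
    Returns 'log_and_delete', 'skip_scan' or 'scan'."""
    for pattern, enabled in black_list:
        if enabled and file_pattern_matches(pattern, filename):
            return "log_and_delete"
    for pattern, enabled in white_list:
        if enabled and file_pattern_matches(pattern, filename):
            return "skip_scan"
    return "scan"
```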
Anti-Virus Black/White List
Use the Black/White List screen to set up Anti-Virus black (blocked) and white (allowed) lists of virus file patterns. You can set them if you are avoiding specific kinds of viruses or reducing false positives. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Configuration > UTM Profile > Anti-Virus > Black/White List > White List
label
description
Enable White List
Select this check box to have the Zyxel Device use the white list: files with names that match the white list patterns are not checked for viruses.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#
This is the entry’s index number in the list.
File Pattern
This is the file name pattern. If a file’s name matches this pattern, the Zyxel Device does not check the file for viruses.
Source
This is the source address or address group for whom this policy applies.
Destination
This is the destination address or address group for whom this policy applies.
Apply
Click Apply to save your changes.
Reset
Click Reset to return the screen to its last-saved settings.
AV Signature Searching
Use this screen to locate signatures and display details about them.
If a warning screen opens about a script making the browser run slowly or the computer unresponsive, click No to continue. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Configuration > UTM > Anti-Virus > Signature 
label
description
Signatures Search
Enter the name, part of the name or keyword of the signature(s) you want to find. This search is not case-sensitive and accepts numerical strings.
 
Query all signatures and export
Click Export to have the Zyxel Device save all of the anti-virus signatures to your computer in a .txt file.
Query Result
 
#
This is the entry’s index number in the list.
Name
This is the name of the anti-virus signature. Click the Name column heading to sort your search results in ascending or descending order according to the signature name.
Click a signature’s name to see details about the virus.