Anti-Virus
Overview
Use the Zyxel Device’s anti-virus feature to protect your connected network from virus/spyware infection. The Zyxel Device checks traffic going in the direction(s) you specify for signature matches.
Use the Profile screens (Anti-Virus Screen) to turn anti-virus on or off, set up anti-virus policies and custom service port rules. You can also check the anti-virus license and signature status.
Use the Black/White List screen (Anti-Virus Black List) to set up anti-virus black (blocked) and white (allowed) lists of virus file patterns.
Use the Signature screen (AV Signature Searching) to search for particular signatures and get more information about them.
What You Need to Know
Anti-Virus Signatures
After the anti-virus trial expires, you need to purchase an iCard for the anti-virus signatures you want to use and register it in the Registration > Service screen.
Virus and Worm
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is self-replicating malware that copies itself to other systems, typically over the network, without needing a host program to attach to. The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected, to wiping out the entire contents of a hard drive, to rendering your computer inoperable.
Zyxel Device Anti-Virus Scanner
The Zyxel Device has a built-in signature database. Setting up the Zyxel Device between your local network and the Internet allows the Zyxel Device to scan files transmitted through the enabled interfaces into your network. As a network-based anti-virus scanner, the Zyxel Device helps stop threats at the network edge before they reach the local host computers.
You can set the Zyxel Device to examine files received through the following protocols:
FTP (File Transfer Protocol)
HTTP (Hyper Text Transfer Protocol)
SMTP (Simple Mail Transfer Protocol)
POP3 (Post Office Protocol version 3)
IMAP4 (Internet Message Access Protocol version 4)
How the Zyxel Device Anti-Virus Scanner Works
The following describes the virus scanning process on the Zyxel Device.
1 The Zyxel Device first identifies SMTP, POP3, IMAP4, HTTP and FTP packets by their standard ports.
2 If the packets are not session setup or teardown packets (such as SYN, ACK and FIN), the Zyxel Device records the sequence of the packets.
3 The scanning engine checks the contents of the packets for virus signatures.
Note: Scanning is done inline, so the portion of a file that was forwarded before a signature matched has already reached the receiver. If a virus pattern is matched, the Zyxel Device discards the infected portion of the file along with the rest of the file. The receiver therefore ends up with a truncated file, which it will usually not be able to open.
Notes About the Zyxel Device Anti-Virus
The following lists important notes about the anti-virus scanner:
1 The Zyxel Device anti-virus scanner can detect polymorphic viruses.
2 When a virus is detected, an alert message is displayed in Microsoft Windows computers.
3 Changes to the Zyxel Device’s anti-virus settings affect new sessions (not the sessions that already existed before you applied the changed settings).
4 The Zyxel Device does not scan the following file/traffic types:
A file downloaded in sections over multiple simultaneous connections, for example with a download accelerator such as FlashGet.
Encrypted traffic. This includes password-protected archives, TLS-encrypted sessions such as HTTPS (the Zyxel Device only sees ciphertext), and VPN traffic where the Zyxel Device is not the tunnel endpoint (pass-through VPN traffic).
Traffic on custom (non-standard) ports. The only exception is FTP: the Zyxel Device scans whichever port number is specified for FTP in the ALG screen.
A ZIP file nested within another ZIP file.
Traffic that a server or client compressed or encoded using a method the Zyxel Device does not support.
Because most of these gaps are under the sender's control (an attacker can choose the port, the encryption, the archive nesting or the encoding), treat network-edge scanning as one layer of protection and keep host-based anti-virus enabled on the local computers.
Anti-Virus Screen
 
Configuration > UTM Profile > Anti-Virus > Profile 
label
description
General Setting
 
Scan and detect EICAR test virus
Select this option to have the Zyxel Device check for the EICAR test file and treat it in the same way as a real virus file. The EICAR test file is a standardized, harmless test file for signature-based anti-virus scanners. When the virus scanner detects the EICAR file, it responds in the same way as if it had found a real virus. Besides straightforward detection, the EICAR file can also be compressed to test whether the anti-virus software can detect it inside a compressed file. The test string consists of the following 68 human-readable ASCII characters.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Profile Management
 
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
References
Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information in this screen.
#
This displays the index number of the rule.
Name
This displays the name for the anti-virus rule.
Description
This displays the description of the anti-virus rule.
Reference
This displays the number of times an Object Reference is used in a rule.
Service
The following fields display information about the current state of your subscription for virus signatures.
Service Status
This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn’t a license to be activated for this service.
If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license.
Then, click Activate to connect with the myZyxel server to activate the new license.
Service Type
This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard). None displays when the service is not activated.
Expiration Date
This field displays the date your service license expires.
Signature Information
The following fields display information on the current signature set that the Zyxel Device is using.
Current Version
This field displays the anti-virus signature set version number. This number gets larger as the set is enhanced.
Signature Number
This field displays the number of anti-virus signatures in this set.
Released Date
This field displays the date and time the set was released.
Update Signatures
Click this link to go to the screen you can use to download signatures from the update server.
Apply
Click Apply to save your changes.
Reset
Click Reset to return the screen to its last-saved settings.
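The following Python script is an added example for this chapter; it is not Zyxel software and it assumes nothing about the Zyxel Device beyond what this chapter states. It builds the EICAR test file in the three forms the text discusses (plain, inside a single ZIP, and nested ZIP-in-ZIP, the last of which the Zyxel Device documents as not scanned), plus a single-level archive under a misleading extension, and it classifies what arrives on the receiving side as intact, truncated (the default action described under How the Zyxel Device Anti-Virus Scanner Works) or zero-filled (the Destroy infected file action). Transferring the files through the Zyxel Device (for example by fetching them over HTTP or FTP from a host on the other side) is left to the reader; the file names and the classification labels are the script's own.

```python
"""Build EICAR test artifacts and classify what a scanner did to them.

Added example for this page; not Zyxel code.  File names, the
classification labels and the helper functions are this script's own.
"""
import io
import zipfile

# The 68-byte EICAR test string (the backslash is escaped for Python).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def zip_bytes(members: dict) -> bytes:
    """Return an in-memory ZIP archive holding the given {name: data} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_test_set() -> dict:
    """Constructed test files, one per scanner path the chapter describes."""
    single = zip_bytes({"eicar.com": EICAR})    # decompressed once: should be caught
    nested = zip_bytes({"eicar.zip": single})   # ZIP within a ZIP: documented as NOT scanned
    return {
        "eicar.com": EICAR,          # plain test file
        "eicar.zip": single,         # single-level archive
        "eicar-nested.zip": nested,  # nested archive
        "eicar.dat": single,         # archive detected by content, not by extension
    }


def nested_depth(data: bytes) -> int:
    """Count how many single-member ZIP layers wrap the payload (0 for a non-archive)."""
    depth = 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if len(names) != 1:
                break
            data = zf.read(names[0])
        depth += 1
    return depth


def classify_received(sent: bytes, received: bytes) -> str:
    """Compare what arrived with what was sent.

    The chapter says the bytes forwarded before a signature match reach the
    receiver unmodified and the remainder is either dropped (default) or
    overwritten with zeros (Destroy infected file).  A scanner hit therefore
    shows up as a truncated or a zero-filled tail; anything else is "altered".
    """
    if received == sent:
        return "intact"
    if len(received) < len(sent) and sent.startswith(received):
        return "truncated"
    if len(received) == len(sent):
        i = 0
        while i < len(sent) and received[i] == sent[i]:
            i += 1
        if all(b == 0 for b in received[i:]):
            return "zero-filled"
    return "altered"


if __name__ == "__main__":
    # Write the test set to the current directory so it can be served to a
    # client on the far side of the Zyxel Device.
    for name, data in build_test_set().items():
        with open(name, "wb") as fh:
            fh.write(data)
        print(f"{name}: {len(data)} bytes, {nested_depth(data)} ZIP layer(s)")
```

A plain eicar.com and eicar.zip arriving as "truncated" or "zero-filled" confirms the profile is scanning that protocol; eicar-nested.zip arriving "intact" is the documented nested-archive gap, and eicar.dat arriving intact would show that archive detection is not working as this chapter describes.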
Anti-Virus Profile Add or Edit
Configuration > UTM > Anti-Virus > Profile: Profile Management > Add 
label
description
Configuration
 
Name
Enter a descriptive name for this anti-virus rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description
Enter a description of this anti-virus rule.
Actions When Matched
 
Destroy infected file
When you select this check box, if a virus pattern is matched, the Zyxel Device overwrites the infected portion of the file (and the rest of the file) with zeros. The uninfected portion of the file before a virus pattern was matched goes through unmodified.
Log
These are the log options:
no: Do not create a log when a packet matches a signature(s).
log: Create a log on the Zyxel Device when a packet matches a signature(s).
log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a packet matches a signature(s).
Check White List
Select this check box to check files against the white list.
Check Black List
Select this check box to check files against the black list.
File decompression
 
Enable file decompression (ZIP and RAR)
Select this check box to have the Zyxel Device scan inside ZIP and RAR archives. The archive is recognized by its contents, so the file does not have to have a “zip” or “rar” file extension. The Zyxel Device first decompresses the archive and then scans the contents for viruses.
*The Zyxel Device decompresses an archive one level deep only. It does NOT decompress any ZIP file(s) within a ZIP file, so a nested archive passes through unscanned.
Destroy compressed files that could not be decompressed
Select this check box to have the Zyxel Device delete any archive that it is not able to decompress. This includes password-protected ZIP files and ZIP files nested within another ZIP file. There are also limits to the number of ZIP files that the Zyxel Device can concurrently unzip. Note that this option can therefore also delete legitimate archives, such as encrypted archives sent by a trusted party.
*Zyxel firmware packages cannot pass through the Zyxel Device with this check box enabled: the Zyxel Device classifies the firmware package as not decompressible and deletes it. Clear this check box when you download a firmware package from the Zyxel website. Uploading a firmware package to the Zyxel Device itself is not affected by this setting.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.
Anti-Virus Black List
Use the Black List screen to set up the Anti-Virus black (blocked) list of virus file patterns. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
 
Configuration > UTM Profile > Anti-Virus > Black/White List > Black List
label
description
Enable Black List
Select this check box to use the black list: the Zyxel Device logs and deletes files with names that match the black list patterns.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#
This is the entry’s index number in the list.
File Pattern
This is the file name pattern. If a file’s name matches this pattern, the Zyxel Device logs and deletes the file.
Apply
Click Apply to save your changes.
Reset
Click Reset to return the screen to its last-saved settings.
Anti-Virus Black List or White List Add/Edit
For a black list entry, enter a file pattern that should cause the Zyxel Device to log and delete a file.
For a white list entry, enter a file pattern that should cause the Zyxel Device to allow a file.
 
Configuration > UTM Profile > Anti-Virus > Black/White List > Black List (or White List) > Add 
label
description
Enable
If this is a black list entry, select this option to have the Zyxel Device apply this entry when using the black list.
If this is a white list entry, select this option to have the Zyxel Device apply this entry when using the white list.
File Pattern
For a black list entry, specify a pattern to identify the names of files that the Zyxel Device should log and delete.
For a white list entry, specify a pattern to identify the names of files that the Zyxel Device should not scan for viruses.
Use up to 80 characters. Alphanumeric characters, periods (.), underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
A question mark (?) matches exactly one character of any kind. For example, use “a?.zip” (without the quotation marks) to specify aa.zip, ab.zip and so on; abc.zip does not match.
An asterisk (*) matches any number of characters, so multiple files can match the pattern. For example, use “*a.zip” (without the quotation marks) to specify any file name that ends with “a.zip”. A file named “testa.zip” matches: there can be any number (of any type) of characters in front of the “a.zip” at the end and the file name still matches. A file named “test.zipa”, for example, does not match.
An asterisk in the middle of a pattern has the Zyxel Device check the beginning and the end of the file name and ignore whatever is in between. For example, with “abc*.zip”, any file name that starts with “abc” and ends with “.zip” matches, no matter how many characters are in between.
If the pattern contains no question mark or asterisk, the whole file name has to match the pattern, and the Zyxel Device compares only the first 80 characters of the file name.
Source
Select a source address or address group for whom this policy applies. You can configure a new one in the Object > Address > Add screen. Select any if the policy is effective for every source.
Destination
Select a destination address or address group for whom this policy applies. You can configure a new one in the Object > Address > Add screen. Select any if the policy is effective for every destination.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.
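The following Python module is an added example for this chapter, not Zyxel code; it implements file name matching with exactly the rules described under File Pattern above (single-character “?”, multi-character “*”, the 80-character limit, and whole-name comparison of the first 80 characters when no wildcard is used) so that a list of patterns can be checked against real file names before it is entered on the Zyxel Device. Whether the Zyxel Device compares names case-sensitively is not stated in this chapter; the module assumes case-insensitive matching and marks that assumption. The function names and the (enabled, pattern) entry format are the module's own.

```python
"""Black/white list file-pattern matching with the rules this chapter documents.

Added example for this page; not Zyxel code.  Function names and the
(enabled, pattern) entry format are this module's own.
"""
import re

MAX_PATTERN_LEN = 80     # documented limit on the pattern length
NAME_COMPARE_LEN = 80    # without wildcards only the first 80 name characters are compared
IGNORE_CASE = True       # ASSUMPTION: the chapter does not state case behaviour
ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9._\-?*]+$")   # '.' is used by the page's own examples


def validate_pattern(pattern: str) -> None:
    """Reject patterns the screen would not accept."""
    if not 1 <= len(pattern) <= MAX_PATTERN_LEN:
        raise ValueError("pattern must be 1-80 characters")
    if not ALLOWED_CHARS.match(pattern):
        raise ValueError("only alphanumerics, '.', '_', '-', '?' and '*' are allowed")


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate the documented wildcards: '?' = one character, '*' = any run."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    flags = re.IGNORECASE if IGNORE_CASE else 0
    # Anchored at both ends: the whole file name must be covered by the pattern.
    return re.compile("^" + "".join(parts) + "$", flags)


def matches(filename: str, pattern: str) -> bool:
    """Return True if the file name matches the pattern under the chapter's rules."""
    validate_pattern(pattern)
    if "*" in pattern or "?" in pattern:
        return pattern_to_regex(pattern).match(filename) is not None
    # No wildcard: whole-name comparison, limited to the first 80 characters.
    name = filename[:NAME_COMPARE_LEN]
    if IGNORE_CASE:
        return name.lower() == pattern.lower()
    return name == pattern


def first_match(filename: str, entries: list):
    """Return the first enabled pattern in the list that matches, or None.

    entries: list of (enabled, pattern) tuples in the order they appear on the
    screen (the Activate/Inactivate state is the first element).
    """
    for enabled, pattern in entries:
        if enabled and matches(filename, pattern):
            return pattern
    return None


if __name__ == "__main__":
    # Constructed sample: a candidate black list checked against a few names.
    blacklist = [(True, "*.exe"), (True, "invoice?.zip"), (False, "*.scr")]
    for name in ["setup.exe", "invoice1.zip", "invoice12.zip", "wallpaper.scr"]:
        print(f"{name:15} -> {first_match(name, blacklist)}")
```

Two practical points follow from the rules: a pattern without a wildcard is a whole-name match, so “report” does not match “report.zip”, and because a file's name is chosen by whoever sends it, white list entries should be as narrow as possible and scoped with the Source and Destination fields rather than broad wildcards such as “*.zip”.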
Anti-Virus White List
Use the White List screen to set up the Anti-Virus white (allowed) list of file name patterns. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
 
Configuration > UTM Profile > Anti-Virus > Black/White List > White List
label
description
Enable White List
Select this check box to use the white list: the Zyxel Device does not perform the anti-virus check on files with names that match the white list patterns. Because a file name is chosen by whoever sends the file, keep white list patterns narrow and restrict each entry with its Source and Destination fields; a broad entry such as “*.zip” exempts every archive from scanning regardless of where it comes from.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#
This is the entry’s index number in the list.
File Pattern
This is the file name pattern. If a file’s name matches this pattern, the Zyxel Device does not check the file for viruses.
Source
This is the source address or address group for whom this policy applies.
Destination
This is the destination address or address group for whom this policy applies.
Apply
Click Apply to save your changes.
Reset
Click Reset to return the screen to its last-saved settings.
AV Signature Searching
Use this screen to locate signatures and display details about them.
If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer maybe becoming unresponsive, just click No to continue. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Configuration > UTM > Anti-Virus > Signature 
LABEL
Description
Signatures Search
Enter the name, part of the name or keyword of the signature(s) you want to find. This search is not case-sensitive and accepts numerical strings.
 
Query all signatures and export
Click Export to have the Zyxel Device save all of the anti-virus signatures to your computer in a .txt file.
Query Result
 
#
This is the entry’s index number in the list.
Name
This is the name of the anti-virus signature. Click the Name column heading to sort your search results in ascending or descending order according to the signature name.
Click a signature’s name to see details about the virus.