Anti-Malware
Overview
Use the Zyxel Device’s anti-malware feature to protect your connected network from malware (malicious software) infection, such as computer virus, worms, and spyware. The Zyxel Device scans traffic going in both directions for malware signature matches.
The anti-malware matches a file with those in a malware database. This is done as files go through the Zyxel Device.
Virus, Worm, and Spyware
A computer virus is a type of malicious software designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself. The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected, to wiping out the entire contents of a hard drive, to rendering your computer inoperable. Spyware infiltrates your device and secretly gathers information about you, such as your network activity, passwords, bank details, and so on.
Hash Value
A hash function is an algorithm that maps data of arbitrary size to data of fixed size. The value returned by a hash function is a hash value. Hash values can be used to identify if the contents of a file have changed. At the time of writing, the MD5 (Message Digest 5) hash algorithm is supported.
Local Signature Databases
The Zyxel Device downloads the signature(s) after it is registered and the anti-malware license is activated at myZyxel. A signature is a unique string of bits, or binary pattern, of a malware. A signature acts as a fingerprint that can be used to detect and identify specific malware. The Zyxel Device downloads the following signatures:
Anti-malware signature
Threat Intelligence Machine Learning
These signatures are periodically updated if you have a valid license. See Anti-Malware Screen for how the Zyxel Device updates these signatures for the anti-malware license.
Anti-Malware Licensing
Having an extensive, up-to-date signature database covering the most common malware is critical to making the anti-malware service work effectively. Signature Update shows licensing information for the different signature databases that can be used by the Zyxel Device.
After the anti-malware license expires, you need to purchase an iCard to update your local signature database and use cloud query. Extend your license in the Registration > Service screen.
Anti-Malware Scan Process
Before going through the Anti-Malware scan, the Zyxel Device first identifies the packets sent by the following four major protocols with corresponding standard ports:
FTP (File Transfer Protocol)
HTTP (Hyper Text Transfer Protocol)
SMTP (Simple Mail Transfer Protocol)
POP3 (Post Office Protocol version 3)
The Zyxel Device records the order of packets in TCP connection-oriented sessions to check for matching malware signatures. The order of connection-control packets that carry no file data, such as SYN, ACK and FIN, is ignored.
Anti-Malware Scanning Procedure:
1 The Zyxel Device checks every packet of the file for matches with the local signature databases.
If a malware pattern signature is matched, the actions you specify for identified malware will be applied. If Destroy infected file is enabled, the file will be modified. Logs/alerts will be sent according to your settings.
Note: The receiver is not notified if a file is modified by the Zyxel Device. If the file cannot be used, the receiver should contact the Zyxel Device administrator to confirm if the Zyxel Device modified the file by checking the logs.
2 If no match is found with the local databases, the Zyxel Device uses Cloud Query to forward the file’s hash value to Defend Center.
3 Defend Center checks its database for malware signature matches and sends the results back to the Zyxel Device.
If a malware signature is matched, the actions you specify for identified malware will be applied. If Destroy infected file is enabled, the file will be modified. Logs/alerts will be sent according to your settings.
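The two-stage procedure above, as an added Python example that is not Zyxel's code: step 1 matches the file body against a constructed local signature table (using the public EICAR test string, which the Scan and detect EICAR test virus option lets the device treat like real malware), step 2 forwards only the file's MD5 hash value to a constructed stand-in for the Defend Center database, and the Destroy infected file and Log actions are then applied as described. For a cloud verdict the infected portion is not known, so this model zeroes the whole file; that is an assumption, not something the page states.

```python
import hashlib

# Constructed local signature database: name -> byte pattern. The EICAR
# string is the public standard test file for signature-based scanners.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
LOCAL_SIGNATURES = {"EICAR-Test-File": EICAR}

# Constructed stand-in for the Defend Center cloud database:
# MD5 hash value -> malware name. Only the hash ever leaves the device.
SAMPLE_BAD = b"constructed sample payload known only to the cloud database"
CLOUD_DB = {hashlib.md5(SAMPLE_BAD).hexdigest(): "Cloud.Sample.A"}


def local_scan(data):
    """Step 1: look for local signature patterns in the file body.
    Returns (name, offset, length) of the first hit, or None."""
    for name, pattern in LOCAL_SIGNATURES.items():
        idx = data.find(pattern)
        if idx != -1:
            return name, idx, len(pattern)
    return None


def cloud_query(data, cloud_db=CLOUD_DB):
    """Step 2: send the MD5 hash value (not the file) and return the
    malware name the cloud database reports, or None."""
    return cloud_db.get(hashlib.md5(data).hexdigest())


def scan_file(data, destroy_infected=True, log="log"):
    """Run both stages and apply the configured actions.
    log is one of the screen's options: "no", "log" or "log alert".
    Returns (verdict, forwarded_bytes, log_lines)."""
    logs = []
    hit = local_scan(data)
    if hit:
        name, off, length = hit
        source = "local signature"
    else:
        name = cloud_query(data)
        # Assumption: a cloud verdict gives no offset, so treat the whole
        # file as the infected portion.
        off, length = 0, len(data)
        source = "cloud query"
    if name is None:
        return "clean", data, logs
    if log != "no":
        prefix = "ALERT" if log == "log alert" else "LOG"
        logs.append(f"{prefix}: {name} matched via {source}")
    if destroy_infected:
        # Overwrite only the infected portion with zeros; the rest of the
        # file passes through unmodified and the size is unchanged.
        data = data[:off] + b"\x00" * length + data[off + length:]
        return "destroyed", data, logs
    # With Destroy infected file disabled the file is forwarded intact,
    # which is why the page recommends keeping at least logging on.
    return "forwarded-infected", data, logs
```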
File Scanning Cloud Query Supported File Types
At the time of writing, the following file types are supported:
7z Archive (7z)
AVI Video (avi)
BMP Image (bmp)
BZ2 Archive (bz2)
Executables (exe)
Macromedia Flash Data (swf)
GIF Image (gif)
GZ Archive (gz)
JPG Image (jpg)
MOV Video (mov)
MP3 Audio (mp3)
MPG Video (mpg)
MS Office Document (doc...)
PDF Document (pdf)
PNG Image (png)
RAR Archive (rar)
RM Video (rm)
RTF Document (rtf)
TIFF Image (tif)
WAV Audio (wav)
ZIP Archive (zip)
Notes About the Zyxel Device Anti-Malware
The following lists important notes about the Zyxel Device’s anti-malware feature:
1 Zyxel’s anti-malware feature can detect polymorphic malware (see Anti-Malware Signature Searching).
2 When malware is detected, a log is created or an alert message is sent to the administrator depending on your log settings.
3 Changes to the Zyxel Device’s anti-malware settings only affect new sessions, not sessions that already existed before you applied the changed settings.
4 Enabling Cloud Query may affect file transfer speeds.
5 The Zyxel Device does not scan the following file/traffic types:
Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously.
Encrypted traffic. This could be password-protected files or VPN traffic where the Zyxel Device is not the endpoint (pass-through VPN traffic).
Traffic through custom (non-standard) ports. The Zyxel Device scans whatever port number is specified for FTP in the ALG screen.
All compressed files within a compressed file. Note that a single file can still be decompressed and scanned if you select Enable file decompression (ZIP and RAR).
Traffic compressed or encoded using a method the Zyxel Device does not support.
Anti-Malware Screen
Click the Anti-Malware icon for more information on the Zyxel Device’s security features.
Note: Threat Intelligence Machine Learning (TIML) is not available if the gold security pack has expired.
See Subscription Services Available for more information on the subscription services for the two types of security packs.
Note: If Destroy infected file is disabled and log is set to no, the Zyxel Device will still perform the scan but will not do anything else. It is recommended to enable at least one of the two functions.
If Destroy infected file is disabled, any malicious file found can still be executed by the end user after it is forwarded. The administrator would have to inform the user if there is an infected file.
The following table describes the labels in this screen.
Configuration > Security Service > Anti-Malware 
label
description
General Setting
 
Enable
Select this checkbox to activate the anti-malware feature to protect your connected network from infection and the installation of malicious software.
Selecting this checkbox also activates Threat Intelligence Machine Learning (TIML). TIML signatures come from sandboxing inspection results and help the Zyxel Device block possible malicious or suspicious files.
Scan and detect EICAR test virus
Select this option to have the Zyxel Device check for an EICAR test file and treat it in the same way as a real malware file.
The EICAR test file is a standardized test file for signature based anti-malware scanners. When the scanner detects the EICAR file, it responds in the same way as if it found real malware. The EICAR file can also be compressed to test whether the anti-malware software can detect it in a compressed file.
Scan Mode
 
Express Mode
In this mode you can define which types of files are scanned using the File Type For Scan fields. The Zyxel Device then scans files by sending each file’s hash value to a cloud database using cloud query. This is the fastest scan mode.
Stream Mode
In this mode the Zyxel Device scans all files for viruses using anti-malware signatures to detect known virus patterns, and Threat Intelligence Machine Learning. Threat Intelligence Machine Learning is a master cloud database containing malware patterns learned from all Zyxel Devices. This is the deepest scan mode.
Hybrid Mode
In this mode you can define which types of files are scanned using the File Type For Scan fields. The Zyxel Device then scans files by sending each file’s hash value to a cloud database using cloud query. It also scans files using anti-malware signatures, and Threat Intelligence Machine Learning. This mode combines Express mode and Stream mode to offer a balance of speed and security.
File Type For Scan
 
Available File Types
File types that can be checked by the Zyxel Device are listed here. Note that the file types on this list are currently bypassed. To use this feature on a specific file type, click this file type and then click the right arrow button.
Applied File Types
File types that will be checked are listed here. If you don’t want a file type to be checked, click this file type and then click the left arrow button.
Destroy infected file
When you select this check box, if a malware signature is matched, the Zyxel Device overwrites the infected portion of the file with zeros before the file is forwarded to the user. The uninfected portion of the file will pass through unmodified.
Log
These are the log options:
no: Do not create a log when a packet matches a signature.
log: Create a log on the Zyxel Device when a packet matches a signature.
log alert: An alert is an emailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a packet matches a signature(s).
Check White List
Select this check box to have the Zyxel Device not perform the anti-malware check on files with names that match the white list patterns.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#
This is the entry’s index number in the list.
File Pattern
This is the file name pattern. If a file’s name matches this pattern, the Zyxel Device does not check the file for malware.
Check Black List
Select this check box to log and delete files with names that match the black list patterns.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#
This is the entry’s index number in the list.
File Pattern
This is the file name pattern. If a file’s name matches this pattern, the Zyxel Device logs and then destroys the file.
File decompression
Enable file decompression (ZIP and RAR)
Select this check box to have the Zyxel Device scan a compressed file (the file does not need to have a “zip” or “rar” file extension). The Zyxel Device first decompresses the file and then scans the contents for malware.
*The Zyxel Device decompresses a compressed file once. The Zyxel Device does NOT decompress any file(s) within a compressed file.
Destroy compressed files that could not be decompressed
When you select this check box, the Zyxel Device deletes any compressed file that it cannot decompress, including files that use password encryption. The Zyxel Device cannot decompress password protected files or a file within another compressed file. There are also limits to the number of compressed files that the Zyxel Device can concurrently decompress.
*The Zyxel Device’s firmware package cannot go through the Zyxel Device with this check box enabled. The Zyxel Device classifies the firmware package as a file that cannot be decompressed and then deletes it. Clear this check box when you download a firmware package from the Zyxel website. It’s OK to upload a firmware package to the Zyxel Device with the check box selected.
Signature Information
The following fields display information on the current signature set that the Zyxel Device is using.
Current Version
This field displays the signature set version number currently used by the Zyxel Device. This number gets larger as the set is enhanced.
Released Date
This field displays the date and time the set was released.
Threat Intelligence Machine Learning
The following fields display information on the Threat Intelligence Machine Learning signatures that the Zyxel Device is using.
Current Version
This field displays the TIML version number currently used by the Zyxel Device.
Released Date
This field displays the date and time this version was released.
Update Signatures
Click this link to go to the screen you can use to download signatures from the update server.
Apply
Click Apply to save your changes.
Reset
Click Reset to return the screen to its last-saved settings.
The White List Screen
A white list allows you to specify the file or encryption pattern to allow in order to avoid false positives. False positives occur when a non-infected file matches a malware signature.
Enter a file or encryption pattern that would cause the Zyxel Device to allow this file.
Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry.
The following table describes the fields in this screen.
Configuration > Security Service > Anti-Malware > Black/White List > White List
LABEL
Description
Check White List
Select this check box to have the Zyxel Device skip the anti-malware check on files whose names or MD5 hash values match the white list entries.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
#
This is the entry’s index number in the list.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Type
This field displays the type (MD5 Hash or File Pattern) used to distinguish whether a file should be allowed.
Select the type (MD5 Hash or File Pattern) that you want to use to distinguish whether a file should be allowed.
Value
This field displays the file or encryption pattern of the entry.
Enter the file or encryption pattern for this entry. Specify a pattern to identify the names of files that the Zyxel Device should not scan for viruses.
Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
A question mark (?) lets a single character in the file name vary. For example, use “a?.zip” (without the quotation marks) to specify aa.zip, ab.zip and so on.
Wildcards (*) let multiple files match the pattern. For example, use “*a.zip” (without the quotation marks) to specify any file that ends with “a.zip”. A file named “testa.zip” would match. There could be any number (of any type) of characters in front of the “a.zip” at the end and the file name would still match. A file named “test.zipa” for example would not match.
A * in the middle of a pattern has the Zyxel Device check the beginning and end of the file name and ignore the middle. For example, with “abc*.zip”, any file starting with “abc” and ending in “.zip” matches, no matter how many characters are in between.
The whole file name has to match if you do not use a question mark or asterisk.
If you do not use a wildcard, the Zyxel Device checks up to the first 80 characters of a file name.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
The Black List Screen
A black list allows you to specify the file or encryption pattern that you want to block.
Enter a file or encryption pattern that would cause the Zyxel Device to log and then destroy this file.
Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry.
The following table describes the fields in this screen.
Configuration > Security Service > Anti-Malware > Black/White List > Black List
LABEL
Description
Check Black List
Select this check box to log and delete files whose names or MD5 hash values match the black list entries.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
#
This is the entry’s index number in the list.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Type
This field displays the type (MD5 Hash or File Pattern) used to distinguish whether a file should be blocked.
Select the type (MD5 Hash or File Pattern) that you want to use to distinguish whether a file should be blocked.
Value
This field displays the file or encryption pattern of the entry. Enter a file pattern that would cause the Zyxel Device to log and modify this file.
Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
A question mark (?) lets a single character in the file name vary. For example, use “a?.zip” (without the quotation marks) to specify aa.zip, ab.zip and so on.
Wildcards (*) let multiple files match the pattern. For example, use “*a.zip” (without the quotation marks) to specify any file that ends with “a.zip”. A file named “testa.zip” would match. There could be any number (of any type) of characters in front of the “a.zip” at the end and the file name would still match. A file named “test.zipa” for example would not match.
A * in the middle of a pattern has the Zyxel Device check the beginning and end of the file name and ignore the middle. For example, with “abc*.zip”, any file starting with “abc” and ending in “.zip” matches, no matter how many characters are in between.
The whole file name has to match if you do not use a question mark or asterisk.
If you do not use a wildcard, the Zyxel Device checks up to the first 80 characters of a file name.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
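The File Pattern rules shared by the White List and Black List screens above (a ? for exactly one character, a * for any run of characters, whole-name matching otherwise, 80-character limit, allowed character set), as an added Python example that is not Zyxel's code. It admits "." in patterns because the page's own examples ("a?.zip", "abc*.zip") contain one, and it compares case as-is, which is an assumption; the file names tested are constructed.

```python
# Allowed pattern characters as listed on the screen, plus "." because the
# page's own examples ("a?.zip", "abc*.zip") contain it.
ALLOWED_CHARS = set("abcdefghijklmnopqrstuvwxyz"
                    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                    "0123456789_-?*.")
MAX_LEN = 80


def validate_pattern(pattern):
    """True if the entry has 1-80 characters, all from the allowed set."""
    return 0 < len(pattern) <= MAX_LEN and all(c in ALLOWED_CHARS for c in pattern)


def _match(p, s):
    """Backtracking matcher: '?' consumes exactly one character, '*' any
    run (possibly empty); other characters must match literally, and the
    whole file name must be consumed for a match."""
    if not p:
        return s == ""
    if p[0] == "*":
        # Try every split point; 80-character patterns keep this cheap.
        return any(_match(p[1:], s[i:]) for i in range(len(s) + 1))
    if not s:
        return False
    if p[0] == "?" or p[0] == s[0]:
        return _match(p[1:], s[1:])
    return False


def pattern_matches(pattern, filename):
    """Apply one File Pattern entry to a file name.
    Raises ValueError for a pattern the screen would reject. Without a
    wildcard the whole name must match, and only the first 80 characters
    of the file name are compared. Case is compared as-is (assumption)."""
    if not validate_pattern(pattern):
        raise ValueError(f"invalid pattern: {pattern!r}")
    if "*" not in pattern and "?" not in pattern:
        return filename[:MAX_LEN] == pattern
    return _match(pattern, filename)


if __name__ == "__main__":
    # The page's own examples, run against constructed file names.
    for pat, name in [("a?.zip", "aa.zip"), ("a?.zip", "a.zip"),
                      ("*a.zip", "testa.zip"), ("*a.zip", "test.zipa"),
                      ("abc*.zip", "abc-2024-report.zip")]:
        print(f"{pat:10} {name:22} {pattern_matches(pat, name)}")
```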
Anti-Malware Signature Searching
Use this screen to locate signatures and display details about them.
If your web browser opens a warning screen about a script making the web browser run slowly and the computer unresponsive, just click No to continue.
Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
The following table describes the labels in this screen.
Configuration > Security Service > Anti-Malware > Signature 
LABEL
Description
Signatures Search
Enter the name, part of the name or keyword of the signature(s) you want to find and click Search. This search is not case-sensitive and accepts numerical strings.
Query Result
#
This is the entry’s index number in the list.
Name
This is the name of the anti-malware signature. Click the Name column heading to sort your search results in ascending or descending order according to the signature name.
Click a signature’s name to see details about the malware.
Anti-Malware Profile
To use multiple profiles for this feature, run the following commands in the Zyxel Device Command Line Interface (CLI).
Router# configure terminal
Router(config)# secure-policy-style advance
Router(config)# show secure-policy-style status
secure-policy-style: advance
After you run these commands, go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
After you log in again, you will see the new profile screen for this feature.
The following table describes the labels in this screen.
Configuration > Security Service >
Label
Description
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
Select an entry and click Remove to delete the selected entry.
#
This field is a sequential value showing the number of the profile. The profile order is not important.
Name
This displays the name of the profile created.
Description
This displays the description of the profile.
Add or Edit an Anti-Malware Profile
Click Add to create a new entry or select an existing entry and click Edit to open the following screen where you can create or modify the entry’s settings.
The following table describes the labels in this screen.
Configuration > Security Service > Anti-Malware > Profile > Add/Edit 
label
description
General Setting
 
Name
Type the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
Description
Type a description for the profile rule to help identify the purpose of rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.
Actions When Matched
 
Destroy infected file
When you select this check box, if a malware signature is matched, the Zyxel Device overwrites the infected portion of the file with zeros before the file is forwarded to the user. The uninfected portion of the file will pass through unmodified.
Log
These are the log options:
no: Do not create a log when a packet matches a signature.
log: Create a log on the Zyxel Device when a packet matches a signature.
log alert: An alert is an emailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a packet matches a signature(s).
Scan Options
 
Check White List
Select this check box to have the Zyxel Device not perform the anti-malware check on files with names that match the white list patterns.
Check Black List
Select this check box to log and delete files with names that match the black list patterns.
File decompression
Enable file decompression (ZIP and RAR)
Select this check box to have the Zyxel Device scan a compressed file (the file does not need to have a “zip” or “rar” file extension). The Zyxel Device first decompresses the file and then scans the contents for malware.
*The Zyxel Device decompresses a compressed file once. The Zyxel Device does NOT decompress any file(s) within a compressed file.
Destroy compressed files that could not be decompressed
When you select this check box, the Zyxel Device deletes any compressed file that it cannot decompress, including files that use password encryption. The Zyxel Device cannot decompress password protected files or a file within another compressed file. There are also limits to the number of compressed files that the Zyxel Device can concurrently decompress.
*The Zyxel Device’s firmware package cannot go through the Zyxel Device with this check box enabled. The Zyxel Device classifies the firmware package as a file that cannot be decompressed and then deletes it. Clear this check box when you download a firmware package from the Zyxel website. It’s OK to upload a firmware package to the Zyxel Device with the check box selected.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
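The File decompression behaviour described in the Anti-Malware screen and again in the profile screen above, as an added Python example that is not Zyxel's code: an archive is recognised by its content rather than its extension, it is decompressed exactly once (a nested archive is reported but not opened), and a file that cannot be decompressed (password protected member, unsupported method, corrupt data) is either passed through unscanned or destroyed depending on the check box. It models ZIP only via the standard zipfile module; the signature and sample archives are constructed.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# Constructed signature table used for the members we can read.
SIGNATURES = {"Constructed.Test.A": b"CONSTRUCTED-TEST-SIGNATURE-0001"}


def has_signature(data):
    return any(sig in data for sig in SIGNATURES.values())


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def scan_archive(data, decompress=True, destroy_undecompressable=False):
    """Model of the device's archive rules.
    Returns (decision, details): decision is 'clean', 'infected',
    'destroyed' or 'passed-unscanned'; details explains what happened."""
    details = []
    # Archives are detected by content, not by a .zip/.rar extension.
    if not data.startswith(ZIP_MAGIC):
        return ("infected" if has_signature(data) else "clean"), details
    if not decompress:
        details.append("archive forwarded without decompression")
        return "passed-unscanned", details
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: encrypted
                    raise RuntimeError(f"password protected: {info.filename}")
                member = zf.read(info.filename)  # NotImplementedError if unsupported method
                if member.startswith(ZIP_MAGIC):
                    # Decompress once only: a file within a compressed file
                    # is not opened, so anything inside it is not scanned.
                    details.append(f"nested archive not scanned: {info.filename}")
                    continue
                if has_signature(member):
                    details.append(f"signature hit in {info.filename}")
                    return "infected", details
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError) as exc:
        details.append(f"cannot decompress: {exc}")
        if destroy_undecompressable:
            # The same path the page warns about for firmware packages.
            return "destroyed", details
        return "passed-unscanned", details
    return "clean", details
```

A "clean" result with a "nested archive not scanned" detail is the case the page's Notes section describes: the outer file was inspected, the inner one was not.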
Link a Profile
To link a profile to a policy, go to the Configuration > Security Policy > Policy Control screen, select a policy, and then click Edit. In the Edit Policy screen under Profile, select which profile you want to use for each security service.
Anti-Malware Advance Screen
The Security Service > Anti-Malware > Anti-Malware screen changes when using profiles.
The following table describes the labels in this screen.
Configuration > Security Service > Anti-Malware Advance 
label
description
General Setting
 
Enable
Select this checkbox to activate the anti-malware feature to protect your connected network from infection and the installation of malicious software.
Selecting this checkbox also activates Threat Intelligence Machine Learning (TIML). TIML signatures come from sandboxing inspection results and help the Zyxel Device block possible malicious or suspicious files.
Inspect all traffic, setting:
Select this to have all traffic inspected by the default_profile. You cannot rename or delete the default_profile profile, but you can edit it by clicking the link here.
Inspect by policy
If you configured a specific profile in the Profile tab for this service, select this to have specific traffic inspected by that profile. You must bind the profile to a policy in Security Policy > Policy Control.
Scan and detect EICAR test virus
Select this option to have the Zyxel Device check for an EICAR test file and treat it in the same way as a real malware file.
The EICAR test file is a standardized test file for signature based anti-malware scanners. When the scanner detects the EICAR file, it responds in the same way as if it found real malware. The EICAR file can also be compressed to test whether the anti-malware software can detect it in a compressed file.
Scan Mode
 
Express Mode
In this mode you can define which types of files are scanned using the File Type For Scan fields. The Zyxel Device then scans files by sending each file’s hash value to a cloud database using cloud query. This is the fastest scan mode.
Stream Mode
In this mode the Zyxel Device scans all files for viruses using anti-malware signatures to detect known virus patterns, and Threat Intelligence Machine Learning. Threat Intelligence Machine Learning is a master cloud database containing malware patterns learned from all Zyxel Devices. This is the deepest scan mode.
Hybrid Mode
In this mode you can define which types of files are scanned using the File Type For Scan fields. The Zyxel Device then scans files by sending each file’s hash value to a cloud database using cloud query. It also scans files using anti-malware signatures, and Threat Intelligence Machine Learning. This mode combines Express mode and Stream mode to offer a balance of speed and security.
File Type For Scan
 
Available File Types
File types that can be checked by the Zyxel Device are listed here. Note that the file types on this list are currently bypassed. To use this feature on a specific file type, click this file type and then click the right arrow button.
Applied File Types
File types that will be checked are listed here. If you don’t want a file type to be checked, click this file type and then click the left arrow button.
Signature Information
The following fields display information on the current signature set that the Zyxel Device is using.
Current Version
This field displays the signature set version number currently used by the Zyxel Device. This number gets larger as the set is enhanced.
Released Date
This field displays the date and time the set was released.
Threat Intelligence Machine Learning
The following fields display information on the Threat Intelligence Machine Learning signatures that the Zyxel Device is using.
Current Version
This field displays the TIML version number currently used by the Zyxel Device.
Released Date
This field displays the date and time this version was released.
Update Signatures
Click this link to go to the screen you can use to download signatures from the update server.
Apply
Click Apply to save your changes.
Reset
Click Reset to return the screen to its last-saved settings.
Remove Profiles
To remove profiles and revert to the default general security policy style, you must first make sure to change Inspect by policy to Inspect all traffic in the following security services: Anti-Malware, DNS Filter, URL Threat Filter, IDP, Email Security.
Note: All profiles that you created will be removed from Security Policy > Policy Control.
Run the following commands in the Zyxel Device Command Line Interface (CLI).
Router# configure terminal
Router(config)# secure-policy-style general
Router(config)# show secure-policy-style status
secure-policy-style: general
Wait a minute and then go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
After you log in again, you will not see the profile screen for this feature.