Anti-Malware
Overview
Malware is short for malicious software, such as computer viruses, worms and spyware. The Zyxel Device anti-malware feature protects your connected network from malware by scanning traffic coming in from the WAN and going out from the WAN. The traffic scanned by the Zyxel Device may include FTP traffic and email with attachments.
Viruses, Worms, and Spyware
A computer virus is a type of malicious software designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus. Spyware infiltrates your device to secretly gather information, such as your network activity, passwords, bank details, and so on.
The following describes a simple life cycle of malware.
1 A computer gets a copy of malware from a source such as the Internet, email, file sharing or any removable storage media. The malware is harmless until the execution of an infected program.
2 The malware spreads to other files and programs on the computer.
3 The infected files are unintentionally sent to another computer thus starting the spread of the malware.
4 Once the malware is spread through the network, the number of infected networked computers can grow exponentially.
Types of Malware
The following table describes some of the common malware.
Common Malware Types
Type
Description
File Infector
This is a small program that embeds itself in a legitimate program. A file infector is able to copy and attach itself to other programs that are executed on an infected computer.
Boot Sector Virus
This type of virus infects the area of a hard drive that a computer reads and executes during startup. The virus causes computer crashes and, to some extent, renders the infected computer inoperable.
Macro Virus
Macro viruses or Macros are small programs that are created to perform repetitive actions. Macros run automatically when a file to which they are attached is opened. Macros spread more rapidly than other types of viruses as data files are often shared on a network.
Email Virus
Email viruses are malicious programs that spread through email.
Polymorphic Virus
A polymorphic virus (also known as a mutation virus) tries to evade detection by changing a portion of its code structure after each execution or self-replication. This makes it harder for an anti-malware scanner to detect or intercept it.
A polymorphic virus can also belong to any of the virus types discussed above.
Hash Value
A hash function is an algorithm that maps data of arbitrary size to data of fixed size. The value returned by a hash function is a hash value. Hash values can be used to identify if the contents of a file have changed. At the time of writing, the MD5 (Message Digest 5) hash algorithm is supported.
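The following is an added example, not Zyxel's code, showing the MD5 hash value described here and how a 32-hexadecimal-character MD5 entry in the Allow List or Block List (described later in this chapter) is matched against it. It assumes entries are matched exactly and case-insensitively, and that the allow list is consulted before the block list; the guide does not state a precedence.

```python
import hashlib
import re

# Added example (not Zyxel's code). Assumptions: list entries are matched
# exactly and case-insensitively, and the allow list is checked before the
# block list (the user guide does not state a precedence).

MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")


def md5_hex(data: bytes) -> str:
    """32-character hexadecimal MD5 digest of the file content."""
    return hashlib.md5(data).hexdigest()


def valid_md5_entry(entry: str) -> bool:
    """A list entry must be exactly 32 hexadecimal characters."""
    return MD5_HEX.fullmatch(entry.strip()) is not None


def load_entries(raw_entries):
    """Keep well-formed entries (lower-cased for case-insensitive matching)
    and return the rejected ones so the administrator can correct them."""
    good, bad = set(), []
    for entry in raw_entries:
        if valid_md5_entry(entry):
            good.add(entry.strip().lower())
        else:
            bad.append(entry)
    return good, bad


def classify(data: bytes, allow: set, block: set) -> str:
    """'allow': bypass scanning; 'block': log and destroy;
    'scan': forward the hash to Cloud Query for a verdict."""
    digest = md5_hex(data)
    if digest in allow:
        return "allow"
    if digest in block:
        return "block"
    return "scan"


if __name__ == "__main__":
    # Constructed sample content; a single-byte change yields a different digest.
    original, modified = b"abc", b"abd"
    print(md5_hex(original), md5_hex(modified))
    allow, rejected = load_entries(["900150983CD24FB0D6963F7D28E17F72", "not-a-hash"])
    print(classify(original, allow, set()), rejected)
```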
Anti-Malware Scan Process
Before going through the Anti-Malware scan, the Zyxel Device first identifies the packets sent by the following four major protocols with corresponding standard ports:
FTP (File Transfer Protocol)
HTTP (Hyper Text Transfer Protocol)
SMTP (Simple Mail Transfer Protocol)
POP3 (Post Office Protocol version 3)
The Zyxel Device records the order of packets in TCP connection-oriented sessions to check for matching malware signatures. The order of non-setup packets such as SYN, ACK and FIN is ignored.
Anti-Malware Scanning Procedure:
1 The Zyxel Device uses Cloud Query to forward the file’s MD5 hash value to Defend Center.
2 If the MD5 hash value is incorrect, then the last packet of the file is removed. The file is still forwarded to the receiver, but they will not be able to open it. You can configure the Zyxel Device to create a log or send an alert when this happens.
*The receiver is not notified if a file is modified by the Zyxel Device. If the file cannot be used, the receiver should contact the Zyxel Device administrator, who can check the logs to confirm whether the Zyxel Device modified the file.
File Scanning Cloud Query Supported File Types
At the time of writing, the following file types are supported:
7z Archive (7z)
AVI Video (avi)
BMP Image (bmp)
BZ2 Archive (bz2)
Executables (exe)
Macromedia Flash Data (swf)
GIF Image (gif)
GZ Archive (gz)
JPG Image (jpg)
MOV Video (mov)
MP3 Audio (mp3)
MPG Video (mpg)
MS Office Document (doc...)
PDF Document (pdf)
PNG Image (png)
RAR Archive (rar)
RM Video (rm)
RTF Document (rtf)
TIFF Image (tif)
WAV Audio (wav)
ZIP Archive (zip)
Notes About the Zyxel Device Anti-Malware
The following lists important notes about the Zyxel Device’s anti-malware feature:
1 Zyxel’s anti-malware feature can detect polymorphic malware (see Overview).
2 When malware is detected, a log is created or an alert message is sent to the administrator depending on your log settings.
3 Changes to the Zyxel Device’s anti-malware settings only affect new sessions, not sessions that already existed before you applied the changed settings.
4 Enabling Cloud Query may affect file transfer speeds.
5 The Zyxel Device does not scan the following file/traffic types:
Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously.
Encrypted traffic. This could be password-protected files or VPN traffic where the Zyxel Device is not the endpoint (pass-through VPN traffic).
Traffic through custom (non-standard) ports. The Zyxel Device scans whatever port number is specified for FTP in the ALG screen.
Anti-Malware Screen
If a license has expired, you will see a reminder in this screen. You need to renew the license in order to keep using the feature. Click Buy Now to go to Marketplace to purchase a new license. Click See Details to go to the Zyxel web page to find more information on licenses for your Zyxel Device.
Click the Anti-Malware icon for more information on the Zyxel Device’s security features.
*See Subscription Services Available for more information on the subscription services for the two types of security packs.
*If Destroy infected file is disabled and log is set to no, the Zyxel Device will still perform the scan but will not do anything else. It is recommended to enable at least one of the two functions.
If Destroy infected file is disabled, any malicious file found can still be executed by the end user after it is forwarded. The administrator would have to inform the user if there is an infected file.
The following table describes the labels in this screen.
Security Service > Anti-Malware
Label
Description
General Setting
Enable
Click to activate the anti-malware feature to protect your connected network from infection and the installation of malicious software.
Collect Statistics
Click to have the Zyxel Device collect anti-malware statistics. All of the statistics are erased if you restart the Zyxel Device or click Flush Data in Security Statistics > Anti-Malware.
Scan and detect EICAR test virus
Click to have the Zyxel Device check for an EICAR test file and treat it in the same way as a real malware file.
The EICAR test file is a standardized test file for signature based anti-malware scanners. When the scanner detects the EICAR file, it responds in the same way as if it found real malware. The EICAR file can also be compressed to test whether the anti-malware software can detect it in a compressed file.
File size limit
Set the maximum file size the Zyxel Device anti-malware will scan. A file that exceeds the size you set here passes through without being scanned by the Zyxel Device anti-malware.
Destroy infected file
When you select this check box and a malware signature is matched, the Zyxel Device overwrites the infected portion of the file with zeros before the file is forwarded to the user. The uninfected portion of the file passes through unmodified.
Log
These are the log options:
no: Do not create a log when a packet matches a signature.
log: Create a log on the Zyxel Device when a packet matches a signature.
log alert: An alert is an emailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a packet matches a signature(s).
File Type for Scan
File types that can be checked by the Zyxel Device are listed here. Note that the files on this list are currently bypassed. To use this feature on a specific file type, click this file type and then click the right arrow button.
Search
Type an item in the search box, then click this to display all file types in the table below according to the item you typed.
Select All
Select this to select all file types in the table.
Apply
Click Apply to save your changes.
Cancel
Click Cancel to return the screen to its last-saved settings.
The Allow List Screen
An allow list lets you specify an MD5 hash or file name pattern to ignore in order to avoid false positives. False positives occur when a non-infected file matches a malware signature.
Enter a file name pattern or MD5 hash that should cause the Zyxel Device to allow the file.
Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry.
The following table describes the fields in this screen.
Security Service > Anti-Malware > Allow List
Label
Description
Enable Allow List
Select this to have the Zyxel Device skip scanning and automatically allow incoming files whose names or MD5 hash values match the allow list patterns.
Log
These are the log options:
no: Do not create a log when a packet matches a signature.
log: Create a log on the Zyxel Device when a packet matches a signature.
MD5 Hash
Configure the settings to automatically allow incoming files whose MD5 hash value matches an entry you set. An MD5 hash is 32 hexadecimal characters.
Add
Click this to create a new entry.
Remove
Select an entry and click this to delete it.
Active
To turn on an entry, select it and click Active.
Inactive
To turn off an entry, select it and click Inactive.
Column
Click the column icon to select the fields you want to show in the table. Clear the check box of any field you want to hide.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Value
This field displays the hash pattern of the entry.
Enter the MD5 hash for this entry. It identifies, by content rather than by name, files that the Zyxel Device should not scan for viruses.
Edit
Select an entry and click this icon to modify it.
Remove
Select an entry and click this icon to delete it.
Save Changes
Click this icon to save the changes in this row.
Cancel Changes
Click this icon to cancel the changes in this row.
File Name Pattern
Configure the settings to automatically allow incoming files with names that match the patterns you set.
Add
Click this to create a new entry.
Remove
Select an entry and click this to delete it.
Active
To turn on an entry, select it and click Active.
Inactive
To turn off an entry, select it and click Inactive.
Column
Click the column icon to select the fields you want to show in the table. Clear the check box of any field you want to hide.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Name
This field displays the file pattern of the entry.
Enter the file pattern for this entry. Specify a pattern to identify the names of files that the Zyxel Device should not scan for viruses.
Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
A question mark (?) lets a single character in the file name vary. For example, use “a?.zip” (without the quotation marks) to specify aa.zip, ab.zip and so on.
Wildcards (*) let multiple files match the pattern. For example, use “*a.zip” (without the quotation marks) to specify any file that ends with “a.zip”. A file named “testa.zip” would match. There could be any number (of any type) of characters in front of the “a.zip” at the end and the file name would still match. A file named “test.zipa”, for example, would not match.
A * in the middle of a pattern has the Zyxel Device check the beginning and end of the file name and ignore the middle. For example, with “abc*.zip”, any file starting with “abc” and ending in “.zip” matches, no matter how many characters are in between.
The whole file name has to match if you do not use a question mark or asterisk.
If you do not use a wildcard, the Zyxel Device checks up to the first 80 characters of a file name.
Edit
Select an entry and click this icon to modify it.
Remove
Select an entry and click this icon to delete it.
Save Changes
Click this icon to save the changes in this row.
Cancel Changes
Click this icon to cancel the changes in this row.
The Block List Screen
A block list lets you specify an MD5 hash or file name pattern that you want to block.
Enter a file name pattern or MD5 hash that should cause the Zyxel Device to log and then destroy the file.
Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry.
The following table describes the fields in this screen.
Security Services > Anti-Malware > Block/Allow List > Block List
Label
Description
Enable Block List
Select this to have the Zyxel Device skip scanning and automatically block incoming files whose names or MD5 hash values match the block list patterns.
Log
These are the log options:
no: Do not create a log when a packet matches a signature.
log: Create a log on the Zyxel Device when a packet matches a signature.
MD5 Hash
Configure the settings to automatically block incoming files whose MD5 hash value matches an entry you set. An MD5 hash is 32 hexadecimal characters.
Add
Click this to create a new entry.
Remove
Select an entry and click this to delete it.
Active
To turn on an entry, select it and click Active.
Inactive
To turn off an entry, select it and click Inactive.
Column
Click the column icon to select the fields you want to show in the table. Clear the check box of any field you want to hide.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Value
This field displays the hash pattern of the entry.
Enter the MD5 hash for this entry. It identifies, by content rather than by name, files that the Zyxel Device should log and then destroy.
Edit
Select an entry and click this icon to modify it.
Remove
Select an entry and click this icon to delete it.
Save Changes
Click this icon to save the changes in this row.
Cancel Changes
Click this icon to cancel the changes in this row.
File Name Pattern
Configure the settings to automatically block incoming files with names that match the patterns you set.
Add
Click this to create a new entry.
Remove
Select an entry and click this to delete it.
Active
To turn on an entry, select it and click Active.
Inactive
To turn off an entry, select it and click Inactive.
Column
Click the column icon to select the fields you want to show in the table. Clear the check box of any field you want to hide.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Value
This field displays the file pattern of the entry.
Enter the file pattern for this entry. Specify a pattern to identify the names of files that the Zyxel Device should log and then destroy.
Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
A question mark (?) lets a single character in the file name vary. For example, use “a?.zip” (without the quotation marks) to specify aa.zip, ab.zip and so on.
Wildcards (*) let multiple files match the pattern. For example, use “*a.zip” (without the quotation marks) to specify any file that ends with “a.zip”. A file named “testa.zip” would match. There could be any number (of any type) of characters in front of the “a.zip” at the end and the file name would still match. A file named “test.zipa”, for example, would not match.
A * in the middle of a pattern has the Zyxel Device check the beginning and end of the file name and ignore the middle. For example, with “abc*.zip”, any file starting with “abc” and ending in “.zip” matches, no matter how many characters are in between.
The whole file name has to match if you do not use a question mark or asterisk.
If you do not use a wildcard, the Zyxel Device checks up to the first 80 characters of a file name.
Edit
Select an entry and click this icon to modify it.
Remove
Select an entry and click this icon to delete it.
Save Changes
Click this icon to save the changes in this row.
Cancel Changes
Click this icon to cancel the changes in this row.
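The following is an added example, not Zyxel's code, of the File Name Pattern rules given for both the Allow List and the Block List screens: up to 80 characters, “?” varies exactly one character, “*” matches any run of characters, and a pattern with no wildcard must equal the first 80 characters of the file name. It assumes “.” is a permitted character (the guide's own examples use it) and that matching is case-sensitive, which the guide does not specify.

```python
import re
from typing import Iterable, Optional

# Added example (not Zyxel's code). Assumptions: "." is accepted because the
# guide's examples such as "a?.zip" use it; matching is case-sensitive.

ALLOWED_PATTERN = re.compile(r"[A-Za-z0-9_\-?*.]{1,80}")


def valid_pattern(pattern: str) -> bool:
    """True if the pattern uses only the permitted characters and length."""
    return ALLOWED_PATTERN.fullmatch(pattern) is not None


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the wildcard pattern into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")       # any number of any characters
        elif ch == "?":
            parts.append(".")        # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def name_matches(pattern: str, filename: str) -> bool:
    """Apply one list entry to one file name."""
    if not valid_pattern(pattern):
        raise ValueError(f"invalid pattern: {pattern!r}")
    if "*" not in pattern and "?" not in pattern:
        # No wildcard: whole-name comparison, limited to the first 80 characters.
        return pattern == filename[:80]
    return pattern_to_regex(pattern).fullmatch(filename) is not None


def first_match(filename: str, patterns: Iterable[str]) -> Optional[str]:
    """Return the first entry that matches, or None if the file would be scanned."""
    for pattern in patterns:
        if name_matches(pattern, filename):
            return pattern
    return None


if __name__ == "__main__":
    entries = ["a?.zip", "*a.zip", "abc*.zip"]   # constructed sample list
    for name in ("aa.zip", "testa.zip", "test.zipa", "abcdef.zip"):
        print(name, first_match(name, entries))
```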