Anti-Virus

See the Anti-Virus section for related information on these screens.

Anti-Virus Overview

A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself. The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected to wiping out the entire contents of a hard drive to rendering your computer inoperable.

Introduction to the ZyWALL Anti-Virus Scanner

The ZyWALL has a built-in signature database. Setting up the ZyWALL between your local network and the Internet allows the ZyWALL to scan files passing through the enabled interfaces into your network. As a network-based anti-virus scanner, the ZyWALL helps stop threats at the network edge before they reach the local host computers.

You can set the ZyWALL to examine files received through the following protocols:

The ZyWALL checks traffic going in the direction(s) you specify for signature matches.

Notes About the ZyWALL Anti-Virus

The following lists important notes about the anti-virus scanner:

  • Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously.
  • Encrypted traffic. This could be password-protected files or VPN traffic where the ZyWALL is not the endpoint (pass-through VPN traffic).
  • Traffic through custom (non-standard) ports. The only exception is FTP traffic. The ZyWALL scans whatever port number is specified for FTP in the ALG screen.
  • ZIP file(s) within a ZIP file.

Anti-Virus Summary

    Note: You must register for the anti-virus service (at least the trial) before you can use it.

    See Registration for how to register.

    Anti-X > Anti-Virus > Summary 

    label
    description
    Enable Anti-Virus and Anti-Spyware
    Select this check box to check traffic for viruses and spyware. The following table lists rules that define which traffic the ZyWALL scans and the action it takes upon finding a virus.
    Priority
    This is the position of an anti-virus rule in the list. The ordering of your anti-virus rules is important as the ZyWALL applies them in sequence. Once traffic matches an anti-virus rule, the ZyWALL applies that rule and does not check the traffic against any more rules.
    From
    The anti-virus rule has the ZyWALL scan traffic coming from this zone and going to the To zone.
    To
    The anti-virus rule has the ZyWALL scan traffic going to this zone from the From zone.
    Protocol
    These are the protocols of traffic to scan for viruses.
    FTP applies to traffic using the TCP port number specified for FTP in the ALG screen.
    HTTP applies to traffic using TCP ports 80, 8080 and 3128.
    SMTP applies to traffic using TCP port 25.
    POP3 applies to traffic using TCP port 110.
    IMAP4 applies to traffic using TCP port 143.
    Add icon
    Click the Add icon in the heading row to add a new first entry.
    The Active icon displays whether the entry is enabled or not. Click it to activate or deactivate the entry.
    Click the Edit icon to go to the screen where you can edit the entry on the ZyWALL.
    Click the Add icon in an entry to add a rule below the current entry.
    Click the Remove icon to delete an existing entry from the ZyWALL. A window displays asking you to confirm that you want to delete the entry. Note that subsequent entries move up by one when you take this action.
    In a numbered list, click the Move to N icon to display a field to type an index number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed. For example, if you type 6, the rule you are moving becomes number 6 and the previous rule 6 (if there is one) gets pushed up (or down) one.
    The ordering of your rules is important as they are applied in order of their numbering.
    Registration
    The following fields display information about the current state of your subscription for virus signatures.
    Registration Status
    This field displays whether a service is activated (Licensed) or not (Not Licensed) or expired (Expired).
    Registration Type
    This field displays whether you applied for a trial application (Trial) or registered a service with your iCard's PIN number (Standard). None displays when the service is not activated.
    Apply new Registration
    This link appears if you have not registered for the service or only have the trial registration. Click this link to go to the screen where you can register for the service.
    Signature Information
    The following fields display information on the current signature set that the ZyWALL is using.
    Current Version
    This field displays the anti-virus signature set version number. This number gets larger as the set is enhanced.
    Signature Number
    This field displays the number of anti-virus signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones.
    Released Date
    This field displays the date and time the set was released.
    Update Signatures
    Click this link to go to the screen you can use to download signatures from the update server.
    Apply
    Click Apply to save your changes.
    Reset
    Click Reset to start configuring this screen again.

    Anti-Virus Policy Edit

    Anti-X > Anti-Virus > Summary > Edit 

    label
    description
    Enable
    Select this check box to have the ZyWALL apply this anti-virus rule to check traffic for viruses.
    From
    To
    Select source and destination zones for traffic to scan for viruses. The anti-virus rule has the ZyWALL scan traffic coming from the From zone and going to the To zone.
    Protocols to Scan
    Select which protocols of traffic to scan for viruses.
    FTP applies to traffic using the TCP port number specified for FTP in the ALG screen.
    HTTP applies to traffic using TCP ports 80, 8080 and 3128.
    SMTP applies to traffic using TCP port 25.
    POP3 applies to traffic using TCP port 110.
    IMAP4 applies to traffic using TCP port 143.
    Actions When Matched
     
    Destroy infected file
    When you select this check box, if a virus pattern is matched, the ZyWALL overwrites the infected portion of the file (and the rest of the file) with zeros. The un-infected portion of the file before a virus pattern was matched goes through unmodified.
    Send Windows Message
    Select this check box to set the ZyWALL to send a message alert to files' intended user(s) using Microsoft Windows computers connected to the To interface.
    Log
    These are the log options:
    no: Do not create a log when a packet matches a signature(s).
    log: Create a log on the ZyWALL when a packet matches a signature(s).
    log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert when a packet matches a signature(s).
    White List / Black List
     
    Bypass white list checking
    Select this check box to not check files against the white list. This disables the white list for traffic that matches this anti-virus rule.
    Bypass black list checking
    Select this check box to not check files against the black list. This disables the black list for traffic that matches this anti-virus rule.
    File decompression
     
    Enable file decompression (ZIP and RAR)
    Select this check box to have the ZyWALL scan a ZIP file (the file does not have to have a "zip" or "rar" file extension). The ZyWALL first decompresses the ZIP file and then scans the contents for viruses.

    Note: The ZyWALL decompresses a ZIP file once. The ZyWALL does NOT decompress any ZIP file(s) within a ZIP file.

    Destroy compressed files that could not be decompressed

    Note: When you select this option, the ZyWALL deletes ZIP files that use password encryption.

    Select this check box to have the ZyWALL delete any ZIP files that it is not able to unzip. The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip.

    Note: The ZyWALL's firmware package cannot go through the ZyWALL with this option enabled. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it.

    You can upload the firmware package to the ZyWALL with the option enabled, so you only need to clear this option while you download the firmware package.
    OK
    Click OK to save your changes.
    Cancel
    Click Cancel to exit this screen without saving your changes.
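The file decompression limits above (one level of ZIP only, no password-protected archives) can be checked for on a workstation before relying on the gateway. The following is an added example, not ZyXEL code: `make_zip` and `classify_archive` are hypothetical helper names, the sample archives are constructed in memory, and the 16 MiB member cap is an assumption chosen for the sketch.

```python
import io
import zipfile

MAX_MEMBER = 16 * 1024 * 1024  # assumed cap so a decompression bomb is never unpacked


def make_zip(members):
    """Build a ZIP archive in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify_archive(data):
    """Return how a scanner that unpacks only one ZIP level would see `data`.

    'not-zip'   : not a ZIP archive at all
    'encrypted' : at least one member is password protected (cannot be unpacked)
    'oversize'  : a member exceeds MAX_MEMBER and was not inspected
    'nested'    : a member is itself a ZIP, so its contents stay unscanned
    'scannable' : every member is visible after a single decompression pass
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-zip"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # Bit 0 of the general purpose flag marks an encrypted member.
        if any(info.flag_bits & 0x1 for info in infos):
            return "encrypted"
        for info in infos:
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER:
                return "oversize"
            # Check content, not the extension: the file name does not decide this.
            if zipfile.is_zipfile(io.BytesIO(zf.read(info))):
                return "nested"
    return "scannable"


if __name__ == "__main__":
    plain = make_zip({"readme.txt": b"constructed sample"})
    nested = make_zip({"inner.dat": plain})
    for label, blob in (("plain", plain), ("nested", nested)):
        print(label, "->", classify_archive(blob))
```

Archives reported as `encrypted` or `nested` are the ones the ZyWALL either passes unscanned or deletes, depending on the "Destroy compressed files that could not be decompressed" setting, so they need scanning on the host.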

    Anti-Virus Setting

    Anti-X > Anti-Virus > Setting 

    label
    description
    Scan EICAR
    Select this option to have the ZyWALL check for the EICAR test file and treat it in the same way as a real virus file. The EICAR test file is a standardized test file for signature based anti-virus scanners. When the virus scanner detects the EICAR file, it responds in the same way as if it found a real virus. Besides straightforward detection, the EICAR file can also be compressed to test whether the anti-virus software can detect it in a compressed file. The test string consists of the following human-readable ASCII characters.
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    White List
    Use the white list to have the ZyWALL not perform the anti-virus check on files with names that match the white list patterns.
    Enable White List
    Select this check box to have the ZyWALL not perform the anti-virus check on files with names that match the white list patterns.
    Total Rule
    This is the number of entries configured.
    rules per page
    Select how many entries you want to display on each page.
    Page x of x
    This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries.
    #
    This is the entry's index number in the list.
    File Pattern
    This is the file name pattern. If a file's name matches this pattern, the ZyWALL does not check the file for viruses.
    Add icon
    This column provides icons to add, activate / deactivate, edit, and remove entries.
    To add an entry, click the Add icon at the top of the column.
    Click an entry's Active icon to activate or deactivate the entry.
    Click an entry's Edit icon to edit the entry.
    To delete an entry, click the entry's Remove icon. The web configurator confirms that you want to delete the entry.
    Black List
    Use the black list to log and delete files with names that match the black list patterns.
    Enable Black List
    Select this check box to log and delete files with names that match the black list patterns.
    Total Rule
    This is the number of entries configured.
    rules per page
    Select how many entries you want to display on each page.
    Page x of x
    This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries.
    #
    This is the entry's index number in the list.
    File Pattern
    This is the file name pattern. If a file's name matches this pattern, the ZyWALL logs and deletes the file.
    Add icon
    This column provides icons to add, activate / deactivate, edit, and remove entries.
    To add an entry, click the Add icon at the top of the column.
    Click an entry's Active icon to activate or deactivate the entry.
    Click an entry's Edit icon to edit the entry.
    To delete an entry, click the entry's Remove icon. The web configurator confirms that you want to delete the entry.
    Apply
    Click Apply to save your changes.
    Reset
    Click Reset to start configuring this screen again.

    Anti-Virus White List Add/Edit

    Use this screen to create an anti-virus white list entry for a file pattern that should cause the ZyWALL to not scan a file for viruses.

    Anti-X > Anti-Virus > Setting > White List Add 

    label
    description
    Enable
    Select this option to have the ZyWALL apply this white list entry when using the white list.
    File Pattern
    Specify a pattern to identify the names of files that the ZyWALL should not scan for viruses.
    Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
    A question mark (?) lets a single character in the file name vary. For example, use "a?.zip" (without the quotation marks) to specify aa.zip, ab.zip and so on.
    Wildcards (*) let multiple files match the pattern. For example, use "*a.zip" (without the quotation marks) to specify any file that ends with "a.zip". A file named "testa.zip" would match. There could be any number (of any type) of characters in front of the "a.zip" at the end and the file name would still match. A file named "test.zipa" for example would not match.
    A * in the middle of a pattern has the ZyWALL check the beginning and end of the file name and ignore the middle. For example, with "abc*.zip", any file starting with "abc" and ending in ".zip" matches, no matter how many characters are in between.
    The whole file name has to match if you do not use a question mark or asterisk.
    If you do not use a wildcard, the ZyWALL checks up to the first 80 characters of a file name.
    OK
    Click OK to save your changes.
    Cancel
    Click Cancel to exit this screen without saving your changes.

    Anti-Virus Black List Add/Edit

    Use this screen to create an anti-virus black list entry for a file pattern that should cause the ZyWALL to log and delete a file.

    Anti-X > Anti-Virus > Setting > Black List Add 

    label
    description
    Enable
    Select this option to have the ZyWALL apply this black list entry when using the black list.
    File Pattern
    Specify a pattern to identify the names of files that the ZyWALL should log and delete.
    Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
    A question mark (?) lets a single character in the file name vary. For example, use "a?.zip" (without the quotation marks) to specify aa.zip, ab.zip and so on.
    Wildcards (*) let multiple files match the pattern. For example, use "*a.zip" (without the quotation marks) to specify any file that ends with "a.zip". A file named "testa.zip" would match. There could be any number (of any type) of characters in front of the "a.zip" at the end and the file name would still match. A file named "test.zipa" for example would not match.
    A * in the middle of a pattern has the ZyWALL check the beginning and end of the file name and ignore the middle. For example, with "abc*.zip", any file starting with "abc" and ending in ".zip" matches, no matter how many characters are in between.
    The whole file name has to match if you do not use a question mark or asterisk.
    If you do not use a wildcard, the ZyWALL checks up to the first 80 characters of a file name.
    OK
    Click OK to save your changes.
    Cancel
    Click Cancel to exit this screen without saving your changes.
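The white list and black list File Pattern rules described above match on the file name only, so a broad white list pattern exempts every file carrying a matching name from scanning. The following added example (not ZyXEL code) models the documented `?` and `*` rules so that patterns can be reviewed offline before they are entered. The function names and sample file names are constructed; case-sensitive matching and the exact handling of the 80-character limit are assumptions, since the page does not specify them.

```python
import re

MAX_PATTERN_LEN = 80  # limit stated on this page


def compile_pattern(pattern):
    """Translate a ZyWALL-style file pattern into a regular expression."""
    if not 0 < len(pattern) <= MAX_PATTERN_LEN:
        raise ValueError("pattern must be 1 to 80 characters")
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")       # exactly one character may vary
        elif ch == "*":
            parts.append(".*")      # any number of characters of any type
        else:
            parts.append(re.escape(ch))
    # Assumption: matching is case-sensitive (not stated on the page).
    return re.compile("".join(parts), re.DOTALL)


def matches(pattern, file_name):
    """True if the whole file name matches the pattern."""
    if "?" not in pattern and "*" not in pattern:
        # Assumption: without wildcards only the first 80 characters are compared.
        file_name = file_name[:MAX_PATTERN_LEN]
    return compile_pattern(pattern).fullmatch(file_name) is not None


def unscanned_by_white_list(patterns, file_names):
    """Map each file name that would skip scanning to the first pattern matching it."""
    hits = {}
    for name in file_names:
        for pattern in patterns:
            if matches(pattern, name):
                hits[name] = pattern
                break
    return hits


if __name__ == "__main__":
    # Constructed white list and file names for review.
    white_list = ["*.zip", "update_??.bin"]
    seen = ["setup.exe", "invoice.exe.zip", "update_07.bin"]
    for name, pattern in unscanned_by_white_list(white_list, seen).items():
        print(f"{name!r} skips scanning because of {pattern!r}")
```

Running the same check with black list patterns shows which names would be logged and deleted instead.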

    Signature Searching

    Use this screen to locate signatures and display details about them.

    If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue.

    Anti-X > Anti-Virus > Signature 

    LABEL
    Description
    Signatures Search
    Select the criteria on which to perform the search.
    Select By Name from the drop down list box and type the name or part of the name of the signature(s) you want to find. This search is not case-sensitive.
    Select By ID from the drop down list box and type the ID or part of the ID of the signature you want to find.
    Select By Severity from the drop down list box and select the severity level of the signatures you want to find.
    Select By Category from the drop down list box and select whether you want to see virus signatures or spyware signatures.
    Click Search to have the ZyWALL search the signatures based on your specified criteria.
    Query Signatures and Export
    Click Export to have the ZyWALL save all of the anti-virus signatures to your computer in a .txt file.
    Query Result
     
    Total Signature
    This is the number of signatures that matched your search criteria.
    signatures per page
    Select how many entries you want to display on each page.
    Page x of x
    This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries.
    Name
    This is the name of the anti-virus signature. Click the Name column heading to sort your search results in ascending or descending order according to the signature name.
    Click a signature's name to see details about the virus.
    ID
    This is the identification number of the anti-virus signature. Click the ID column header to sort your search results in ascending or descending order according to the ID.
    Severity
    This is the severity level of the anti-virus signature. Click the severity column header to sort your search results by ascending or descending severity.
    Category
    This column displays whether the signature is for identifying a virus or spyware. Click the column heading to sort your search results by category.