SonicWALL, Inc.


SonicWALL's Unified Threat Management Solution

SonicWALL Gateway Anti-Virus is included in SonicWALL's unified threat management solution that integrates Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service into an intelligent, real-time network security solution. SonicWALL Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service delivers unified threat management directly on the SonicWALL security appliance gateway.

Utilizing a configurable, high-performance deep packet inspection architecture, SonicWALL Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service secures the network from the core to the perimeter against a comprehensive array of dynamic threats including viruses, spyware, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code. Because new threats emerge daily and are often unpredictable, the deep packet inspection architecture is constantly updated to deliver the highest protection against an ever-changing threat landscape.

SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service inspects e-mail, Web traffic, file transfers, a multitude of stream-based protocols, as well as instant messaging and peer-to-peer applications. Because files containing malicious code, viruses and worms can be compressed and therefore inaccessible to conventional solutions, SonicWALL Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service integrates advanced decompression technology that automatically decompresses and scans files on a per packet basis. Supported compression formats include ZIP, Deflate and GZIP. As an added layer of security, SonicWALL Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service provides application layer attack protection not only against external threats, but also against those originating inside the network.

Unlike other threat management solutions, SonicWALL Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service has the capacity to analyze files of any size in real-time without the need to add expensive hardware drive or extra memory. SonicWALL Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service includes a pro-active alerting mechanism that notifies network administrators when a new threat is discovered. Granular policy tools and an intuitive user interface enable administrators to configure a custom set of detection or prevention policies tailored to their specific network environment. Network administrators can create global policies between security zones and group attacks by priority, simplifying deployment and management across a distributed network.

SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service Features

SonicWALL GAV Enhancements in SonicOS 3.2 Enhanced

The following enhancements have been added to GAV for SonicOS 3.2 Enhanced:

SonicWALL Gateway Anti-Virus Overview

SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by using SonicWALL's IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the SonicWALL gateway. Building on SonicWALL's reassembly-free architecture, SonicWALL GAV inspects multiple application protocols, as well as generic TCP streams, and compressed traffic. Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis.

SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching downloaded or e-mailed files against an extensive and dynamically updated database of threat virus signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are created and added to the database by a combination of SonicWALL's SonicAlert Team, third-party virus analysts, open source developers and other sources.

SonicWALL GAV can be configured to protect against internal threats as well as those originating outside the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols, to provide administrators with comprehensive network threat prevention and control. Because files containing malicious code and viruses can also be compressed and therefore inaccessible to conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that automatically decompresses and scans files on a per packet basis.

SonicWALL GAV Multi-Layered Approach

SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop, the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure all users have the latest updates and monitors files as they come into the network.

Remote Site Protection

  1. Users send typical e-mail and files between remote sites and the corporate office.
  2. SonicWALL GAV scans and analyses files and e-mail messages on the SonicWALL security appliance.
  3. Viruses are found and blocked before infecting remote desktop.
  4. Virus is logged and alert is sent to administrator.

Internal Network Protection

  1. Internal user contracts a virus and releases it internally.
  2. All files are scanned at the gateway before being received by other network users.
  3. If virus is found, file is discarded.
  4. Virus is logged and alert is sent to administrator.

HTTP File Downloads

  1. Client makes a request to download a file from the Web.
  2. File is downloaded through the Internet.
  3. File is analysed by the SonicWALL GAV engine for malicious code and viruses.
  4. If virus found, file discarded.
  5. Virus is logged and alert sent to administrator.

Server Protection

  1. Outside user sends an incoming e-mail.
  2. E-mail is analysed by the SonicWALL GAV engine for malicious code and viruses before it is received by the e-mail server.
  3. If virus found, threat prevented.
  4. E-mail is returned to sender, virus is logged, and alert sent to administrator.

SonicWALL GAV Architecture

SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance. SonicWALL GAV includes advanced decompression technology that can automatically decompress and scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis. Reassembly-free virus scanning functionality of the SonicWALL GAV engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without ever buffering any of the bytes within the stream.

Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection is based on high performance state machines which are specific to each supported protocol. SonicWALL GAV delivers protection by inspecting the most common protocols used in today's networked environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols. This closes potential backdoors that can be used to compromise the network while also improving employee productivity and conserving Internet bandwidth.
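The single-pass, per-packet idea described in this section can be illustrated with a short Python sketch. It is an added example, not SonicWALL's engine or code: the class names, the constructed marker used as a "signature", and the 7-byte packet size are all assumptions made for illustration. It decodes base64 and inflates GZIP as each packet arrives and matches signatures across packet boundaries while carrying only a few bytes between packets.

```python
import base64
import gzip
import zlib

# Constructed, harmless marker standing in for one virus signature.
SIGNATURES = {"Constructed.Test.Marker": b"CONSTRUCTED-GAV-TEST-MARKER"}


class Base64Stream:
    """Decodes base64 as it arrives, carrying at most 3 undecoded characters."""

    def __init__(self):
        self.pending = b""

    def feed(self, chunk):
        # Drop MIME line breaks, then decode only complete 4-character groups.
        data = self.pending + bytes(c for c in chunk if c not in b"\r\n\t ")
        usable = len(data) - len(data) % 4
        self.pending = data[usable:]
        return base64.b64decode(data[:usable])


class StreamMatcher:
    """Matches signatures across packet boundaries using a short overlap tail."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.keep = max(len(s) for s in signatures.values()) - 1
        self.tail = b""
        self.hits = set()

    def feed(self, data):
        window = self.tail + data
        self.hits.update(n for n, s in self.signatures.items() if s in window)
        # Keep only enough bytes to complete a signature split across packets.
        self.tail = window[-self.keep:] if self.keep else b""


class StreamScanner:
    """Decode -> inflate -> match, one packet at a time, never the whole file."""

    def __init__(self, signatures, base64_encoded=False, gzip_compressed=False):
        self.b64 = Base64Stream() if base64_encoded else None
        # wbits = 16 + MAX_WBITS tells zlib to expect a gzip header and trailer.
        self.inflater = (zlib.decompressobj(16 + zlib.MAX_WBITS)
                         if gzip_compressed else None)
        self.matcher = StreamMatcher(signatures)

    def feed(self, packet):
        data = packet
        if self.b64:
            data = self.b64.feed(data)
        if self.inflater:
            data = self.inflater.decompress(data)
        self.matcher.feed(data)

    def carried_bytes(self):
        # Payload bytes held between packets (zlib's fixed 32 KiB window excluded).
        return len(self.matcher.tail) + (len(self.b64.pending) if self.b64 else 0)


def scan_in_packets(wire, packet_size, **layers):
    """Feed `wire` in packet_size slices; return (sorted hits, peak carried bytes)."""
    scanner = StreamScanner(SIGNATURES, **layers)
    peak = 0
    for i in range(0, len(wire), packet_size):
        scanner.feed(wire[i:i + packet_size])
        peak = max(peak, scanner.carried_bytes())
    return sorted(scanner.matcher.hits), peak


# Constructed sample: filler + marker + filler, gzip-compressed, then base64 with
# MIME-style line breaks, as an e-mail attachment would appear on the wire.
FILLER = bytes((i * 37 + 11) % 251 for i in range(4000))
PAYLOAD = FILLER + SIGNATURES["Constructed.Test.Marker"] + FILLER
SAMPLE_WIRE = base64.encodebytes(gzip.compress(PAYLOAD))

if __name__ == "__main__":
    print(scan_in_packets(SAMPLE_WIRE, 7, base64_encoded=True, gzip_compressed=True))
    print(scan_in_packets(SAMPLE_WIRE, 7))  # no decoding layers: marker is missed
```

The second call shows why a scanner that matches only the raw wire bytes misses content that is encoded or compressed in transit.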

SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service Activation

If you do not have SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service installed on your SonicWALL security appliance, the Security Services > Anti-Spyware page indicates an upgrade is required and includes a link to activate it from your SonicWALL security appliance management interface.

Because SonicWALL Gateway Anti-Virus is part of the unified SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, you will have a single License Key to activate all three services on your SonicWALL security appliance.

You must activate the SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service license from the Security Services > Intrusion Prevention page first. Once you have activated Intrusion Prevention Service, you can then activate SonicWALL Gateway Anti-Virus and SonicWALL Anti-Spyware.

To activate a SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service on your SonicWALL security appliance, you need the following:

Creating a mySonicWALL.com Account

Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online registration form in the SonicWALL security appliance management interface.

Note: If you already have a mySonicWALL.com account, go to Registering Your SonicWALL Security Appliance on page 516.

  1. Log into the SonicWALL security appliance management interface.
  2. If the System > Status page is not displayed in the management interface, click System in the left-navigation menu, and then click Status.
  3. On the System > Status page, in the Security Services section, click the Register link in Your SonicWALL is not registered. Click here to Register your SonicWALL.
  4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL account, please click here to create one.
  5. In the MySonicWall Account page, enter your information in the Account Information, Personal Information and Preferences fields. All fields marked with an asterisk (*) are required fields.

      Note: Remember your username and password to access your mySonicWALL.com account.
  6. Click Submit after completing the MySonicWALL Account form.
  7. When the mySonicWALL.com server has finished processing your account, you will see a page saying that your account has been created. Click Continue.

Congratulations. Your mySonicWALL.com account is activated.

Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.

Note: mySonicWALL.com registration information is not sold or shared with any other company.

Registering Your SonicWALL Security Appliance

  1. Log into the SonicWALL security appliance management interface.
  2. If the System > Status page is not displaying in the management interface, click System in the left-navigation menu, and then click Status.
  3. On the System > Status page, in the Security Services section, click the Register link. The mySonicWALL.com Login page is displayed.
  4. Enter your mySonicWALL.com account username and password in the User Name and Password fields, then click Submit.
  5. The next several pages inform you about the free trials available to you for SonicWALL's Security Services:
    • Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
    • Network Anti Virus - Provides desktop and server anti-virus protection with software running on each computer.
    • Premium Content Filtering Service - Enhances productivity by limiting access to objectionable Web content.
    • Intrusion Prevention Service - Protects your network against worms, Trojans, and application layer attacks.
    • Anti-Spyware - Protects your network from malicious spyware by blocking spyware installations at the gateway and disrupts.
    • Click Continue on each page.

      Note: Clicking on the Continue button does not activate the FREE TRIAL versions of these SonicWALL Security Services.
  6. At the top of the Product Survey page, enter a "friendly name" for your SonicWALL content security appliance in the Friendly Name field. The friendly name allows you to easily identify your SonicWALL content security appliance in your mySonicWALL.com account.
  7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit your needs.
  8. Click Submit.
  9. When the mySonicWALL.com server has finished processing your registration, a page is displayed informing you that the SonicWALL security appliance is registered. Click Continue, and the System > Licenses page is displayed showing you the available services. You can activate the service from this page or the specific service page under the Security Services left-navigation menu in the management interface.

Activating the SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service License

Because SonicWALL Anti-Spyware is part of SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, the Activation Key you receive is for all three services on your SonicWALL security appliance.

If you do not have a SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service license activated on your SonicWALL security appliance, you must purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers in the USA and Canada).

If you have an Activation Key for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, perform these steps to activate the combined services:

  1. On the Security Services > Gateway Anti-Virus page, click the SonicWALL Gateway Anti-Virus Subscription link. The mySonicWALL.com Login page is displayed.
  2. Enter your mySonicWALL.com account username and password in the User Name and Password fields, then click Submit. If your SonicWALL security appliance is already registered to your mySonicWALL.com account, the System > Licenses page appears.
  3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
  4. Type in the Activation Key in the New License Key field and click Submit. SonicWALL Intrusion Prevention Service is activated. The System > Licenses page is displayed with the Anti-Spyware and Gateway Anti-Virus links displayed at the bottom of the Manage Services Online table with the child Activation Keys.
  5. Click on the Anti-Spyware link. The child Activation Key is automatically entered in the New License Key field. The child Activation Key is a different key than the parent key for the SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service.
  6. Click Submit. If you have activated a FREE TRIAL version or are renewing a license, the renew screen is displayed that shows the expiration date of the current license and the expiration date of the updated license. Click Renew.
  7. Click on the SonicWALL Gateway Anti-Virus link. The child Activation Key is automatically entered in the New License Key field. The child Activation Key is a different key than the parent key for the SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service.
  8. Click Submit. If you have activated a FREE TRIAL version or are renewing a license, the renew screen is displayed that shows the expiration date of the current license and the expiration date of the updated license. Click Renew.

Congratulations! You have activated the SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service.

If you activate the SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service subscription on mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within 24 hours, or you can click the Synchronize button on the Security Services > Summary page to immediately update your SonicWALL security appliance.

Activating FREE TRIALs

You can try FREE TRIAL versions of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, and SonicWALL Intrusion Prevention Service. You must activate each service separately from the Manage Services Online table on the System > Licenses page or by clicking the FREE TRIAL link on the respective Security Services page (i.e. Security Services > Gateway Anti-Virus).

To try a FREE TRIAL of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, or SonicWALL Intrusion Prevention Service, perform these steps:

  1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus, Security Services > Anti-Spyware, or Security Services > Intrusion Prevention page. The mySonicWALL.com Login page is displayed.
  2. Enter your mySonicWALL.com account username and password in the User Name and Password fields, then click Submit. If your SonicWALL security appliance is already connected to your mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL link.
  3. Click Try in the FREE TRIAL column in the Manage Services Online table. The service is enabled on your security appliance.

Setting Up SonicWALL Gateway Anti-Virus Protection

Activating the SonicWALL Gateway Anti-Virus license on your SonicWALL security appliance does not automatically enable the protection. To configure SonicWALL Gateway Anti-Virus to begin protecting your network, you need to perform the following steps:

  1. Enable SonicWALL Gateway Anti-Virus
  2. Apply SonicWALL Gateway Anti-Virus Protection to Zones

      Note: For complete instructions on setting up SonicWALL Gateway Anti-Virus, refer to the SonicWALL Gateway Anti-Virus Administrator's Guide available on the SonicWALL documentation Web site <http://www.sonicwall.com/support/documentation.html>.

The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL GAV on your SonicWALL security appliance.

Enabling SonicWALL GAV

You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you must specify the Zones where you want SonicWALL GAV protection on the Network > Zones page.

Applying SonicWALL GAV Protection on Interfaces

If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the interface that you want enabled for SonicWALL GAV protection. Depending on the SonicWALL security appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting the interface(s), click Apply. It is recommended you select the WAN and LAN interfaces.

If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to Zones on the Network > Zones page.

Applying SonicWALL GAV Protection on Zones

If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL GAV not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing LAN traffic.

  1. In the SonicWALL security appliance management interface, select Network > Zones or from the Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the Network > Zones link. The Network > Zones page is displayed.
  2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window is displayed.
  3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway Anti-Virus Service, uncheck the box.
  4. Click OK.

      Note: You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit Zone window.

Viewing SonicWALL GAV Status Information

The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including the database's timestamp, and the time the SonicWALL signature servers were last checked for the most current database version. The SonicWALL security appliance automatically attempts to synchronize the database on startup, and once every hour.

The Gateway Anti-Virus Status section displays the following information:

If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.

If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones page. Clicking on the Network > Zones link displays the Network > Zones page for applying SonicWALL GAV on Zones.

Updating SonicWALL GAV Signatures

By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for new signature updates. You can also manually update your SonicWALL GAV database at any time by clicking the Update button located in the Gateway Anti-Virus Status section.

SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement Architecture licensing registration. The signature request is transported through HTTPS, along with full server certificate verification.

Specifying Protocol Filtering

Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL GAV to perform specific actions within the context of the application to gracefully handle the rejection of the payload.

By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.

Enabling Inbound Inspection

Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers to the following:

The Enable Inbound Inspection protocol traffic handling represented as a table:

Enabling Outbound SMTP Inspection

The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the internally hosted SMTP server for viruses.

Restricting File Transfers

For each protocol you can restrict the transfer of files with specific attributes by clicking on the Settings button under the protocol in the Gateway Anti-Virus Global Settings section.

These restrict transfer settings include:

Configuring Gateway AV Settings

Clicking the Configure Gateway AV Settings button at the bottom of the Gateway Anti-Virus Global Settings section displays the Gateway AV Settings window, which allows you to configure clientless notification alerts and create a SonicWALL GAV exclusion list.

If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.

Configuring HTTP Clientless Notification

The HTTP Clientless Notification feature notifies users when GAV detects an incoming threat from an HTTP server. To configure this feature, check the Enable HTTP Clientless Notification Alerts box and enter a message in the Message to Display when Blocking field, as shown below.

With this option disabled, when GAV detects an incoming threat from an HTTP server, GAV blocks the threat and the user receives a blank HTTP page. Typically, users will attempt to reload the page because they are not aware of the threat. The HTTP Clientless Notification feature informs the user that GAV detected a threat from the HTTP server.

Tip! The HTTP Clientless Notification feature is also available for SonicWALL Anti-Spyware.

Optionally, you can configure the timeout for the HTTP Clientless Notification on the Security Services > Summary page under the Security Services Summary heading.

Configuring a SonicWALL GAV Exclusion List

Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded from SonicWALL GAV scanning.

To add an IP address range for exclusion, perform these steps:

  1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
  2. Click the Add button. The Add GAV Range Entry window is displayed.
  3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure column to change an entry or click the trashcan icon to delete an entry.
  4. Click OK to exit the Gateway AV Config View window.

Viewing SonicWALL GAV Signatures

The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the SonicWALL GAV signature database downloaded to your SonicWALL security appliance.

Note:  Signature entries in the database change over time in response to new threats.

Displaying Signatures

You can display the signatures in a variety of views using the View Style menu.

Navigating the Gateway Anti-Virus Signatures Table

The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures table. The Items field displays the table number of the first signature. If you're displaying the first page of a signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.

Searching the Gateway Anti-Virus Signature Database

You can search the signature database by entering a search string in the Lookup Signatures Containing String field, then clicking the edit (Notepad) icon.

The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.


www.SonicWALL.com
SonicWALL, Inc.
http://www.sonicwall.com
1160 Bordeaux Drive
Sunnyvale, CA 94089-1209