Antivirus Overview on SnapGear
Sunday, 27 May 2007

Explanation

Note: The AV functionality is currently only available on the SG565, SG580, and SG710 models.

SnapGear provides antivirus capabilities for the POP, SMTP, HTTP and FTP services. Only these services work with AV scanning. The SnapGear uses proxies for these services, and the proxies interpret the application data to identify the file/data to be scanned.

The AV functionality does not require any additional licensing or subscriptions because it uses embedded open source software. If you are using a supported SnapGear appliance, you can run AV scanning. The AV engine is ClamAV, which is open source software released under the GNU General Public License. The AV definitions are updated from the ClamAV database servers free of charge (see www.clamav.net for more information).

The SG transparently intercepts inbound packets for the services to be scanned and redirects them to the appropriate proxy:

  • Port 21 traffic is redirected to the FTP proxy
  • Port 80 traffic is redirected to the Web proxy

Enabling AV automatically enables Access Controls. Antivirus can also be used in conjunction with authentication and access controls, and it works with a browser either transparently or non-transparently.

Important Notes

  • Enabling AV requires a fair amount of system resources. If a lot of traffic is being scanned, it may impact the performance of your SnapGear, and AV may not be recommended for very busy or lower-end firewalls.

  • AV scanning uses a lot of memory for storage of the AV database and for the temporary space needed by the AV scanners. It is highly advisable to use a network share or local share if running antivirus.

  • The SG cannot scan encrypted content. If files are encrypted, they will not be scanned. Note that HTTPS is not supported for AV scanning because all of its traffic is encrypted. There is a configurable option to reject or allow all encrypted files.

Troubleshooting Tips

  • If you have a high volume of files that need to be scanned, you may want to adjust the number of processes available for scanning. This is a configurable value that defaults to 150 simultaneous checks. To increase the number of processes, set ‘Maximum number of simultaneous virus checks’ in the GUI to the desired number. It is not recommended to raise this number too high, because it can decrease the performance of other processes.

  • The process table will show ‘clamd’ running when scanning is enabled. One clamd process starts initially and spawns additional processes as needed.

  • The SG stores the AV databases in /var/clamav. To verify that the AV files are being updated, look at the following files:
    /var/clamav/daily.cvd – incremental database of AV updates
    /var/clamav/main.cvd – complete AV database

  • Enabling AV for a service enables the appropriate proxy:
    Web - /bin/proxy80 – listens on default port 81
    FTP - /bin/frox – listens on default port 2121
    SMTP - /bin/clamsmtpd – listens on default port 25
    POP - listens on default port 110

  • The clamd scanner listens on TCP port 3310 by default; the SG sends scanning requests to the loopback address on port 3310. To verify that the process is running, type ‘netstat -na | grep 3310’ at the command line and check that a process is listening on this port.
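The checks above (clamd on loopback port 3310, the proxy listeners, and the age of the database files in /var/clamav) can be scripted. The following health-check script is an added example, not SnapGear's own tooling; it assumes a Linux-style ‘netstat -na’ layout and a POSIX shell with awk and find, and the freshness thresholds (7 and 90 days) are assumptions, not SnapGear defaults.

```shell
#!/bin/sh
# Health check for the AV components described in this article (added example).
# Parses `netstat -na` output for the clamd listener on port 3310 and the proxy
# ports 81/2121/25/110, and checks the age of daily.cvd and main.cvd.
# Run with --live on the appliance; without it, only functions are defined.

# Constructed sample of `netstat -na` output (not captured from a real unit);
# note that 110 is absent and 80 is only ESTABLISHED, not LISTEN.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 127.0.0.1:3310     0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:81         0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:2121       0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:25         0.0.0.0:*          LISTEN
tcp        0      0 192.168.0.1:80     192.168.0.20:51234 ESTABLISHED'

# port_listening NETSTAT_TEXT PORT -> success if some socket LISTENs on PORT
port_listening() {
    printf '%s\n' "$1" | awk -v port="$2" \
        '$NF == "LISTEN" && $4 ~ (":" port "$") { found = 1 } END { exit !found }'
}

# check_listeners NETSTAT_TEXT -> prints the names of missing listeners and
# returns success only when every expected listener is present
check_listeners() {
    missing=""
    for spec in clamd:3310 web-proxy:81 ftp-proxy:2121 smtp-proxy:25 pop-proxy:110; do
        port_listening "$1" "${spec##*:}" || missing="$missing ${spec%%:*}"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# db_fresh FILE MAX_DAYS -> success if FILE exists and changed within MAX_DAYS days
db_fresh() {
    [ -f "$1" ] && [ -n "$(find "$1" -mtime "-$2" 2>/dev/null)" ]
}

if [ "${1:-}" = "--live" ]; then
    if missing=$(check_listeners "$(netstat -na)"); then
        echo "all AV listeners present"
    else
        echo "missing listeners: $missing"
    fi
    # daily.cvd changes often; main.cvd changes rarely, so allow it longer
    db_fresh /var/clamav/daily.cvd 7 && echo "daily.cvd updated within 7 days" \
        || echo "daily.cvd missing or older than 7 days"
    db_fresh /var/clamav/main.cvd 90 && echo "main.cvd updated within 90 days" \
        || echo "main.cvd missing or older than 90 days"
fi
```

On the sample data the script reports ‘pop-proxy’ as the only missing listener, since port 80 appears only as an ESTABLISHED connection and never as a LISTEN socket.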