Scan with McAfee anti-virus

Overview

The McAfee Anti-Virus filter scans incoming HTTP requests and their attachments for viruses and exploits. For example, if a virus is detected in a MIME attachment or in the XML message body, the API Gateway can reject the entire message and return a SOAP Fault to the client. In addition, this filter supports cleaning of messages from infections such as viruses and exploits. It also provides scan type presets for different detection levels, and reports overall message status after scanning.

Prerequisites

McAfee virus scanner integration requires the McAfee Scan Engine and a valid McAfee license. The required third-party binaries are included in your API Gateway installation.

Configuration

To configure the McAfee Anti-Virus filter, perform the following steps:

  1. Enter an appropriate name in the Name field.
  2. Select a Scan type from the list. The available options are as follows:
    • Normal
      Processes the entire message detecting exploits and viruses in the message headers, macros, multi-file archives, executables, MIME-encoded/UU-encoded/XX-encoded/BinHex and TNEF/IMC format files. Performs heuristic analysis to find new viruses and potentially unwanted programs. This is the default scan type.
    • Fast
      Detects infections in the top level of each message part, such as exploits that use headers and multiple bodies. The detection is less precise, but the performance is better if the top-level object is infected.
    • Multi-pass
      Combines the Normal and Fast scan types. The Fast scan (pass 1) runs first on the whole message with no cleaning. The scanner stops if it finds an infected object, and if the clean type is set to No cleaning, the scanner reports the infection, or otherwise deletes the message. If pass 1 does not detect any virus or exploit, the Normal scan (pass 2) runs with the specified clean type and provides more precise detection.
    • Custom
      Enables you to set the Custom options described in the next section. This provides compatibility with previous API Gateway versions.
  3. Select a Clean type from the list. The available options are as follows:
    • No cleaning
      Fails if any infection is detected. This is the default clean type.
    • Always remove infected parts
      Removes the infected message part, and does not try to repair it.
    • Attempt to repair infected parts
      Attempts to repair the found infection (if repairable), otherwise deletes the infected message part.
Note   When existing policies are upgraded to the current API Gateway version, the McAfee Anti-Virus filter scan type is set to Custom and the clean type is set to No cleaning for backward compatibility.

Custom options

When you configure a custom scan type, the following Custom options are available:

Decompress Archives:
This instructs the filter to scan each file in an archive for viruses. Types of archived files include the ZIP, JAR, TAR, ARJ, LHA, PKARC, PKZIP, RAR, WinACE, BZip, and Zcompress formats.

Decompress Executables:
Executables are sometimes compressed to decrease overall message size. In such cases, any embedded viruses are also compressed and may be missed by conventional scans. If this option is selected, the filter decompresses the executable before scanning it for viruses.

Fail Any Macros:
A macro is a series of commands that can be invoked in a single command or keystroke. While calling the macro can appear to be harmless, the initiated command sequence may be harmful. Macros are usually configured to run automatically when the host document is opened. When this option is selected, the API Gateway fails if any macro is detected in a compound document (whether it matches a virus signature or not). An appropriate SOAP Fault is returned to the client.

Heuristic Program Analysis:
A heuristic virus detection algorithm runs a series of probing tests on a file in an attempt to solicit virus-like behavior from it. Based on the results of these tests, the algorithm can then make an educated guess on whether the file represents a potential threat or not. For example, programs that attempt to modify or delete files, invoke email clients, or replicate themselves all display virus-like behavior and so may be treated as viruses by the scanner.

The major advantage of this type of analysis is that new viruses can be detected. With the signature detection method, the scanner attempts to find a fixed number of known virus signatures in a file. Because the number of known signatures is fixed, new or unknown viruses can not be detected. If this option is selected, the filter runs heuristic analysis on executables only.

Heuristic Macro Analysis:
When this option is enabled, the filter runs heuristic detection analysis on macros contained in any body parts of the message. If any viruses are detected, the message is blocked. If this option is selected, the API Gateway searches for virus signatures in the respective body parts of a MIME message. However, it can only search for known viruses using this method.

Note   Macros embedded in MIME parts are also scanned for virus signatures.

Scan Embedded Scripts:
The API Gateway can scan MIME parts, such as HTML documents, for embedded scripts. If this option is selected, the filter scans for embedded scripts.

Scan for Test Files:
When this option is selected, the API Gateway fails if it encounters an anti-virus test file (for example, eicar.com). This is a convenient way to check that the anti-virus filter successfully detects known viruses.

Message status

When the scan is complete, the McAfee Anti-Virus filter reports the overall message status in the mcafee.status message attribute, which is generated by the filter. This reflects the overall status of the scan for all message parts, and includes one of the following values:

NOVIRUS No virus or exploit detected in the message.
INFECTED Infection detected in the message.
REPAIRED Message repaired.
REMOVED Some or all message parts successfully removed.
REPAIRED, REMOVED Some message parts successfully repaired and some others removed.

Load McAfee updates

When the McAfee Anti-Virus filter has been loaded, it searches for virus definitions in the following directory:

INSTALL_DIR\apigateway\conf\plugin\mcafee\datv2

When these have been loaded, it periodically checks for the presence of a directory named as follows:

INSTALL_DIR\apigateway\conf\plugin\mcafee\datv2.new

If the datv2.new directory is found, the scanner is stopped and the datv2 directory is renamed to datv2.0. If a datv2.0 directory already exists from a previous rollover, a datv2.1 directory is created instead, and so on, until an unused index is used. This means that the server never deletes the old files, and rolls them out of the way.

When the engine is stopped and restarted, any messages that require scanning are suspended until the restart completes. In addition, an initiated reload is suspended until all currently active scans are completed.

Note   Like all file system scanning approaches, there is an inherent ordering problem. If you create the datv2.new directory before copying the files into the directory, the scanner may pick up the new directory before it is ready to be used. For example, on Windows, you might experience problems if you enter the following commands from the INSTALL_DIRapigateway\conf\plugin\mcafee directory:
mkdir datv2.newcopy c:\mcafee\newfiles\*.* datv2.new

You can use the following commands to prevent this problem:

mkdir datv2.tmpcopy c:\mcafee\newfiles\*.* datv2.tmp rename datv2.tmp datv2.new

These create a temporary folder, copy the files into this folder, and rename the temporary folder to datv2.new. In this way, the scanner is guaranteed to pick up the virus definition files when it detects the new directory.

On Linux, the same approach applies, but the location of the file and the commands used are different. For example, enter the following commands from the INSTALL_DIR/apigateway/conf/plugin/mcafee directory:

mkdir datv2.tmpcp /var/tmp/mcafee/newfiles/*.* datv2.tmpmv datv2.tmp datv2.new

Related Links