Trusted Sites & Skip Scans

ANTIVIRUS GUIDE

Antivirus – Concept Overview

Antivirus scanning is designed to detect, prevent, and remove malicious programs such as viruses, worms, and trojans from computers and connected devices. In the zWAN Standalone system, antivirus protection is integrated into the security appliance using the SquidClamav engine. It continuously scans network traffic, including decrypted HTTPS data (when SSL Inspection is enabled), to identify and block threats before they reach the client.

Core Concept

SSL Inspection decrypts secure HTTPS traffic, enabling antivirus scanning of encrypted content. When a virus or malware signature is detected in a web page or file, the system blocks access and returns a custom alert page to the client instead of the infected resource. Clean traffic is re-encrypted and forwarded securely, maintaining privacy while ensuring protection.

Trusted Sites in Antivirus Settings

The Trusted URL/Domain List allows administrators to specify domains or URLs that are exempt from antivirus scanning. This helps reduce false positives or allows trusted internal resources to bypass scanning.

1) The Trusted Sites configuration is only editable when the Antivirus feature is enabled.

2) When Antivirus is enabled, you can add, remove, or modify trusted URLs/domains.

3) When Antivirus is disabled, the page remains visible, but the option to add new trusted sites is grayed out or inactive, preventing changes to the trusted list until antivirus protection is active again.

4) This ensures trusted sites settings remain consistent with the antivirus scanning state and avoids conflicting configurations.

Antivirus Blocking and Trusted URL/Domain Behavior

When the antivirus engine detects a virus or unsafe content in a requested web page or file, it blocks access to protect the user and the network.

Virus Detection and Blocking Workflow

1) The antivirus detection software, SquidClamav, scans all traffic passing through the security appliance.

2) To inspect HTTPS traffic, the packets are decrypted using the SSL bump feature, scanned for virus signatures, then re-encrypted and forwarded if clean.

3) If a virus or malware signature is detected on a page or file that is not in the Trusted URL/Domain List, access to that resource is blocked.

4) Instead of loading the infected content, the client receives an alert page notifying them of the virus or unsafe browsing attempt.

Skip Scan Behavior in Antivirus

The Skip Scan feature allows administrators to exclude specific file types or file content types from antivirus scanning. This is particularly useful for improving performance and avoiding unnecessary scans of known safe files while maintaining overall network security.

Workflow of skip scan

Excluded File Types:

Administrators can specify file extensions (e.g., .pdf, .txt, .jpg) that should be bypassed by antivirus scanning.

• A dropdown list is available with commonly used file extensions for quick selection.

• Custom file extensions can also be manually entered if not listed in the dropdown.

Excluded File Content-Types:

MIME types (e.g., application/pdf, text/plain) can be added to skip scanning based on the file’s content type.

• A predefined dropdown list is available for commonly used MIME types.

• Custom MIME types can also be entered manually to meet specific use cases.

• Files matching any of the specified extensions or content types will be allowed without antivirus scanning and permitted for download or access.
• This functionality helps optimize system resource usage, especially in environments with frequent large file transfers or known safe file types.
• After making any changes on this page, it is mandatory to click "Activate Changes" to apply the new configuration.
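
Because every matching extension, content type, or trusted entry is passed through without scanning, it is worth reviewing a planned exclusion list before clicking "Activate Changes". The following Python check is an added example, not part of the zWAN product or of this guide's original text. The function name audit_exclusions and the category tables are assumptions made for illustration, and the sample lists are constructed.

```python
# Added example: audit a skip-scan / trusted-site exclusion list before activation.
# The category tables below are illustrative assumptions, not zWAN defaults.
ACTIVE_EXTENSIONS = {
    "executable": {"exe", "dll", "msi", "scr", "com"},
    "script": {"js", "vbs", "ps1", "bat", "cmd", "hta", "jar"},
    "archive": {"zip", "rar", "7z", "iso", "cab"},
    "document with active content": {"pdf", "doc", "docm", "xls", "xlsm"},
}
GENERIC_MIME = {"application/octet-stream"}


def audit_exclusions(extensions, mime_types, trusted):
    """Return a list of (entry, reason) findings for exclusions worth a second look."""
    findings = []
    for raw in extensions:
        # Normalise ".EXE", "exe" and " .exe " to the same key.
        ext = raw.strip().lower().lstrip(".")
        for category, members in ACTIVE_EXTENSIONS.items():
            if ext in members:
                findings.append((raw, f"{category} files would skip scanning"))
    for raw in mime_types:
        mime = raw.strip().lower()
        if mime in GENERIC_MIME or mime.endswith("/*"):
            findings.append((raw, "generic or wildcard content type"))
    for raw in trusted:
        # Reduce a URL or domain entry to its host part.
        host = raw.strip().lower().split("://")[-1].split("/")[0]
        labels = [part for part in host.split(".") if part]
        if "*" in host or len(labels) < 2:
            findings.append((raw, "entry is broader than a single host"))
    return findings


if __name__ == "__main__":
    # Constructed sample configuration, not taken from a real appliance.
    sample = audit_exclusions(
        extensions=[".txt", ".jpg", ".EXE", "zip"],
        mime_types=["text/plain", "application/octet-stream", "image/*"],
        trusted=["intranet.example.com", "*.example.net", "com"],
    )
    for entry, reason in sample:
        print(f"{entry:28} {reason}")
```

An empty result means no entry matched the illustrative tables; it does not certify that the excluded content is safe.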
