Configuring HTTP and FTP scanning

In HTTP (Hypertext Transfer Protocol) and FTP (File Transfer Protocol) traffic, Kerio Control can scan selected types of files.

The transmitted file is saved in a temporary file on the local disk of the firewall. Kerio Control caches the last part of the transmitted file (segment of the data transferred) and performs an antivirus scan of the temporary file.

If it detects a virus, the last segment of the data is dropped. The client then receives an incomplete (damaged) file which cannot be executed, so the virus cannot be activated. If no virus is found, Kerio Control also sends the rest of the file and the transmission is completed successfully.

  1. The purpose of the antivirus check is only to detect infected files; it is not possible to heal them!
  2. If the antivirus check is disabled in HTTP Policy and FTP Policy, objects and files matching corresponding rules are not checked.
  3. Full functionality of HTTP scanning is not guaranteed if any non-standard extensions to web browsers (e.g. download managers, accelerators, etc.) are used.

Configuring scanning

  1. In the administration interface, go to Antivirus > Antivirus Engine.
  2. Verify that antivirus control is enabled and select options Enable HTTP scanning and Enable FTP scanning.
  3. On the HTTP, FTP Scanning tab, select Alert the client. Kerio Control sends an email message warning the user who attempted to download the file that a virus was detected and the download was stopped for security reasons. Kerio Control sends alert messages when:
  • The user is authenticated and connected to the firewall
  • A valid email address is set in a corresponding user account
  • The SMTP server used for mail sending is configured
  4. In the If a transferred file cannot be scanned section, select the action for when the antivirus check cannot be applied (e.g. the file is compressed and password-protected, damaged, etc.):
  • Deny transmission of the file: Kerio Control considers the file as infected and denies the transmission.
  • Allow transmission of the file: Kerio Control treats the file as not infected. Use this option only if, for example, users transmit a big volume of compressed password-protected files and the antivirus is installed on the workstations.

HTTP and FTP scanning rules

Kerio Control contains a set of predefined rules for HTTP and FTP scanning. The firewall administrator can change the default configuration.

Scanning rules are ordered and processed from the top. When Kerio Control finds a rule which matches the object, the appropriate action is taken and no further rules are evaluated.

If the object does not match any rule, Kerio Control does not scan the object. If you want to scan object types other than those in the predefined rules, add a rule which enables scanning of any URL or MIME type to the list.

To add new rules, follow these instructions:

  1. On the HTTP, FTP Scanning tab, click Add.
  2. Select Condition type:
  • HTTP URL — URL of the object (for example, www.kerio.com/img/logo.gif), a string specified using wildcard matching (for example, *.exe) or a server name (for example, www.kerio.com). Server names represent any URL at a corresponding server (www.kerio.com/*).
  • HTTP MIME type — MIME types can be specified either by complete expressions (e.g. image/jpeg) or using wildcard matching (for example, application/*).
  • Filename — this option filters out certain filenames (not entire URLs) transmitted by FTP or HTTP (for example, *.exe, *.zip, and so on). If only an asterisk is used, the rule applies to any file transmitted by HTTP or FTP.
  • File type — select a group of predefined file extensions.

NOTE

If a MIME type or a URL is specified only by an asterisk, the rule will apply to any HTTP object.

  3. Select Action to scan the objects for viruses.
  4. Type a description.
  5. Save the settings.
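
The first-match processing described under HTTP and FTP scanning rules means that an early rule can shadow a later one, and that anything matching no rule passes unscanned. The following Python model is an added example for auditing a planned rule order against sample objects; it is not Kerio Control code. The rule list, the sample objects, the "do not scan" action and the shell-style, case-insensitive wildcard semantics are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed rule list (not Kerio's defaults): (condition type, pattern, scan?)
RULES = [
    ("url", "www.example.com", False),   # server name: any URL on that server
    ("filename", "*.exe", True),
    ("mime", "application/*", True),
    ("mime", "image/*", False),
]

def _matches(cond, pattern, obj):
    """Assumed semantics: shell-style, case-insensitive wildcard matching."""
    value = obj.get(cond)
    if value is None:
        return False
    if cond == "url" and "/" not in pattern and "*" not in pattern:
        pattern += "/*"  # per the page, a server name stands for server/*
    return fnmatchcase(value.lower(), pattern.lower())

def decide(obj, rules=RULES):
    """Return (scan, rule_index). First matching rule wins; no match means no scan."""
    for i, (cond, pattern, scan) in enumerate(rules):
        if _matches(cond, pattern, obj):
            return scan, i
    return False, None

def audit(objects, rules=RULES):
    """List objects that would pass unscanned, with the reason."""
    findings = []
    for obj in objects:
        scan, idx = decide(obj, rules)
        if not scan:
            reason = "no matching rule" if idx is None else f"skip rule #{idx + 1}"
            findings.append((obj["url"], reason))
    return findings

SAMPLES = [  # constructed test objects
    {"url": "www.example.com/tools/setup.exe", "mime": "application/octet-stream", "filename": "setup.exe"},
    {"url": "downloads.example.net/setup.exe", "mime": "application/octet-stream", "filename": "setup.exe"},
    {"url": "downloads.example.net/readme.txt", "mime": "text/plain", "filename": "readme.txt"},
    {"url": "downloads.example.net/logo.gif", "mime": "image/gif", "filename": "logo.gif"},
]

if __name__ == "__main__":
    for url, reason in audit(SAMPLES):
        print(f"NOT SCANNED: {url} ({reason})")
```

In this constructed rule set the executable from www.example.com is never scanned because the server-name rule above the *.exe rule matches first, and readme.txt is unscanned because no rule covers it; appending a Filename rule with only an asterisk closes the second gap.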