Amer Networks E5Web GUI User Manual

specified in Appendix C, Verified MIME filetypes) then the filetype in the file's name is used when
the excluded list is checked.

3. Compression Ratio Limit

When scanning compressed files, cOS Core must apply decompression to examine the file's
contents. Some types of data can result in very high compression ratios where the compressed
file is a small fraction of the original uncompressed file size. This can mean that a comparatively
small compressed file attachment might need to be uncompressed into a much larger file which
can place an excessive load on cOS Core resources and noticeably slowdown throughput.

To prevent this situation, the administrator should specify a Compression Ratio limit. If the limit of
the ration is specified as 10 then this will mean that if the uncompressed file is 10 times larger
than the compressed file, the specified Action should be taken. The Action can be one of:

•

Allow - The file is allowed through without virus scanning

•

Scan - Scan the file for viruses as normal

•

Drop - Drop the file

In all three of the above cases the event is logged.

Verifying the MIME Type

The ALG File Integrity options can be utilized with anti-virus scanning to check that the file's
contents matches the MIME type it claims to be.

The MIME type identifies a file's type. For instance a file might be identified as being of type .gif
and therefore should contain image data of that type. Some viruses can try to hide inside files by
using a misleading file type. A file might pretend to be a .gif file but the file's data will not match
that type's data pattern because it is infected with a virus.

Enabling of this function is recommended to make sure this form of attack cannot allow a virus to
get through. The possible MIME types that can be checked are listed in Appendix C, Verified MIME
filetypes.

Setting the Correct System Time

It is important that a cOS Core has the correct system time set if the auto-update feature in the
anti-virus module can function correctly. An incorrect time can mean the auto-updating is
disabled.

The console command

Device:/> updatecenter -status

will show the current status of the auto-update feature.

Updating in High Availability Clusters

Updating the anti-virus databases for both the Clavister Security Gateways in an HA Cluster is
performed automatically by cOS Core. In a cluster there is always an active unit and an inactive
unit. Only the active unit in the cluster will perform regular checking for new database updates. If
a new database update becomes available the sequence of events will be as follows:

1.

The active unit determines there is a new update and downloads the required files for the
update.

Chapter 6: Security Mechanisms

467