About Virus Blocker
Virus Blocker transparently scans your HTTP, FTP and SMTP traffic to protect your network from viruses, trojans and other malware. It scans within archives such as zip, rar, tar, gzip, bzip2 (and more).
Settings
This section reviews the different settings and configuration options available for the virus scanners.
Web
This section reviews the different settings and configuration options for web traffic.
- Scan HTTP: This enables or disables HTTP scanning.
- File Types: The File Types section allows you to scan files by file extension - just select (or add) your chosen file extension, check your preferred action (scan or not), and save.
- MIME Types: The MIME Types section allows you to scan files by MIME type - just select (or add) your chosen MIME type, check your preferred action (scan or not), and save.
Email
This section reviews the different settings and configuration options for email traffic.
- Scan SMTP: This option enables scanning of SMTP messages with attachments.
- Action: The selected action will be taken on a message if a virus is found.
- Setting Action to Remove Infection removes the infection and wraps the original email for delivery to the intended recipient. If set to Pass Message, the original message is wrapped and delivered with the attachment intact. In both cases, the subject line is prepended with "[VIRUS]". Due to protocol limitations, only SMTP can be set to Block, which stops the message from being delivered at all.
FTP
This section reviews the different settings and configuration options for FTP traffic.
- Scan FTP: This enables or disables scanning of FTP downloads.
Pass Sites
This section allows you to specify sites that are not scanned. The list uses the Glob Matcher syntax.
- NOTE: Use caution when adding sites to this list!
For each protocol, the behavior is as follows:
- HTTP. Match the HTTP Host header.
- FTP. Match the server IP address or domain address (if a reverse DNS address exists).
- Email. Match the client or server IP address or domain address (if a reverse DNS address exists).
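The per-protocol rules above decide which value is compared against the pass list, and the glob syntax decides how loosely it is compared. The following is an added example, not code from Untangle or its documentation: it assumes shell-style glob semantics ('*' for any run of characters, '?' for one, case-insensitive, whole-value match) and uses a constructed pass list. It shows the Host, server and client values each protocol would test, that `*.example-cdn.test` does not cover the bare `example-cdn.test`, and a small audit that flags entries broad enough to switch scanning off for far more than one site.

```python
import re

# Constructed pass list (example values, not from the product documentation).
# Glob Matcher semantics are assumed to be shell-style: '*' matches any run of
# characters and '?' exactly one; matching is case-insensitive and whole-value.
PASS_SITES = [
    "*.example-cdn.test",    # every subdomain of a trusted CDN (not the apex itself)
    "updates.example.test",  # one exact host
    "10.0.5.*",              # an internal address range written as a glob
]


def glob_to_regex(pattern):
    """Translate one glob into a regular expression to be used with fullmatch."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def first_match(value, patterns):
    """Return the first pattern that matches the whole value, or None."""
    for pattern in patterns:
        if re.fullmatch(glob_to_regex(pattern), value, re.IGNORECASE):
            return pattern
    return None


def host_without_port(host_header):
    """Strip a trailing :port from a Host header, keeping bracketed IPv6 intact."""
    header = host_header.strip()
    m = re.fullmatch(r"(\[[^\]]+\]|[^:]+)(?::\d+)?", header)
    return m.group(1) if m else header


def http_bypassed(host_header, patterns=PASS_SITES):
    """HTTP: only the Host header is compared against the list."""
    return first_match(host_without_port(host_header), patterns)


def ftp_bypassed(server_ip, server_reverse_name=None, patterns=PASS_SITES):
    """FTP: the server IP address, or its reverse-DNS name when one exists."""
    for candidate in (server_ip, server_reverse_name):
        if candidate:
            hit = first_match(candidate, patterns)
            if hit:
                return hit
    return None


def email_bypassed(client_ip, server_ip, client_reverse_name=None,
                   server_reverse_name=None, patterns=PASS_SITES):
    """Email: either end of the SMTP connection may match, by IP or reverse name."""
    for candidate in (client_ip, client_reverse_name, server_ip, server_reverse_name):
        if candidate:
            hit = first_match(candidate, patterns)
            if hit:
                return hit
    return None


def audit_pass_list(patterns):
    """Flag entries that exempt far more than one site from scanning."""
    warnings = []
    for pattern in patterns:
        literal = re.sub(r"[*?.]", "", pattern)
        if not literal:
            warnings.append((pattern, "no literal characters: matches every host and address"))
        elif pattern.endswith("*") and not pattern.endswith(".*"):
            warnings.append((pattern, "trailing wildcard also matches any other name that "
                                      "merely begins with '" + pattern[:-1] + "'"))
    return warnings


if __name__ == "__main__":
    print(http_bypassed("img.example-cdn.test:8080"))   # *.example-cdn.test
    print(http_bypassed("example-cdn.test"))            # None: the apex is not covered
    print(ftp_bypassed("10.0.5.17"))                    # 10.0.5.*
    for pattern, reason in audit_pass_list(["*", "example.test*"]):
        print("WARNING:", pattern, "-", reason)
```

Run the audit against a proposed list before saving it; a lone `*` silently turns scanning off for the whole protocol, and a pattern such as `example.test*` reaches well beyond the one site it looks like it names.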
Event Logs
Use the following terms and definitions to understand the Event Logs:
Web Event Log
Name | Description |
---|---|
Timestamp | The time the event took place. |
Client | The IP address of the client that made the request. |
Username | The username of the client that made the request, if available. |
Host | The Host portion of the request. |
URI | The URI portion of the request. |
Virus Name | If found, this is the common name of the virus. |
Server | The IP address of the server that received the request. |
Email Event Log
Name | Description |
---|---|
Timestamp | The time the event took place. |
Client | The IP address of the client that made the request. |
Receiver | The email address of the recipient. |
Sender | The email address of the sender. |
Subject | The subject of the email. |
Virus Name | If found, this is the common name of the virus. |
Server | The IP address of the server that received the request. |
FTP Event Log
Name | Description |
---|---|
Timestamp | The time the event took place. |
Client | The IP address of the client that made the request. |
Username | The username of the client that made the request, if available. |
Filename | The FTP file name. |
Virus Name | If found, this is the common name of the virus. |
Server | The IP address of the server that received the request. |
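The three event logs share the Timestamp, Client, Virus Name and Server columns, which is what makes them useful together: one client showing up in more than one log, or one infected object reaching several clients, is worth more attention than a single detection. The following is an added example, not code from Untangle or its documentation. It assumes a tab-separated export with a header row using the column names defined above (the product's real export format may differ), and all addresses, names and rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports, one per event log, with the documented column names.
# Tab-separated text with a header row is an assumption made for this example.
WEB_LOG = """\
Timestamp\tClient\tUsername\tHost\tURI\tVirus Name\tServer
2024-03-04 09:12:01\t10.0.1.15\talice\tdl.example.test\t/tools/setup.exe\tEICAR-Test-File\t192.0.2.10
2024-03-04 09:14:22\t10.0.1.15\talice\twww.example.test\t/index.html\t\t192.0.2.11
2024-03-04 10:02:45\t10.0.1.23\tbob\tdl.example.test\t/tools/setup.exe\tEICAR-Test-File\t192.0.2.10
"""

EMAIL_LOG = """\
Timestamp\tClient\tReceiver\tSender\tSubject\tVirus Name\tServer
2024-03-04 09:30:10\t10.0.1.15\tbob@example.test\talice@example.test\tsetup tool\tEICAR-Test-File\t10.0.0.5
2024-03-04 09:31:00\t10.0.1.23\tcarol@example.test\tbob@example.test\tlunch?\t\t10.0.0.5
"""

FTP_LOG = """\
Timestamp\tClient\tUsername\tFilename\tVirus Name\tServer
2024-03-04 11:05:33\t10.0.1.40\tanonymous\tpub/setup.exe\tEICAR-Test-File\t198.51.100.7
"""


def parse_log(text):
    """Read one export into a list of row dicts keyed by the documented column names."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def detections(web_rows, email_rows, ftp_rows):
    """Keep only rows where a virus was found, normalised to one shape across protocols."""
    hits = []
    for row in web_rows:
        if row["Virus Name"]:
            hits.append({"proto": "HTTP", "time": row["Timestamp"], "client": row["Client"],
                         "virus": row["Virus Name"], "object": row["Host"] + row["URI"]})
    for row in email_rows:
        if row["Virus Name"]:
            hits.append({"proto": "SMTP", "time": row["Timestamp"], "client": row["Client"],
                         "virus": row["Virus Name"],
                         "object": row["Sender"] + " -> " + row["Receiver"]})
    for row in ftp_rows:
        if row["Virus Name"]:
            hits.append({"proto": "FTP", "time": row["Timestamp"], "client": row["Client"],
                         "virus": row["Virus Name"],
                         "object": row["Server"] + ":" + row["Filename"]})
    return hits


def all_hits():
    """Detections across the three constructed logs."""
    return detections(parse_log(WEB_LOG), parse_log(EMAIL_LOG), parse_log(FTP_LOG))


def hits_by_client(hits):
    by_client = defaultdict(list)
    for hit in hits:
        by_client[hit["client"]].append(hit)
    return dict(by_client)


def repeat_offenders(hits, threshold=2):
    """Clients with several detections, or detections on more than one protocol."""
    return sorted(client for client, client_hits in hits_by_client(hits).items()
                  if len(client_hits) >= threshold
                  or len({h["proto"] for h in client_hits}) > 1)


def shared_objects(hits):
    """The same infected object reaching several clients (one source, many downloaders)."""
    clients = defaultdict(set)
    for hit in hits:
        clients[(hit["virus"], hit["object"])].add(hit["client"])
    return {key: sorted(c) for key, c in clients.items() if len(c) > 1}


if __name__ == "__main__":
    hits = all_hits()
    for client, client_hits in hits_by_client(hits).items():
        print(client, [(h["proto"], h["virus"], h["object"]) for h in client_hits])
    print("repeat offenders:", repeat_offenders(hits))
    print("shared objects:", shared_objects(hits))
```

In the constructed data, 10.0.1.15 downloaded the infected file over HTTP and then tried to mail it on, which is the desktop-to-desktop spread the FAQ below describes; the shared-object view also shows that 10.0.1.23 fetched the same URI, so the source is worth blocking rather than just the individual downloads.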
Related Topics
Virus Blocker FAQs
If I use Untangle, do I need to install virus software on individual network computers?
When your Untangle's Virus Blocker is running, it scans the inbound and outbound HTTP, FTP and Email traffic that passes through it. This is your first layer of protection. Imagine this scenario:
Angela is a Resume Writer at Angelic Resumes, Inc. One day she works from a remote location, and downloads an infected file from the Internet to her personal laptop, then to her USB drive. She returns to the office the next day, and, using the USB drive, saves the infected file directly to her desktop computer. Her desktop computer is now infected with a virus. To make matters worse, she emails that file to her coworkers. Her coworkers download the file, and now their desktops are also infected.
In this scenario the file was transferred without going through Untangle. If Angela had emailed the file to her coworkers' work email accounts from her personal email account, that email would have passed through Untangle, which would have prevented the virus from entering your protected network. Because of situations like this, we always recommend an additional layer of protection on the desktop.
If I have Virus Blocker and Virus Blocker Lite installed, are one or both used and in which order?
If you have both virus scanners installed, Virus Blocker is applied to a message first; if, and only if, the message passes Virus Blocker is Virus Blocker Lite applied to it (there is no point in scanning a message twice when the first scanner has already rejected it). This does not mean that one scanner is inherently better than the other: Virus Blocker is complemented by Virus Blocker Lite, and for a virus-free message the computational overhead of the scan includes both scanners, whereas a message that both scanners would reject incurs only the computational and time cost of Virus Blocker. To perform a valid comparison, run test messages through Untangle with no scanners installed, with Virus Blocker by itself, with Virus Blocker Lite by itself, and lastly with both scanners installed together, and compare the results.
How can I test that viruses are being blocked?
An easy way to test HTTP virus scanning is to download the EICAR test file from a machine behind Untangle. If virus scanning is not working, the file will download successfully (it is harmless). If it is working, a block page will be displayed.
Why do emails with larger attachments sometimes "disappear" or are not delivered?
While Untangle is scanning the attachments, your email server is still waiting for the message, most likely triggering a timeout setting. If you're using MS Exchange, you'll want to increase the ConnectionInactivityTimeout setting.
Why does the Event Log say a file is blocked, but I can still download it?
When downloading over the web, small files are blocked with a block page. Larger files are treated differently: they are fed to the client at a slower rate than they are actually downloaded, so the client does not time out while the download and scan take place. After Untangle has scanned the complete file it will either refuse to send the rest, if a virus was found, or immediately send the rest. This means that for large files the Event Log says the file is "blocked", but checking the file size on the client will show that you do not actually have the complete file.
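Together, the EICAR test above and the large-file behaviour just described give three outcomes a tester can see from the client side: the test file arrives intact (scanning is not in effect), an HTML block page replaces a small download, or a large download stops short of its Content-Length. The following is an added example, not code from Untangle or its documentation. It recognises the test file by the fixed marker text it contains rather than embedding the full test string, treats the block page as an HTML response (an assumption), keeps the partial body when the transfer is cut off, and uses a placeholder URL.

```python
import http.client
import sys
import urllib.error
import urllib.request

# Only the marker text inside the EICAR test file is used here, not the full test string.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

DELIVERED = "DELIVERED"    # test file arrived intact: scanning is not in effect
BLOCK_PAGE = "BLOCK_PAGE"  # an HTML block page replaced the download (small files)
TRUNCATED = "TRUNCATED"    # bytes stopped short of Content-Length (large files, cut after scanning)
COMPLETE = "COMPLETE"      # a complete file arrived but carries no marker (not the test file)


def classify(status, content_type, expected_length, body):
    """Decide what the client actually received, regardless of the HTTP status code."""
    if EICAR_MARKER in body:
        return DELIVERED
    if expected_length is not None and len(body) < expected_length:
        return TRUNCATED
    if "text/html" in content_type.lower():   # assumption: the block page is HTML
        return BLOCK_PAGE
    return COMPLETE


def fetch(url, timeout=120):
    """Download url and return (status, content_type, expected_length, body).

    A block page may be served with a 4xx status, and a large download may be
    closed before Content-Length is reached; both are kept rather than raised.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "virus-scan-check"})
    try:
        resp = urllib.request.urlopen(req, timeout=timeout)
        status = resp.status
    except urllib.error.HTTPError as err:
        resp, status = err, err.code
    content_type = resp.headers.get("Content-Type", "")
    length = resp.headers.get("Content-Length")
    expected = int(length) if length and length.isdigit() else None
    try:
        body = resp.read()
    except http.client.IncompleteRead as cut:   # connection closed early: keep what arrived
        body = cut.partial
    finally:
        resp.close()
    return status, content_type, expected, body


if __name__ == "__main__":
    # Placeholder URL: point this at wherever you host the EICAR test file.
    url = sys.argv[1] if len(sys.argv) > 1 else "http://eicar-host.example.test/eicar.com"
    status, ctype, expected, body = fetch(url)
    print(status, ctype, "expected", expected, "received", len(body),
          classify(status, ctype, expected, body))
```

Run it from a machine behind Untangle; a result of TRUNCATED with a large file is the "blocked in the Event Log but something was downloaded" case from this answer, and the received byte count will be smaller than the Content-Length the server announced.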
What happens to virus hoaxes?
Spam Blocker, not Virus Blocker or Kaspersky Virus Blocker, blocks virus hoaxes because this type of email is spam and does not carry an actual virus.