GAM FAQs
- What analysis methods are used by the Gateway Anti-Malware engine during inspection?
- The engine controls virus and malware filtering using virus signatures together with proactive methods. Which engines are active depends on the option selected in the Gateway Anti-Malware settings:
| Option | Definition |
|---|---|
| Full Skyhigh Security coverage: The recommended high-performance configuration | When selected, the Skyhigh Security Gateway Anti-Malware engine and the Skyhigh Security Anti-Malware engine are active. Web objects are then scanned using: Proactive methods + Virus signatures. If you are running Secure Web Gateway with a license for Skyhigh Security Gateway Anti-Malware in addition to the one for Secure Web Gateway itself, this option is selected by default. |
| Layered coverage: Full Skyhigh Security coverage plus specific Avira engine features — minor performance impact | When selected, the Skyhigh Security Gateway Anti-Malware engine, the Skyhigh Security Anti-Malware engine, and, for some web objects, also the third-party Avira engine are active. Web objects are then scanned using: Proactive methods + Virus signatures + Third-party engine functions for some web objects. |
| Duplicate coverage: Full Skyhigh Security coverage and Avira engine — less performance and more false positives | When selected, the Skyhigh Security Gateway Anti-Malware engine, the Skyhigh Security Anti-Malware engine, and the third-party Avira engine are active. Web objects are then scanned using: Proactive methods + Virus signatures + Third-party engine functions. |
| Skyhigh Security Anti-Malware without mobile code scanning and emulation | When selected, only the Skyhigh Security Anti-Malware engine is active. Web objects are then scanned using: Virus signatures. This is the option that you must select when running Secure Web Gateway with a license for Secure Web Gateway only, without a license for Skyhigh Security Gateway Anti-Malware. The Skyhigh Security Gateway Anti-Malware license includes a license for Avira. |
| Avira only: Only uses Avira engine — not recommended | When selected, only the Avira engine is active. Web objects are then scanned using: Third-party engine functions. |
| Skyhigh Security Advanced Threat Defense only: Send files to an MATD appliance for deep analysis through sandboxing | When selected, only scanning by Advanced Threat Defense is active. |
| Stop virus scanning right after an engine detected a virus | When selected, all engines stop scanning a web object as soon as one of them has detected an infection by a virus or other malware. |
- What's the maximum file size that can be inspected by Gateway Anti-Malware? It depends on how much free disk space the /opt partition has, because files are extracted to temporary space there during an unarchive-and-scan-all-files job.
- What is the inspection time for files? Do you have an average of these times? It can vary a lot depending on what is being scanned. For example, an ISO file can take 30 minutes to an hour depending on the number of CPUs, the memory, and how busy the SWG already is.
- How much data is extracted from a file to do the malware inspection? It is all based on the number of extracted files and the available disk space, within the tuning settings described below.
- What is the best environment sizing to inspect 10k files of 50GB per day? Is this a forward proxy configuration or an ICAP server? We have a sizing calculator online that the SEs use to determine this.
Certain configuration settings play a major role in the answers to the questions above. Two settings come into play here.
The first is the Enable Opener: what it can unarchive and how many layers deep it unarchives zips within zips. The default is 100 layers, and the maximum unarchived file size is 4GiB.
The second is whether any rules are configured to bypass the Enable Opener based on the file size of the archive. There is a default rule in the Enable Opener rule set that bypasses it if the file size is greater than 100MiB.
We also have a default setting in the Gateway Anti-Malware rule set to bypass scanning of files larger than 200MiB.
As for the Anti-Malware daemons, the default appliance configuration has 25 AV threads waiting for scan jobs. These run serially: one archive is scanned at a time, and the archive together with all the files unarchived from it is assigned to a single AV thread, so that malware detected within an archive file can be tracked back to it.
We also have a setting to adjust the maximum file download size per appliance, per session. A transfer volume of 10GiB per connection may need to be raised, especially when the appliance is configured as an ICAP server to scan very large files.
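To make the interaction of these thresholds concrete, here is an added Python model that is not Skyhigh's code: it applies the default limits quoted above (100MiB opener bypass, 200MiB scan bypass, 100 nesting layers, 4GiB maximum unarchived file, 10GiB per-connection transfer volume) to a downloaded object and lists the jobs the owning AV thread would work through serially. The order in which the rules are evaluated, the `WebObject` representation and all sample inputs are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIB = 1024 ** 2
GIB = 1024 ** 3

# Default thresholds quoted in the FAQ above. The order in which they are
# evaluated below is an assumption made for this model.
MAX_TRANSFER_PER_CONNECTION = 10 * GIB   # per-session download volume
AV_SCAN_BYPASS_SIZE = 200 * MIB          # Gateway Anti-Malware rule set bypass
OPENER_BYPASS_SIZE = 100 * MIB           # Enable Opener rule set bypass
MAX_UNARCHIVE_DEPTH = 100                # nested archive layers the opener follows
MAX_UNARCHIVED_FILE_SIZE = 4 * GIB       # largest member the opener will extract


@dataclass
class WebObject:
    """A downloaded object or an extracted archive member (constructed sample type)."""
    name: str
    size: int                                                  # bytes on the wire / after extraction
    members: List["WebObject"] = field(default_factory=list)   # non-empty => archive


def collect_scan_jobs(obj: WebObject, depth: int = 0,
                      jobs: Optional[List[str]] = None,
                      notes: Optional[List[str]] = None) -> Tuple[List[str], List[str]]:
    """Walk an archive the way the opener would: every extracted member becomes a job
    for the single AV thread that owns this archive, until a depth or size limit stops
    extraction. Returns (job names, notes about what was not unpacked)."""
    jobs = [] if jobs is None else jobs
    notes = [] if notes is None else notes
    jobs.append(obj.name)
    if not obj.members:
        return jobs, notes
    if depth >= MAX_UNARCHIVE_DEPTH:
        notes.append(f"{obj.name}: nesting depth {depth} reached the limit, not unpacked")
        return jobs, notes
    for member in obj.members:
        if member.size > MAX_UNARCHIVED_FILE_SIZE:
            notes.append(f"{member.name}: {member.size // GIB} GiB exceeds the 4 GiB extraction limit, skipped")
            continue
        collect_scan_jobs(member, depth + 1, jobs, notes)
    return jobs, notes


def decide(obj: WebObject) -> Tuple[str, List[str], List[str]]:
    """Apply the top-level size rules, then hand the object to the opener model.
    Returns (verdict, jobs for the AV thread, notes)."""
    if obj.size > MAX_TRANSFER_PER_CONNECTION:
        return "blocked_transfer_limit", [], [f"{obj.name}: exceeds the per-connection transfer volume"]
    if obj.size > AV_SCAN_BYPASS_SIZE:
        return "bypassed_av_scan", [], [f"{obj.name}: larger than 200 MiB, Gateway Anti-Malware bypass rule"]
    if obj.members and obj.size > OPENER_BYPASS_SIZE:
        # Scanned as one opaque object; the Enable Opener bypass rule stops extraction.
        return "scanned_not_unpacked", [obj.name], [f"{obj.name}: larger than 100 MiB, Enable Opener bypass rule"]
    jobs, notes = collect_scan_jobs(obj)
    return "scanned", jobs, notes


def nested_zip(layers: int, innermost: WebObject) -> WebObject:
    """Build a zip-within-zip chain `layers` deep (constructed sample input)."""
    obj = innermost
    for i in range(layers):
        obj = WebObject(f"layer{i}.zip", 1 * MIB, [obj])
    return obj


if __name__ == "__main__":
    small = WebObject("report.zip", 50 * MIB, [WebObject("a.pdf", 2 * MIB), WebObject("b.exe", 1 * MIB)])
    print(decide(small))                                                                   # fully unpacked and scanned
    print(decide(WebObject("installer.zip", 150 * MIB, [WebObject("setup.exe", 400 * MIB)])))  # scanned, not unpacked
    print(decide(WebObject("image.iso", 3 * GIB)))                                         # skipped by the 200 MiB rule
    print(decide(nested_zip(105, WebObject("payload.bin", 10))))                           # stops at layer 100
```

The third and fourth cases are the ones worth noticing when tuning: an archive between 100MiB and 200MiB is still signature-scanned but never opened, and anything nested deeper than the opener limit is never reached, so raising the bypass sizes without also budgeting /opt space and AV thread time only moves the gap rather than closing it.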