Best Practices - Configure Streaming Media Scanning
You can perform a special kind of scanning when the Stream Detector has found that a web object is streaming media.
Anti-malware filtering on Web Gateway usually requires that web objects are completely downloaded and scanned by the Anti-Malware module. But completeness can never be achieved for streaming media, so the usual scanning method will not deliver results, but delay processing of this media type endlessly.
Streaming media must therefore be handled in a special way. Two modules on Web Gateway are available for this:
- The Stream Detector module detects that a web object is streaming media.
- The Media Stream Scanner, which is a component of the Anti-Malware module scans streaming media chunk-by-chunk.
Compared to the usual method, the Media Stream Scanner performs a less intensive way of scanning.
Following the progress made by the Media Stream Scanner, streaming media is delivered chunk-by-chunk to the client that requested its download. If an infection is detected in a chunk, the process is stopped, and this chunk and the rest of the streaming media are not delivered.
A suitable rule calls both components to perform their jobs. It is contained in the default Gateway Anti-Malware rule set.
The rule is not available in older versions of Skyhigh Security Web Gateway. So we recommend the following:
- Inspect your rule set system.
- If the rule is not included in the default Gateway Anti-Malware rule set or any other rule set you are using for anti-malware filtering, create the rule in one of these rule sets.
Make sure you place it immediately before the rule that triggers the usual anti-malware scanning.
Rule for detecting and scanning streaming media
The following rule of the default Gateway Anti-Malware rule set detects streaming media and enables the Media Stream Scanner for scanning this media:
|Start Media Stream Scanner on streaming media and skip anti-malware scanning|
|Cycle.Name equals "Response" AND||Action||Event|
|StreamDetector.IsMediaStream<Default Streaming Detection> equals true||–> Stop Ruleset||– Enable Media Stream
In its rule set, this rule is placed immediately before the rule that triggers the usual anti-malware scanning.
When the Stream Detector finds that a web object is streaming media, the rule stops processing for this rule set and starts the Media Stream Scanner, so the special method of scanning streaming media is performed and the rule for the usual scanning is skipped.
The criteria part with the Cycle.Name property ensures that the rule only applies in the response cycle of processing when web objects are received on Web Gateway from the web, in response to a request that was forwarded.
Settings for the Stream Detector
The settings for the Stream Detector module can be accessed on the settings tree under Stream Detector. The name of the default settings is Default Streaming Detection.
The default settings include only this option:
Minimal probability — Sets the probability of being streaming media that is sufficient for recognizing a web object as streaming media.
- The probability is measured in percent and configured as a number from 1 to 100.
- The probability is found by the Stream Detector. If the minimal probability is reached, the StreamDetector.IsMediaStream property, which is used in the default rule for streaming media filtering, is set to true.
- The default minimal probability is 60. We recommend leaving this value unchanged.