COMPREHENSIVE INTERNET SECURITY™
SonicWALL Internet Security Appliances
SonicWALL PRO 5060
Getting Started Guide
Page 1
Table of Contents
Introduction ................................................................................3
Introduction to the Example Network .................................................... 4
Network Elements ............................................................................... 4
Network Deployment Planning .............................................................. 6
ISP Connection Information ................................................................ 6
Network Information ............................................................................ 6
VPN Information.................................................................................. 6
Configuration Flowchart ........................................................................ 7
Zones Overview .................................................................................... 7
Pre-Defined Zones .............................................................................. 8
Security Types .................................................................................... 8
Setting Up the PRO 5060.........................................................11
Before You Begin ................................................................................ 11
Check Package Contents.................................................................. 11
What You Need to Get Connected...................................................... 11
ISP Connection Information ................................................................ 12
IP Addressing using DHCP............................................................... 12
IP Addressing using PPPoE.............................................................. 12
IP Addressing using a Single, Static Public IP Address.................... 12
SonicWALL PRO 5060c Front View.................................................... 13
SonicWALL PRO 5060f Front View..................................................... 14
SonicWALL PRO 5060 Rear View...................................................... 15
Applying Power to the PRO 5060........................................................ 15
Connecting the Network Cables.......................................................... 16
Configuring Your Management Station ............................................... 17
Windows XP...................................................................................... 17
Windows 2000................................................................................... 17
Windows NT...................................................................................... 18
Windows 98....................................................................................... 18
Accessing the PRO 5060 Management Interface ............................... 19
Troubleshooting ................................................................................ 20
Configuring the WAN (Internet) and LAN Connectivity ............21
Configuring WAN and LAN Connectivity with the Setup Wizard ......... 21
Using the Setup Wizard .................................................................... 21
Configuring Access to Public Servers ......................................25
Creating the DMZ for Public Servers................................................... 25
Creating Access to the Server with the Public Server Wizard............. 27
What the Public Server Wizard Configures....................................... 28
Testing the Public Server .................................................................. 29
Creating a Custom Security Zone ............................................31
Creating and Configuring the Zone ..................................................... 31
Creating the Zone and Assigning an Interface.................................. 31
Configuring the DHCP Server ........................................................... 33
Configuring Access Rules for the Zone............................................. 34
Testing Access from the New Zone .................................................. 35
Configuring GroupVPN for SonicWALL Global VPN Clients....37
Configuring GroupVPN using the VPN Policy Wizard......................... 37
Using the VPN Policy Wizard............................................................ 38
Connecting the Global VPN Clients .................................................. 40
Configuring a Site-to-Site VPN.................................................41
Configuring a Site-to-Site VPN using the VPN Policy Wizard ............. 41
Using the VPN Policy Wizard to Configure Preshared Secret .......... 41
Registering the PRO 5060 and Activating Security Services.....................45
mySonicWALL.com............................................................................. 45
Registering Your SonicWALL.............................................................. 46
Creating Your mySonicWALL.com Account...................................... 46
Registering Your SonicWALL from the Management Interface ........ 47
Activating SonicWALL Security Services ............................................ 48
1 Introduction
This guide explains how to configure your SonicWALL PRO 5060 running SonicOS
Enhanced as the central security appliance for your corporate network. The network diagram
shows a typical PRO 5060 deployment scenario where the PRO 5060 protects multiple
networks at the corporate Headquarters (HQ). The PRO 5060 also acts as a VPN gateway
for a remote satellite office, telecommuter, and mobile users using the SonicWALL Global
VPN Client.
Your network may include different elements but you can use specific parts of this guide to
configure your custom scenario. This scenario involves setting up your SonicWALL PRO
5060 and configuring SonicOS Enhanced management interface.
Note: See the SonicWALL PRO 5060 Resource CD that ships with your security appliance for an
interactive PDF version of this Getting Started Guide and the SonicOS Enhanced
Administrator’s Guide. Also included on the Resource CD are Administrator’s Guides for all
SonicWALL Security Services, such as SonicWALL Intrusion Prevention Service.
Introduction to the Example Network
The example network shows most common network design elements in a single example. It
demonstrates a common setup scenario for deploying your SonicWALL PRO 5060.
Network Elements
The following network elements together make up the deployment scenario used as the basis
of this guide. Your network may include all or some of the elements. For example, after setting
up your security appliance and configuring it for Internet (WAN) and LAN connectivity, you
may only need to create Internet access to a public server on your network and a VPN policy
to support SonicWALL Global VPN Clients.
Figure: Example network. Corporate HQ: PRO 5060 (interfaces X0 - X5) with LAN on X0 (192.168.168.168/24), DMZ on X2 (172.22.2.1/24; Mail Server 172.22.2.33 and WWW Server), Accounting on X4 (172.22.3.1/24; Accounting Server), and WAN on X1 (64.56.191.114/24) connecting to the Internet. Satellite Office: TZ 170 Wireless over a site-to-site VPN. Remote Employees: Global VPN Clients.
PRO 5060
The SonicWALL PRO 5060 is the central security appliance of the example network. It is
running SonicOS Enhanced. This guide focuses on configuring the PRO 5060 security
appliance and assumes all other devices and servers are already configured.
• The X0 interface is configured to the LAN Zone.
• The X1 interface is configured to the WAN zone. The site-to-site VPN and remote VPN
clients use this interface.
• The X2 interface is set up as the DMZ. E-mail and Web servers communicate through
this zone to protect your LAN.
• The X4 interface is set up as a separate “Accounting” zone in this example, which
provides restricted access to sensitive company information.
WAN
The WAN zone is the connection to the Internet. Two sets of protected resources
communicate with the PRO 5060 via the WAN using VPNs:
• SonicWALL TZ 170 Wireless: The SonicWALL TZ 170 Wireless is running SonicOS
Standard and is located at the other end of a site-to-site VPN tunnel. It is located in a
small remote office with multiple PCs connected to it. The office has a DSL Internet
connection using PPPoE.
• SonicWALL Global VPN Clients: SonicWALL Global VPN Clients are used by mobile
users or telecommuters with dial-up or broadband Internet access scattered across the
country. The Global VPN Clients are automatically configured from the SonicWALL PRO
5060 with a GroupVPN policy.
Note: For more product information on the SonicWALL Global VPN Client, please visit
http://www.sonicwall.com. Product documentation is available on your PRO 5060
Resource CD or at http://www.sonicwall.com/services/documentation.html.
LAN
The LAN is the internal corporate network. It has a Windows 2000 network server, an internal
Web server, and a wide variety of user desktop stations. All traffic to and from the LAN goes
through the X0 interface.
DMZ
The DMZ is a special zone for traffic you don’t necessarily want to trust. The corporate e-mail
server and external Web server are in the DMZ, and access from the DMZ to the rest of the
network is tightly controlled with access policies. The DMZ uses the X2 interface.
Accounting
Accounting is a separate protected network similar to the LAN but needs access tightly
controlled via firewall access rules between the zones. It uses the X4 interface.
Network Deployment Planning
ISP Connection Information
IP Addressing using DHCP
No information necessary. The security appliance automatically detects the presence of a
DHCP server during setup.
IP Addressing using PPPoE
User Name:________________________
Password:_________________________
IP Addressing using a Single, Static Public IP Address
IP Address:________________________
Subnet Mask:______________________
Default Gateway:___________________
Primary DNS:______________________
Secondary DNS:___________________
Network Information
WAN - Network Mode:______________
IP Address:____________
Subnet Mask:____________
Router IP Address:_______________
DNS Server 1 IP Address:______________
DNS Server 2 IP Address:_________________
LAN - IP Address:____________
Subnet Mask:____________
DHCP Enabled: Yes__ No__
DHCP IP Address Range:______________________
VPN Information
The IP addressing information of the remote SonicWALL appliances for setting up site-to-site
VPN tunnels.
Configuration Flowchart
Configuring this example network encompasses the following steps:
1. Setting Up the PRO 5060: Set up the physical connections to the SonicWALL PRO 5060
and configure the Management Station for access to the security appliance Management
Interface.
2. Configuring the WAN (Internet) and LAN Connectivity: Configure your Internet
connection and LAN using the Setup Wizard.
3. Configuring Access to Public Servers: Configure the DMZ zone to allow access from
inside and outside the LAN using the Public Server Wizard.
4. Creating a Custom Security Zone: Configure a custom Accounting zone to tightly
control access to sensitive information.
5. Configuring GroupVPN for SonicWALL Global VPN Clients: Configure a GroupVPN
on the PRO 5060 using the VPN Wizard to allow remote users to connect to your network
with the SonicWALL Global VPN Client or SonicWALL Global Security Client.
6. Configuring a Site-to-Site VPN: Configure a site-to-site VPN to connect a SonicWALL
TZ 170 Wireless at a remote office using the VPN Wizard to allow the users at the remote
office to connect to the corporate network.
7. Registering the PRO 5060 and Activating Security Services: Register your
SonicWALL PRO 5060 and activate SonicWALL Security Services directly from the
SonicWALL security appliance Management Interface.
Zones Overview
A security zone is simply a logical method of grouping one or more interfaces or subinterfaces
with friendly, user-configurable names, and applying security rules as traffic passes from one
zone to another zone. This concept of multiple segments, or interfaces, logically grouped
together is called security zones. Configuration by security zones provides an additional,
more flexible layer of security for the security appliance.
The security zone permits the administrator to name the zone in a user-friendly way and to
write security rules that apply to all the segments in a zone, without needing to address each
physical interface individually. This greatly simplifies the firewall rule base. Security zones
also allow you to group multiple physical segments together as well as selectively apply
SonicWALL Security Service across zones, such as Intrusion Prevention Service.
The SonicWALL PRO 5060 has six user-definable interfaces. The first two interfaces (X0 and
X1) are fixed interfaces, permanently bound to the LAN and WAN zones, respectively. The
remaining four interfaces, X2-X5 on the PRO 5060c, X2, X3, F0, and F1 on the PRO 5060f,
can be configured and bound to any zone.
Pre-Defined Zones
The pre-defined security zones on the SonicWALL PRO 5060 are not modifiable and are
defined as follows:
• WAN: The WAN zone is usually connected to the internet, and has the lowest level of
trust. This zone can consist of either one or two interfaces.
• LAN: This zone can consist of one to five interfaces, depending on your network design.
Even though each interface will have a different network subnet attached to it, when
grouped together they can be managed as a single entity.
• DMZ: This zone is normally used for publicly accessible servers. This zone can consist of
one to four interfaces, depending on your network design.
• VPN: This virtual zone is used for simplifying secure, remote connectivity. It does not
have an assigned physical interface.
• WLAN: This zone provides support to SonicWALL SonicPoints.
• MULTICAST: This zone provides support for IP multicasting, which is a method for
sending IP packets from a single source simultaneously to multiple hosts.
Note: Even though you may group interfaces together into one security zone, you may still
address an individual interface within the Zone.
Security Types
Each zone has a security type. The security type defines the level of trust given to that zone.
There are five security types:
• Trusted: Trusted is a security type that provides the highest level of trust, meaning that
the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted
security can be thought of as being on the LAN (protected) side of the security appliance.
The LAN zone is always Trusted.
• Encrypted: Encrypted is a security type used exclusively by the VPN Zone. All traffic to
and from an Encrypted zone is encrypted.
• Wireless: Wireless is a security type applied to the WLAN zone or any zone where the
only interface to the network consists of SonicWALL SonicPoint devices. You typically
use WiFiSec to secure traffic in a Wireless zone. The Wireless security type is designed
specifically for use with SonicPoint devices. Placing an interface in a Wireless Zone
activates SDP (SonicWALL Discovery Protocol) and SSPP (SonicWALL Simple
Provisioning Protocol) on that interface for automatic discovery and provisioning of
SonicPoint devices. Only traffic that passes through a SonicPoint is allowed through a
Wireless zone; all other traffic is dropped.
• Public: A Public security type offers a higher level of trust than an Untrusted zone, but a
lower level of trust than a Trusted zone. Public zones can be thought of as being a
secure area between the LAN (protected) side of the security appliance and the WAN
(unprotected) side. The DMZ, for example, is a Public zone because traffic flows from it
to both the LAN and the WAN, but it will only have default access to the WAN, not the
LAN.
• Untrusted: The Untrusted security type represents the lowest level of trust. It is used by
both the WAN and the virtual Multicast zone. An Untrusted zone can be thought of as
being on the WAN (unprotected) side of the security appliance. By default, traffic from
Untrusted zones is not permitted to enter any other zone type without explicit rules, but
traffic from every other zone type is permitted to Untrusted zones.
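The zone model described above (interfaces grouped into zones, rules written per zone pair, and a default behaviour derived from each zone's security type) can be expressed as a small policy evaluator. The following Python is an added example written for this guide, not SonicOS code and not the appliance's actual rule engine: the zone-to-type table and the Untrusted/Public defaults come from the text, while the assumption that Trusted sources reach every zone by default, the omission of the Accounting zone (whose security type the guide does not state), the single hypothetical WAN-to-DMZ SMTP rule, and the 198.51.100.0/24 "Internet" addresses are constructed for illustration. NAT, which the Public Server Wizard also configures, is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The five security types named in the guide.
TRUSTED = "Trusted"
ENCRYPTED = "Encrypted"
WIRELESS = "Wireless"
PUBLIC = "Public"
UNTRUSTED = "Untrusted"

# Pre-defined zones and their security types, as the guide lists them.
ZONE_TYPE: Dict[str, str] = {
    "LAN": TRUSTED,
    "WAN": UNTRUSTED,
    "DMZ": PUBLIC,
    "VPN": ENCRYPTED,
    "WLAN": WIRELESS,
    "MULTICAST": UNTRUSTED,
}

# Interface-to-zone binding for the example network: X0 and X1 are fixed
# to LAN and WAN; X2 is bound to the DMZ. The custom Accounting zone on X4
# is left out because the guide does not state its security type.
INTERFACE_ZONE: Dict[str, str] = {"X0": "LAN", "X1": "WAN", "X2": "DMZ"}


def default_allowed(src_type: str, dst_type: str) -> bool:
    """Behaviour when no explicit rule matches a zone pair.

    From the guide: Untrusted sources may not enter any other zone type
    without explicit rules; every other zone type may reach Untrusted
    zones; a Public zone (the DMZ) has default access to the WAN but not
    to the LAN. Assumption (not stated in the guide): Trusted sources
    may reach every zone, and every remaining pair is denied until a
    rule allows it.
    """
    if src_type == UNTRUSTED:
        return False
    if dst_type == UNTRUSTED:
        return True
    if src_type == TRUSTED:
        return True
    return False


@dataclass
class Rule:
    """An explicit zone-to-zone access rule; None fields match anything."""
    src_zone: str
    dst_zone: str
    action: str  # "allow" or "deny"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    dst_ip: Optional[str] = None

    def matches(self, src_zone: str, dst_zone: str, proto: str,
                dst_port: int, dst_ip: str) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.proto in (None, proto)
                and self.dst_port in (None, dst_port)
                and self.dst_ip in (None, dst_ip))


# Hypothetical rule of the kind the Public Server Wizard creates for the
# DMZ mail server at 172.22.2.33 (constructed for this example).
EXAMPLE_RULES: List[Rule] = [
    Rule("WAN", "DMZ", "allow", proto="tcp", dst_port=25, dst_ip="172.22.2.33"),
]


def evaluate(rules: List[Rule], in_iface: str, out_iface: str,
             proto: str, dst_port: int, dst_ip: str) -> str:
    """Decide allow/deny for a flow by zone pair: the first matching
    explicit rule wins, otherwise the security-type defaults apply."""
    src_zone = INTERFACE_ZONE[in_iface]
    dst_zone = INTERFACE_ZONE[out_iface]
    for rule in rules:
        if rule.matches(src_zone, dst_zone, proto, dst_port, dst_ip):
            return rule.action
    if default_allowed(ZONE_TYPE[src_zone], ZONE_TYPE[dst_zone]):
        return "allow"
    return "deny"


if __name__ == "__main__":
    # Constructed flows; 198.51.100.0/24 is a documentation network
    # standing in for Internet hosts.
    flows = [
        ("X0", "X1", "tcp", 80, "198.51.100.5"),     # LAN -> Internet
        ("X1", "X0", "tcp", 445, "192.168.168.10"),  # Internet -> LAN
        ("X1", "X2", "tcp", 25, "172.22.2.33"),      # Internet -> DMZ mail
        ("X1", "X2", "tcp", 22, "172.22.2.33"),      # Internet -> DMZ ssh
        ("X2", "X0", "tcp", 445, "192.168.168.10"),  # DMZ -> LAN
        ("X2", "X1", "tcp", 25, "198.51.100.25"),    # DMZ -> Internet
    ]
    for flow in flows:
        print(flow, "->", evaluate(EXAMPLE_RULES, *flow))
```

Because rules are keyed by zone rather than by interface, binding a second interface to the DMZ zone would make the same rule set apply to it without any change to the rules, which is the simplification the guide attributes to zones.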
2 Setting Up the PRO 5060
This chapter explains the physical setup of your PRO 5060 and setting up your Management
Station to access the SonicWALL Management Interface. The Management Station is the
computer you use to access the PRO 5060 Management Interface.
After you physically set up the security appliance and configure the Management Station,
use the Setup Wizard to configure the LAN and WAN (Internet) connections.
Before You Begin
Check Package Contents
• One SonicWALL PRO 5060
• One SonicWALL PRO 5060 Getting Started Guide
• One PRO 5060 Resource CD (Includes product documentation and utilities)
• One Ethernet cable
• One Crossover cable
• One Console Port cable
• One Power cord
• One Mounting Kit including brackets and screws
Alert! If any items are missing from your package, contact SonicWALL, Inc.
Web: Phone: (888) 777-1476
What You Need to Get Connected
• SonicWALL PRO 5060 Internet Security Appliance
• Broadband Internet connection
• PC or Macintosh computer
• A Web browser (Microsoft Internet Explorer v5.0 or later, or Netscape Navigator v4.7 or
later). Your Web browser must support Java and HTTP uploads in order to fully manage
the security appliance.
• Internet Service Provider (ISP) connection information
• Network addressing information
ISP Connection Information
Before you can begin installing your security appliance, determine how your ISP distributes
IP addresses. The most common instances include the following connection methods:
• A range of public, static IP addresses
• A single static IP address
• A dynamic IP address using DHCP
• A dynamic IP address using PPPoE
Alert! If you are not using one of the network configurations above, step-by-step installation
instructions for additional networking methods are found in the SonicWALL
Administrator’s Guide on the PRO 5060 Resource CD. The SonicWALL Administrator’s
Guide requires Acrobat Reader to view it. Acrobat Reader is also provided on the Resource
CD.
Record all of your networking information in the checklist below:
IP Addressing using DHCP
No action necessary. The security appliance automatically detects the presence of a DHCP
server during setup.
IP Addressing using PPPoE
User Name:________________________
Password:_________________________
IP Addressing using a Single, Static Public IP Address
IP Address:________________________
Subnet Mask:______________________
Default Gateway:___________________
Primary DNS:______________________
Secondary DNS:___________________
SonicWALL PRO 5060c Front View
• Console Port: DB-9 RS-232 Console port for Command Line Interface support.
• Power: Lights up when power is applied to the security appliance.
• Test: Lights when the security appliance is powered up and performing diagnostic tests
to check for proper operation. These tests take about 90 seconds. If the Test LED
remains lit after this time, turn the security appliance off and back on again after a few
seconds.
If the security appliance fails to restart, contact SonicWALL Tech. Support at
http://www.sonicwall.com/support/ or (888) 777-1476
• Alarm: Lights when the firmware is reset and when certain network traffic conditions
occur.
There are six Ethernet ports: one for the LAN port, one for the WAN port, and four user-defined
ports:
• Link: Lights up when a Twisted Pair connection is made to another Ethernet device on
the port. Note that the device connected to the security appliance must support the
standard Link Integrity test.
• 100/1000: Lights orange when the connection is a 100 Mbps connection. Lights green
when the connection is a 1 Gbps connection.
• Activity: Lights up when the security appliance transmits or receives a packet through
the Twisted Pair port.
Figure: PRO 5060c front view. Console Port; Power, Test, and Alarm LEDs; LAN (X0), WAN (X1), and User-defined Ports (X2 - X5), each with link, 100/1000, and act LEDs.
SonicWALL PRO 5060f Front View
• Console Port: DB-9 RS-232 Console port for Command Line Interface support.
• Power: Lights up when power is applied to the security appliance.
• Test: Lights when the security appliance is powered up and performing diagnostic tests
to check for proper operation. These tests take about 90 seconds. If the Test LED
remains lit after this time, turn the security appliance off and back on again after a few
seconds.
If the security appliance fails to restart, contact SonicWALL Tech. Support at
http://www.sonicwall.com/support/ or (888) 777-1476
• Alarm: Lights when the firmware is reset and when certain network traffic conditions
occur.
There are six Ethernet ports: one for the LAN port, one for the WAN port, and four user-defined
ports:
• Link: Lights up when a Twisted Pair connection is made to another Ethernet device on
the port. Note that the device connected to the security appliance must support the
standard Link Integrity test.
• 100/1000: Lights orange when the connection is a 100 Mbps connection. Lights green
when the connection is a 1 Gbps connection.
• Activity: Lights up when the security appliance transmits or receives a packet through
the Twisted Pair port.
Figure: PRO 5060f front view. Console Port; Power, Test, and Alarm LEDs; LAN (X0), WAN (X1), User-defined Ports (X2 - X3), and User-defined Ports (F0 - F1), each with link, 100/1000, and act LEDs.
SonicWALL PRO 5060 Rear View
• Power Input: Connects to the external power supply that is provided with the security
appliance. The use of an Uninterruptible Power Supply (UPS) is recommended to protect
the security appliance against damage or loss of data due to electrical storms, power
failures, or power surges.
• Internal Fans: Four chassis fans and one power supply fan maintain the temperature of
the security appliance and prevent overheating.
Alert! Obstructing the airflow or blocking the fans causes the security appliance to overheat.
Be sure to allow enough room for air circulation around the appliance.
Applying Power to the PRO 5060
Plug the power cord into the security appliance and the other end into an appropriate power
outlet. Turn on the security appliance using the On/Off switch located on the back of the
appliance.
The Power light turns green when power is applied to the security appliance and the Test
light remains lit for approximately one minute while the security appliance performs a series
of diagnostic tests. When the Test light is no longer lit, the security appliance is ready for
configuration.
Figure: PRO 5060 rear view. Power Input (100-240VAC, 50-60Hz, 1.5A), Power Switch, and Internal Fans.
Connecting the Network Cables
Connect one end of the gray Ethernet cable to your DSL modem, cable modem, or Internet
router. Connect the other end of the gray Ethernet cable to the WAN (X1) port of the PRO
5060. When you connect the cable, the link LED lights either orange or green indicating an
active connection. If the LED does not light, try connecting the red crossover cable.
Figure: WAN (X1) cable connection on the SonicWALL PRO 5060c and on the SonicWALL PRO 5060f.
Connect one end of the provided Crossover cable to the Ethernet port of your computer.
Connect the other end of the cable to the LAN (X0) port of your PRO 5060. The link LED lights
indicating an active connection. If the LED does not light, try the Ethernet cable.
Figure: LAN (X0) cable connection on the PRO 5060c and on the PRO 5060f.
Configuring Your Management Station
The management station is the computer you use to access the SonicWALL PRO 5060
Management Interface. The management station must have Windows XP, 2000, NT, or 98
and must have a web browser that supports HTTP upload, such as Microsoft Internet
Explorer 6.0 or Netscape 7.0.
To configure your management station to connect to the Management Interface, use the
following instructions that match the operating system of your computer:
Windows XP
1. On your desktop, right-click the My Network Places icon and select Properties.
2. Right-click on the Local Area Connection icon and select Properties.
3. Open the Local Area Connection Properties window.
4. Double-click Internet Protocol (TCP/IP) to open the Internet Protocol (TCP/IP)
Properties window.
5. Select Use the following IP address and type 192.168.168.200 in the IP address field.
6. Enter 255.255.255.0 in the Subnet Mask field.
7. Enter the DNS IP address in the Preferred DNS Server field. If you have more than one
address, type the second one in the Alternate DNS server field.
8. Click OK for the settings to take effect on the computer.
Windows 2000
1. From your Windows task bar, click Start.
2. Then click Settings.
3. Click Network and Dial-up Connections.
4. Double-click the network icon to open the connection window.
5. Click Properties.
6. Highlight Internet Protocol (TCP/IP) and click Properties.
7. Select Use the following IP address.
8. Enter 192.168.168.200 in the IP address field.
9. Enter 255.255.255.0 in the Subnet field.
10. If you have a DNS Server IP address from your ISP, enter it in the Preferred DNS
Server field.
11. Click OK.
Windows NT
1. From the Start list, highlight Settings and then select Control Panel.
2. Double-click the Network icon in the Control Panel window.
3. Double-click TCP/IP in the TCP/IP Properties window.
4. Select Specify an IP Address.
5. Enter 192.168.168.200 in the IP Address field.
6. Enter 255.255.255.0 in the Subnet Mask field.
7. Click DNS at the top of the window.
8. Type the DNS IP address in the Preferred DNS Server field. If you have more than one
address, enter the second one in the Alternate DNS server field.
9. Click OK, and then click OK again.
10. Restart the computer.
Windows 98
1. From the Start list, highlight Settings and then select Control Panel. Double-click the
Network icon in the Control Panel window.
2. Double-click TCP/IP in the TCP/IP Properties window.
3. Select Specify an IP Address.
4. Enter 192.168.168.200 in the IP Address field.
5. Enter 255.255.255.0 in the Subnet Mask field.
6. Click DNS Configuration.
7. Type the DNS IP address in the Preferred DNS Server field. If you have more than one
address, type the second one in the Alternate DNS server field.
8. Click OK, and then click OK again.
9. Restart the computer.
Accessing the PRO 5060 Management Interface
The SonicWALL PRO 5060 LAN (X0) port is configured with the default IP address of
192.168.168.168.
To begin configuring your security appliance, log into the LAN port of the SonicWALL security
appliance at the default IP address using a Web browser:
Alert! Disable any popup blocking software before launching the Management Interface. Many of the
management procedures will not be able to complete without using popup browser windows.
Allow enough time for the security appliance to power up completely before attempting to log into the
Management Interface. It takes approximately one minute for the security appliance to cycle
completely. When the Test light is no longer lit, the security appliance is ready for configuration.
1. Launch your Web browser.
Note: Because you are temporarily disconnected from the Internet, you may receive an error
message when your Web browser first opens. This does not affect the configuration
process.
2. Enter 192.168.168.168 in the Location or Address field.
3. The first time you log into the SonicWALL Management Interface, the Setup Wizard is
automatically displayed for configuring your WAN (Internet) and LAN setup.
See Configuring WAN and LAN Connectivity with the Setup Wizard for configuration
instructions using the Setup Wizard.
Troubleshooting
If you cannot connect to the security appliance, check the following:
• Did you correctly enter the SonicWALL default LAN IP address in your browser window?
• Is the security appliance connected to the same network as your computer?
• Have you changed the TCP/IP network settings on your computer?
• Try pinging the 192.168.168.168 LAN IP address of the security appliance from your
computer. It should reply, assuming that you are using the correct TCP/IP network
settings and have a good Ethernet connection. If it does reply, try again with the Web
browser to 192.168.168.168.
3 Configuring the WAN (Internet) and
LAN Connectivity
This procedure steps you through using the Setup Wizard or Management Interface to
configure the Primary WAN (X1) and LAN (X0) Interfaces.
In the example network used in this guide, the LAN and WAN are configured:
• LAN Interface: X0 - 192.168.168.168
• WAN Interface: X1 - 64.56.191.114 (IP address for www.sonicwall.com)
Configuring WAN and LAN Connectivity with the Setup
Wizard
The Setup Wizard automates the following steps:
• Change Administrator Password and Time Zone
• Select WAN mode: Static IP, DHCP, PPPoE, or PPTP
• Configure WAN ports
• Configure LAN port
• Configure DHCP for the LAN
Using the Setup Wizard
1. The first time you log into the security appliance, the Setup Wizard is automatically
displayed. If the Setup Wizard is not displayed, click the Wizards button on the
System>Status page and select Setup Wizard in the first screen.
2. Click Next.
3. In the Change Password page, enter a new management password and click Next.
Alert! If you change the default password (password), be sure to note your new password. You
need the new password to log into your SonicWALL Management Interface.
4. In the Change Time Zone page, select your time zone and click Next.
5. Select the WAN network mode for generating the IP addresses in the WAN Network
Mode page. Click on a link for a definition of that networking mode. You can select:
• Static IP
• DHCP
• PPPoE
• PPTP
For this example, select Static IP and click Next.
6. If you selected Static IP, in the next screen enter the IP Address, Subnet Mask, Gateway
address, and DNS Server information.
For this example, enter:
• SonicWALL WAN IP Address: 64.56.191.114
• WAN Subnet Mask: 255.255.0.0
• Gateway (Router) Address: the address of your gateway router, for example,
10.0.0.254
• DNS Server Address: the address of your DNS server, for example, 10.50.128.52
• DNS Server Address #2 (optional): if you have a secondary DNS server, its
address, for example, 10.50.128.53
If you selected DHCP, you do not need to enter any ISP settings in the next screen. Your
security appliance will automatically detect the DHCP server settings.
If you selected PPPoE, in the next screen select whether to automatically obtain an IP
address from the server or use a specific one. Enter the PPPoE username and
password. Check the Inactivity Disconnect box and specify a number of minutes if you
want it to automatically disconnect from the PPPoE server after a certain amount of
inactive time.
If you selected PPTP, enter the PPTP server IP address, username, and password.
Select whether you want the device to automatically obtain an IP address or use a
specified address. If you select to use a specified address, enter the WAN IP address,
the WAN/DMZ netmask, and the IP address of the gateway router.
7. Configure the LAN Settings: Enter the IP address and subnet mask.
For this example, accept the default:
• SonicWALL LAN IP Address: 192.168.168.168
• LAN Subnet Mask: 255.255.255.0
8. If you are using DHCP for your LAN, check the Enable DHCP box and enter the range of
IP addresses available for the DHCP server.
For this example, enter a LAN address range from 192.168.168.1 to 192.168.168.255.
Note: If you already have a DHCP Server configured for the LAN, the Setup Wizard automatically
detects it and does not display the LAN DHCP Settings page.
9. Verify the configuration in the Configuration Summary page. Click Back to return to a
previous screen of the wizard and change a setting.
10. Click Apply to apply the configuration to your security appliance. The next screen shows
the progress as it applies the settings. When the configuration is complete, you see the
Wizard Complete page showing your management URL and the management login ID.
For security purposes, the configuration summary does not display the management
password.
4 Configuring Access to Public Servers
SonicOS Enhanced includes the Public Server Wizard to automate configuring the
SonicWALL PRO 5060 to handle public servers, for example an e-mail server and a Web
server on your network that users on the Internet must be able to reach.
The Public Server Wizard allows you to select or define the server type (HTTP, FTP, Mail),
the private (internal) address objects, and the public (external) address objects. Once the
server type and the private and public network objects are configured, the wizard creates the
correct NAT Policies and Access Rule entries on the PRO 5060 for the server. You can use
the SonicWALL Management Interface for additional configuration options.
Creating the DMZ for Public Servers
The example network used in this guide has two public servers, an e-mail server and a web
server, in the DMZ zone. The DMZ is configured as follows:
• DMZ Interface: X2 - 172.22.2.1
• DMZ IP Range: 172.22.2.1 to 172.22.2.255
• Mail Server IP: 172.22.2.33
This example steps you through configuring the mail server in the DMZ zone, and making it
available both inside and outside your network. Placing your servers on the DMZ provides
added protection for your LAN from Internet threats.
Before using the Public Server Wizard to create the e-mail server in the DMZ, you must
configure a DMZ port:
1. Select Network>Interfaces.
2. Select an unassigned interface and click the Edit icon to edit its settings. For the
example in this guide, select X2.
3. In the Edit Interface window, assign:
• Zone: DMZ
• IP Address: 172.22.2.1
• Subnet Mask: 255.255.255.0
4. Click OK.
Note: Record the IP address range you assigned to the DMZ. To create a server in the DMZ, you
must assign the server an IP address in that range. The IP address range created in this
example is 172.22.2.1 - 172.22.2.255.
Creating Access to the Server with the Public Server Wizard
Once you create the DMZ zone, you use the Public Server Wizard to set up each server on
your DMZ. The following example shows you how to configure the PRO 5060 to handle an
e-mail server.
1. On the System>Status page, click Wizards.
2. Select Public Server Wizard and click Next.
3. For Server Type, select Mail Server. Leave all three protocols selected: SMTP, POP3,
and IMAP. Click Next.
4. Enter the name of the server.
5. Enter the private IP address of the server. For this server to be in the DMZ zone, you must
specify an IP address in the range assigned to DMZ. The Public Server Wizard
automatically assigns the server to the zone in which its IP address belongs. In this
example, because the DMZ address range is 172.22.2.x/24, enter 172.22.2.33.
6. Click Next.
7. Enter the public IP address of the server. The default address is the WAN public IP
address. If you enter a different IP, the Public Server Wizard creates an address object
for that IP address and binds the address object to the WAN zone. For this example, use
the default address.
8. Click Next.
9. The Summary page displays a summary of all the configuration you have performed in
the wizard. See the next section for an explanation of what the Public Server Wizard
configures on the PRO 5060.
10. Click Apply to complete the wizard and apply the configuration to your security
appliance. The final Congratulations page is displayed.
11. Click Close.
What the Public Server Wizard Configures
The Public Server Wizard performs several interrelated tasks within the SonicWALL
Management Interface to enable Internet users to access servers on your network. The
following explains the configuration changes made to your security appliance after
completing the wizard.
Server Address Objects
The wizard creates the address object for the new server and binds it to the DMZ zone. It
gives the object the name you specified for the server plus “_private”. The wizard assigns the
server to the DMZ because you specified an IP address in the DMZ address range. If you had
specified an IP address in the range of another zone, it would have bound the address object
to that zone. For example, if you had specified 10.0.93.100, and the IP range for the WAN
zone is 10.0.93.x/24, the wizard would have bound the IP address to the WAN zone. If you
specified an IP address out of the range of any zone you have configured, the wizard would
have bound the address object to the LAN zone. The wizard states that it uses the existing
WAN address object when constructing policies between the new server and the WAN.
Server Service Address Object
The wizard creates a service group object for the services used by the new server. In this
example, the service group includes SMTP, IMAP4 and POP3, the three mail services. This
way, you have a convenient group to refer to when creating or editing access policies for this
server.
Server NAT Policies
The wizard creates a NAT policy that translates the destination address of every incoming
packet that uses one of the services in the new service group and is addressed to the WAN
address, so that the packet goes to the address of the new server. Therefore, in this example,
if a POP3 packet arrives addressed to the WAN interface (64.56.191.114), the NAT policy
translates its destination address to 172.22.2.33. The wizard also creates a Loopback NAT
policy so that mail service traffic sent from inside your network to the WAN IP address is
likewise translated to the address of the mail server.
Server Access Rules
The wizard creates an access policy allowing all mail service traffic from the WAN zone to the
DMZ.
Testing the Public Server
You may wish to verify that the Address Objects, Access Rules and NAT Policies were created
properly by testing access from the WAN with an external host, and also from inside the
firewall (Firewalled Subnets). Test internal access from every applicable zone and interface,
using both the private and the public address of the server.
5 Creating a Custom Security Zone
SonicOS Enhanced provides zone-based security policies. A security zone is a logical
method for grouping one or more interfaces with user-configurable names, and applying
security rules as traffic passes from one zone to another zone. Using zones on your security
appliance enables you to organize resources into different zones, and then selectively allow
or deny various types of network traffic between zones. This allows you to restrict access to
critical internal resources, such as accounting or engineering code servers.
In this example, the administrator creates a custom zone on X4 to secure an Accounting
network.
Creating and Configuring the Zone
Creating and configuring a custom zone consists of three primary steps:
1. Create the zone and assign an interface.
2. Configure the DHCP server for the zone.
3. Configure Access Rules for the zone.
Creating the Zone and Assigning an Interface
1. In the SonicWALL Management Interface, select Network>Interface.
2. To edit the interface, click on the Edit icon for the X4 interface. The Edit Interface
X4 window is displayed.
3. In the General tab, select Create new Zone from the Zone menu.
4. In the Add Zone dialog box, enter the configuration for the new zone:
• Name: Enter the name of the zone, for this example Accounting.
• Security Type: When creating a custom zone, the zone can be Trusted, Public, or
Wireless. Because you want this zone in this example to be on the LAN (protected)
side of the security appliance, select Trusted.
• Check Allow Interface Trust to allow unhindered traffic between interfaces within the
same zone.
• The three services, Content Filtering, Anti-Virus, and Intrusion Prevention
Service (IPS) are optional. See the SonicOS Administrator's Guide or
www.sonicwall.com for information on these services.
5. Click OK. You return to the Edit Interface window with the new Accounting zone selected
and the rest of the configuration choices available.
6. Enter the information for the interface:
• Zone: The new zone is already selected.
• IP Address and Subnet Mask: Enter the IP address and subnet mask for the
interface. This will define the address range for this zone. For this example, enter
172.22.3.1 for the IP address and 255.255.255.0 for the subnet mask.
• Comment: Enter any descriptive text about the zone.
• Management: The choices under the Management heading determine whether the
firewall administrator can log in and manage the firewall using the selected protocol. For
this example, do not allow any management traffic. Leave all choices unchecked.
• User Login: These choices allow users to authenticate directly with the firewall using
HTTP or HTTPS. For this example, the users will authenticate with Windows
networking and the local servers in the accounting zone. Leave both options
unchecked.
7. Click OK.
8. A warning dialog box tells you that Web management is disabled on this zone. Because
Web management is enabled on the LAN zone, click OK to continue.
Configuring the DHCP Server
1. In the SonicWALL Management Interface, select Network>DHCP Server.
2. In the Network>DHCP Server page, if Enable DHCP Server is not checked, check it.
3. Click Configure. The DHCP Server Configuration window is displayed.
4. The Dynamic tab of the DHCP Server Configuration window should list a DHCP server
range for the X0 (LAN) zone.
5. Click Add in the Dynamic tab to add a range for your custom zone. The Dynamic
Range Configuration window is displayed.
6. Select the X4 interface you assigned to the new zone from the Interface list. When you
select the interface, the rest of the fields automatically populate with the information for
that zone.
7. Lease Time is the number of minutes a resource (a PC or server) can hold on to a
dynamically assigned IP address. The default is 1440 minutes (24 hours).
8. Make sure Enable this DHCP Range is checked and click OK.
Configuring Access Rules for the Zone
1. In the SonicWALL Management Interface, select Firewall>Access Rules.
The default view of access rules is Matrix, which allows you to select the intersection of
two zones to view and configure rules between those zones. When you click on the Edit
icon in the matrix, you see the access rules for traffic from the zone in the left column
to the zone in the top row.
2. Check the access rule from the LAN to the new zone Accounting.
Because you selected Trusted for Security Type when you created the zone, the new
zone is on the trusted side of the firewall, and there is an access rule allowing all traffic
from the LAN to the new Accounting zone.
3. Select Firewall>Access Rules to return to the access rule matrix.
4. Click on the Edit icon to edit rules from the WAN to the new Accounting zone.
Because the zone is on the trusted side of the firewall, by default there is a rule denying
all traffic between the WAN and the new Accounting zone. To allow traffic from outside the
firewall, you must add rules that allow specific kinds of traffic to and from the WAN.
5. Click Add to add a new rule.
6. In the Add Rule dialog box, enter the information for the rule:
• Action: Select Allow.
• Service: Select the service or service group you want to allow from the WAN to the
new zone. To test the new zone, Ping and FTP can be useful.
• Source: Select a specific network source for the traffic. For this example, select Any.
• Destination: Select a destination within the new zone. For this example select Any.
• Users Allowed: Select the user or user group from whom traffic is allowed. For this
example, select All.
• Schedule: If you want the rule to be in effect only at specified times, select the times
when this rule is in effect from the Schedule list. This can be very useful if you do not
want access to a particular resource at certain hours or periods on a weekly basis. For
this example, select Always On.
• Logging: Check logging to automatically create a record of all traffic denied by this
rule.
7. Click OK to create the rule.
8. Click Access Rules in the left column to display the matrix again.
9. Click the Edit icon to edit rules from the new Accounting zone to the WAN.
Testing Access from the New Zone
1. Add another rule similar to the one in steps 5 through 7.
2. Connect a PC to the DMZ zone (X2).
3. Connect another PC to the new Accounting zone (X4). Make a note of its IP address.
4. On the PC in the DMZ, open a command prompt window.
5. Ping the IP address of the PC in the Accounting zone. For example:
H:\>ping 172.22.3.3
Pinging 172.22.3.3 with 32 bytes of data:
Reply from 172.22.3.3: bytes=32 time<1ms TTL=128
Reply from 172.22.3.3: bytes=32 time<1ms TTL=128
Reply from 172.22.3.3: bytes=32 time<1ms TTL=128
Reply from 172.22.3.3: bytes=32 time<1ms TTL=128
Ping statistics for 172.22.3.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
H:\>
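To make the access-rule matrix behaviour concrete, here is an added Python model (not SonicOS code) of the evaluation this chapter describes: the defaults that follow from the zone's Security Type (traffic between two Trusted zones allowed, traffic from the WAN to a Trusted zone denied) and the explicit rule added in steps 5 through 7, matched on service, source, destination, users and schedule. The zones, security types and rule values are the ones used in this chapter; the evaluation order, the field names and the hour-based schedule format are assumptions of the model, and zone pairs for which the chapter states no default return None rather than a guessed action.

```python
# Security Types this chapter assigns: the LAN is the trusted side and the new zone is
# created with Security Type Trusted. Other zones are left out because the chapter gives
# no default rule for them.
SECURITY_TYPE = {"LAN": "Trusted", "Accounting": "Trusted"}


def make_rule(name, from_zone, to_zone, action, services, source="Any",
              destination="Any", users="All", schedule="Always On", logging=True):
    """One entry of the Add Rule dialog. schedule is "Always On" or a (from_hour, to_hour)
    pair; the pair form is an assumption of this model, not the SonicOS schedule format."""
    return {"name": name, "from": from_zone, "to": to_zone, "action": action,
            "services": set(services), "source": source, "destination": destination,
            "users": users, "schedule": schedule, "logging": logging}


def default_action(from_zone, to_zone):
    """Defaults the chapter states for a zone created as Trusted; None where it states none."""
    if SECURITY_TYPE.get(from_zone) == "Trusted" and SECURITY_TYPE.get(to_zone) == "Trusted":
        return "Allow"
    if from_zone == "WAN" and SECURITY_TYPE.get(to_zone) == "Trusted":
        return "Deny"
    return None


def in_schedule(schedule, hour):
    """True when the rule is in effect at the given hour of the day."""
    if schedule == "Always On":
        return True
    start, end = schedule
    return start <= hour < end


def evaluate(rules, packet, hour=12):
    """Match a packet against the explicit rules for its zone pair (in order), then fall
    back to the default. packet fields (assumed): from_zone, to_zone, service, and
    optionally src, dst, user. Returns (action, reason, logging flag of the matched rule)."""
    for rule in rules:
        if (rule["from"], rule["to"]) != (packet["from_zone"], packet["to_zone"]):
            continue
        if packet["service"] not in rule["services"]:
            continue
        if rule["source"] != "Any" and rule["source"] != packet.get("src"):
            continue
        if rule["destination"] != "Any" and rule["destination"] != packet.get("dst"):
            continue
        if rule["users"] != "All" and rule["users"] != packet.get("user"):
            continue
        if not in_schedule(rule["schedule"], hour):
            continue
        return rule["action"], "rule " + rule["name"], rule["logging"]
    pair = packet["from_zone"] + " to " + packet["to_zone"]
    return default_action(packet["from_zone"], packet["to_zone"]), "default for " + pair, False


# The rules added in steps 5 through 7 and in step 9 of this chapter: Allow, Ping and FTP,
# Source Any, Destination Any, Users All, Always On, logging checked.
CHAPTER_RULES = [
    make_rule("WAN to Accounting", "WAN", "Accounting", "Allow", {"Ping", "FTP"}),
    make_rule("Accounting to WAN", "Accounting", "WAN", "Allow", {"Ping", "FTP"}),
]


if __name__ == "__main__":
    # Constructed test packets covering the matrix cells discussed in this chapter.
    for pkt in [{"from_zone": "WAN", "to_zone": "Accounting", "service": "Ping"},
                {"from_zone": "WAN", "to_zone": "Accounting", "service": "SMTP"},
                {"from_zone": "LAN", "to_zone": "Accounting", "service": "SMTP"},
                {"from_zone": "DMZ", "to_zone": "Accounting", "service": "Ping"}]:
        print(pkt, "->", evaluate(CHAPTER_RULES, pkt))
```

The DMZ-to-Accounting case deliberately returns None: this chapter only states defaults for the LAN and WAN sides of a Trusted zone, so the model reports that the answer has to be read from the matrix rather than inventing one.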
6 Configuring GroupVPN for SonicWALL Global VPN Clients
SonicWALL’s GroupVPN provides automatic VPN policy provisioning for SonicWALL Global
VPN Clients. The SonicWALL Global VPN Client provides an easy-to-use solution for secure,
encrypted access to the corporate network for remote dial-up or broadband users.
The GroupVPN on the security appliance and the SonicWALL Global VPN Client (part of the
SonicWALL Global Security Client) dramatically streamline VPN deployment and
management. Using SonicWALL’s Client Policy Provisioning technology, you define the VPN
policies for Global VPN Client users. This policy information automatically downloads from
the security appliance (VPN Gateway) to Global Security Clients, saving remote users the
burden of provisioning VPN connections.
The procedure in this guide includes a single GroupVPN policy configuration on the PRO
5060 to allow SonicWALL Global Security Client users to connect to the LAN through the
default WAN port.
Note: For more information on the SonicWALL Global VPN Client, see the SonicWALL Global
VPN Client Administrator’s Guide. For more information on the SonicWALL Global
Security Client, see the SonicWALL Global Security Client Administrator’s Guide.
Configuring GroupVPN using the VPN Policy Wizard
The VPN Wizard walks you step-by-step through the configuration of GroupVPN on the
security appliance. After you complete the configuration, the wizard creates the necessary VPN
settings for the selected VPN policy. You can use the SonicWALL Management Interface for
optional advanced configuration options.
Note: For more information on configuring GroupVPN, see the SonicOS 2.5 Administrator’s
Guide on the SonicWALL PRO 5060 Resource CD.
Using the VPN Policy Wizard
1. On the System>Status page, click on Wizards.
2. In the Welcome to the SonicWALL Configuration Wizard page select VPN Wizard
and click Next.
3. In the VPN Policy Type page, select WAN GroupVPN and click Next.
4. In the IKE Phase 1 Key Method page, you select the authentication key to use for this
VPN policy:
• Default Key: If you choose the default key, all your Global VPN Clients and Global
Security Clients will automatically use the default key generated by the security appliance
to authenticate with the security appliance.
• Use this Key: If you choose a custom preshared key, you must distribute the key to
every VPN Client because the user is prompted for this key when connecting to the
security appliance.
Note: If you select Use this Key, and leave the default key as the value, you must still distribute
the key to your VPN clients.
5. Click Next.
6. In the IKE Security Settings page, you select the security settings for IKE Phase 2
negotiations and for the VPN tunnel. You can use the default settings.
• DH Group: The Diffie-Hellman (DH) group is the group of numbers used to create
the key pair. Each subsequent group uses larger numbers to start with. You can
choose Group 1, Group 2, or Group 5. The VPN uses this during IKE negotiation to
create the key pair.
• Encryption: This is the method for encrypting data through the VPN Tunnel. The
methods are listed in order of security. DES is the least secure and takes the
least amount of time to encrypt and decrypt. AES-256 is the most secure and takes
the longest time to encrypt and decrypt. You can choose DES, 3DES, AES-128, or
AES-256.
• Authentication: This is the hashing method used to authenticate the key, once it is
exchanged during IKE negotiation. You can choose MD5 or SHA-1.
• Life Time (seconds): This is the length of time the VPN tunnel stays open before
needing to re-authenticate. The default is eight hours (28800).
Alert! The SonicWALL Global VPN Client version 1.x does not support AES encryption, so if you
choose this method, only SonicWALL Global VPN Client versions 2.x and higher will be able
to connect.
7. Click Next.
8. In the User Authentication page, select if you want the VPN Users to be required to
authenticate with the security appliance when they connect. If you select Enable User
Authentication, you must select the user group which contains the VPN users. For this
example, leave Enable User Authentication unchecked.
Alert! If you selected Default Key for the IKE Phase 1 Key Method (step 4), you must select
Enable User Authentication.
Note: If you enable user authentication, the users must be entered in the SonicWALL database
for authentication. Users are entered into the SonicWALL database on the Users>Local
Users page, and then you can add users to groups in the Users>Local Groups page.
9. Click Next.
10. In the Configure Virtual IP Adapter page, select whether you want SonicWALL Global
VPN Clients to use IP addresses from a DHCP server on the internal LAN (X0) interface
when the client connects to the SonicWALL Security Appliance. This allows Global VPN
Clients to obtain IP addresses from the LAN zone’s IP address range. Therefore, when a
user connects, it appears that the user is inside the LAN. The virtual IP address can be
obtained from the SonicWALL Security Appliance’s internal DHCP server or from an
existing network DHCP server. Check the Use Virtual IP Adapter box and click Next.
11. The Configuration Summary page details the settings that will be pushed to the
security appliance when you apply the configuration. Click Apply to create your
GroupVPN.
Connecting the Global VPN Clients
Remote users install the SonicWALL Global VPN Client software. Once they have installed
the application, they use a connection wizard to set up their VPN connection. To configure the
VPN connection, the client must have the following information:
• A public IP address (or domain name) of the WAN port for your security appliance
• The shared secret if you selected a custom preshared secret in the VPN Wizard.
• The authentication username and password.
Note: For more information on installing, configuring and managing the SonicWALL Global VPN
Client, see the SonicWALL Global VPN Client Administrator’s Guide or the
SonicWALL Global Security Client Administrator’s Guide on the PRO 5060 Resource
CD.
7 Configuring a Site-to-Site VPN
Remote office networks can securely connect to your network using site-to-site VPN
connections. For example, a satellite office using a SonicWALL TZ 170 Wireless that
supports a small group of users can provide secure access to the corporate network for all the
users at the remote office through a single VPN tunnel.
Using the VPN Policy Wizard, you can quickly create a site-to-site VPN policy from the PRO
5060 to the remote site. Whenever data is intended for the remote site, the SonicWALL
security appliance automatically encrypts the data and sends it over the Internet to the remote
site, where it is decrypted and forwarded to the intended destination.
Note: You need to configure the remote SonicWALL TZ 170 Wireless to complete the site-to-site
VPN configuration. See the SonicOS Administrator’s Guide for the SonicWALL TZ 170
Wireless for configuration instructions.
Configuring a Site-to-Site VPN using the VPN Policy Wizard
You use the VPN Policy Wizard to create the site-to-site VPN policy.
Using the VPN Policy Wizard to Configure Preshared Secret
1. On the System>Status page, click on Wizards.
2. In the Welcome to the SonicWALL Configuration Wizard page select VPN Wizard
and click Next.
3. In the VPN Policy Type page, select Site-to-Site and click Next.
4. In the Create Site-to-Site Policy page, enter the following information:
• Policy Name: Enter a name you can use to refer to the policy. For example, Boston
Office.
• Preshared Key: Enter a character string to use to authenticate traffic during IKE
Phase 1 negotiation. You can use the default, generated Preshared Key.
• I know my Remote Peer IP Address (or FQDN): If you check this option, this security
appliance can initiate the contact with the named remote peer.
If you do not check this option, the peer must initiate contact to create a VPN tunnel.
This device will use aggressive mode for IKE negotiation.
Note: The I know my Remote Peer IP Address (or FQDN) option should specify the peer address
whenever possible. Only leave it blank if the remote is dynamically addressed, or as a very
last resort.
For this example, leave the option unchecked.
• Remote Peer IP Address (or FQDN): If you checked the option above, enter the IP
address or Fully Qualified Domain Name (FQDN) of the remote peer (For example,
gateway.yourcompany.com).
5. Click Next.
6. In the Network Selection page, select the local and destination resources connecting
through this VPN:
• Local Networks: Select the local network resources protected by this security appliance
that you are connecting with this VPN. You can select any address object or
group on the device, including networks, subnets, individual servers, and interface IP
addresses.
If the object or group you want has not been created yet, select Create Object or
Create Group. Create the new object or group in the dialog box that pops up. Then
select the new object or group.
For this example, select LAN Subnets.
• Destination Networks: Select the network resources on the destination end of the
VPN Tunnel. If the object or group does not exist, select Create new Address Object
or Create new Address Group.
For example:
a. Select Create new Address Group.
b. In the Name field, enter LAN-DMZ Group.
c. In the list on the left, select LAN Subnets and DMZ Subnets and click the -> button.
Hold down the Ctrl key while clicking to select more than one item.
d. Click OK to create the group and return to the Network Selection page.
e. In the Destination Networks field, select the newly created group.
7. Click Next.
8. In the IKE Security Settings page, select the security settings used for IKE Phase 2
negotiations and for traffic through the VPN tunnel. You can use the default settings.
• DH Group: The Diffie-Hellman (DH) group is the group of numbers used to create
the key pair. Each subsequent group uses larger numbers to start with. You can
choose Group 1, Group 2, or Group 5. The VPN uses this during IKE negotiation to
create the key pair.
• Encryption: This is the method for encrypting data through the VPN Tunnel. The
methods are listed in order of security. DES is the least secure and takes the
least amount of time to encrypt and decrypt. AES-256 is the most secure and takes
the longest time to encrypt and decrypt. You can choose DES, 3DES, AES-128, or
AES-256. The VPN uses this for all data through the tunnel.
• Authentication: This is the hashing method used to authenticate the key, once it is
exchanged during IKE negotiation. You can choose MD5 or SHA-1.
• Life Time (seconds): This is the length of time the VPN tunnel stays open before
needing to re-authenticate. The default is eight hours (28800).
9. The Configuration Summary page details the settings that will be pushed to the
security appliance when you apply the configuration. Click Apply to create the VPN.
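The IKE Security Settings page in this chapter and in the GroupVPN chapter offer the same choices, and both chapters attach conditions to them in their Alerts and Notes. The following Python checker is an added example (not SonicWALL code) that encodes exactly those stated conditions so a policy can be reviewed before Apply: the allowed DH Group, Encryption and Authentication values and the order in which the guide ranks them; for a WAN GroupVPN policy, that Default Key requires Enable User Authentication, that a custom key equal to the default value must still be distributed, and that AES excludes Global VPN Client 1.x; for a Site-to-Site policy, that leaving the remote peer blank means the peer must initiate and IKE runs in aggressive mode. The policy dictionary, its field names and the severity labels are assumptions of this example.

```python
# Choices as the guide lists them, weakest (or smallest) first.
ENCRYPTION = ["DES", "3DES", "AES-128", "AES-256"]
DH_GROUPS = ["Group 1", "Group 2", "Group 5"]
AUTHENTICATION = ["MD5", "SHA-1"]
DEFAULT_LIFETIME = 28800   # eight hours, the guide's default Life Time


def check_vpn_policy(policy):
    """Return a list of (severity, message) findings for one wizard policy.

    Assumed fields: type ("WAN GroupVPN" or "Site-to-Site"), dh_group, encryption,
    authentication, lifetime (seconds); for GroupVPN also key_method ("Default Key" or
    "Use this Key"), key_is_default, user_authentication and oldest_client_major (the
    oldest Global VPN Client major version in use); for Site-to-Site also remote_peer
    (IP address or FQDN string, empty when unknown)."""
    findings = []

    # Values must be ones the wizard actually offers.
    for field, allowed in (("dh_group", DH_GROUPS), ("encryption", ENCRYPTION),
                           ("authentication", AUTHENTICATION)):
        if policy.get(field) not in allowed:
            findings.append(("error", f"{field} must be one of {allowed}"))
    lifetime = policy.get("lifetime", DEFAULT_LIFETIME)
    if not isinstance(lifetime, int) or lifetime <= 0:
        findings.append(("error", "lifetime must be a positive number of seconds"))

    # Weakest option of each list, in the guide's own ranking.
    if policy.get("encryption") == ENCRYPTION[0]:
        findings.append(("warning", "DES is listed as the least secure encryption method"))
    if policy.get("dh_group") == DH_GROUPS[0]:
        findings.append(("warning", "Group 1 uses the smallest numbers of the available DH groups"))

    if policy.get("type") == "WAN GroupVPN":
        if policy.get("key_method") == "Default Key" and not policy.get("user_authentication"):
            findings.append(("error", "Default Key requires Enable User Authentication"))
        if policy.get("key_method") == "Use this Key" and policy.get("key_is_default"):
            findings.append(("note", "the key keeps the default value but must still be "
                                     "distributed to every VPN client"))
        if str(policy.get("encryption", "")).startswith("AES") and policy.get("oldest_client_major", 2) < 2:
            findings.append(("warning", "AES: Global VPN Client 1.x cannot connect; "
                                        "only versions 2.x and higher will"))
    elif policy.get("type") == "Site-to-Site":
        if not policy.get("remote_peer"):
            findings.append(("note", "no remote peer address: the peer must initiate the tunnel "
                                     "and IKE uses aggressive mode; set the peer address whenever possible"))
    else:
        findings.append(("error", "type must be 'WAN GroupVPN' or 'Site-to-Site'"))
    return findings


def is_acceptable(policy):
    """True when the policy has no error-level findings (warnings and notes are advisory)."""
    return not any(severity == "error" for severity, _ in check_vpn_policy(policy))


if __name__ == "__main__":
    # Constructed sample: the GroupVPN wizard run as described, with Default Key chosen.
    sample = {"type": "WAN GroupVPN", "dh_group": "Group 2", "encryption": "3DES",
              "authentication": "SHA-1", "lifetime": DEFAULT_LIFETIME,
              "key_method": "Default Key", "user_authentication": False}
    for severity, message in check_vpn_policy(sample):
        print(f"[{severity}] {message}")
```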
8 Registering the PRO 5060 and Activating Security Services
Once you’ve established your Internet connection, you can register your security appliance
at mySonicWALL.com as well as activate SonicWALL Security Services. Any bundled
services included with your SonicWALL PRO 5060 are automatically activated when you
register.
You need a mySonicWALL.com account to register your security appliance or activate
SonicWALL Security Services. You can create a mySonicWALL.com account directly from
the SonicWALL Management Interface. If your security appliance is connected to the
Internet, and you have a mySonicWALL.com account, you can register the security appliance
and activate SonicWALL Security Services directly from the Management Interface.
mySonicWALL.com
mySonicWALL.com delivers a convenient, one-stop resource for registration, activation, and
management of your SonicWALL products and services. Your mySonicWALL.com account
provides a single profile to do the following:
• Register your SonicWALL Internet Security Appliances
• Purchase/Activate SonicWALL Security Services and Upgrades
• Receive SonicWALL firmware and security service updates and alerts
• Manage (change or delete) your SonicWALL security services
• Access SonicWALL Technical Support
Creating a mySonicWALL.com account is easy and FREE. Simply complete an online
registration form. Once your account is created, you can register SonicWALL Internet
Security Appliances and activate SonicWALL Security Services associated with the security
appliance.
Your mySonicWALL.com account is accessible from any Internet connection with a Web
browser using the HTTPS (Hypertext Transfer Protocol Secure) protocol to protect your
sensitive information. You can also access mySonicWALL.com license and registration
services directly from the SonicWALL management interface for increased ease of use and
simplified services activation.
Tip! For more information on mySonicWALL.com, access the online help available at
https://www.mysonicwall.com.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL
If your security appliance is not registered, the following message is displayed in the Security
Services folder on the System>Status page in the SonicWALL Management Interface: Your
SonicWALL is not registered. Click here to Register your SonicWALL Security
Appliance.
You can also manually register your security appliance at the www.mySonicWALL.com site
by using the Serial Number and Authentication Code displayed in the Security Services
section. Click the SonicWALL link to access your mySonicWALL.com account. You will be
given a registration code after you have registered your security appliance. Enter the
registration code in the field below the You will be given a registration code, which you
should enter below heading, then click Update.
The following sections explain how to create a mySonicWALL.com account from the
SonicWALL Management Interface, if you don’t have an account, and how to register your
security appliance directly from the Management Interface.
Creating Your mySonicWALL.com Account
If you already have a mySonicWALL.com account, skip this section. To create a
mySonicWALL.com account from the SonicWALL Management Interface, follow these steps:
1. In the Security Services folder on the System>Status page in the SonicWALL
Management Interface, click the here link in Your security appliance is not registered.
Click here to Register your security appliance. The mySonicWALL.com Login page
is displayed.
2. Click the here link in If you do not have a mySonicWALL account, please click here
to create one. The mySonicWALL.com account form is displayed.
3. Enter your information in the Account Information, Personal Information and
Preferences fields. All fields marked with an * are required fields.
Alert! Remember your username and password to access your mySonicWALL.com account.
4. Click Submit after completing the mySonicWALL.com account form.
5. Review your account information. If the information is correct, click OK. You will receive
a subscription code by e-mail from SonicWALL. This code is required to complete the
activation of your new account.
Alert! Your new account must be activated with the subscription code within 72 hours of receiving
the code.
6. After you receive your subscription code, in the Security Services folder on the
System>Status page in the SonicWALL Management Interface, click the here link in
Your SonicWALL is not registered. Click here to Register your SonicWALL.
7. In the mySonicWALL.com Login page, enter your mySonicWALL.com account
username and password, and click Submit. You are prompted for the subscription code.
8. Enter your subscription code and click Submit. Your mySonicWALL.com account is
activated.
Registering Your SonicWALL from the Management Interface
If you have a mySonicWALL.com account, follow these steps to register your security
appliance:
1. Click the here link to automatically register your security appliance. The
mySonicWALL.com Login page is displayed.
2. Type your mySonicWALL.com username and password in the User Name and
Password fields and click Submit.
3. Type in a “friendly name” for your SonicWALL in the Friendly Name field. A friendly name
is used to help identify your SonicWALL, such as its location.
4. Click Submit. Your security appliance is now registered.
Alert! Make sure the DNS and Time settings on your security appliance are correct when you
register the device.
Activating SonicWALL Security Services
After you have successfully registered your SonicWALL PRO 5060, all the bundled Security
Services are automatically activated. You can view the status of all your SonicWALL Security
Services from the Management Interface.
In the System>Licenses page, click the click here link in the Manage Security Services
Online section to display the MySonicWALL.com Login page. In the mySonicWALL.com
Login page, type your mySonicWALL.com username and password in the User Name and
Password fields, then click Submit. The Manage Services Online page is displayed.
All the SonicWALL Security Services available for the security appliance are displayed. If a
service is activated, the number of licenses for that service is displayed in the Count column.
The expiration date for any activated service is displayed in the Expiration column.
Note: For product documentation on a SonicWALL Security Service, see the PRO 5060
Resource CD or go to the SonicWALL documentation site at
http://www.sonicwall.com/services.documentation.html.
© 2004 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL,Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Page 1
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Page 2 SonicWALL Gateway Anti-Virus Administrator’s Guide
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention                              Use
Bold                                    Highlights items you can select on the SonicWALL management interface.
Italic                                  Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item    Indicates a multiple step Management Interface menu choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by the
e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection
version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
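The architecture described above (per-packet base64 decoding, per-packet decompression, and signature matching without reassembling the file) can be illustrated with a small stand-alone scanner. This is an added example written for this guide's readers; it is not SonicWALL code, says nothing about how the DPI engine is implemented, and uses a constructed pseudo-signature and constructed sample packets. The only state kept between packets is the decoder/inflater state and a tail of (longest signature length - 1) bytes, which is what lets a match that straddles a packet boundary still be found.

```python
import base64
import gzip
import zlib


class StreamScanner:
    """Single-pass signature scanner that never buffers the whole file.

    Each packet passes through an incremental base64 decoder and an
    incremental gzip inflater (zlib.decompressobj keeps the inflate state
    between packets), then a signature search over the new bytes plus a
    short carry-over tail, so a signature split across two packets is
    still found. Only len(longest signature) - 1 bytes are ever retained.
    """

    def __init__(self, signatures, base64_encoded=False, gzip_compressed=False):
        self.signatures = [bytes(s) for s in signatures]
        self.window = max(len(s) for s in self.signatures) - 1
        self.base64_encoded = base64_encoded
        self._b64_carry = b""          # base64 chars left over from a partial quantum
        self._inflater = zlib.decompressobj(16 + zlib.MAX_WBITS) if gzip_compressed else None
        self._tail = b""               # carry-over bytes for boundary-spanning matches
        self.matched = None
        self.bytes_scanned = 0

    def _decode_base64(self, chunk):
        # Line breaks are ignored; decode only complete 4-character quanta and
        # keep the remainder for the next packet.
        data = self._b64_carry + b"".join(chunk.split())
        usable = len(data) - len(data) % 4
        self._b64_carry = data[usable:]
        return base64.b64decode(data[:usable]) if usable else b""

    def feed(self, packet):
        """Scan one packet; return the matching signature or None."""
        if self.matched is not None:
            return self.matched
        data = self._decode_base64(packet) if self.base64_encoded else bytes(packet)
        if self._inflater is not None:
            data = self._inflater.decompress(data)   # partial input is fine
        self.bytes_scanned += len(data)
        haystack = self._tail + data
        for sig in self.signatures:
            if sig in haystack:
                self.matched = sig
                return sig
        self._tail = haystack[-self.window:] if self.window > 0 else b""
        return None


def scan_packets(packets, signatures, base64_encoded=False, gzip_compressed=False):
    """Feed packets in order; return the index of the packet on which the
    verdict was reached, or None if the whole stream is clean."""
    scanner = StreamScanner(signatures, base64_encoded, gzip_compressed)
    for index, packet in enumerate(packets):
        if scanner.feed(packet) is not None:
            return index
    return None


# Constructed sample data (not from the guide): a pseudo-signature and a
# gzip-compressed, base64-encoded "attachment" chopped into small packets.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def make_mail_packets(body, packet_size):
    encoded = base64.encodebytes(gzip.compress(body))   # MIME-style base64 with line breaks
    return [encoded[i:i + packet_size] for i in range(0, len(encoded), packet_size)]


if __name__ == "__main__":
    infected = make_mail_packets(b"report text " * 40 + TEST_SIGNATURE + b" end" * 10, 7)
    print("verdict at packet", scan_packets(infected, [TEST_SIGNATURE], True, True),
          "of", len(infected))
    clean = make_mail_packets(b"report text " * 60, 7)
    print("clean stream ->", scan_packets(clean, [TEST_SIGNATURE], True, True))
```

Because the verdict is reached on the packet that completes the match, everything after it never needs to be forwarded; that is the property the guide relies on when it says the engine imposes no file-size limit.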
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream-concurrency limits are platform dependent; the table in this section lists them for each platform.
Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Stream concurrency by platform:

Platform          GAV-Disabled        GAV-Enabled Connections        Concurrent Compressed       GAV Signatures
                  Connections         Cache Size                     File Downloads
                  Cache Size          (Concurrent File Downloads)    with GAV
TZ 150 Series     2,048               2,048                          100                         4,500
TZ 170 Series     6,144               6,144                          100                         4,500
PRO 1260          6,144               6,144                          100                         4,500
PRO 2040          32,768              16,384                         300                         25,000
PRO 3060          131,072             65,536                         1,000                       25,000
PRO 4060          524,288             131,072                        1,500                       25,000
PRO 5060          750,000             393,216                        3,000                       25,000
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all e-mail-based protocols (SMTP, POP3, and IMAP), since no
decoding is required for that encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the head of the sent
queue, thus preventing it from being resent, via 552 SMTP response and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is
not supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
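The HTTP and FTP sections above both describe the same defensive idea: a scanner that inspects a stream once cannot judge a file that a client fetches in pieces, so the gateway refuses the requests that would split a transfer (HTTP Byte-Range, FTP REST). The following is an added illustration of that logic, not SonicWALL code and not a description of how the appliance implements it. It assumes the gateway sees the raw request; the treatment of the companion If-Range header and the text of the FTP refusal reply are this example's own choices, since the guide states neither.

```python
# Header names whose presence turns a download into a partial (sectional) retrieval.
# "if-range" is included as an assumption: it only has meaning alongside Range.
RANGE_HEADERS = {b"range", b"if-range"}


def suppress_http_byte_range(request):
    """Strip Range (and If-Range) from a raw HTTP request so the server
    answers with the whole object in one stream that can be scanned once.

    Returns (rewritten_request, names_of_stripped_headers).
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept, stripped = [lines[0]], []            # the request line is always kept
    for line in lines[1:]:
        name = line.split(b":", 1)[0].strip().lower()
        if name in RANGE_HEADERS:
            stripped.append(name.decode("ascii"))
        else:
            kept.append(line)
    return b"\r\n".join(kept) + sep + body, stripped


def filter_ftp_command(command, allow_rest=False):
    """Decide whether an FTP control-channel command is forwarded.

    REST asks the server to resume a transfer at a byte offset, which lets a
    client fetch a file in pieces; it is refused unless the override is on
    (the guide's /diag.html option). Returns (forward, reply_to_client).
    The 502 reply text is an assumption for this example.
    """
    verb = command.strip().split(b" ", 1)[0].upper()
    if verb == b"REST" and not allow_rest:
        return False, b"502 REST not permitted while Gateway AV is enabled\r\n"
    return True, None


# Constructed sample request (not from the guide): a client asking for the first
# kilobyte of an archive, which would defeat single-pass scanning if forwarded.
SAMPLE_REQUEST = (
    b"GET /files/report.zip HTTP/1.1\r\n"
    b"Host: fileserver.example\r\n"
    b"Range: bytes=0-1023\r\n"
    b"If-Range: \"etag-123\"\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    rewritten, removed = suppress_http_byte_range(SAMPLE_REQUEST)
    print("removed headers:", removed)
    print(rewritten.decode())
    for cmd in (b"RETR report.zip\r\n", b"REST 1024\r\n"):
        forward, reply = filter_ftp_command(cmd)
        print(cmd.strip().decode(), "->", "forward" if forward else reply.strip().decode())
```

The side effect the guide warns about follows directly: a download accelerator that opens several Range requests in parallel will find every one of them rewritten into a request for the whole file.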
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Page 15
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and application-layer attacks. When
you activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible from any Internet connection with a
Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL GAV (see “Activating the
SonicWALL GAV FREE TRIAL” on page 18).
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at mySonicWALL.com, SonicWALL GAV activation is automatically
enabled on your SonicWALL security appliance within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance immediately.
Page 16 SonicWALL Gateway Anti-Virus Administrator’s Guide
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti-Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the zones on which you want SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL
security appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After
selecting the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, SonicWALL GAV inspection stops and the SonicWALL
GAV configuration settings are removed from the SonicWALL security appliance. These settings are
automatically restored to their previously configured state after you renew your SonicWALL GAV
license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV to zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table (source zone type down the
side, destination zone type across the top; "yes" means the traffic is inspected; "non-Trusted" in the list
above is read as Public or Untrusted):

                                          To Trusted/Wireless/Encrypted   To Public   To Untrusted
Non-SMTP from Trusted/Wireless/Encrypted  yes                             yes         yes
Non-SMTP from Public                      no                              no          yes
Non-SMTP from Untrusted                   no                              no          no
SMTP from Trusted/Wireless/Encrypted      yes                             no          no
SMTP from Public or Untrusted             yes                             yes         no
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that internal clients
deliver to the internally hosted SMTP server for viruses, a direction the inbound rules above do not cover.
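The four inbound rules and the outbound SMTP option above, as an added Python example that is not part of the original guide: a function that decides whether inbound inspection covers a connection between two zone security types, and an audit that lists every zone pair the setting leaves uninspected. It encodes only the four rules listed in the guide; reading "non-Trusted" as Public or Untrusted, and the mapping of zone names to security types used for the audit, are assumptions of this example.

```python
"""Which flows 'Enable Inbound Inspection' covers (added example, not SonicWALL code)."""
from itertools import product

INTERNAL = {"Trusted", "Wireless", "Encrypted"}   # the types the four rules group together
ZONE_TYPES = ("Trusted", "Wireless", "Encrypted", "Public", "Untrusted")

# Assumed mapping of zone names to security types for the audit (a typical default deployment)
ZONES = {"LAN": "Trusted", "WLAN": "Wireless", "VPN": "Encrypted", "DMZ": "Public", "WAN": "Untrusted"}


def inbound_inspected(src_type, dst_type, smtp):
    """True when GAV inbound inspection applies to a connection from src_type to dst_type."""
    if not smtp:
        # rules 1 and 2: non-SMTP from an internal type to anywhere, or Public -> Untrusted
        return src_type in INTERNAL or (src_type == "Public" and dst_type == "Untrusted")
    if src_type not in INTERNAL:
        # rule 3: SMTP from a non-Trusted (Public/Untrusted) type into internal or Public types
        return dst_type in INTERNAL or dst_type == "Public"
    # rule 4: SMTP between internal types
    return dst_type in INTERNAL


def uninspected_flows(smtp, zones=ZONES):
    """Zone pairs (src, dst) whose traffic of this kind is NOT covered by inbound inspection."""
    return sorted(
        (s, d)
        for (s, st), (d, dt) in product(zones.items(), repeat=2)
        if s != d and not inbound_inspected(st, dt, smtp)
    )


def coverage_matrix(smtp):
    """{src_type: {dst_type: bool}} over all security types, for printing or checking."""
    return {s: {d: inbound_inspected(s, d, smtp) for d in ZONE_TYPES} for s in ZONE_TYPES}


if __name__ == "__main__":
    for smtp in (False, True):
        kind = "SMTP" if smtp else "non-SMTP"
        print(f"{kind} flows not covered by inbound inspection:")
        for s, d in uninspected_flows(smtp):
            print(f"  {s} -> {d}")
```

The SMTP gaps the audit reports for the assumed zone layout (LAN to DMZ, for example) are the mail-server-on-the-DMZ case the outbound SMTP option above is described as covering; the non-SMTP gaps (WAN to DMZ, for example) are server-bound traffic that inbound inspection does not cover at all.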
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for clients to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
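The three restrict-transfer attributes above checked on file content, as an added Python example that is not SonicWALL's scanner: it reads the encryption flag in ZIP local file headers, looks for packer section names in a PE section table, and (going beyond the Office 97 OLE case the guide names) treats a vbaProject.bin entry in an Office 2007+ ZIP container as a macro-enabled document. The packer section-name list and the vbaProject.bin rule are assumed heuristics of this example; the sample archives and PE image are constructed in code.

```python
"""Restrict-transfer checks on file content (added example, not SonicWALL code)."""
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_LOCAL_HDR = "<4sBBHHHHLLLHH"   # 30-byte local file header (PKWARE APPNOTE)
FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0: entry is encrypted (password-protected)
FLAG_DATA_DESCRIPTOR = 0x0008      # sizes follow the data, so the walker cannot skip ahead
# Section names left behind by common packers (assumed list; real products use signatures)
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite"}


def zip_local_headers(data):
    """Walk the local file headers in order; yields (offset, name, flags)."""
    off = 0
    while data[off:off + 4] == ZIP_LOCAL_SIG:
        (_sig, _ver, _sys, flags, _method, _time, _date, _crc,
         csize, _usize, nlen, xlen) = struct.unpack_from(ZIP_LOCAL_HDR, data, off)
        name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        yield off, name, flags
        if flags & FLAG_DATA_DESCRIPTOR:
            break                      # streamed entry: csize in the header is 0, stop walking
        off += 30 + nlen + xlen + csize


def is_password_protected_zip(data):
    return data.startswith(ZIP_LOCAL_SIG) and any(
        flags & FLAG_ENCRYPTED for _, _, flags in zip_local_headers(data))


def has_office_macros(data):
    """Office 2007+ (.docm/.xlsm/.pptm) keeps the VBA project as vbaProject.bin in the ZIP."""
    return data.startswith(ZIP_LOCAL_SIG) and any(
        name.endswith("vbaProject.bin") for _, name, _ in zip_local_headers(data))


def pe_section_names(data):
    """Section names from a PE image, or [] if the data is not a PE file."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size           # section table follows the optional header
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0"))
    return names


def is_packed_executable(data):
    return any(n in PACKER_SECTIONS for n in pe_section_names(data))


def restricted_attributes(data):
    """Set of restrict-transfer rules the file would trip."""
    hits = set()
    if is_password_protected_zip(data):
        hits.add("password-protected zip")
    if has_office_macros(data):
        hits.add("office macros")
    if is_packed_executable(data):
        hits.add("packed executable")
    return hits


def make_zip(entries, password_flag=False):
    """Constructed sample archive; password_flag sets the encrypted bit without encrypting."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, content in entries:
            z.writestr(name, content)
    data = bytearray(buf.getvalue())
    if password_flag:
        for off, _, _ in list(zip_local_headers(bytes(data))):
            data[off + 6] |= FLAG_ENCRYPTED
    return bytes(data)


def make_pe(section_names):
    """Constructed minimal PE: DOS stub, COFF header, no optional header, named sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    print(restricted_attributes(make_zip([("a.txt", b"hello")], password_flag=True)))
    print(restricted_attributes(make_pe([b"UPX0", b"UPX1", b".rsrc"])))
```

Because the checks read container metadata rather than the payload, they work on a password-protected archive whose contents cannot be scanned, which is exactly why the guide offers the option of blocking such files outright.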
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the number of the first signature shown. If you are displaying the first page
of a signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - tracks the state of each connection and examines its packets in that
context, from the network layer up to the application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict file transfers 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
Page 2 SonicWALL Gateway Anti-Virus Administrator’s Guide
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators that are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not setup, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site:
.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.

Convention                              Use
Bold                                    Highlights items you can select on the SonicWALL management interface.
Italic                                  Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item    Indicates a multiple step Management Interface menu choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. Virus is logged and alert sent to administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by
the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection version 2.0)
engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency, however, is platform dependent, as follows:

Platform         GAV-Disabled        GAV-Enabled Connection     Concurrent Compressed      GAV
                 Connection Cache    Cache Size (Concurrent     File Downloads             Signatures
                 Size                File Downloads)            with GAV
TZ 150 Series    2,048               2,048                      100                        4,500
TZ 170 Series    6,144               6,144                      100                        4,500
PRO 1260         6,144               6,144                      100                        4,500
PRO 2040         32,768              16,384                     300                        25,000
PRO 3060         131,072             65,536                     1,000                      25,000
PRO 4060         524,288             131,072                    1,500                      25,000
PRO 5060         750,000             393,216                    3,000                      25,000

Disabling the SonicWALL GAV/IPS Engine
If SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on your SonicWALL security
appliance, the SonicWALL GAV/IPS engine itself can be disabled and its resources reallocated to the SPI
connection cache. The GAV-Disabled column in the table above shows the resulting connection cache size for
each platform (for example, 750,000 rather than 393,216 connections on the PRO 5060). Disabling the engine
turns off both Gateway Anti-Virus and Intrusion Prevention Service scanning.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections) checkbox. This
presents an alert informing you that the SonicWALL security appliance must be rebooted for the change
to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all e-mail based protocols (SMTP, POP3, and IMAP), since 8-bit
content requires no decoding step.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which
removes it from the head of the sending server's queue so that it is not resent, and the connection is terminated.
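As an added illustration (not part of this guide and not SonicWALL's code), the following Python sketch models the SMTP behaviour described above: a gateway-side SMTP state machine that base64-decodes each MIME part of the message, opens ZIP attachments, matches the decoded bytes against a signature, and on detection answers 552 and terminates the connection. The signature database, the sample messages, and every name in the sketch (SmtpGateway, scan_blob, scan_message, build_message, run_session) are constructed for the example; the EICAR test string stands in for a real signature.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Signature database, constructed for this example. The EICAR string is the
# industry-standard harmless anti-virus test file and stands in for SonicWALL's
# proprietary GAV signatures.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}


def scan_blob(data, depth=0):
    """Match signatures against raw bytes; if the bytes form a ZIP archive, also
    scan every member. The cap on nested archives is an assumption of this example."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    if depth > 2 or data[:2] != b"PK":
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                hit = scan_blob(zf.read(member), depth + 1)
                if hit:
                    return hit
    except zipfile.BadZipFile:
        pass
    return None


def scan_message(raw):
    """Decode every MIME part (base64, quoted-printable) of a message and scan it."""
    for part in message_from_bytes(raw, policy=policy.default).walk():
        payload = None if part.is_multipart() else part.get_payload(decode=True)
        hit = scan_blob(payload) if payload else None
        if hit:
            return hit
    return None


class SmtpGateway:
    """Server-side SMTP state machine standing in for the gateway: feed() takes
    one client line and returns the reply; a detection answers 552 and closes."""

    def __init__(self):
        self.in_data, self.closed, self.verdict, self.buffer = False, False, None, []

    def feed(self, line):
        if self.in_data:
            if line != b".":
                self.buffer.append(line)
                return b""
            self.in_data = False
            self.verdict = scan_message(b"\r\n".join(self.buffer))
            self.buffer = []
            if self.verdict:
                self.closed = True  # connection terminated, message never accepted
                return b"552 Message rejected: " + self.verdict.encode() + b"\r\n"
            return b"250 OK: queued\r\n"
        cmd = line.split(b" ", 1)[0].upper()
        if cmd in (b"EHLO", b"HELO", b"MAIL", b"RCPT"):
            return b"250 OK\r\n"
        if cmd == b"DATA":
            self.in_data = True
            return b"354 End data with <CR><LF>.<CR><LF>\r\n"
        if cmd == b"QUIT":
            self.closed = True
            return b"221 Bye\r\n"
        return b"500 Unrecognised command\r\n"


def build_message(attachment, filename):
    """Constructed sample mail carrying one base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "test"
    msg.set_content("see attachment")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def zipped(data, name):
    """Wrap data in a deflate-compressed ZIP archive (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def run_session(message):
    """Drive one client session through the gateway; return (replies, verdict)."""
    gw = SmtpGateway()
    client = [b"EHLO client.example.net", b"MAIL FROM:<sender@example.net>",
              b"RCPT TO:<user@example.com>", b"DATA"]
    client += message.split(b"\n") + [b".", b"QUIT"]
    replies = []
    for line in client:
        if gw.closed:  # gateway tore the connection down; QUIT is never sent
            break
        reply = gw.feed(line)
        if reply:
            replies.append(reply)
    return replies, gw.verdict


if __name__ == "__main__":
    for name, body in [("report.txt", b"quarterly numbers"), ("eicar.com", EICAR)]:
        print(name, run_session(build_message(body, name)))
```

The clean session ends with 250 and 221; the infected session ends with 552 and the client never gets to send QUIT, which is the sending server's cue to drop the message rather than retry it. Matching happens only after decoding, which is why the same EICAR bytes are caught whether they arrive as a plain attachment or inside a ZIP.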
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is not
supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
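Why Byte-Range requests are suppressed, as an added example (not from this guide and not SonicWALL's code): a scanner that inspects each HTTP response on its own cannot match a signature that the client has deliberately split across two Range requests, so the gateway strips the Range header and forces the origin to return the whole object. Everything below (the origin, gateway and download functions, the object served, the range boundaries) is constructed for the illustration; EICAR stands in for a real signature.

```python
# Constructed example: one origin object, a gateway that scans each HTTP
# response body on its own (as a reassembly-free engine must), and a client
# that fetches the object in byte ranges, as a download accelerator would.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
OBJECT = b"<!-- constructed download -->" + EICAR + b"<!-- end -->"


def origin(headers):
    """Minimal origin server honouring RFC 7233 single byte ranges."""
    rng = headers.get("Range", "")
    if not rng.startswith("bytes="):
        return 200, OBJECT
    first, last = rng[len("bytes="):].split("-", 1)
    if first == "":                      # suffix range: the last N bytes
        return 206, OBJECT[-int(last):]
    end = int(last) if last else len(OBJECT) - 1
    return 206, OBJECT[int(first):end + 1]


def infected(body):
    """Signature match over one response body."""
    return EICAR in body


def gateway(request_headers, suppress_range):
    """Forward one request; return (status, body delivered to the client).
    With suppress_range the Range header is stripped before forwarding, which
    is what the guide calls suppressing HTTP Byte-Range requests."""
    headers = dict(request_headers)
    if suppress_range:
        headers.pop("Range", None)
    status, body = origin(headers)
    if infected(body):
        return status, None  # connection terminated, payload withheld
    return status, body


def download(ranges, suppress_range):
    """Client that issues one request per range and concatenates the parts.
    None means the gateway blocked at least one part."""
    parts = []
    for rng in ranges:
        _, body = gateway({"Range": rng} if rng else {}, suppress_range)
        if body is None:
            return None
        parts.append(body)
    return b"".join(parts)


if __name__ == "__main__":
    split = ["bytes=0-60", "bytes=61-"]  # the boundary falls inside the signature
    print("ranges allowed :", download(split, suppress_range=False) == OBJECT)
    print("ranges stripped:", download(split, suppress_range=True))
```

With ranges honoured, neither 206 response contains the full signature and the client reassembles the infected object unhindered; with the Range header stripped, every request returns the whole object and is blocked. A single un-split range, or a plain GET, is caught either way. The cost is exactly the note above: clients that rely on parallel range requests fall back to one full download.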
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'; doing so restores resumed transfers at the cost of
the same sectional-retrieval exposure the suppression exists to close.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for the essential
configuration of SonicWALL GAV to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL GAV.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV on mySonicWALL.com, the activation is automatically enabled on your
SonicWALL security appliance within 24 hours, or you can click the Synchronize button on the
Security Services > Summary page to update your SonicWALL security appliance immediately.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which SonicWALL GAV
protection is applied. If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you must
specify the Zones to which SonicWALL GAV protection is applied on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting the
interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Page 20 SonicWALL Gateway Anti-Virus Administrator’s Guide
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Page 21
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface box and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Page 22
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
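The two protections described above, pre-shared-secret authentication of the appliance and HTTPS with full server certificate verification, as an added illustration in Python. This is not SonicWALL code and the message layout (HMAC-SHA256 over appliance id, nonce, timestamp and a body hash) is an assumption made for the example, not the appliance's actual update protocol; the secret and appliance identifier are constructed placeholders. The server side shows the checks a verifier needs beyond the MAC itself: constant-time comparison, a freshness window, and nonce replay rejection.

```python
import hashlib
import hmac
import os
import ssl
import time

# Constructed placeholders: the real secret is created during licensing
# registration and is not published in the guide.
EXAMPLE_PSK = b"constructed-pre-shared-secret"
EXAMPLE_APPLIANCE_ID = "appliance-0001"


def sign_update_request(psk, appliance_id, nonce, timestamp, body):
    """Appliance side: HMAC-SHA256 over the request fields (assumed layout), so
    the server can tell the request came from a holder of the pre-shared secret."""
    msg = b"|".join([appliance_id.encode(), nonce, str(timestamp).encode(),
                     hashlib.sha256(body).digest()])
    return hmac.new(psk, msg, hashlib.sha256).digest()


class SignatureServer:
    """Server side: verifies the MAC in constant time, rejects stale
    timestamps and replayed nonces."""

    def __init__(self, psk_by_id, max_skew=300):
        self.psk_by_id = dict(psk_by_id)
        self.max_skew = max_skew          # seconds of clock drift tolerated
        self.seen_nonces = set()          # (appliance_id, nonce) already accepted

    def verify(self, appliance_id, nonce, timestamp, body, mac, now=None):
        now = time.time() if now is None else now
        psk = self.psk_by_id.get(appliance_id)
        if psk is None or abs(now - timestamp) > self.max_skew:
            return False
        if (appliance_id, nonce) in self.seen_nonces:
            return False                  # replayed request
        expected = sign_update_request(psk, appliance_id, nonce, timestamp, body)
        if not hmac.compare_digest(expected, mac):
            return False                  # wrong secret or tampered fields
        self.seen_nonces.add((appliance_id, nonce))
        return True


def make_update_tls_context(ca_file=None):
    """Client TLS context with full server certificate verification: chain
    validation against the trust store, hostname check, TLS 1.2 minimum."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def demo_exchange():
    """Run one legitimate request and three rejected ones against the server."""
    server = SignatureServer({EXAMPLE_APPLIANCE_ID: EXAMPLE_PSK})
    body = b"GET /signatures?since=2005-01-01"   # constructed request body
    nonce, ts = os.urandom(16), int(time.time())
    mac = sign_update_request(EXAMPLE_PSK, EXAMPLE_APPLIANCE_ID, nonce, ts, body)
    first = server.verify(EXAMPLE_APPLIANCE_ID, nonce, ts, body, mac)
    replay = server.verify(EXAMPLE_APPLIANCE_ID, nonce, ts, body, mac)
    tampered = server.verify(EXAMPLE_APPLIANCE_ID, os.urandom(16), ts, body + b"x", mac)
    old_nonce, old_ts = os.urandom(16), ts - 3600
    stale = server.verify(EXAMPLE_APPLIANCE_ID, old_nonce, old_ts, body,
                          sign_update_request(EXAMPLE_PSK, EXAMPLE_APPLIANCE_ID, old_nonce, old_ts, body))
    return {"first": first, "replay": replay, "tampered": tampered, "stale": stale}


if __name__ == "__main__":
    print(demo_exchange())
```

The TLS context is what a client would pass to its HTTPS library; with `check_hostname` and `CERT_REQUIRED` set, a server presenting an untrusted or mismatched certificate fails the handshake instead of silently serving signatures.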
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
Page 23
The Enable Inbound Inspection protocol traffic handling represented as a table:
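The four inbound-inspection rules listed above, expressed as a decision function and rendered as the table the text refers to. This is an added example, not SonicWALL code, and it only encodes the bullet points as written; the zone security types are the ones the guide names (Trusted, Wireless, Encrypted, Public, Untrusted). It is useful for checking, before enabling the feature, which zone pairs will and will not be scanned.

```python
from itertools import product

# Zone security types as named in the guide.
ZONE_TYPES = ("Trusted", "Wireless", "Encrypted", "Public", "Untrusted")
INTERNAL = {"Trusted", "Wireless", "Encrypted"}   # the "Trusted, Wireless, or Encrypted" group


def inbound_inspected(src, dst, smtp):
    """True if traffic from zone type `src` to zone type `dst` is covered by
    Enable Inbound Inspection, following the guide's four rules."""
    if src not in ZONE_TYPES or dst not in ZONE_TYPES:
        raise ValueError(f"unknown zone type: {src!r} -> {dst!r}")
    if not smtp:
        # Rule 1: non-SMTP from Trusted/Wireless/Encrypted to any zone
        if src in INTERNAL:
            return True
        # Rule 2: non-SMTP from Public to Untrusted
        return src == "Public" and dst == "Untrusted"
    # Rule 3: SMTP from a non-Trusted zone to Trusted/Wireless/Encrypted/Public
    if src != "Trusted" and (dst in INTERNAL or dst == "Public"):
        return True
    # Rule 4: SMTP from Trusted/Wireless/Encrypted to Trusted/Wireless/Encrypted
    return src in INTERNAL and dst in INTERNAL


def inspection_table(smtp):
    """(src, dst) -> inspected, for every pair of zone types."""
    return {(s, d): inbound_inspected(s, d, smtp) for s, d in product(ZONE_TYPES, repeat=2)}


def render_table(smtp):
    """Plain-text matrix: rows are source zone types, columns destinations."""
    width = max(len(z) for z in ZONE_TYPES) + 1
    label = "SMTP" if smtp else "non-SMTP"
    lines = [f"{label:<{width}}" + "".join(f"{d:>{width}}" for d in ZONE_TYPES)]
    for s in ZONE_TYPES:
        cells = "".join(f"{'scan' if inbound_inspected(s, d, smtp) else '-':>{width}}"
                        for d in ZONE_TYPES)
        lines.append(f"{s:<{width}}{cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(smtp=False))
    print()
    print(render_table(smtp=True))
```

Reading the rendered matrix makes one consequence of the rules visible: non-SMTP traffic that originates in a Public or Untrusted zone and is bound for an internal zone is not covered by inbound inspection, which is the case the outbound SMTP inspection option below addresses for mail servers hosted in the DMZ.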
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
Page 24
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
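Two of the file attributes above can be recognised from header fields that arrive at the start of a transfer, which is why a per-packet scanner can enforce them without buffering the whole file. The following is an added Python illustration, not SonicWALL code: it reads the ZIP local-file-header flag that marks a password-protected entry, and it reads the PE section table and flags section names left behind by common packers (UPX0/UPX1/UPX2, ASPack's .aspack/.adata, Petite's .petite). The section-name list is a heuristic chosen for the example; the appliance's own packer recognition is signature-driven and is not reproduced here. The ZIP and PE test inputs are constructed in the block.

```python
import io
import struct
import zipfile
import zlib

ZIP_LOCAL_SIG = b"PK\x03\x04"          # local file header signature
ZIP_FLAG_ENCRYPTED = 0x0001             # general purpose flag bit 0
ZIP_FLAG_DATA_DESCRIPTOR = 0x0008       # bit 3: sizes follow the data

# Section names left behind by some common packers (heuristic only).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}


def zip_has_encrypted_entry(data):
    """Walk the local file headers and report whether any entry is encrypted.
    The header precedes the entry's data, so the decision needs no buffering."""
    off = 0
    while len(data) >= off + 30 and data[off:off + 4] == ZIP_LOCAL_SIG:
        # flags @6, comp_size @18, name_len @26, extra_len @28 (little-endian)
        flags, comp_size, name_len, extra_len = struct.unpack_from("<H10xI4xHH", data, off + 6)
        if flags & ZIP_FLAG_ENCRYPTED:
            return True
        if flags & ZIP_FLAG_DATA_DESCRIPTOR and comp_size == 0:
            break   # size is only known after the data; cannot skip ahead
        off += 30 + name_len + extra_len + comp_size
    return False


def build_zip_entry(name, payload, encrypted):
    """Constructed test data: one stored entry (local header + raw data); the
    central directory is omitted since only local headers are inspected."""
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, zlib.crc32(payload) & 0xFFFFFFFF,
                         len(payload), len(payload), len(name), 0)
    return ZIP_LOCAL_SIG + header + name + payload


def build_real_zip():
    """A genuine, unencrypted archive written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "plain text, no password")
    return buf.getvalue()


def pe_section_names(data):
    """Return the section names from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    n_sections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]   # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_packed_executable(data):
    return any(name in PACKER_SECTION_NAMES for name in pe_section_names(data))


def build_minimal_pe(section_names):
    """Constructed test data: DOS stub, PE signature, COFF header with an empty
    optional header, and a section table whose entries carry only names."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table


def demo():
    return {
        "encrypted_zip": zip_has_encrypted_entry(build_zip_entry(b"secret.doc", b"payload", True)),
        "plain_zip": zip_has_encrypted_entry(build_zip_entry(b"notes.txt", b"payload", False)),
        "real_zip": zip_has_encrypted_entry(build_real_zip()),
        "upx_pe": is_packed_executable(build_minimal_pe(["UPX0", "UPX1", ".rsrc"])),
        "plain_pe": is_packed_executable(build_minimal_pe([".text", ".data", ".rsrc"])),
    }


if __name__ == "__main__":
    print(demo())
```

The data-descriptor branch is the case to watch: an archive written in streaming mode carries the compressed size after the data, so a header-only walker cannot skip to the next entry and must inflate the stream to continue. A section-name check is also easy to defeat by renaming sections, which is why the guide's list of recognised packers is delivered as signatures rather than a fixed table.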
Page 25
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from the menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Page 26
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Page 27
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
Page 28
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Page 1
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Page 2
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Page 1
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
Page 2
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
Page 3
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator's Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance has not been set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator's Guide, located on the SonicWALL
Web site, for the complete instructions on configuring SonicWALL Intrusion Prevention Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
Convention - Use
• Bold - Highlights items you can select on the SonicWALL management interface.
• Italic - Highlights a value to enter into a field. For example, "type 192.168.168.168 in the IP Address field."
• Top Level Menu Button > Submenu Item - Indicates a multiple step Management Interface menu
choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then select
Gateway Anti-Virus.
Page 4
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based resources
are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
Page 5
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
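The reassembly-free, per-packet scanning that the two paragraphs above describe, as an added Python illustration (not SonicWALL code, and not the DPI engine's actual algorithm). Between packets the scanner retains only the last (longest signature - 1) bytes, so a signature split across a packet boundary is still found while memory stays bounded regardless of file size; with gzip_stream=True each packet is inflated incrementally with zlib before matching, which is the per-packet decompression idea in the second paragraph. The signature and payload are constructed for the example; the signature is a substring of the standard EICAR test string.

```python
import gzip
import zlib


class StreamScanner:
    """Per-chunk signature matching with no stream reassembly."""

    def __init__(self, signatures, gzip_stream=False):
        self.signatures = [bytes(s) for s in signatures]
        if not self.signatures:
            raise ValueError("at least one signature is required")
        self.overlap = max(len(s) for s in self.signatures) - 1
        self.tail = b""      # carried bytes; self.offset is the stream offset of tail[0]
        self.offset = 0
        self.hits = []       # (signature, stream offset) pairs
        # 16 + MAX_WBITS tells zlib to expect a gzip header.
        self.inflater = zlib.decompressobj(16 + zlib.MAX_WBITS) if gzip_stream else None

    def _report(self, window, limit):
        # Report matches starting before `limit`; later starts stay in the tail
        # and are reported once enough bytes have arrived (or at finish).
        for sig in self.signatures:
            i = window.find(sig)
            while i != -1 and i < limit:
                self.hits.append((sig, self.offset + i))
                i = window.find(sig, i + 1)

    def _consume(self, chunk):
        window = self.tail + chunk
        keep = min(self.overlap, len(window))
        limit = len(window) - keep
        self._report(window, limit)
        self.tail = window[limit:]
        self.offset += limit

    def feed(self, chunk):
        if self.inflater is not None:
            chunk = self.inflater.decompress(chunk)   # handles partial input
        self._consume(chunk)

    def finish(self):
        if self.inflater is not None:
            self._consume(self.inflater.flush())
        self._report(self.tail, len(self.tail))
        self.tail = b""
        return self.hits


def split(data, n):
    """Chop a byte string into n-byte 'packets'."""
    return [data[i:i + n] for i in range(0, len(data), n)]


def scan_packets(packets, signatures, gzip_stream=False):
    scanner = StreamScanner(signatures, gzip_stream)
    for p in packets:
        scanner.feed(p)
    return scanner.finish()


# Constructed sample: the EICAR test string's distinctive substring as the
# "signature", embedded in a larger payload at offset 10.
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
SAMPLE_PAYLOAD = b"GET body: " + SIGNATURE + b" trailing bytes"


def demo():
    # 7-byte packets guarantee the 34-byte signature straddles a boundary.
    plain = scan_packets(split(SAMPLE_PAYLOAD, 7), [SIGNATURE])
    gz = scan_packets(split(gzip.compress(SAMPLE_PAYLOAD), 5), [SIGNATURE], gzip_stream=True)
    # A second, shorter signature nested inside the first: each reported once.
    multi = scan_packets(split(SAMPLE_PAYLOAD, 7), [b"ANTIVIRUS", SIGNATURE])
    return plain, gz, multi


if __name__ == "__main__":
    print(demo())
```

The `limit` bookkeeping is what keeps the per-packet approach exact: a match is reported only when its start lies in bytes that are about to be discarded, so nothing is reported twice and nothing that straddles the retained tail is lost, and the offsets reported for the gzip stream refer to the decompressed content.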
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
Page 6
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting the remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. Virus is logged and alert sent to administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received
by the e-mail server.
3. If a virus is found, the threat is prevented.
4. E-mail is returned to sender, virus is logged, and alert sent to administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection version 2.0)
engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream-concurrency limits are platform dependent, as
shown in the following table:

Platform        GAV-Disabled    GAV-Enabled          Concurrent Compressed   GAV
                Connections     Connections Cache    File Downloads          Signatures
                Cache Size      Size (Concurrent     with GAV
                                File Downloads)
TZ 150 Series   2,048           2,048                100                     4,500
TZ 170 Series   6,144           6,144                100                     4,500
PRO 1260        6,144           6,144                100                     4,500
PRO 2040        32,768          16,384               300                     25,000
PRO 3060        131,072         65,536               1,000                   25,000
PRO 4060        524,288         131,072              1,500                   25,000
PRO 5060        750,000         393,216              3,000                   25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoded content is handled natively for all e-mail protocols (SMTP, POP3, and IMAP), since it
requires no decoding.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The SonicWALL answers with a 552 SMTP response and terminates the connection.
Because 552 is a permanent failure, the sending MTA removes the message containing the virus from the
head of its send queue, which prevents it from being resent.
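The SMTP exchange described above, as an added example (a Python simulation written for this page, not code from the guide or from SonicWALL; the hostnames, addresses, message and the one-entry signature set are constructed, and the `smtp_gateway` and `ScanWindow` names are this example's own). A gateway proxy relays the session, scans the DATA phase line by line, decodes base64 attachment lines one at a time instead of reassembling the attachment, and answers a hit with 552 before closing the connection.

```python
import base64

# Constructed signature set: only the EICAR test string, not a real GAV database.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = [EICAR]


class ScanWindow:
    """Scans a stream for fixed signatures while retaining only the last
    len(longest signature) - 1 bytes, so a signature that straddles two
    base64 lines is still caught without buffering the attachment."""

    def __init__(self, sigs):
        self.sigs = sigs
        self.keep = max(len(s) for s in sigs) - 1
        self.tail = b""

    def feed(self, chunk: bytes) -> bool:
        buf = self.tail + chunk
        self.tail = buf[-self.keep:] if self.keep else b""
        return any(s in buf for s in self.sigs)


def smtp_gateway(client_lines, sigs=SIGNATURES):
    """Drive the (hypothetical) gateway with a scripted sending-MTA session.
    Returns the transcript as (who, line) pairs: 'C' is the sender, 'S' is the
    reply the sender sees (relayed from the server, or injected by the gateway)."""
    transcript = [("S", "220 gw.example.test ESMTP")]
    in_data = b64_part = infected = False
    window = ScanWindow(sigs)
    for line in client_lines:
        transcript.append(("C", line))
        if not in_data:
            verb = line.split(" ", 1)[0].upper()
            if verb == "DATA":
                in_data, infected = True, False
                transcript.append(("S", "354 End data with <CR><LF>.<CR><LF>"))
            elif verb == "QUIT":
                transcript.append(("S", "221 Bye"))
            else:
                transcript.append(("S", "250 OK"))      # relayed server reply
            continue
        if line == ".":                                  # end of DATA
            in_data = False
            if infected:
                # 5xx: the sending MTA drops the message from its queue and
                # bounces it; a 4xx would make it retry later.
                transcript.append(("S", "552 Message rejected: virus detected"))
                transcript.append(("S", "[gateway closes connection]"))
                break
            transcript.append(("S", "250 OK: queued"))
            continue
        low = line.lower()
        if low.startswith("content-transfer-encoding:"):
            b64_part = "base64" in low                   # new MIME part
            window = ScanWindow(sigs)
            continue
        if line.startswith("--"):                        # MIME boundary
            b64_part = False
            continue
        raw = line.encode("latin-1")                     # 8-bit text: no decoding
        if b64_part and raw and b":" not in raw:
            try:
                raw = base64.b64decode(raw, validate=True)   # decode this line only
            except ValueError:
                pass
        if window.feed(raw):
            infected = True
    return transcript


def mime_message(attachment: bytes):
    """Constructed sending-MTA script: one text part plus a base64 attachment."""
    b64 = base64.b64encode(attachment).decode()
    body = [b64[i:i + 76] for i in range(0, len(b64), 76)]   # RFC 2045 line length
    return ["EHLO sender.example.test", "MAIL FROM:<alice@example.test>",
            "RCPT TO:<bob@example.test>", "DATA",
            "From: alice@example.test", "Subject: report",
            "Content-Type: multipart/mixed; boundary=XYZ", "", "--XYZ",
            "Content-Type: text/plain", "Content-Transfer-Encoding: 8bit", "",
            "Report attached.", "--XYZ",
            "Content-Type: application/octet-stream; name=report.bin",
            "Content-Transfer-Encoding: base64", "", *body, "--XYZ--", ".", "QUIT"]


def final_reply(transcript) -> str:
    """The reply the sender gets for the message itself: 552 or 250 OK: queued."""
    return next(l for who, l in reversed(transcript)
                if who == "S" and (l.startswith("552") or l.startswith("250 OK: queued")))


if __name__ == "__main__":
    for who, line in smtp_gateway(mime_message(EICAR)):
        print(f"{who}: {line}")
```

The choice of 552 rather than a 4xx code is the security-relevant detail: a 4xx reply would leave the message in the sender's queue to be retried, while a 5xx makes the sending MTA give up and bounce it, which is the "E-mail is returned to sender" step under Server Protection above.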
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression method is
not supported when HTTP response is Chunk Encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
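The reassembly-free scanning described under SonicWALL GAV Architecture and the HTTP Byte-Range suppression above, as one added example (Python written for this page, not SonicWALL's engine; the `StreamScanner`, `origin` and `gateway_fetch` names, the 130-byte sample download and the one-signature database are constructed). It shows why a per-packet scanner needs only an automaton state between packets, why two Range requests on separate connections defeat it, and why stripping the Range header closes that gap; the gzip variant shows per-packet decompression in front of the same scanner.

```python
import gzip
import zlib

# Constructed signature: the EICAR test string stands in for the GAV database.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Constructed sample "download": 130 bytes with the signature at offsets 42..109.
PAYLOAD = b"MZ" + b"\x00" * 40 + EICAR + b"\x00" * 20


class StreamScanner:
    """Matches one byte signature across packet boundaries with a KMP automaton.
    Only the automaton state (an int) survives between packets; no payload bytes
    are buffered, which is what makes the scan independent of file size."""

    def __init__(self, signature: bytes):
        self.sig = signature
        self.fail = self._failure_table(signature)
        self.state = 0
        self.hit = False

    @staticmethod
    def _failure_table(p: bytes):
        fail, k = [0] * len(p), 0
        for i in range(1, len(p)):
            while k and p[i] != p[k]:
                k = fail[k - 1]
            if p[i] == p[k]:
                k += 1
            fail[i] = k
        return fail

    def feed(self, packet: bytes) -> bool:
        for b in packet:
            while self.state and b != self.sig[self.state]:
                self.state = self.fail[self.state - 1]
            if b == self.sig[self.state]:
                self.state += 1
                if self.state == len(self.sig):
                    self.hit = True
                    self.state = self.fail[self.state - 1]
        return self.hit


class GzipStreamScanner(StreamScanner):
    """The same scanner behind a streaming inflater: a Content-Encoding: gzip
    response is inflated and scanned packet by packet, never reassembled."""

    def __init__(self, signature: bytes):
        super().__init__(signature)
        self.inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)   # gzip framing

    def feed(self, packet: bytes) -> bool:
        return super().feed(self.inflater.decompress(packet))


def packets(data: bytes, size: int):
    """Split a byte string into fixed-size 'packets' (size 7 splits the signature)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def scan(chunks, scanner) -> bool:
    for c in chunks:
        if scanner.feed(c):
            return True        # verdict on the packet carrying the last signature byte
    return False


def origin(headers: dict) -> bytes:
    """Toy origin server honouring one 'bytes=a-b' Range header (RFC 7233)."""
    rng = headers.get("Range")
    if not rng:
        return PAYLOAD
    a, _, b = rng.removeprefix("bytes=").partition("-")
    return PAYLOAD[int(a):int(b) + 1 if b else None]


def gateway_fetch(headers: dict, suppress_range: bool) -> bool:
    """One HTTP connection through the gateway; True means the download was blocked.
    With suppress_range the Range header is removed before the request reaches the
    origin, so the whole object arrives on one scanned stream."""
    if suppress_range:
        headers = {k: v for k, v in headers.items() if k.lower() != "range"}
    return scan(packets(origin(headers), 7), StreamScanner(EICAR))


def range_evasion(suppress_range: bool) -> bool:
    """Download-accelerator pattern: bytes 0-64 and 65- fetched on two connections.
    Each connection gets its own automaton state, so a signature straddling the
    split (here offsets 42..109) is never seen whole unless Range is suppressed."""
    halves = [{"Range": "bytes=0-64"}, {"Range": "bytes=65-"}]
    return any(gateway_fetch(h, suppress_range) for h in halves)


def gzip_download_blocked() -> bool:
    return scan(packets(gzip.compress(PAYLOAD), 7), GzipStreamScanner(EICAR))
```

The same reasoning applies to FTP 'REST': a restart offset is just a byte range on a separate connection, which is why the guide suppresses it by default. Multi-range requests (`bytes=a-b,c-d`) and deflate inside chunked responses are not modelled here.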
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL GAV to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, SonicWALL GAV inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored to their previously configured state after you renew your
SonicWALL GAV license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfer of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
prepends a small stub that expands the original executable in memory and then runs it. SonicWALL
Gateway Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite,
and ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
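The three restriction classes above can all be recognized from container metadata alone, without decompressing or running anything. The following is an added example, not SonicWALL code: the ZIP check reads general-purpose flag bit 0 (entry encrypted) from each local file header, the packer check reads PE section names (UPX-packed binaries carry UPX0/UPX1 sections; the ASPack and Petite names are assumptions and the list is far from complete), and the macro check generalizes beyond the page by looking for the vbaProject.bin part of Office 2007+ (OOXML) ZIP containers rather than the OLE2 Office 97 format the page refers to. The sample archive and PE image are constructed inline.

```python
"""Added example (not SonicWALL code): classify a transferred file into the
restriction classes listed above by reading only container metadata."""
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0: entry is encrypted
PE_MAGIC = b"PE\x00\x00"
# UPX names its sections UPX0/UPX1; the ASPack and Petite names are assumed
# and this list is far from complete (the page lists more packers).
PACKER_SECTION_PREFIXES = (b"UPX", b".aspack", b".petite")


def walk_zip_local_headers(data):
    """Yield (entry name, flag bits) for each ZIP local file header in stream
    order, stopping at the central directory.  Entries written with a data
    descriptor (flag bit 3, sizes unknown up front) are not handled here."""
    off = 0
    while data[off:off + 4] == ZIP_LOCAL_SIG:
        (flags, _method, _mtime, _mdate, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from("<HHHHIIIHH", data, off + 6)
        name = data[off + 30:off + 30 + name_len].decode("utf-8", "replace")
        yield name, flags
        off += 30 + name_len + extra_len + csize


def pe_section_names(data):
    """Return the section names of a PE image (empty list if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return []
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(nsec):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00"))
    return names


def classify_transfer(data):
    """Return the set of restriction classes that apply to this file."""
    verdicts = set()
    if data.startswith(ZIP_LOCAL_SIG):
        for name, flags in walk_zip_local_headers(data):
            if flags & ZIP_FLAG_ENCRYPTED:
                verdicts.add("password-protected-zip")
            # Generalisation beyond the page: Office 2007+ (OOXML) files are ZIP
            # containers and keep VBA macros in a vbaProject.bin part.
            if name.rsplit("/", 1)[-1].lower() == "vbaproject.bin":
                verdicts.add("office-macro")
    elif any(n.startswith(PACKER_SECTION_PREFIXES) for n in pe_section_names(data)):
        verdicts.add("packed-executable")
    return verdicts


# --- constructed samples (no real archives or binaries are needed) ---------
def make_zip(entries, encrypt_first=False):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in entries:
            zf.writestr(name, body)
    raw = bytearray(buf.getvalue())
    if encrypt_first:   # zipfile cannot write encrypted entries, so set the flag by hand
        flags = struct.unpack_from("<H", raw, 6)[0]
        struct.pack_into("<H", raw, 6, flags | ZIP_FLAG_ENCRYPTED)
    return bytes(raw)


def make_pe(section_names):
    """Minimal PE skeleton: DOS header, COFF header with no optional header, section table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew points right after the DOS header
    coff = PE_MAGIC + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return bytes(dos) + coff + sections


if __name__ == "__main__":
    print(classify_transfer(make_zip([("a.txt", b"hi")], encrypt_first=True)))
    print(classify_transfer(make_pe([b"UPX0", b"UPX1", b".rsrc"])))
```

Because every check stops at header fields, the classifier can run on a stream as it arrives and needs neither the whole file nor a decompression pass; a real gateway would still have to handle entries written with data descriptors and nested archives.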
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from the menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field shows the position of the first signature on the current page and the total count;
on the first page of a table with 58 entries, for example, it reads Items 1 to 50 (of 58). Use the
navigation buttons to move through the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - inspection of the data portion of a packet, not just its headers. Enables the
firewall to look further into the protocol, examine information at the application layer, and defend
against attacks targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates providing real-time protection from current and emerging
threats.
• False Positive - legitimate traffic wrongly identified as an attack pattern.
• Signature - a pattern written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - tracks the state of each connection and examines the contents of
individual packets at all layers of the OSI model, from the network layer to the application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance ................................... 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................ 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide, located on the
SonicWALL Web site, for complete instructions on configuring SonicWALL Intrusion Prevention Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention                             Use
Bold                                   Highlights items you can select on the SonicWALL management interface.
Italic                                 Highlights a value to enter into a field. For example, “type 192.168.168.168
                                       in the IP Address field.”
Top Level Menu Button > Submenu Item   Indicates a multiple-step Management Interface menu choice. For example,
                                       Security Services > Gateway Anti-Virus means select Security Services, then
                                       select Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based
resources are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - +1800.35.1642
Austria - +43(0)820.400.105
EMEA - +31(0)411.617.810
France - +33(0)1.4933.7414
Germany - +49(0)1805.0800.22
Hong Kong - +1.800.93.0997
India - +8026556828
Italy - +39.02.7541.9803
Japan - +81(0)3.5460.5356
New Zealand - +0800.446489
Singapore - +800.110.1441
Spain - +34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before they infect the remote desktop.
4. The virus is logged and an alert is sent to the administrator.
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client makes a request to download a file from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high-performance DPIv2.0 (Deep Packet Inspection version
2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting over the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency is platform dependent, as follows:

Platform          GAV-Disabled        GAV-Enabled Connection    Concurrent Compressed    GAV
                  Connection Cache    Cache Size (Concurrent    File Downloads           Signatures
                  Size                File Downloads)           with GAV
TZ 150 Series     2,048               2,048                     100                      4,500
TZ 170 Series     6,144               6,144                     100                      4,500
PRO 1260          6,144               6,144                     100                      4,500
PRO 2040          32,768              16,384                    300                      25,000
PRO 3060          131,072             65,536                    1,000                    25,000
PRO 4060          524,288             131,072                   1,500                    25,000
PRO 5060          750,000             393,216                   3,000                    25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache (the GAV-Disabled column in the table above).
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, the action taken depends on the protocol. For generic TCP streams, the
traffic is dropped and the connection is reset. If so configured, an encrypted and hashed message
explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher) and to
the user's 'Security Action Notification Applet', and is displayed to the user if either application is
active. Application-level awareness of the protocol that was transporting the violation allows very
specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email-based protocols (SMTP, POP3, and IMAP), since it
requires no decoding.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The appliance returns a 552 SMTP response and terminates the connection.
Because 552 is a permanent failure, the sending server removes the message containing the virus from
the head of its send queue instead of retrying it.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
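The SMTP mechanism described above, modelled as a small inline filter. This is an added example written for this page, not SonicWALL code: it base64-decodes and ZIP-expands the attachment the way the Capabilities lines describe, and answers the end of DATA with a 552 and a closed connection when a signature matches. The signature string, host names and reply text are constructed for the example, and the DATA section is buffered for readability where SonicWALL GAV scans per packet in a single pass.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed test pattern standing in for a real virus signature (the EICAR
# test file is the real-world equivalent for checking a gateway end to end).
SIGNATURE = b"GAV-TEST-SIGNATURE"


def scannable_payloads(raw_message: bytes):
    """Yield (name, bytes) for every decoded MIME part and for each member of
    a ZIP attachment (one level deep): the base64 and ZIP handling the guide
    lists for the mail protocols."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if not data:
            continue
        name = part.get_filename() or part.get_content_type()
        yield name, data
        if data.startswith(b"PK\x03\x04"):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    yield f"{name}!{info.filename}", zf.read(info)


def find_infected_part(raw_message: bytes):
    """Name of the first payload containing SIGNATURE, or None if clean."""
    for name, data in scannable_payloads(raw_message):
        if SIGNATURE in data:
            return name
    return None


def smtp_gateway(client_lines):
    """Drive one client session through the inline filter. Returns the
    transcript as (who, line) pairs and whether the gateway closed the
    session. Server replies are canned here; a real gateway relays them."""
    transcript = [("S", "220 mail.example.test ESMTP")]
    data_lines, in_data, closed = [], False, False
    for line in client_lines:
        transcript.append(("C", line))
        if in_data:
            if line != ".":
                data_lines.append(line[1:] if line.startswith(".") else line)  # dot-unstuffing
                continue
            in_data = False
            raw = "\r\n".join(data_lines).encode() + b"\r\n"
            hit = find_infected_part(raw)
            if hit is None:
                transcript.append(("S", "250 OK: queued"))
                continue
            # 552 is a permanent (5xx) failure: the sending MTA removes the
            # message from the head of its queue instead of retrying it.
            transcript.append(("S", f"552 Message rejected: {hit} matched signature"))
            transcript.append(("S", "[connection closed by gateway]"))
            closed = True
            break
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            in_data = True
            transcript.append(("S", "354 End data with <CR><LF>.<CR><LF>"))
        elif verb == "QUIT":
            transcript.append(("S", "221 Bye"))
            break
        else:
            transcript.append(("S", "250 OK"))
    return transcript, closed


def build_session(infected: bool):
    """Constructed client session: a base64-encoded ZIP attachment whose
    single member does or does not contain SIGNATURE."""
    member = SIGNATURE + b" inside archive" if infected else b"benign payload"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", member)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "invoice"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    body = msg.as_bytes(policy=policy.SMTP).decode().split("\r\n")
    return ["EHLO client.example.test", "MAIL FROM:<a@example.test>",
            "RCPT TO:<b@example.test>", "DATA", *body, ".", "QUIT"]


if __name__ == "__main__":
    for who, line in smtp_gateway(build_session(True))[0]:
        print(who, line)
```

Running the block prints the exchange for the infected case; the last two server lines are the 552 and the closed connection, and nothing after DATA is forwarded to the mail server.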
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is not
supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. HTTP Byte-Range requests are suppressed to prevent the sectional retrieval and reassembly of
potentially malicious content, since no single partial transfer would carry the whole signature.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. The FTP stateful code follows data-port
negotiations, allowing FTP data to be inspected on any TCP port. The FTP 'REST' (restart) request is
suppressed to prevent the sectional retrieval and reassembly of potentially malicious content. The
suppression of 'REST' can be overridden from the /diag.html page with the option Enable FTP 'REST'
requests with Gateway AV; doing so restores download resumption but reopens the sectional-retrieval path.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
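Why the HTTP Byte-Range and FTP 'REST' suppression described above matter, as an added example (not SonicWALL code): a per-connection scanner never sees a signature that a client splits across two partial transfers, so the client reassembles the file unscanned; stripping the Range header, or refusing REST so the transfer restarts at offset 0, forces one complete stream through the scanner. The signature bytes, file contents, host names and the 502 reply are constructed for the example.

```python
import re

# Constructed test pattern standing in for a real virus signature.
SIGNATURE = b"GAV-TEST-SIGNATURE"


def scan_stream(stream: bytes) -> bool:
    """Per-connection scanner: sees one transfer and never reassembles data
    across connections, which is the property sectional retrieval exploits."""
    return SIGNATURE in stream


def origin_response(file_bytes: bytes, request: bytes) -> bytes:
    """Toy origin server: honours 'Range: bytes=a-b' (inclusive) and otherwise
    returns the whole file. Only the body is modelled, not status lines."""
    m = re.search(rb"^Range: bytes=(\d+)-(\d+)\r?$", request, re.M | re.I)
    if m:
        first, last = int(m.group(1)), int(m.group(2))
        return file_bytes[first:last + 1]
    return file_bytes


def gateway_strip_range(request: bytes) -> bytes:
    """Gateway rewrite of a client request: drop the Range header so the origin
    sends one complete stream (the guide's suppression of Byte-Range)."""
    return re.sub(rb"^Range:[^\r\n]*\r\n", b"", request, flags=re.M | re.I)


def ftp_gateway(command: str):
    """FTP control-channel filter. Returns (line to forward, reply to client).
    REST is answered locally (the 502 code is this example's choice) so RETR
    starts at offset 0 and the whole file crosses one data connection."""
    if command.upper().startswith("REST "):
        return None, "502 REST not permitted by gateway"
    return command, None


def http_request(first, last=None) -> bytes:
    """Client request for a constructed download, with or without a Range."""
    rng = b"" if last is None else f"Range: bytes={first}-{last}\r\n".encode()
    return b"GET /file.exe HTTP/1.1\r\nHost: dl.example.test\r\n" + rng + b"\r\n"


def sectional_download(file_bytes: bytes, split_at: int):
    """Client-side evasion with no gateway: fetch [0, split_at) and
    [split_at, end] on separate connections and concatenate. Returns
    (both chunks passed the scanner, reassembled file)."""
    reqs = [http_request(0, split_at - 1), http_request(split_at, len(file_bytes) - 1)]
    chunks = [origin_response(file_bytes, r) for r in reqs]
    return all(not scan_stream(c) for c in chunks), b"".join(chunks)


def download_through_gateway(file_bytes: bytes, request: bytes):
    """The same request after the gateway rewrite. Returns (blocked, body)."""
    body = origin_response(file_bytes, gateway_strip_range(request))
    return scan_stream(body), body


# Constructed download: an 8-byte stub, the signature, a short tail. The split
# lands in the middle of the signature so neither half matches on its own.
STUB = b"MZ\x90\x00stub"
FILE = STUB + SIGNATURE + b"\x00tail"
SPLIT = len(STUB) + len(SIGNATURE) // 2

if __name__ == "__main__":
    print("sectional, no gateway:", sectional_download(FILE, SPLIT)[0])
    print("through gateway, blocked:", download_through_gateway(FILE, http_request(0, SPLIT - 1))[0])
```

The practical check is the same as the example: request the first half of a known test file with a Range header (curl's -r option does this) and confirm the gateway returns the whole object or drops the request rather than the partial body.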
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for the essential
configuration of SonicWALL GAV to protect your network against viruses, worms, and Trojans.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
Activating SonicWALL GAV
If SonicWALL GAV is not installed on your SonicWALL security appliance, the Security Services >
Gateway Anti-Virus page indicates that an upgrade is required and includes a link to activate it from
your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, which
provides protection against viruses, worms, Trojans, and application-layer attacks. When you activate
SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus checkbox in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want
SonicWALL GAV protection applied. If your SonicWALL security appliance is running SonicOS Enhanced
3.0, you must specify the Zones to which you want SonicWALL GAV protection applied on the
Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interfaces on which to enable SonicWALL GAV protection. Depending on your SonicWALL security
appliance model, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting the
interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon . The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, SonicWALL GAV inspection stops and the SonicWALL
GAV configuration settings are removed from the SonicWALL security appliance. These settings are
automatically restored to their previously configured state after you renew your SonicWALL GAV
license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want anti-virus scanning applied.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV to Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
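The four rules above rendered as a decision function, with the source-by-destination table regenerated from it. This is an added example, not SonicWALL code: the zone security types are the five the guide names, and the third bullet's "non-Trusted" is taken literally (any source other than Trusted), which is an assumption where the guide's wording is ambiguous.

```python
# The five zone security types named in this section of the guide.
SECURITY_TYPES = ["Trusted", "Wireless", "Encrypted", "Public", "Untrusted"]
TRUSTED_LIKE = {"Trusted", "Wireless", "Encrypted"}


def inbound_inspected(protocol: str, src: str, dst: str) -> bool:
    """True if a flow falls under Enable Inbound Inspection, per the four
    bullets above. 'protocol' is 'SMTP' or any other GAV-inspected protocol;
    src and dst are zone security types."""
    smtp = protocol.upper() == "SMTP"
    rules = (
        not smtp and src in TRUSTED_LIKE,                                  # bullet 1
        not smtp and src == "Public" and dst == "Untrusted",               # bullet 2
        smtp and src != "Trusted" and dst in TRUSTED_LIKE | {"Public"},    # bullet 3 (literal reading)
        smtp and src in TRUSTED_LIKE and dst in TRUSTED_LIKE,              # bullet 4
    )
    return any(rules)


def inspection_table(protocol: str) -> str:
    """Render the matrix the guide presents as a table: rows are the source
    zone, columns the destination zone, 'yes' means inspected."""
    width = 11
    label = protocol.upper() + " src/dst"
    lines = [label.ljust(width) + "".join(d.rjust(width) for d in SECURITY_TYPES)]
    for src in SECURITY_TYPES:
        cells = ["yes" if inbound_inspected(protocol, src, d) else "-" for d in SECURITY_TYPES]
        lines.append(src.ljust(width) + "".join(c.rjust(width) for c in cells))
    return "\n".join(lines)


def uncovered_flows(protocol: str):
    """Zone pairs that Enable Inbound Inspection leaves to other settings;
    worth checking against the zone design rather than assuming they are scanned."""
    return [(s, d) for s in SECURITY_TYPES for d in SECURITY_TYPES
            if not inbound_inspected(protocol, s, d)]


if __name__ == "__main__":
    print(inspection_table("HTTP"))
    print()
    print(inspection_table("SMTP"))
```

The uncovered list makes the gap explicit: for non-SMTP protocols a flow initiated from the Untrusted zone toward a Public (DMZ) server is not "inbound" in this sense, and mail delivered to a DMZ server is the case the Outbound SMTP Inspection setting below exists for.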
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities that compress and sometimes encrypt executables. Although
there are legitimate uses for these, they are also used with the intent of obfuscation, to make
executables less detectable by anti-virus applications. The packer prepends an unpacking stub that
expands the original file in memory and then executes it. SonicWALL Gateway Anti-Virus currently
recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and ASPack; additional
formats are added dynamically with SonicWALL GAV signature updates.
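How the three restrict-transfer attributes can be recognised at the file level, as an added example written for this page and not SonicWALL's engine: the ZIP encryption flag, a vbaProject.bin member or _VBA_PROJECT storage in Office files, and packer section names in a PE. The samples are constructed in the block (a flag-flipped ZIP, a minimal PE skeleton, an OLE header followed by the VBA directory name); the packer section-name list covers only UPX, ASPack and Petite, so it is an assumption that understates what the product matches.

```python
import io
import struct
import zipfile

# Section names left in a PE by the packers the guide names that use fixed
# names (UPX, ASPack, Petite). FSG and PKLite32 leave none, so a name check
# alone misses them; a real engine matches the unpacking stub instead.
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def zip_is_password_protected(data: bytes) -> bool:
    """General-purpose flag bit 0 marks an encrypted entry; it is readable
    from the central directory without knowing the password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def office_has_vba(data: bytes) -> bool:
    """OOXML (docm/xlsm/pptm) stores macros in a vbaProject.bin member; legacy
    OLE2 (Office 97-2003) files carry a '_VBA_PROJECT' storage whose UTF-16LE
    name sits in the directory. Both are signature-level checks."""
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    if data.startswith(OLE_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def pe_section_names(data: bytes):
    """Walk MZ header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # 4-byte signature + 20-byte COFF header + optional header
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0") for i in range(n_sections)]


def exe_is_packed(data: bytes) -> bool:
    return any(name in PACKER_SECTIONS for name in pe_section_names(data))


def restricted_category(data: bytes):
    """Map a file to the restrict-transfer setting it would trip, or None."""
    if data.startswith(b"PK\x03\x04"):
        if zip_is_password_protected(data):
            return "password-protected zip"
        if office_has_vba(data):
            return "office file with macros"
    elif data.startswith(OLE_MAGIC) and office_has_vba(data):
        return "office file with macros"
    elif data.startswith(b"MZ") and exe_is_packed(data):
        return "packed executable"
    return None


# --- constructed samples: no real malware, no real packer output ---

def make_zip(member: str, content: bytes, encrypted: bool = False) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flip flag bit 0 in the local header (offset 6) and the central
        # directory entry (offset 8); the content itself stays in the clear.
        data[data.find(b"PK\x03\x04") + 6] |= 1
        data[data.find(b"PK\x01\x02") + 8] |= 1
    return bytes(data)


def make_pe(section_names) -> bytes:
    """Minimal PE skeleton: just enough header to reach the section table."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + sections


OLE_WITH_VBA = OLE_MAGIC + b"\0" * 24 + "_VBA_PROJECT".encode("utf-16-le")

if __name__ == "__main__":
    for label, sample in [("encrypted zip", make_zip("a.txt", b"hi", encrypted=True)),
                          ("docm", make_zip("word/vbaProject.bin", b"\0")),
                          ("upx pe", make_pe([b"UPX0", b"UPX1", b".rsrc"]))]:
        print(label, "->", restricted_category(sample))
```

Note that the encrypted-ZIP check reads only the flag, which is why the setting works without the password: the archive contents cannot be scanned, so the transfer is refused on that attribute alone.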
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field shows the position of the first signature on the current page and the total number
of signatures. If you are displaying the first page of a signature table, the entry might read Items 1 to 50
(of 58). Use the navigation buttons to move through the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - inspection of the data portion of a packet, not just its headers. Enables the
firewall to look farther into the protocol, examine information at the application layer, and defend
against attacks targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates providing real-time protection from current and emerging
threats.
• False Positive - benign traffic that is wrongly identified as an attack.
• Signature - a pattern used to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - tracking of each connection's state (addresses, ports, and protocol
state) so that packets are admitted only when they belong to a known, valid connection. The SPI
connection cache is the resource that the GAV/IPS engine shares when it is enabled.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations
by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............ 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Page 2 SonicWALL Gateway Anti-Virus Administrator’s Guide
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide, located on the
SonicWALL Web site, for complete instructions on configuring SonicWALL Intrusion Prevention Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention Use
Bold Highlights items you can select on the SonicWALL
management interface.
Italic Highlights a value to enter into a field. For example, “type
192.168.168.168 in the IP Address field.”
Top Level Menu Button >
Submenu Item
Indicates a multiple step Management Interface menu
choice. For example, Security Services > Gateway Anti-
Virus means select Security Services, then select
Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit the SonicWALL Web site. Web-based resources
are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - +1800.35.1642
Austria - +43(0)820.400.105
EMEA - +31(0)411.617.810
France - +33(0)1.4933.7414
Germany - +49(0)1805.0800.22
Hong Kong - +1.800.93.0997
India - +8026556828
Italy - +39.02.7541.9803
Japan - +81(0)3.5460.5356
New Zealand - +0800.446489
Singapore - +800.110.1441
Spain - +34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment, reducing
false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before they infect the remote desktop.
4. The virus is logged and an alert is sent to the administrator.
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before they are received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client makes a request to download a file from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection
version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting over the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. The number of streams that can be scanned concurrently,
however, is platform dependent, as follows:

Platform        GAV-Disabled      GAV-Enabled            Concurrent         GAV
                Connection        Connection Cache Size  Compressed File    Signatures
                Cache Size        (Concurrent File       Downloads with
                                  Downloads)             GAV
TZ 150 Series   2,048             2,048                  100                4,500
TZ 170 Series   6,144             6,144                  100                4,500
PRO 1260        6,144             6,144                  100                4,500
PRO 2040        32,768            16,384                 300                25,000
PRO 3060        131,072           65,536                 1,000              25,000
PRO 4060        524,288           131,072                1,500              25,000
PRO 5060        750,000           393,216                3,000              25,000

Note: On the PRO 2040 and larger platforms, enabling the GAV/IPS engine reduces the connection cache
available to stateful packet inspection (compare the first two columns). Size the platform against peak
concurrent connections with GAV enabled, not against the GAV-disabled figure.
Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoded content is handled natively for all e-mail based protocols (SMTP, POP3, and IMAP),
since it requires no decoding step before scanning.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The SonicWALL security appliance answers with a 552 SMTP response and
terminates the connection. The 552 response causes the sending mail server to remove the message
containing the virus from the head of its send queue, preventing it from being resent.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via the
'DELE' command and the connection is terminated. To continue downloading messages after the
termination, the user must re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
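The SMTP and POP3 prevention mechanisms above, as an added Python simulation (this is not SonicWALL code and does not reproduce the appliance's implementation): an in-line filter relays a POP3 RETR, scans the lines as they pass, and on a hit issues DELE to the server and drops the client session, which the client must then re-open; for SMTP it answers the DATA phase with a 552 reply so the sending MTA does not retry. The mailbox contents, the signature string and the exact reply wording are constructed assumptions.

```python
"""Simulation of the gateway's POP3 and SMTP prevention mechanisms.
Constructed example: the mailbox contents, the signature and the reply
text are assumptions, not SonicWALL's implementation."""

SIGNATURE = b"MALWARE-TEST-PATTERN"   # constructed pattern standing in for a signature


def _found(window, line):
    """Sliding-window check so a pattern split across two relayed lines still matches.
    Returns (hit, new_window); only len(SIGNATURE)-1 bytes are retained."""
    chunk = window + line + b"\r\n"
    return SIGNATURE in chunk, chunk[-(len(SIGNATURE) - 1):]


class FakePop3Server:
    """Just enough of RFC 1939 (STAT, RETR, DELE, QUIT) for the demonstration."""

    def __init__(self, messages):
        self.messages = list(messages)   # message n is messages[n-1]
        self.deleted = set()

    def command(self, line):
        verb, *args = line.split()
        if verb == b"STAT":
            live = [m for i, m in enumerate(self.messages, 1) if i not in self.deleted]
            return [b"+OK %d %d" % (len(live), sum(len(m) for m in live))]
        if verb == b"RETR":
            n = int(args[0])
            if n in self.deleted or not 1 <= n <= len(self.messages):
                return [b"-ERR no such message"]
            body = self.messages[n - 1]
            return [b"+OK %d octets" % len(body)] + body.split(b"\r\n") + [b"."]
        if verb == b"DELE":
            self.deleted.add(int(args[0]))
            return [b"+OK message deleted"]
        if verb == b"QUIT":
            return [b"+OK bye"]
        return [b"-ERR unknown command"]


class GavPop3Proxy:
    """Sits between the POP3 client and server and scans RETR data as it is relayed."""

    def __init__(self, server):
        self.server = server
        self.connected = True
        self.log = []

    def reconnect(self):
        """The client must open a new session after the gateway drops the old one."""
        self.connected = True

    def relay(self, client_line):
        """Return the lines the client receives; None means the connection was torn down."""
        if not self.connected:
            raise ConnectionError("session was terminated by the gateway; reconnect first")
        responses = self.server.command(client_line)
        if not client_line.startswith(b"RETR"):
            return responses
        delivered, window = [], b""
        for line in responses:
            hit, window = _found(window, line)
            if hit:
                n = int(client_line.split()[1])
                self.server.command(b"DELE %d" % n)      # remove the infected message at the server
                self.connected = False                    # client sees a dropped connection
                self.log.append("POP3 RETR %d: virus found, DELE sent, connection terminated" % n)
                return None
            delivered.append(line)                        # clean so far: pass the line through
        return delivered


def smtp_data_phase(data_lines):
    """Scan the DATA phase of an SMTP submission.  On a hit the client gets a 552
    reply (assumed wording) so the sending MTA drops the message from the head of its
    queue instead of retrying; otherwise the message is accepted."""
    window = b""
    for line in data_lines:
        hit, window = _found(window, line)
        if hit:
            return b"552 5.7.0 Message content rejected by gateway anti-virus"
    return b"250 2.0.0 Message accepted"


def demo():
    """Returns (clean_retr, infected_retr, stat_after, smtp_clean, smtp_infected)."""
    server = FakePop3Server([
        b"Subject: hi\r\n\r\nhello",                     # 1: clean (constructed)
        b"Subject: bad\r\n\r\n" + SIGNATURE,             # 2: infected (constructed)
        b"Subject: ok\r\n\r\nbye",                       # 3: clean (constructed)
    ])
    proxy = GavPop3Proxy(server)
    clean = proxy.relay(b"RETR 1")
    infected = proxy.relay(b"RETR 2")                    # None: session dropped, message deleted
    proxy.reconnect()                                    # user re-initiates the download
    stat_after = proxy.relay(b"STAT")[0]                 # two messages remain
    return (clean, infected, stat_after,
            smtp_data_phase([b"From: a@example.test", b"", b"hello"]),
            smtp_data_phase([b"From: a@example.test", b"", b"see " + SIGNATURE]))
```

The POP3 path shows why the guide says the user must re-initiate the download: the gateway cannot send the client a protocol-level error in the middle of a multi-line RETR response, so it deletes the message at the server and drops the session; the remaining messages are still there on the next connection.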
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is
not supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. HTTP Byte-Range requests are suppressed to prevent the sectional retrieval and reassembly of
potentially malicious content: a signature split across separately fetched ranges would never appear
whole in any single stream.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
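The two points above, per-packet matching without reassembly (described under SonicWALL GAV Architecture) and the suppression of HTTP Byte-Range requests, are illustrated by the following added Python example. It is not SonicWALL code and does not reproduce the DPI engine; the signature string, the payload, the packet sizes and the range boundaries are all constructed for the demonstration. The same fragmentation argument applies to the FTP 'REST' request covered next.

```python
"""Reassembly-free signature scanning over a packet stream, and why sectional
retrieval (HTTP Range requests) has to be suppressed.  Constructed example:
the signature, payload, packet sizes and range boundaries are assumptions."""

import base64
import hashlib

# Constructed test pattern; stands in for a real virus signature.
SIGNATURE = b"MALWARE-TEST-PATTERN"

# Constructed "file": a header, padding, the pattern at bytes 102..121, more padding.
PAYLOAD = b"MZ" + b"A" * 100 + SIGNATURE + b"B" * 50


class StreamScanner:
    """Matches SIGNATURE across packet boundaries while keeping only the last
    len(SIGNATURE) - 1 bytes of the stream as carry-over state.  Nothing else is
    buffered, so the scanner has no notion of (or limit on) total file size."""

    def __init__(self, signature=SIGNATURE):
        self.sig = signature
        self.tail = b""
        self.hit = False

    def feed(self, packet):
        """Scan one packet; return True once the signature has been seen."""
        if self.hit:
            return True
        window = self.tail + packet
        if self.sig in window:
            self.hit = True
            return True
        self.tail = window[-(len(self.sig) - 1):]
        return False


class Base64StreamDecoder:
    """Decodes base64 one packet at a time (mail bodies are wrapped at 76 columns),
    carrying over any incomplete 4-character group to the next packet."""

    def __init__(self):
        self.carry = b""

    def feed(self, packet):
        data = self.carry + b"".join(packet.split())   # strip CR/LF and spaces
        usable = len(data) - len(data) % 4
        self.carry = data[usable:]
        return base64.b64decode(data[:usable])


def packetize(data, size):
    """Split a byte string into fixed-size packets (constructed segmentation)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def scan_stream(packets, decoder=None):
    """Scan a sequence of packets, optionally decoding each one first.
    Returns True if the signature is detected anywhere in the stream."""
    scanner = StreamScanner()
    for pkt in packets:
        if decoder is not None:
            pkt = decoder.feed(pkt)
        if scanner.feed(pkt):
            return True
    return False


def range_split_attempt(payload, ranges):
    """Model a client that fetches the file as separate HTTP Range requests, each of
    which is its own TCP stream and is therefore scanned in isolation.  Returns the
    per-fragment verdicts and whether the client could still rebuild the whole file."""
    verdicts, rebuilt = [], b""
    for start, end in ranges:                      # inclusive, as in "Range: bytes=start-end"
        fragment = payload[start:end + 1]
        verdicts.append(scan_stream(packetize(fragment, 7)))
        rebuilt += fragment
    intact = hashlib.sha256(rebuilt).digest() == hashlib.sha256(payload).digest()
    return verdicts, intact


def demo():
    """Run the three scenarios; returns (whole_stream, base64_mail, range_verdicts, rebuilt_ok)."""
    whole = scan_stream(packetize(PAYLOAD, 13))                 # signature straddles packets
    mail = scan_stream(packetize(base64.encodebytes(PAYLOAD), 10), Base64StreamDecoder())
    # Cut the file so that the signature (bytes 102..121) straddles the two ranges.
    verdicts, rebuilt_ok = range_split_attempt(PAYLOAD, [(0, 111), (112, len(PAYLOAD) - 1)])
    return whole, mail, verdicts, rebuilt_ok


if __name__ == "__main__":
    whole, mail, verdicts, rebuilt_ok = demo()
    print("whole stream detected:", whole)                # True
    print("base64 mail detected:", mail)                  # True
    print("per-range verdicts:", verdicts)                # [False, False]
    print("client rebuilt the file intact:", rebuilt_ok)  # True
```

The first two scenarios show the reassembly-free property: detection succeeds although the signature is spread over several packets and, in the mail case, over several base64 line breaks, while the scanner retains only 19 bytes of state. The third shows the evasion that Byte-Range suppression closes: neither range, scanned as its own stream, contains the whole signature, yet the client holds a byte-for-byte copy of the original file.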
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected on whichever TCP port is in use. The FTP 'REST' (restart)
request is suppressed to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL GAV to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible from any Internet connection with a Web
browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0 (or higher). Your SonicWALL security appliance must
be running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 (or higher) for SonicWALL Gateway
Anti-Virus/Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL GAV.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at mySonicWALL.com, the activation is automatically applied to your
SonicWALL security appliance within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance immediately.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left
navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interfaces on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones, or on the
Security Services > Gateway Anti-Virus page, click the Network > Zones link in the Gateway
Anti-Virus Status section. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface box and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
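The four rules above, written out as a lookup that also renders the per-zone table the guide refers to. This is an added example, not SonicWALL code; it reads "non-Trusted Zone" literally as any zone security type other than Trusted, which is an assumption, and it treats every protocol other than SMTP under the non-SMTP rules.

```python
"""Added example: the 'Enable Inbound Inspection' zone rules as a lookup.

Not SonicWALL code. It encodes the four bullets from the guide and renders
the per-zone table the guide refers to. Assumption: 'non-Trusted Zone' is
read literally as any zone security type other than Trusted.
"""

# Zone security types named in the guide (SonicOS Enhanced 3.0).
ZONE_TYPES = ("Trusted", "Wireless", "Encrypted", "Public", "Untrusted")
INTERNAL = frozenset({"Trusted", "Wireless", "Encrypted"})


def inbound_inspected(protocol: str, src_zone: str, dst_zone: str) -> bool:
    """True if GAV inbound inspection covers a flow initiated from src_zone
    towards dst_zone. Any protocol other than SMTP follows the non-SMTP rules."""
    for zone in (src_zone, dst_zone):
        if zone not in ZONE_TYPES:
            raise ValueError(f"unknown zone security type: {zone!r}")

    if protocol.upper() == "SMTP":
        # Rule 3: SMTP from a non-Trusted zone to Trusted, Wireless, Encrypted or Public.
        from_non_trusted = src_zone != "Trusted" and dst_zone in INTERNAL | {"Public"}
        # Rule 4: SMTP between two internal (Trusted/Wireless/Encrypted) zones.
        internal_to_internal = src_zone in INTERNAL and dst_zone in INTERNAL
        return from_non_trusted or internal_to_internal

    # Rule 1: non-SMTP from an internal zone to any zone.
    # Rule 2: non-SMTP from a Public zone to an Untrusted zone.
    return src_zone in INTERNAL or (src_zone == "Public" and dst_zone == "Untrusted")


def inbound_table(protocol: str) -> dict:
    """Every (source, destination) zone-type pair mapped to its inspection outcome."""
    return {(s, d): inbound_inspected(protocol, s, d)
            for s in ZONE_TYPES for d in ZONE_TYPES}


def render_table(protocol: str) -> str:
    """Plain-text matrix: rows are initiating zones, columns are destination zones."""
    width = max(len(z) for z in ZONE_TYPES) + 1
    table = inbound_table(protocol)
    header = f"{protocol.upper():<{width}}" + "".join(f"{d:<{width}}" for d in ZONE_TYPES)
    lines = [header]
    for s in ZONE_TYPES:
        cells = "".join(f"{'yes' if table[(s, d)] else '-':<{width}}" for d in ZONE_TYPES)
        lines.append(f"{s:<{width}}{cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table("HTTP"))
    print()
    print(render_table("SMTP"))
```

Note that SMTP initiated from a Trusted zone towards a Public zone (for example a mail server on the DMZ) is not covered by any of the inbound rules; that case is what the outbound SMTP inspection setting in the next section addresses.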
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
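As an added example (not SonicWALL code) of the decision behind the first restrict setting: a ZIP archive's local file headers carry an encryption flag, so a gateway can tell that an entry cannot be scanned without decrypting anything. The build_zip helper and its entries are constructed sample data; an entry whose sizes are deferred to a data descriptor is reported as an error rather than guessed at.

```python
"""Added example: detect password-protected ZIP entries from local file headers.

Not SonicWALL code. Mirrors the policy behind 'Restrict Transfer of
password-protected Zip files': an encrypted entry cannot be scanned for
viruses, so the archive is blocked. All sample archives are constructed here.
"""
import io
import struct
import zipfile
import zlib

LFH_SIG = b"PK\x03\x04"          # local file header signature
LFH_FMT = "<HHHHHIIIHH"          # fields after the signature (26 bytes)
LFH_LEN = 30                     # signature + fixed fields
FLAG_ENCRYPTED = 0x0001          # general purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008    # bit 3: sizes follow the data, header sizes are 0


def build_zip(entries):
    """Construct a minimal archive (local headers + stored data only) for the demo.

    entries: iterable of (name, payload_bytes, encrypted). An 'encrypted' entry
    only has the header flag set; no real encryption is applied, because the
    flag alone is what the check below looks at. Constructed sample data.
    """
    out = bytearray()
    for name, payload, encrypted in entries:
        name_b = name.encode()
        flags = FLAG_ENCRYPTED if encrypted else 0
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        out += LFH_SIG + struct.pack(LFH_FMT, 20, flags, 0, 0, 0, crc,
                                     len(payload), len(payload), len(name_b), 0)
        out += name_b + payload
    return bytes(out)


def password_protected_entries(blob):
    """Names of entries whose local file header has the encryption bit set.

    Walks local headers in stream order, which is what a gateway sees first.
    Raises ValueError for an entry that uses a data descriptor, because the
    header then carries no compressed size to skip over (a stream scanner
    would need the central directory to continue).
    """
    names = []
    pos = 0
    while pos + LFH_LEN <= len(blob) and blob[pos:pos + LFH_LEN][:4] == LFH_SIG:
        (_ver, flags, _method, _mtime, _mdate, _crc, csize, _usize,
         nlen, xlen) = struct.unpack(LFH_FMT, blob[pos + 4:pos + LFH_LEN])
        name = blob[pos + LFH_LEN:pos + LFH_LEN + nlen].decode("utf-8", "replace")
        if flags & FLAG_DATA_DESCRIPTOR:
            raise ValueError(f"{name}: sizes deferred to data descriptor, cannot skip entry")
        if flags & FLAG_ENCRYPTED:
            names.append(name)
        pos += LFH_LEN + nlen + xlen + csize
    return names


def restrict_transfer(blob):
    """Policy decision: block the archive if any entry is password-protected."""
    return bool(password_protected_entries(blob))


def check_stdlib_archive():
    """Cross-check against an unencrypted archive written by Python's zipfile:
    the walker must stop cleanly at the central directory and report nothing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "plain text, no password")
    return password_protected_entries(buf.getvalue())


if __name__ == "__main__":
    sample = build_zip([("readme.txt", b"hello", False),
                        ("payload.bin", b"\x00" * 16, True)])
    print("encrypted entries:", password_protected_entries(sample))
    print("restrict transfer:", restrict_transfer(sample))
```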
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature on the page. If you are displaying the
first page of a signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations
by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones
(SonicOS Enhanced 3.0) ............................................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site:
.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention - Use
• Bold - Highlights items you can select on the SonicWALL management interface.
• Italic - Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
• Top Level Menu Button > Submenu Item - Indicates a multiple step Management Interface menu choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.
Page 4 SonicWALL Gateway Anti-Virus Administrator’s Guide
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before they infect the remote desktop.
4. The virus is logged and an alert is sent to the administrator.
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client makes a request to download a file from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high-performance DPIv2.0 (Deep Packet Inspection
version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
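The following Python script is an added example, not SonicWALL code and not a description of the DPI engine's internals. It shows the reassembly-free idea described above on constructed traffic: a MIME-style base64 body carrying a gzip-compressed attachment is pushed through a decode, inflate and match pipeline one "packet" at a time. The base64 stage carries at most three unconsumed characters, the inflate stage keeps only zlib's window, and the matcher keeps only the last (longest signature minus one) bytes, so per-stream memory does not grow with the size of the file. The marker string, the sample bodies and the 13-byte packet size are all constructed for the demo.

```python
"""Reassembly-free scan pipeline: base64 -> gzip -> signature match, per packet.

Added example, not SonicWALL code. MARKER, the sample bodies and the packet
size are constructed for the demo; MARKER is not a real virus signature.
"""
import base64
import gzip
import zlib
from typing import Dict, Iterable, List, Optional, Sequence


class StreamingBase64Decoder:
    """Decodes base64 chunk by chunk, carrying at most 3 unconsumed chars."""

    def __init__(self) -> None:
        self._carry = b""

    def feed(self, chunk: bytes) -> bytes:
        # MIME base64 is line-wrapped; whitespace is not part of the alphabet.
        data = self._carry + chunk.translate(None, delete=b"\r\n\t ")
        usable = len(data) - (len(data) % 4)      # decode whole quads only
        self._carry = data[usable:]
        return base64.b64decode(data[:usable]) if usable else b""


class StreamingGunzip:
    """Inflates a gzip member incrementally; zlib keeps only its 32 KiB window."""

    def __init__(self) -> None:
        self._z = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16 = gzip header

    def feed(self, chunk: bytes) -> bytes:
        return self._z.decompress(chunk)


class StreamingMatcher:
    """Finds fixed byte signatures even when a packet boundary splits them.

    Only the last (longest signature - 1) bytes are retained between calls, so
    a signature that straddles two packets is still seen in one window.
    """

    def __init__(self, signatures: Sequence[bytes]) -> None:
        self._sigs = list(signatures)
        self._keep = max(len(s) for s in self._sigs) - 1
        self._tail = b""

    def feed(self, chunk: bytes) -> Optional[bytes]:
        window = self._tail + chunk
        for sig in self._sigs:
            if sig in window:
                return sig
        self._tail = window[-self._keep:] if self._keep else b""
        return None


def scan_packets(packets: Iterable[bytes], signatures: Sequence[bytes],
                 *, b64: bool = False, gz: bool = False) -> Dict[str, object]:
    """Push each packet through decode -> inflate -> match and stop on a hit.

    'packet' is the 1-based index of the packet in which a signature was
    completed (where a gateway would drop and reset the connection), or 0 if
    the stream was clean. 'inspected' counts plaintext bytes actually scanned.
    """
    b64dec = StreamingBase64Decoder() if b64 else None
    gunzip = StreamingGunzip() if gz else None
    matcher = StreamingMatcher(signatures)
    inspected = 0
    for idx, pkt in enumerate(packets, 1):
        if b64dec is not None:
            pkt = b64dec.feed(pkt)
        if gunzip is not None:
            pkt = gunzip.feed(pkt)
        inspected += len(pkt)
        hit = matcher.feed(pkt)
        if hit is not None:
            return {"verdict": "blocked", "packet": idx, "signature": hit,
                    "inspected": inspected}
    return {"verdict": "clean", "packet": 0, "signature": None,
            "inspected": inspected}


def split(data: bytes, size: int) -> List[bytes]:
    """Cut a byte string into fixed-size 'packets' (constructed traffic)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def mime_wrap(raw: bytes) -> bytes:
    """gzip + base64 with 76-column CRLF wrapping, as a mail client would send."""
    enc = base64.b64encode(gzip.compress(raw, mtime=0))
    return b"\r\n".join(enc[i:i + 76] for i in range(0, len(enc), 76)) + b"\r\n"


# Constructed sample data: the infected body is the clean body with MARKER
# inserted in the middle; 13-byte packets split both base64 quads and MARKER.
MARKER = b"DEMO-MALWARE-MARKER-0001"
CLEAN_BODY = bytes(range(256)) * 40
INFECTED_BODY = CLEAN_BODY[:5000] + MARKER + CLEAN_BODY[5000:]

if __name__ == "__main__":
    for body in (INFECTED_BODY, CLEAN_BODY):
        print(scan_packets(split(mime_wrap(body), 13), [MARKER], b64=True, gz=True))
```

The matcher's carried tail is what makes the approach work without reassembly: a pattern split across two packets is still matched because the end of the previous packet is prepended to the next. The same structure is why a file fetched in pieces over separate connections is a problem, which is the reason the HTTP Byte-Range and FTP REST suppression described later in this guide exists.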
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as
shown in the following table:

Platform         GAV-Disabled       GAV-Enabled              Concurrent          GAV
                 Connection         Connection Cache Size    Compressed File     Signatures
                 Cache Size         (Concurrent File         Downloads
                                    Downloads)               with GAV
TZ 150 Series    2,048              2,048                    100                 4,500
TZ 170 Series    6,144              6,144                    100                 4,500
PRO 1260         6,144              6,144                    100                 4,500
PRO 2040         32,768             16,384                   300                 25,000
PRO 3060         131,072            65,536                   1,000               25,000
PRO 4060         524,288            131,072                  1,500               25,000
PRO 5060         750,000            393,216                  3,000               25,000

Disabling the SonicWALL GAV/IPS Engine
If SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not licensed or enabled on your
SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled so that its
resources are reallocated to the SPI connection cache (the GAV-Disabled column in the table above).
Note that this turns off both Gateway AV and IPS inspection on the appliance.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all e-mail based protocols (SMTP, POP3, and IMAP), since no
decoding step is required for that encoding.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The gateway returns a 552 SMTP response, which causes the sending mail server
to remove the message containing the virus from the head of its send queue (so it is not resent), and the
connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is not
supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. HTTP Byte-Range requests are suppressed to prevent the sectional retrieval and reassembly of
potentially malicious content (content fetched in pieces is never seen as a whole by the scanner).
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. The FTP stateful code follows data-port
negotiations, allowing FTP data to be inspected on any TCP port. The FTP 'REST' (restart) request is
suppressed to prevent the sectional retrieval and reassembly of potentially malicious content. The
suppression of the 'REST' request can be overridden from the /diag.html page with the option
'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
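Added example, not SonicWALL code: the two suppression behaviours described above (HTTP Byte-Range requests and the FTP REST command) implemented as gateway-side decisions in Python, plus a check for a 206 response that would indicate a range request got through. A per-connection stream scanner only sees the bytes of one connection, so a file fetched in pieces (byte ranges, or RETR after a non-zero REST) is never assembled in front of it; refusing the requests that ask for pieces is what closes that gap. The header set follows RFC 7233; the 502 reply text, the override flag standing in for the /diag.html option, and the sample requests are choices made for this demo, since the guide does not say how the appliance phrases the refusal.

```python
"""Gateway-side suppression of partial retrieval: HTTP Range and FTP REST.

Added example, not SonicWALL code. Header names come from RFC 7233; the 502
reply text, the override flag and the sample requests are constructed here.
"""
import re
from typing import Tuple

RANGE_HEADERS = {b"range", b"if-range"}   # select a sub-range of a resource


def strip_http_range(request: bytes) -> Tuple[bytes, bool]:
    """Drop Range/If-Range from a raw HTTP request head.

    Returns the rewritten request and whether anything was removed. Without a
    Range header the origin answers 200 with the whole body, which the stream
    scanner inspects end to end; a 206 partial body cannot be judged as a file.
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]]                      # request line is never a header
    removed = False
    for line in lines[1:]:
        name = line.split(b":", 1)[0].strip().lower()
        if name in RANGE_HEADERS:
            removed = True
            continue
        kept.append(line)
    return b"\r\n".join(kept) + sep + body, removed


def response_is_partial(status_line: bytes) -> bool:
    """True for a 206 reply: one arrives only if a Range request got through,
    so a gateway should treat the body as unscannable rather than clean."""
    parts = status_line.split(None, 2)
    return len(parts) >= 2 and parts[1] == b"206"


_REST = re.compile(rb"^\s*REST\s+(\d+)\s*$", re.IGNORECASE)


def handle_ftp_command(line: bytes, allow_rest: bool = False) -> Tuple[str, bytes]:
    """Decide what the gateway does with one FTP control-channel command.

    Returns ("forward", line) to relay the command to the server, or
    ("reply", response) to answer the client directly without relaying.
    REST <offset> makes the next RETR start mid-file, so only the tail would
    reach the scanner; a non-zero REST is refused unless allow_rest is set
    (standing in for the diag-page override). REST 0 is a no-op and passes.
    """
    m = _REST.match(line)
    if m and int(m.group(1)) != 0 and not allow_rest:
        return "reply", b"502 REST not permitted while Gateway AV is enabled\r\n"
    return "forward", line


if __name__ == "__main__":
    req = (b"GET /files/tool.zip HTTP/1.1\r\nHost: files.example\r\n"
           b"Range: bytes=0-1023\r\nUser-Agent: demo\r\n\r\n")   # constructed
    print(strip_http_range(req))
    print(handle_ftp_command(b"REST 4096\r\n"))
    print(handle_ftp_command(b"RETR tool.zip\r\n"))
```

The header strip is done on the request so the origin server never learns a range was wanted; checking the response status as well catches a server that returns 206 anyway (for example, a proxy between the gateway and the origin that added its own Range). The same reasoning applies to the download accelerators mentioned in the note above: they work by issuing many range requests, which is exactly the pattern being refused.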
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for the essential
configuration of SonicWALL GAV to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL security appliance within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
update your SonicWALL security appliance immediately.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to
apply SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on your SonicWALL
security appliance model, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting the
interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Page 22 SonicWALL Gateway Anti-Virus Administrator’s Guide
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling, represented as a table:
Traffic     Initiating Zone                    Destination Zone
Non-SMTP    Trusted, Wireless, or Encrypted    Any Zone
Non-SMTP    Public                             Untrusted
SMTP        Non-Trusted                        Trusted, Wireless, Encrypted, or Public
SMTP        Trusted, Wireless, or Encrypted    Trusted, Wireless, or Encrypted
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
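The zone rules from the Enabling Inbound Inspection section above and the exclusion-list behaviour just described, encoded as a small policy model so an administrator can check which flows are actually covered. This is an added example, not code from the SonicWALL guide; the zone security-type names are the guide's, while the Flow type, the sample addresses and the assumption that an exclusion entry matching either endpoint bypasses scanning are mine.

```python
"""Which flows does SonicWALL GAV scan? A model of the inbound zone rules and the exclusion list.

Added example, not code from the SonicWALL guide. It encodes the four
"Enable Inbound Inspection" bullets and the Gateway AV Exclusion List
(IP Address From / To ranges). Zone security-type names come from the
guide; the flows below are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Sequence

TRUSTED_LIKE = frozenset({"Trusted", "Wireless", "Encrypted"})
ZONE_TYPES = TRUSTED_LIKE | {"Public", "Untrusted"}


def inbound_inspection_applies(protocol: str, src_type: str, dst_type: str) -> bool:
    """True when the guide's Enable Inbound Inspection rules cover this flow.

    src_type is the security type of the zone that *initiates* the connection
    (e.g. the LAN client fetching a file), dst_type that of the destination
    zone. The asymmetry matters: an HTTP download a Trusted client starts
    toward the Internet counts as inbound inspection, because the payload
    flows back toward the initiator.
    """
    if src_type not in ZONE_TYPES or dst_type not in ZONE_TYPES:
        raise ValueError(f"unknown zone security type: {src_type!r} -> {dst_type!r}")
    if protocol.upper() != "SMTP":
        # Bullets 1 and 2: non-SMTP from Trusted/Wireless/Encrypted to any
        # zone, or from Public to Untrusted.
        return src_type in TRUSTED_LIKE or (src_type == "Public" and dst_type == "Untrusted")
    # Bullet 3: SMTP from a non-Trusted zone to Trusted/Wireless/Encrypted/Public.
    if src_type != "Trusted" and (dst_type in TRUSTED_LIKE or dst_type == "Public"):
        return True
    # Bullet 4: SMTP between Trusted/Wireless/Encrypted zones.
    return src_type in TRUSTED_LIKE and dst_type in TRUSTED_LIKE


@dataclass(frozen=True)
class ExclusionRange:
    """One Gateway AV Exclusion List entry: the IP Address From / To fields."""
    start: IPv4Address
    end: IPv4Address

    def __post_init__(self) -> None:
        if self.start > self.end:
            raise ValueError("IP Address From must not be above IP Address To")

    def contains(self, ip: IPv4Address) -> bool:
        return self.start <= ip <= self.end


@dataclass(frozen=True)
class Flow:
    """Hypothetical flow record (not a SonicWALL structure)."""
    protocol: str
    src_type: str
    dst_type: str
    src_ip: IPv4Address
    dst_ip: IPv4Address


def gav_scans(flow: Flow, exclusions: Sequence[ExclusionRange], exclusion_enabled: bool = True) -> bool:
    """Exclusion list first (it bypasses scanning outright), then the zone rules.

    Assumption: the guide says excluded addresses' traffic bypasses scanning
    without saying which end, so an entry matching either endpoint excludes the flow.
    """
    if exclusion_enabled and any(r.contains(flow.src_ip) or r.contains(flow.dst_ip) for r in exclusions):
        return False
    return inbound_inspection_applies(flow.protocol, flow.src_type, flow.dst_type)


# Constructed sample policy: one excluded range.
SAMPLE_EXCLUSIONS = (ExclusionRange(IPv4Address("10.0.5.10"), IPv4Address("10.0.5.20")),)

# Constructed sample flows; addresses are documentation ranges.
SAMPLE_FLOWS = {
    # LAN client downloading over HTTP from the Internet: covered (bullet 1).
    "lan_http_download": Flow("HTTP", "Trusted", "Untrusted", IPv4Address("10.0.1.7"), IPv4Address("203.0.113.8")),
    # Internet host delivering mail to a DMZ (Public) mail server: covered (bullet 3).
    "inbound_smtp_to_dmz": Flow("SMTP", "Untrusted", "Public", IPv4Address("198.51.100.9"), IPv4Address("10.0.9.25")),
    # Internet host fetching from a DMZ web server: not inbound inspection.
    "internet_to_dmz_http": Flow("HTTP", "Untrusted", "Public", IPv4Address("198.51.100.9"), IPv4Address("10.0.9.80")),
    # Same as the first flow but from an excluded address: bypasses scanning.
    "excluded_client": Flow("HTTP", "Trusted", "Untrusted", IPv4Address("10.0.5.15"), IPv4Address("203.0.113.8")),
}


def coverage_report(flows=SAMPLE_FLOWS, exclusions=SAMPLE_EXCLUSIONS) -> dict:
    """Map each flow name to whether GAV would scan it under these settings."""
    return {name: gav_scans(flow, exclusions) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, scanned in coverage_report().items():
        print(f"{name:22s} {'scanned' if scanned else 'NOT scanned'}")
```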
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
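How a gateway can tell a password-protected ZIP from its headers alone, as an added example that is not SonicWALL's code: bit 0 of the general purpose bit flag in each local file header marks an encrypted entry, so the decision needs no decompression and works on a stream prefix. The sample archives and the helper names are constructed for this example.

```python
"""Recognising a password-protected ZIP in transit from its local file headers.

Added example, not SonicWALL code. The guide's "Restrict Transfer of
password-protected Zip files" option needs exactly this signal: bit 0 of
the general purpose bit flag in a ZIP local file header marks the entry as
encrypted (PKWARE APPNOTE). Both sample archives are constructed in memory.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30                 # signature + fixed fields
LOCAL_HEADER_FMT = "<HHHHHIIIHH"      # fields after the 4-byte signature
FLAG_ENCRYPTED = 0x0001               # general purpose bit 0
FLAG_DATA_DESCRIPTOR = 0x0008         # bit 3: sizes follow the entry data


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk the local file headers of a ZIP byte stream; True if any entry is encrypted.

    Only header fields are read, so a stream prefix is enough and nothing is
    decompressed, which is the property a per-packet gateway scanner needs.
    Truncated or malformed input ends the walk with False rather than raising.
    """
    pos = data.find(LOCAL_HEADER_SIG)
    while 0 <= pos and pos + LOCAL_HEADER_LEN <= len(data):
        (_ver, flags, _method, _time, _date, _crc,
         csize, _usize, fnlen, extralen) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos + 4)
        if flags & FLAG_ENCRYPTED:
            return True
        # Skip to the next header. With bit 3 set, csize is zero in the header,
        # so the next signature is located by searching instead.
        skip = LOCAL_HEADER_LEN + fnlen + extralen
        if not flags & FLAG_DATA_DESCRIPTOR:
            skip += csize
        pos = data.find(LOCAL_HEADER_SIG, pos + skip)
    return False


def make_plain_zip() -> bytes:
    """Ordinary single-entry archive built with the standard library (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "constructed sample content\n")
    return buf.getvalue()


def make_encrypted_zip(name: bytes = b"secret.doc") -> bytes:
    """Hand-built single-entry archive with the encryption flag set (constructed sample).

    The entry body is filler, not real ZipCrypto output: the detector reads
    only headers, which is the point. No central directory is appended
    because the local header alone carries the flag.
    """
    body = b"\x00" * 12 + b"constructed ciphertext placeholder"
    header = LOCAL_HEADER_SIG + struct.pack(
        LOCAL_HEADER_FMT,
        20, FLAG_ENCRYPTED, 0, 0, 0, 0,   # version, flags, stored, time, date, crc
        len(body), len(body) - 12,        # compressed / uncompressed size
        len(name), 0)                     # file name length, extra field length
    return header + name + body


def make_mixed_zip() -> bytes:
    """A plain entry followed by an encrypted one: the walk must not stop early."""
    return make_plain_zip() + make_encrypted_zip(b"second.doc")


if __name__ == "__main__":
    samples = (("plain", make_plain_zip()), ("encrypted", make_encrypted_zip()),
               ("mixed", make_mixed_zip()))
    for label, blob in samples:
        verdict = "restrict" if zip_has_encrypted_entry(blob) else "allow"
        print(f"{label:10s} -> {verdict}")
```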
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............ 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide, located on the SonicWALL
Web site, for the complete instructions on configuring SonicWALL Intrusion Prevention Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention - Use
Bold - Highlights items you can select on the SonicWALL management interface.
Italic - Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item - Indicates a multiple step Management Interface menu
choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then select
Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based resources
are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Page 8 SonicWALL Gateway Anti-Virus Administrator’s Guide
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting the remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If virus found, file discarded.
5. Virus is logged and alert sent to administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by
the e-mail server.
3. If virus found, threat prevented.
4. E-mail is returned to sender, virus is logged, and alert sent to administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high-performance DPIv2.0 (Deep Packet Inspection version 2.0)
engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as follows:

Platform          GAV-Disabled        GAV-Enabled Connection   Concurrent Compressed   GAV
                  Connection Cache    Cache Size (Concurrent   File Downloads          Signatures
                  Size                File Downloads)          with GAV
TZ 150 Series     2,048               2,048                    100                     4,500
TZ 170 Series     6,144               6,144                    100                     4,500
PRO 1260          6,144               6,144                    100                     4,500
PRO 2040          32,768              16,384                   300                     25,000
PRO 3060          131,072             65,536                   1,000                   25,000
PRO 4060          524,288             131,072                  1,500                   25,000
PRO 5060          750,000             393,216                  3,000                   25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and its
resources reallocated to the SPI connection cache (the GAV-Disabled column in the table above).
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all e-mail based protocols (SMTP, POP3, and IMAP), since no
decoding is required for it.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which
removes it from the head of the sender's queue so that it is not resent, and the connection is terminated.
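The per-packet base64 decoding and reassembly-free matching described under SonicWALL GAV Architecture, together with the 552 rejection described above for SMTP, as an added example that is not SonicWALL's code: a scanner that decodes a base64 MIME body one packet at a time, carrying only an incomplete base64 quantum and the last few decoded bytes between packets so that a signature split across two packets is still caught, plus the SMTP reply a gateway would return at the end of DATA. The signature, the packet sizes and the 552 reply text are constructed for the example.

```python
import base64

# Constructed test signature for this example; not a real malware signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


class StreamingBase64Scanner:
    """Decode a base64 MIME body packet by packet and scan the decoded bytes
    for a signature without ever buffering the whole message.

    Only two small pieces of state survive between packets:
      * up to 3 not-yet-decodable base64 characters (4 chars -> 3 bytes), and
      * the last len(signature) - 1 decoded bytes, so a signature that
        straddles a packet boundary is still matched.
    """

    def __init__(self, signature=SIGNATURE):
        self.signature = signature
        self._b64_carry = b""   # incomplete base64 quantum from the last packet
        self._tail = b""        # decoded bytes kept for cross-packet matching
        self.decoded_bytes = 0
        self.detected = False

    def feed(self, packet):
        """Consume one packet of the base64 body; return True once detected."""
        # MIME wraps base64 at 76 columns; line breaks are not base64 data.
        data = self._b64_carry + packet.replace(b"\r", b"").replace(b"\n", b"")
        usable = len(data) - len(data) % 4
        quantum, self._b64_carry = data[:usable], data[usable:]
        decoded = base64.b64decode(quantum) if quantum else b""
        self.decoded_bytes += len(decoded)
        window = self._tail + decoded
        if self.signature in window:
            self.detected = True
        keep = len(self.signature) - 1
        self._tail = window[-keep:] if keep else b""
        return self.detected


def smtp_data_verdict(packets, signature=SIGNATURE):
    """Reply a gateway sitting on an SMTP session would return at the end of
    DATA. A 552 reply makes the sending MTA drop the message from the head of
    its queue instead of retrying it. (Reply text is assumed for the example;
    it is not SonicWALL's wording.)"""
    scanner = StreamingBase64Scanner(signature)
    for packet in packets:
        if scanner.feed(packet):
            return "552 Message rejected: virus detected in attachment"
    return "250 OK"


def make_packets(payload, packet_size):
    """Constructed input: base64-encode payload as a MIME part (76-column
    lines) and split the encoded stream into packets of packet_size bytes."""
    body = base64.encodebytes(payload)
    return [body[i:i + packet_size] for i in range(0, len(body), packet_size)]


if __name__ == "__main__":
    infected = b"harmless prefix " * 10 + SIGNATURE + b" trailing bytes"
    for size in (1, 5, 7, 64, 4096):
        print(size, smtp_data_verdict(make_packets(infected, size)))
    print("clean", smtp_data_verdict(make_packets(b"harmless prefix " * 20, 7)))
```

The packet sizes 1, 5 and 7 deliberately break the 4-character base64 quantum and the 76-column lines at every possible offset; the verdict is the same for all of them because the carried quantum and the decoded tail are the only reassembly the scanner ever performs.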
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is not
supported when the HTTP response uses chunked transfer encoding. All HTTP traffic is inspected, not just
TCP port 80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and
reassembly of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
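The split-retrieval evasion that Byte-Range suppression closes, shown as an added example that is not SonicWALL's code: an origin server that honours byte ranges, a scanner that sees each response as its own stream, and the header stripping a gateway would apply to the client's request so the object arrives as one stream. The object, the request and the signature are constructed for the example.

```python
# Constructed test signature for this example; not a real malware signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def strip_range_headers(request):
    """Remove Range and If-Range from a raw HTTP request so the origin server
    returns the whole object as one response that the gateway scans as a
    single stream. Request line and body are left untouched."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]] + [
        line for line in lines[1:]
        if not line.lower().startswith((b"range:", b"if-range:"))
    ]
    return b"\r\n".join(kept) + sep + body


def serve_range(obj, range_header):
    """Minimal origin-server behaviour for a single 'bytes=first-last'
    (inclusive) or 'bytes=first-' range."""
    first, _, last = range_header.split(b"=", 1)[1].partition(b"-")
    start = int(first)
    end = int(last) if last else len(obj) - 1
    return obj[start:end + 1]


def scan(data, signature=SIGNATURE):
    """Stand-in for the AV engine: a plain substring match on one stream."""
    return signature in data


def split_retrieval_evades(obj, signature=SIGNATURE):
    """Fetch obj as two byte ranges cut in the middle of the signature, the way
    a download accelerator (or an attacker) would. Returns True when neither
    piece alone trips the scanner although the reassembled object does: the
    evasion that suppressing Byte-Range requests closes."""
    cut = obj.index(signature) + len(signature) // 2
    first = serve_range(obj, b"bytes=0-%d" % (cut - 1))
    second = serve_range(obj, b"bytes=%d-" % cut)
    assert first + second == obj
    return scan(first + second) and not scan(first) and not scan(second)


if __name__ == "__main__":
    # Constructed sample object and request.
    obj = b"A" * 1000 + SIGNATURE + b"B" * 1000
    print("evades when split:", split_retrieval_evades(obj))
    req = (b"GET /download.bin HTTP/1.1\r\nHost: files.example\r\n"
           b"Range: bytes=0-1014\r\nIf-Range: \"etag\"\r\n\r\n")
    print(strip_range_headers(req).decode())
```

Stripping the header rather than blocking the request keeps the download working; the client simply receives a 200 with the full object instead of a 206, which is why download accelerators lose their parallelism but not the file.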
FTP
Capabilities: zip (including archives) and gzip decompression. The FTP stateful code follows data port
negotiations, allowing FTP data to be inspected on any TCP port in use. Suppresses the use of the FTP
'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for the essential
configuration of SonicWALL GAV to protect your network against the most dangerous and disruptive
viruses and malware.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV on mySonicWALL.com, SonicWALL GAV activation is
automatically enabled on your SonicWALL security appliance within 24 hours, or you can click the
Synchronize button on the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to
apply SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon . The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, SonicWALL GAV inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored to the previously configured state after you renew your SonicWALL
GAV license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
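The four inbound-inspection rules listed above, as an added example that is not SonicWALL's code: a function that evaluates them for any protocol and any pair of zone security types, and a renderer that prints the matrix the guide refers to. It reads "non-Trusted" as any security type other than Trusted, which is an assumption, and it does not model the separate Enable Outbound Inspection option for SMTP.

```python
ZONE_TYPES = ("Trusted", "Wireless", "Encrypted", "Public", "Untrusted")
INTERNAL = {"Trusted", "Wireless", "Encrypted"}


def inbound_inspected(protocol, src, dst):
    """True when 'Enable Inbound Inspection' covers a session of `protocol`
    initiated from a zone of security type `src` to one of type `dst`.
    The four rules are the bullets from the guide; 'non-Trusted' is read
    as any security type other than Trusted (an assumption)."""
    for zone in (src, dst):
        if zone not in ZONE_TYPES:
            raise ValueError("unknown zone security type: %r" % zone)
    if protocol.upper() != "SMTP":
        # Non-SMTP from Trusted/Wireless/Encrypted to any zone,
        # or non-SMTP from Public to Untrusted.
        return src in INTERNAL or (src == "Public" and dst == "Untrusted")
    # SMTP from a non-Trusted zone to Trusted/Wireless/Encrypted/Public,
    # or SMTP between Trusted/Wireless/Encrypted zones.
    return (src != "Trusted" and dst in INTERNAL | {"Public"}) or (
        src in INTERNAL and dst in INTERNAL)


def inspection_table(protocol):
    """{initiating_type: {destination_type: inspected}} for one protocol."""
    return {src: {dst: inbound_inspected(protocol, src, dst) for dst in ZONE_TYPES}
            for src in ZONE_TYPES}


def render_table(protocol):
    """Plain-text matrix: rows are the initiating zone's security type,
    columns the destination zone's security type."""
    width = max(len(z) for z in ZONE_TYPES) + 2
    lines = [protocol.ljust(width) + "".join(z.ljust(width) for z in ZONE_TYPES)]
    for src, row in inspection_table(protocol).items():
        lines.append(src.ljust(width) + "".join(
            ("yes" if row[dst] else "-").ljust(width) for dst in ZONE_TYPES))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table("HTTP"))
    print()
    print(render_table("SMTP"))
```

Two rows of the SMTP matrix are worth checking against your own deployment: mail arriving from Untrusted to a Trusted or Public zone is covered, while SMTP initiated from a Trusted zone towards a Public zone (a LAN client submitting to a DMZ relay) is not, which is the case the Enable Outbound Inspection option exists for.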
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a stub that expands the file in memory and then executes it. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are added dynamically along with SonicWALL GAV signature updates.
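How two of these restrictions can be recognised on the wire, as an added example that is not SonicWALL's code: the encryption bit in a ZIP entry's local file header, which is readable before the central directory has arrived, and the section names that common packers leave in a PE image. The packer section-name list is a heuristic assumed here (the appliance's own packer recognition is signature based), Office macro detection is not shown, and the archives and the PE image are constructed inside the block.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def zip_has_encrypted_entry(data):
    """Walk the local file headers of a ZIP stream and report whether any entry
    sets the encryption bit (general purpose flag bit 0). Only local headers are
    read, so this works on the stream as it arrives, before the central directory."""
    pos = 0
    while data[pos:pos + 4] == ZIP_LOCAL_HEADER:
        (_sig, _ver, flags, _method, _mtime, _mdate, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from("<4sHHHHHIIIHH", data, pos)
        if flags & 0x0001:
            return True
        if flags & 0x0008:
            # Sizes live in a trailing data descriptor; a real engine would
            # inflate to find the entry's end. Not needed for this example.
            raise ValueError("streamed entry with data descriptor not supported")
        pos += 30 + name_len + extra_len + csize
    return False


# Section names that well-known packers leave in a PE image. Heuristic assumed
# for the example; the appliance's own packer detection is signature based.
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
                   ".aspack": "ASPack", ".adata": "ASPack", ".petite": "Petite"}


def pe_section_names(data):
    """Section names from a PE image, or [] if the data is not a PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return []
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        return []
    count = struct.unpack_from("<H", data, pe + 6)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    table = pe + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\x00").decode("ascii", "replace")
            for i in range(count)]


def detect_packer(data):
    for name in pe_section_names(data):
        if name in PACKER_SECTIONS:
            return PACKER_SECTIONS[name]
    return None


def restrict_transfer(data):
    """Reason to block the transfer, or None. Mirrors two of the three
    'Restrict Transfer' options (Office macro detection is not shown)."""
    if data.startswith(ZIP_LOCAL_HEADER) and zip_has_encrypted_entry(data):
        return "password-protected ZIP"
    packer = detect_packer(data)
    if packer:
        return "packed executable (%s)" % packer
    return None


def make_sample_zip():
    """Constructed sample: a normal two-entry archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"hello " * 40)
        zf.writestr("data.bin", bytes(range(256)))
    return buf.getvalue()


def make_encrypted_sample_zip():
    """Constructed sample: the same archive with the encryption bit set in the
    first entry's local header (flags at offset 6), as a password-protected
    archive carries it."""
    data = bytearray(make_sample_zip())
    data[6] |= 0x01
    return bytes(data)


def make_fake_pe(section_names):
    """Constructed sample: MZ stub, PE signature, COFF header with no optional
    header, and a section table carrying the given names."""
    mz = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return mz + b"PE\x00\x00" + coff + table


if __name__ == "__main__":
    print(restrict_transfer(make_sample_zip()))
    print(restrict_transfer(make_encrypted_sample_zip()))
    print(restrict_transfer(make_fake_pe(["UPX0", "UPX1", ".rsrc"])))
    print(restrict_transfer(make_fake_pe([".text", ".data", ".rsrc"])))
```

The ZIP check deliberately ignores the central directory: a gateway that scans per packet sees local headers first and must decide before the archive has finished downloading, which is also why the data-descriptor case (sizes written after the data) needs the engine to inflate the entry rather than skip it by length.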
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - tracks the state of each connection (addresses, ports and TCP state) so
that only packets belonging to a legitimate, established session are allowed through; unlike Deep
Packet Inspection, it examines packet headers rather than application-layer content.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator's Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, available on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other malicious code, as well as attacks on
software vulnerabilities. When you activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator's Guide, available on the SonicWALL
Web site, for complete instructions on configuring SonicWALL Intrusion Prevention Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention - Use
• Bold - Highlights items you can select on the SonicWALL management interface.
• Italic - Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
• Top Level Menu Button > Submenu Item - Indicates a multiple step Management Interface menu choice.
For example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit the SonicWALL Web site. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - +1800.35.1642
Austria - +43(0)820.400.105
EMEA - +31(0)411.617.810
France - +33(0)1.4933.7414
Germany - +49(0)1805.0800.22
Hong Kong - +1.800.93.0997
India - +8026556828
Italy - +39.02.7541.9803
Japan - +81(0)3.5460.5356
New Zealand - +0800.446489
Singapore - +800.110.1441
Spain - +34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of virus
signatures. Virus attacks are caught and suppressed before they reach desktops. New signatures are
created and added to the database by a combination of SonicWALL's SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. A client requests a file download from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by the
e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is rejected back to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection
version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
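The reassembly-free model described above is easiest to see in code. The following is an added example, not SonicWALL code and not a description of the DPIv2.0 engine's internals: a small Python scanner that treats each chunk as one TCP segment, decodes base64 and inflates gzip incrementally, and carries only the last few decoded bytes forward so that a signature straddling two segments is still matched. The "signature database" is a constructed stand-in (the standard EICAR test string), and the MIME-style sample stream is built inline.

```python
"""Reassembly-free scanning of a segmented stream.  Added, constructed
illustration of the architecture described above (not SonicWALL code): each
chunk stands in for one TCP segment, and the only state carried between
segments is the few bytes that base64, gzip and the signature matcher need."""
import base64
import gzip
import zlib

# Constructed signature for the demo: the standard EICAR anti-virus test string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


class StreamScanner:
    """Decodes base64, inflates gzip and matches byte signatures one segment
    at a time, without ever holding the whole file in memory."""

    def __init__(self, signatures, base64_encoded=False, gzipped=False):
        self.signatures = [bytes(s) for s in signatures]
        self.base64_encoded = base64_encoded
        self.b64_carry = b""  # fewer than 4 base64 chars left over from the last segment
        self.inflater = zlib.decompressobj(16 + zlib.MAX_WBITS) if gzipped else None
        # Carry the last (longest signature - 1) decoded bytes so a signature
        # split across two segments is still seen by the matcher.
        self.tail_len = max(len(s) for s in self.signatures) - 1
        self.tail = b""
        self.decoded_bytes = 0
        self.hits = []

    def _decode_base64(self, chunk):
        # MIME line breaks and whitespace are not part of the alphabet; drop them,
        # then decode only whole 4-character groups and carry the remainder.
        data = self.b64_carry + bytes(c for c in chunk if c not in b"\r\n \t")
        usable = len(data) - (len(data) % 4)
        self.b64_carry, data = data[usable:], data[:usable]
        return base64.b64decode(data) if data else b""

    def _match(self, data):
        window = self.tail + data
        for sig in self.signatures:
            if sig in window and sig not in self.hits:
                self.hits.append(sig)
        self.decoded_bytes += len(data)
        self.tail = window[-self.tail_len:] if self.tail_len else b""

    def feed(self, chunk):
        """Scan one segment; returns the signatures seen so far."""
        data = self._decode_base64(chunk) if self.base64_encoded else bytes(chunk)
        if self.inflater is not None:
            data = self.inflater.decompress(data)
        if data:
            self._match(data)
        return self.hits

    def finish(self):
        """Flush whatever the inflater still holds once the stream ends."""
        if self.inflater is not None:
            data = self.inflater.flush()
            if data:
                self._match(data)
        return self.hits


def build_segments(payload, segment_size):
    """Constructed input: gzip the payload, base64-encode it the way a MIME
    attachment would be (76-column lines), then cut it into segments."""
    encoded = base64.encodebytes(gzip.compress(payload))
    return [encoded[i:i + segment_size] for i in range(0, len(encoded), segment_size)]


def scan_segments(segments, signatures, base64_encoded=True, gzipped=True):
    """Run every segment through one scanner; returns (hits, decoded_byte_count)."""
    scanner = StreamScanner(signatures, base64_encoded, gzipped)
    for segment in segments:
        scanner.feed(segment)
    scanner.finish()
    return scanner.hits, scanner.decoded_bytes


if __name__ == "__main__":
    payload = b"benign mail body " * 40 + EICAR + b"\r\n-- end of attachment\r\n"
    hits, size = scan_segments(build_segments(payload, 7), [EICAR])
    print("decoded %d bytes, %d signature hit(s)" % (size, len(hits)))
```

Segment size 7 is deliberately smaller than a base64 group, so nearly every segment leaves a carry-over and the decoded signature is spread over many inflater outputs; the scanner still reports it, and the peak memory held is the inflater's window plus 67 bytes of tail, independent of the attachment's size.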
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. The number of streams that can be scanned concurrently, however, is
platform dependent, as shown in the table below.
Disabling the SonicWALL GAV/IPS Engine
If SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on your SonicWALL security
appliance, the SonicWALL GAV/IPS engine itself can be disabled so that its resources are reallocated to the
SPI connection cache (compare the GAV-Disabled and GAV-Enabled columns in the table below).
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Platform        GAV-Disabled        GAV-Enabled              Concurrent Compressed     GAV Signatures
                Connection Cache    Connection Cache Size    File Downloads with GAV
                Size                (Concurrent File
                                    Downloads)
TZ 150 Series   2,048               2,048                    100                       4,500
TZ 170 Series   6,144               6,144                    100                       4,500
PRO 1260        6,144               6,144                    100                       4,500
PRO 2040        32,768              16,384                   300                       25,000
PRO 3060        131,072             65,536                   1,000                     25,000
PRO 4060        524,288             131,072                  1,500                     25,000
PRO 5060        750,000             393,216                  3,000                     25,000
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all e-mail based protocols (SMTP, POP3, and IMAP), since, unlike
base64, it requires no decoding step.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The gateway answers with a 552 SMTP response, so the sending mail server removes the
message that contains the virus from the head of its send queue rather than retrying it, and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is
not supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP REST requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
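The following is an added illustration, not SonicWALL code, of the two suppression behaviours described for HTTP and FTP above: a gateway that removes HTTP Byte-Range headers and refuses FTP REST commands forces each file to be fetched as one object, so the scanner sees it whole instead of as fragments reassembled on the client. The function names, the constructed sample traffic and the choice of a 502 reply for REST are this example's own assumptions.

```python
"""Added example, not SonicWALL code: suppress sectional retrieval so that a
file arrives whole and can be scanned as one object.  The guide describes
GAV suppressing HTTP Byte-Range requests and FTP 'REST' requests; function
names, sample traffic and the 502 reply are this example's own choices."""
from typing import Optional, Tuple

# Header names (lower-case) that ask the server for a partial body.
HTTP_RANGE_HEADERS = {b"range", b"if-range"}


def suppress_http_range(request: bytes) -> Tuple[bytes, bool]:
    """Return the request with Range/If-Range headers removed and a flag
    saying whether anything was stripped.  Only the header block is
    rewritten; a body after the blank line is passed through unchanged."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]]  # the request line is never touched
    stripped = False
    for line in lines[1:]:
        name = line.partition(b":")[0].strip().lower()
        if name in HTTP_RANGE_HEADERS:
            stripped = True
            continue
        kept.append(line)
    return b"\r\n".join(kept) + sep + body, stripped


def suppress_ftp_rest(command: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Handle one FTP control-channel line from the client.  Returns
    (line_to_forward_to_server, reply_to_send_to_client).  A REST command is
    not forwarded and is answered with 502 (command not implemented), so the
    following RETR starts at offset 0; every other command is forwarded."""
    verb = command.strip().split(b" ", 1)[0].upper()
    if verb == b"REST":
        return None, b"502 REST not permitted by gateway anti-virus\r\n"
    return command, None


# Constructed sample traffic: a download accelerator asking for the first
# megabyte of a file over HTTP, and an FTP client trying to resume at 1 MiB.
SAMPLE_HTTP_REQUEST = (
    b"GET /downloads/setup.exe HTTP/1.1\r\n"
    b"Host: files.example.invalid\r\n"
    b"Range: bytes=0-1048575\r\n"
    b'If-Range: "etag-123"\r\n'
    b"User-Agent: accelerator/1.0\r\n"
    b"\r\n"
)
SAMPLE_FTP_SESSION = [b"TYPE I\r\n", b"REST 1048576\r\n", b"RETR setup.exe\r\n"]


def demo() -> dict:
    """Run both filters over the samples and return what the proxy would do."""
    rewritten, stripped = suppress_http_range(SAMPLE_HTTP_REQUEST)
    forwarded, replies = [], []
    for line in SAMPLE_FTP_SESSION:
        fwd, reply = suppress_ftp_rest(line)
        if fwd is not None:
            forwarded.append(fwd)
        if reply is not None:
            replies.append(reply)
    return {"http_request": rewritten, "http_stripped": stripped,
            "ftp_forwarded": forwarded, "ftp_replies": replies}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Stripping the Range header rather than rejecting the request keeps ordinary browsers working, which is why the guide notes that only download accelerators are affected; the FTP side has to answer the client because a silently dropped command would leave it waiting for a reply.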
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance immediately.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left-navigation
menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left-navigation
menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
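The paragraph above names two properties of the signature download path: the appliance authenticates with a pre-shared secret, and the request travels over HTTPS with full server certificate verification. The following added example, which is not SonicWALL's update protocol and assumes its own message format, placeholder secret and clock-skew window, shows a TLS client context that actually verifies the server beside the weak variant that does not, and an HMAC-based request authentication with constant-time comparison and a replay window on the server side.

```python
"""Added example, not SonicWALL's update protocol: the two properties the
guide names for signature downloads, full server certificate verification
over HTTPS and client authentication with a pre-shared secret.  The secret,
message format and skew window are placeholders invented here."""
import hashlib
import hmac
import ssl
from typing import Dict

PRE_SHARED_SECRET = b"placeholder-secret-from-licensing"  # placeholder only
MAX_CLOCK_SKEW = 300  # seconds a request may be old before it is refused


def verifying_tls_context() -> ssl.SSLContext:
    """Client context that validates the server's certificate chain against
    the trust store and checks the host name: the correct setting."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_tls_context() -> ssl.SSLContext:
    """The setting to avoid: the channel is encrypted but the peer is not
    authenticated, so anyone on the path can serve a forged database."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_server(ctx: ssl.SSLContext) -> bool:
    """True only if both chain validation and host name matching are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _message(serial: str, db_version: int, timestamp: int) -> bytes:
    # Fields are joined with a separator that cannot occur in them, so the
    # MAC covers an unambiguous encoding of all three values.
    return f"{serial}|{db_version}|{timestamp}".encode()


def sign_update_request(serial: str, db_version: int, timestamp: int,
                        secret: bytes = PRE_SHARED_SECRET) -> Dict[str, object]:
    """Appliance side: bind serial, current database version and a timestamp
    under HMAC-SHA256 keyed with the pre-shared secret."""
    mac = hmac.new(secret, _message(serial, db_version, timestamp),
                   hashlib.sha256).hexdigest()
    return {"serial": serial, "db_version": db_version,
            "timestamp": timestamp, "mac": mac}


def verify_update_request(req: Dict[str, object], now: int,
                          secret: bytes = PRE_SHARED_SECRET) -> bool:
    """Server side: refuse stale or future-dated requests, then recompute the
    MAC and compare in constant time so timing does not leak a prefix."""
    if abs(now - int(req["timestamp"])) > MAX_CLOCK_SKEW:
        return False
    expected = hmac.new(
        secret,
        _message(str(req["serial"]), int(req["db_version"]), int(req["timestamp"])),
        hashlib.sha256,
    ).hexdigest()
    return hmac.compare_digest(expected, str(req["mac"]))


if __name__ == "__main__":
    req = sign_update_request("SERIAL-PLACEHOLDER", 4123, 1_700_000_000)
    print("verifying context:", context_verifies_server(verifying_tls_context()))
    print("weak context:", context_verifies_server(weak_tls_context()))
    print("fresh request accepted:", verify_update_request(req, now=1_700_000_120))
    print("stale request accepted:", verify_update_request(req, now=1_700_000_900))
```

The certificate check protects the integrity of what is downloaded; the MAC protects the server from unlicensed or replayed requests. Neither replaces the other, which is why the guide lists both.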
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
Traffic     Initiating (Source) Zone           Destination Zone
Non-SMTP    Trusted, Wireless, or Encrypted    Any
Non-SMTP    Public                             Untrusted
SMTP        Non-Trusted                        Trusted, Wireless, Encrypted, or Public
SMTP        Trusted, Wireless, or Encrypted    Trusted, Wireless, or Encrypted
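The four rules above are easy to misread because "inbound" is defined by which side initiated the connection, not by which way the payload flows. The following added example, not SonicWALL code, encodes the rules as a decision function over zone security types and derives the full source/destination matrix they imply; the zone type names follow the guide, and "non-Trusted" is taken literally as any type other than Trusted.

```python
"""Added example, not SonicWALL code: the four 'Enable Inbound Inspection'
rules expressed as a decision function over zone security types, plus the
full source/destination matrix they imply.  Zone type names follow the guide
(Trusted, Public, Wireless, Encrypted, Untrusted)."""
from typing import Dict, Tuple

ZONE_TYPES = ("Trusted", "Public", "Wireless", "Encrypted", "Untrusted")
INTERNAL = frozenset({"Trusted", "Wireless", "Encrypted"})


def inbound_inspection_applies(protocol: str, src: str, dst: str) -> bool:
    """True when `protocol` traffic initiated from zone type `src` towards
    zone type `dst` falls under Enable Inbound Inspection.  Direction is that
    of the initiating connection: an HTTP download by a LAN host is 'from
    Trusted' even though the file itself flows inward."""
    if src not in ZONE_TYPES or dst not in ZONE_TYPES:
        raise ValueError(f"unknown zone type: {src!r} -> {dst!r}")
    if protocol.upper() != "SMTP":
        # Rules 1 and 2: internal zones to anywhere, or Public to Untrusted.
        return src in INTERNAL or (src == "Public" and dst == "Untrusted")
    # Rule 3: mail from a non-Trusted zone into internal or Public zones.
    if src != "Trusted" and (dst in INTERNAL or dst == "Public"):
        return True
    # Rule 4: mail moving between internal zones.
    return src in INTERNAL and dst in INTERNAL


def inspection_matrix(protocol: str) -> Dict[Tuple[str, str], bool]:
    """Every (source, destination) pair and whether inspection applies."""
    return {(s, d): inbound_inspection_applies(protocol, s, d)
            for s in ZONE_TYPES for d in ZONE_TYPES}


def render_matrix(protocol: str) -> str:
    """Plain-text grid: rows are the initiating zone, columns the destination."""
    m = inspection_matrix(protocol)
    width = max(len(z) for z in ZONE_TYPES) + 1
    lines = ["src\\dst".ljust(width) + "".join(z.ljust(width) for z in ZONE_TYPES)]
    for s in ZONE_TYPES:
        cells = "".join(("yes" if m[(s, d)] else "no").ljust(width) for d in ZONE_TYPES)
        lines.append(s.ljust(width) + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    for proto in ("HTTP", "SMTP"):
        print(f"{proto} inbound inspection:\n{render_matrix(proto)}\n")
```

Note what the matrix leaves out for SMTP: mail initiated from a Trusted zone towards a Public zone, the DMZ-hosted mail server case, is not inbound inspection at all; that is exactly the case the Enable Outbound Inspection setting below exists for.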
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
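Each of the three restrict transfer settings above keys on a file attribute that can be read from the file's own headers without decompressing or executing anything. The following added example, not SonicWALL code, implements checks of that kind and runs them over constructed samples: the ZIP encryption flag bit, the vbaProject.bin part of an OOXML Office document, and the section names UPX writes into a PE file. Only UPX is modelled for the packer check; the other packers the guide lists (FSG, PKLite32, Petite, ASPack) and legacy OLE2 Office files are not covered here, and the samples are synthetic skeletons built in the block, not real files.

```python
"""Added example, not SonicWALL code: file-attribute checks of the kind the
three 'Restrict Transfer' settings rely on, run over constructed samples.
Only UPX section names are used for the packer check; other packers and
legacy OLE2 Office files are not modelled."""
import io
import struct
import zipfile
from typing import List

ZIP_LOCAL_SIG = b"PK\x03\x04"    # local file header
ZIP_CENTRAL_SIG = b"PK\x01\x02"  # central directory entry
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def zip_is_password_protected(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag marks an encrypted entry.  Both the
    local headers (flag at +6) and the central directory (flag at +8) are
    checked, because a crafted archive may set it in only one of them.  A
    signature found by chance inside compressed data would be a false
    positive, which for a transfer restriction is the safe way to err."""
    for sig, flag_off in ((ZIP_LOCAL_SIG, 6), (ZIP_CENTRAL_SIG, 8)):
        pos = data.find(sig)
        while pos >= 0:
            if pos + flag_off + 2 <= len(data) and \
                    struct.unpack_from("<H", data, pos + flag_off)[0] & 1:
                return True
            pos = data.find(sig, pos + 4)
    return False


def office_file_has_macros(data: bytes) -> bool:
    """OOXML documents are ZIP packages; VBA code lives in a vbaProject.bin
    part.  Non-ZIP input (including legacy .doc/.xls) returns False here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def pe_is_upx_packed(data: bytes) -> bool:
    """Walk the PE section table and look for UPX's section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    coff = e_lfanew + 4  # COFF header: sections at +2, optional size at +16
    if len(data) < coff + 20:
        return False
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(n_sections):
        name = data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0")
        if name in UPX_SECTION_NAMES:
            return True
    return False


def restricted_transfer_reasons(data: bytes) -> List[str]:
    """Return the restriction(s) a file would trip; empty means allowed."""
    reasons = []
    if zip_is_password_protected(data):
        reasons.append("password-protected zip")
    if office_file_has_macros(data):
        reasons.append("office file with macros")
    if pe_is_upx_packed(data):
        reasons.append("packed executable")
    return reasons


# --- constructed samples (synthetic skeletons, not real files) -------------
def build_zip(entries, encrypted: bool = False) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, content in entries:
            z.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted archives; set the encrypted bit on
        # the first local header (offset 0) to mimic a password-protected entry.
        struct.pack_into("<H", data, 6, struct.unpack_from("<H", data, 6)[0] | 1)
    return bytes(data)


def build_pe(section_names) -> bytes:
    """Minimal PE32 skeleton: DOS stub, COFF header, zeroed optional header,
    section table.  Not loadable, just enough for header parsing."""
    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + sections


SAMPLE_PLAIN_ZIP = build_zip([("readme.txt", b"plain text")])
SAMPLE_ENCRYPTED_ZIP = build_zip([("payload.bin", b"opaque")], encrypted=True)
SAMPLE_MACRO_DOCX = build_zip([("[Content_Types].xml", b"<Types/>"),
                               ("word/document.xml", b"<w:document/>"),
                               ("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")])
SAMPLE_UPX_EXE = build_pe([b"UPX0", b"UPX1", b".rsrc"])
SAMPLE_PLAIN_EXE = build_pe([b".text", b".data", b".rsrc"])
```

The point of checking attributes rather than content is the one the guide makes: a password-protected archive or a packed executable cannot be scanned meaningfully, so the only defensible choices are to let it through unscanned or to block it, and these settings pick the second.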
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site:
.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention - Use
Bold - Highlights items you can select on the SonicWALL management interface.
Italic - Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item - Indicates a multiple step Management Interface menu choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. Virus is logged and alert sent to administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by
the e-mail server.
3. If a virus is found, the threat is prevented.
4. E-mail is returned to sender, virus is logged, and alert sent to administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection
version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting over the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as follows:
Platform         GAV-Disabled     GAV-Enabled Connections    Concurrent Compressed     GAV Signatures
                 Connections      Cache Size (Concurrent     File Downloads
                 Cache Size       File Downloads)            with GAV
TZ 150 Series    2,048            2,048                      100                       4,500
TZ 170 Series    6,144            6,144                      100                       4,500
PRO 1260         6,144            6,144                      100                       4,500
PRO 2040         32,768           16,384                     300                       25,000
PRO 3060         131,072          65,536                     1,000                     25,000
PRO 4060         524,288          131,072                    1,500                     25,000
PRO 5060         750,000          393,216                    3,000                     25,000
Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which
removes it from the head of the sender's queue and prevents it from being resent, and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method is
not supported when the HTTP response is chunk encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option “Enable FTP 'REST' requests with Gateway AV”.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
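The per-packet pipeline described under "SonicWALL GAV Architecture" (base64 decoding and gzip decompression without reassembling the stream) and the SMTP prevention mechanism above (552 reply, connection terminated), modelled in Python as an added example that is not SonicWALL code. The signature, the attachment payload and the packet sizes are constructed for the demonstration; only a few bytes of state are carried from one packet to the next.

```python
"""Added example (not SonicWALL code): reassembly-free scan of a base64 + gzip
SMTP attachment, one packet at a time, with a modelled 552 rejection on a hit."""
import base64
import gzip
import zlib

# Constructed demo signature standing in for a real virus signature.
SIGNATURES = {b"DEMO-MALWARE-PATTERN": "Demo.Test.Pattern"}
MAX_SIG_LEN = max(len(s) for s in SIGNATURES)

# Constructed clean payload used by the demo below.
CLEAN_PAYLOAD = b"hello world, quarterly report attached\n" * 20


class StreamScanner:
    """Scans a base64-encoded gzip body packet by packet; never buffers the whole file."""

    def __init__(self):
        self._b64_tail = b""          # fewer than 4 base64 chars left over from the last packet
        self._inflate = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
        self._tail = b""              # last MAX_SIG_LEN-1 plaintext bytes, for cross-packet matches
        self.bytes_scanned = 0
        self.detected = None

    def feed(self, packet):
        """Consume one packet's payload; returns the matched signature name, if any."""
        if self.detected:
            return self.detected
        data = self._b64_tail + b"".join(packet.split())  # strip MIME line wrapping
        usable = len(data) - len(data) % 4                # only whole base64 quartets decode
        self._b64_tail, data = data[usable:], data[:usable]
        if data:
            self._scan(self._inflate.decompress(base64.b64decode(data)))
        return self.detected

    def finish(self):
        """End of DATA: flush whatever the inflater still holds and scan it."""
        if not self.detected:
            self._scan(self._inflate.flush())
        return self.detected

    def _scan(self, plain):
        if not plain:
            return
        self.bytes_scanned += len(plain)
        window = self._tail + plain   # overlap so a signature split across packets still matches
        for sig, name in SIGNATURES.items():
            if sig in window:
                self.detected = name
                return
        self._tail = window[-(MAX_SIG_LEN - 1):] if MAX_SIG_LEN > 1 else b""


def smtp_data_phase(packets):
    """Models the SMTP handler: on a hit, reject the message with 552 and close the connection."""
    scanner = StreamScanner()
    for pkt in packets:
        if scanner.feed(pkt):
            break
    hit = scanner.finish()
    if hit:
        return {"reply": f"552 Message rejected: {hit}", "closed": True,
                "bytes_scanned": scanner.bytes_scanned}
    return {"reply": "250 OK: queued", "closed": False,
            "bytes_scanned": scanner.bytes_scanned}


def make_attachment(payload, packet_size=17):
    """Constructed input: gzip the payload, base64 it with MIME line wrapping, cut into packets."""
    wrapped = base64.encodebytes(gzip.compress(payload))
    return [wrapped[i:i + packet_size] for i in range(0, len(wrapped), packet_size)]


if __name__ == "__main__":
    print(smtp_data_phase(make_attachment(CLEAN_PAYLOAD)))
    print(smtp_data_phase(make_attachment(b"A" * 50 + b"DEMO-MALWARE-PATTERN" + b"B" * 50)))
```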
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interfaces on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
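As an added example that is not part of the guide, the following Python encodes the four Enable Inbound Inspection rules above as a decision function over the SonicOS zone security types named in this section and renders the resulting matrix as text; the function names and the matrix layout are assumptions for illustration, not SonicWALL's implementation.

```python
# Added example (not SonicWALL code): the four Enable Inbound Inspection
# rules as a decision function and a source-type x destination-type matrix.
from itertools import product

# Zone security types named in this section of the guide.
ZONE_TYPES = ("Trusted", "Wireless", "Encrypted", "Public", "Untrusted")
# Trusted, Wireless and Encrypted are grouped together by every rule.
INTERNAL = frozenset({"Trusted", "Wireless", "Encrypted"})


def inbound_inspected(src_type, dst_type, smtp):
    """Return True when Enable Inbound Inspection covers a flow.

    src_type/dst_type are the security types of the zone the flow initiates
    from and the zone it is destined to; smtp says whether the flow is SMTP.
    Each branch is one bullet from the guide; a flow matched by no bullet is
    reported as not covered by inbound inspection.
    """
    for zone_type in (src_type, dst_type):
        if zone_type not in ZONE_TYPES:
            raise ValueError("unknown zone security type: %r" % (zone_type,))
    if not smtp:
        # Rule 1: non-SMTP from Trusted/Wireless/Encrypted to any zone.
        if src_type in INTERNAL:
            return True
        # Rule 2: non-SMTP from Public to Untrusted.
        return src_type == "Public" and dst_type == "Untrusted"
    # Rule 3: SMTP from a non-Trusted zone to Trusted/Wireless/Encrypted/Public.
    if src_type != "Trusted" and (dst_type in INTERNAL or dst_type == "Public"):
        return True
    # Rule 4: SMTP from Trusted/Wireless/Encrypted to Trusted/Wireless/Encrypted.
    return src_type in INTERNAL and dst_type in INTERNAL


def inspection_matrix(smtp):
    """source type -> destination type -> inspected, for one protocol class."""
    return {s: {d: inbound_inspected(s, d, smtp) for d in ZONE_TYPES}
            for s in ZONE_TYPES}


def uninspected_pairs(smtp):
    """Zone-type pairs that no rule covers: the list to review before relying
    on inbound inspection alone for a given protocol class."""
    return [(s, d) for s, d in product(ZONE_TYPES, repeat=2)
            if not inbound_inspected(s, d, smtp)]


def render_matrix(smtp):
    """Plain-text table: rows are source types, columns are destination types."""
    width = max(len(z) for z in ZONE_TYPES) + 1
    header = "%-*s" % (width, "src\\dst")
    header += "".join("%-*s" % (width, d) for d in ZONE_TYPES)
    lines = [header]
    for s, row in inspection_matrix(smtp).items():
        cells = "".join("%-*s" % (width, "yes" if row[d] else "-")
                        for d in ZONE_TYPES)
        lines.append("%-*s" % (width, s) + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print("Non-SMTP traffic:\n" + render_matrix(False))
    print("\nSMTP traffic:\n" + render_matrix(True))
```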
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities that compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
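As an added example (not SonicWALL's code), the following Python scans a byte stream for ZIP local file headers and reports entries whose general-purpose flag bit 0 (encryption) is set, the property behind the password-protected ZIP restriction above; it reads only the fixed 30-byte local header of each entry, so it works on a partial stream rather than a reassembled file. The two-entry archive is constructed inline, and the encrypted variant is produced by setting the flag bit by hand, since zipfile cannot write encrypted archives.

```python
# Added example (not SonicWALL code): detect password-protected ZIP entries
# from local file headers in a byte stream, as a transfer-restriction check.
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_HEADER_SIG = b"PK\x01\x02"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"   # sig, ver, flags, method, time, date,
                                     # crc32, csize, usize, name len, extra len
FLAG_ENCRYPTED = 0x0001              # general-purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008        # bit 3: sizes follow the data, not the header


def scan_zip_stream(data):
    """Walk local file headers in a byte stream.

    Returns (entry_count, encrypted_count). Only the fixed local header is
    inspected, so a truncated stream still yields the entries seen so far and
    the central directory at the end of the archive is never needed.
    """
    entries = encrypted = 0
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + 30 <= len(data):
        (_sig, _ver, flags, _method, _time, _date, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        entries += 1
        if flags & FLAG_ENCRYPTED:
            encrypted += 1
        skip = pos + 30 + name_len + extra_len
        # With a data descriptor the header's csize is unreliable, so resume
        # searching right after the name/extra fields instead of skipping data.
        if not flags & FLAG_DATA_DESCRIPTOR:
            skip += csize
        pos = data.find(LOCAL_HEADER_SIG, skip)
    return entries, encrypted


def restrict_transfer(data):
    """Policy decision: True if any entry seen so far is password protected."""
    _entries, encrypted = scan_zip_stream(data)
    return encrypted > 0


def build_sample_zip(encrypted):
    """Constructed sample: a two-entry archive. When encrypted is True, the
    second entry is marked encrypted by setting flag bit 0 in both its local
    header (offset 6) and its central directory record (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "plain text entry")
        zf.writestr("payload.bin", b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if encrypted:
        second_local = data.find(LOCAL_HEADER_SIG,
                                 data.find(LOCAL_HEADER_SIG) + 1)
        data[second_local + 6] |= FLAG_ENCRYPTED
        second_central = data.find(CENTRAL_HEADER_SIG,
                                   data.find(CENTRAL_HEADER_SIG) + 1)
        data[second_central + 8] |= FLAG_ENCRYPTED
    return bytes(data)


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample_zip(flag)
        print("encrypted=%s entries/encrypted=%s block=%s"
              % (flag, scan_zip_stream(sample), restrict_transfer(sample)))
```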
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from the menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the position in the table of the first signature on the current page. If you are
displaying the first page of a signature table, the entry might be Items 1 to 50 (of 58). Use the navigation
buttons to move through the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - inspection of the data portion of the packet. Enables the firewall to look
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance ................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site:
.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention - Use
• Bold - Highlights items you can select on the SonicWALL management interface.
• Italic - Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address
field.”
• Top Level Menu Button > Submenu Item - Indicates a multiple step Management Interface menu
choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then
select Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
Page 6 SonicWALL Gateway Anti-Virus Administrator’s Guide
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. Virus is logged and alert is sent to administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received
by the e-mail server.
3. If a virus is found, the threat is prevented.
4. E-mail is returned to sender, virus is logged, and alert is sent to administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection version 2.0)
engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
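The single-pass, per-packet decoding described above, as an added example that is not SonicWALL's code: each packet is base64-decoded and gzip-inflated as it arrives, and the scanner keeps only the last len(signature)-1 plaintext bytes between packets, which is the minimum state needed to catch a signature that straddles a packet boundary without ever buffering the file. The signature string, the packet sizes and the sample attachment are all constructed for the example; decoding uses the Python standard library.

```python
"""Reassembly-free scanning illustration (added example, not SonicWALL code):
decode base64 and inflate gzip per packet, and match a signature that may
straddle packet boundaries while holding only a tiny carry-over buffer."""
import base64
import gzip
import zlib

# Constructed test marker standing in for a virus signature (not a real one).
SIGNATURE = b"SAMPLE-MARKER-XYZ"


class Base64StreamDecoder:
    """Incremental base64: only the incomplete 4-character group is carried
    between packets, never the whole encoded body."""

    def __init__(self):
        self.pending = b""

    def feed(self, data: bytes) -> bytes:
        clean = b"".join(data.split())        # drop MIME line breaks / whitespace
        buf = self.pending + clean
        usable = len(buf) - (len(buf) % 4)    # decode only complete groups
        self.pending = buf[usable:]
        return base64.b64decode(buf[:usable]) if usable else b""


class StreamScanner:
    """Matches a signature across chunks using a carry-over of len(sig)-1
    bytes. The carry-over is shorter than the signature, so a match can never
    lie entirely inside it and no hit is counted twice."""

    def __init__(self, signature: bytes):
        self.sig = signature
        self.tail = b""
        self.hits = 0

    def feed(self, data: bytes) -> int:
        buf = self.tail + data
        found = buf.count(self.sig)
        self.hits += found
        keep = len(self.sig) - 1
        self.tail = buf[-keep:] if keep else b""
        return found


def scan_packets(packets, signature, b64=False, gz=False) -> int:
    """Run the per-packet pipeline over an iterable of packet payloads and
    return the total number of signature hits."""
    b64dec = Base64StreamDecoder()
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS) if gz else None
    scanner = StreamScanner(signature)
    for pkt in packets:
        data = b64dec.feed(pkt) if b64 else pkt
        if inflater is not None:
            data = inflater.decompress(data)  # streaming inflate, no full buffer
        scanner.feed(data)
    return scanner.hits


def build_sample_packets(payload: bytes, b64=False, gz=False, mtu=7):
    """Constructed sender side: optionally gzip, optionally MIME-style base64,
    then slice into fixed-size packets."""
    body = gzip.compress(payload) if gz else payload
    if b64:
        body = base64.encodebytes(body)      # 76-column lines like a MIME part
    return [body[i:i + mtu] for i in range(0, len(body), mtu)]


def demo_scan() -> int:
    """Constructed attachment: gzip-compressed, base64-encoded, split into
    7-byte packets so both base64 groups and the signature cross packet
    boundaries. Returns the number of hits (2 for this payload)."""
    payload = (b"attachment: " + b"x" * 40 + SIGNATURE + b"y" * 40
               + SIGNATURE + b"z" * 10)
    packets = build_sample_packets(payload, b64=True, gz=True, mtu=7)
    return scan_packets(packets, SIGNATURE, b64=True, gz=True)


if __name__ == "__main__":
    print("signature hits:", demo_scan())
```

The point to take from the example is the size of the state carried between packets: a partial base64 group, the inflater's sliding window, and a few plaintext bytes. That is what lets a gateway scan without a file-size ceiling, and it is also why a gateway must see every packet of the stream, which is what the HTTP Byte-Range and FTP REST suppression later in this guide are about.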
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream-concurrency limits are platform dependent, as follows:

Platform         GAV-Disabled      GAV-Enabled            Concurrent Compressed   GAV Signatures
                 Connections       Connections Cache      File Downloads
                 Cache Size        Size (Concurrent       with GAV
                                   File Downloads)
TZ 150 Series    2,048             2,048                  100                     4,500
TZ 170 Series    6,144             6,144                  100                     4,500
PRO 1260         6,144             6,144                  100                     4,500
PRO 2040         32,768            16,384                 300                     25,000
PRO 3060         131,072           65,536                 1,000                   25,000
PRO 4060         524,288           131,072                1,500                   25,000
PRO 5060         750,000           393,216                3,000                   25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: A 552 SMTP response removes the message containing the virus from the head of
the sender's queue, preventing it from being resent, and the connection is terminated.
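The SMTP rejection described above, as an added example that is not SonicWALL's code: a small state machine standing in for the gateway's view of one SMTP session collects the DATA body, and when the signature matches, the end-of-data acknowledgement the client is waiting for becomes a 552 reply and the session is closed. Because 5xx replies are permanent failures, a conforming sending MTA removes the message from its queue rather than retrying. The signature, the host names and the two sessions are constructed for the example.

```python
"""Gateway-side SMTP rejection with a 552 reply (added illustration, not
SonicWALL code). Minimal command sequencing is enough to show where in the
exchange the rejection lands."""

SIGNATURE = b"SAMPLE-MARKER-XYZ"   # constructed marker, not a real signature


class SmtpGatewaySession:
    def __init__(self, signature: bytes = SIGNATURE):
        self.sig = signature
        self.state = "CONNECTED"   # CONNECTED -> HELO -> MAIL -> RCPT -> DATA
        self.body = bytearray()
        self.closed = False
        self.detections = 0

    def handle(self, line: bytes) -> bytes:
        """Process one client line; return the reply (b"" while in DATA)."""
        if self.closed:
            raise RuntimeError("session already closed")
        if self.state == "DATA":
            return self._data_line(line)
        verb = line.split(b" ", 1)[0].upper()
        if verb in (b"EHLO", b"HELO"):
            self.state = "HELO"
            return b"250 gateway.example.test Hello"
        if verb == b"MAIL" and self.state in ("HELO", "MAIL", "RCPT"):
            self.state = "MAIL"
            return b"250 2.1.0 Sender OK"
        if verb == b"RCPT" and self.state in ("MAIL", "RCPT"):
            self.state = "RCPT"
            return b"250 2.1.5 Recipient OK"
        if verb == b"DATA" and self.state == "RCPT":
            self.state = "DATA"
            self.body = bytearray()
            return b"354 End data with <CR><LF>.<CR><LF>"
        if verb == b"QUIT":
            self.closed = True
            return b"221 2.0.0 Bye"
        return b"503 5.5.1 Bad sequence of commands"

    def _data_line(self, line: bytes) -> bytes:
        if line != b".":
            # Dot-stuffing: a body line starting with '.' is doubled on the wire.
            self.body += (line[1:] if line.startswith(b"..") else line) + b"\r\n"
            return b""
        self.state = "HELO"          # ready for another MAIL FROM if kept open
        if self.sig in self.body:
            self.detections += 1
            self.closed = True       # the connection is terminated after the 552
            return b"552 5.7.0 Message rejected: virus signature detected"
        return b"250 2.0.0 OK: queued"


def run_session(client_lines, signature: bytes = SIGNATURE):
    """Drive a session; return (non-empty replies in order, session)."""
    session = SmtpGatewaySession(signature)
    replies = []
    for line in client_lines:
        if session.closed:
            break                    # client lines after close are never answered
        reply = session.handle(line)
        if reply:
            replies.append(reply)
    return replies, session


# Constructed sessions: one clean, one carrying the marker in the body.
CLEAN = [b"EHLO client.example.test", b"MAIL FROM:<a@example.test>",
         b"RCPT TO:<b@example.test>", b"DATA",
         b"Subject: hello", b"", b"plain body", b".", b"QUIT"]
INFECTED = CLEAN[:6] + [b"body " + SIGNATURE, b".", b"QUIT"]

if __name__ == "__main__":
    for name, lines in (("clean", CLEAN), ("infected", INFECTED)):
        replies, _ = run_session(lines)
        print(name, b" | ".join(replies).decode())
```

In a real gateway the body would be scanned as it streams (see the per-packet example earlier in this guide) rather than after the terminating dot; the reply sequence the client sees is the same either way.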
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression method is
not supported when HTTP response is Chunk Encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
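The HTTP Byte-Range and FTP REST suppression described in the two sections above, as an added example that is not SonicWALL's code. Both mechanisms exist for the same reason: a per-packet scanner only sees a complete object if the client is not allowed to fetch it in pieces. The HTTP filter rewrites a request by dropping Range and If-Range headers so the server answers with the whole object; the FTP filter answers a REST command with a 502 reply instead of forwarding it. The 502 code and the `allow_rest` override (standing in for the diag-page option the text mentions) are assumptions of this example.

```python
"""Suppressing sectional retrieval so the gateway sees the whole object
(added illustration, not SonicWALL code)."""

PARTIAL_HEADERS = {b"range", b"if-range"}


def filter_http_request(raw: bytes):
    """Return (rewritten_request, suppressed). Only the header block is parsed;
    any body after the blank line passes through untouched."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept, suppressed = [lines[0]], False      # request line is always kept
    for hdr in lines[1:]:
        name = hdr.split(b":", 1)[0].strip().lower()
        if name in PARTIAL_HEADERS:
            suppressed = True                 # drop it: server will send 200, not 206
            continue
        kept.append(hdr)
    return b"\r\n".join(kept) + sep + body, suppressed


def filter_ftp_command(line: bytes, allow_rest: bool = False):
    """Return (reply_to_client, line_to_forward); exactly one is set.
    A suppressed REST is answered here with 502 (command not implemented,
    an assumed choice); everything else is forwarded to the server."""
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb == b"REST" and not allow_rest:
        return b"502 REST not permitted while content scanning is active\r\n", None
    return None, line


def demo() -> dict:
    """Constructed requests showing both filters."""
    ranged = (b"GET /files/tool.bin HTTP/1.1\r\nHost: dl.example.test\r\n"
              b"Range: bytes=0-1023\r\nIf-Range: \"etag-1\"\r\n\r\n")
    plain = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    return {
        "http_ranged": filter_http_request(ranged),
        "http_plain": filter_http_request(plain),
        "ftp_rest": filter_ftp_command(b"REST 1024\r\n"),
        "ftp_rest_allowed": filter_ftp_command(b"REST 1024\r\n", allow_rest=True),
        "ftp_retr": filter_ftp_command(b"RETR tool.bin\r\n"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The operational cost noted in the text follows directly: a download accelerator that issues several Range requests in parallel, or an FTP client resuming with REST, now receives the whole object from offset zero on every request. When that breaks a legitimate workflow, the override is the documented escape hatch, and it is worth logging when it is in use.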
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting the
interface(s), click Apply. It is recommended you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon . The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface checkbox and specify the interface(s) to which you want to apply anti-virus
scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking on the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
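The two properties stated above, authentication with a pre-shared secret and HTTPS with full server certificate verification, as an added example that is not SonicWALL's code. The guide does not describe the actual wire format, so the concrete scheme here (an HMAC-SHA256 over the request fields, a timestamp window and a nonce to reject replays) is a constructed illustration of the pattern, not SonicWALL's protocol. The serial number, secret and timestamps are constructed values.

```python
"""Authenticated signature-update request (added illustration, not SonicWALL
code): a pre-shared-secret HMAC on the client side, verification with a
constant-time compare, a freshness window and replay protection on the server
side, plus a TLS client context that refuses unverifiable servers."""
import hashlib
import hmac
import secrets
import ssl


def canonical(fields: dict) -> bytes:
    """Serialize fields in a fixed order so both sides sign identical bytes."""
    return b"\n".join(f"{k}={fields[k]}".encode() for k in sorted(fields))


def sign_update_request(secret: bytes, serial: str, db_version: str, now: int) -> dict:
    """Appliance side: state which database version it has and prove it holds
    the shared secret. The nonce makes each request unique."""
    req = {"serial": serial, "db_version": db_version, "ts": now,
           "nonce": secrets.token_hex(8)}
    req["mac"] = hmac.new(secret, canonical(req), hashlib.sha256).hexdigest()
    return req


def verify_update_request(secret: bytes, req: dict, now: int,
                          seen_nonces: set, max_skew: int = 300) -> bool:
    """Update-server side. Order matters: check the MAC first so an
    unauthenticated peer learns nothing from the freshness checks."""
    fields = {k: v for k, v in req.items() if k != "mac"}
    expected = hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(req.get("mac", ""))):
        return False                      # wrong secret or tampered fields
    if abs(now - int(req["ts"])) > max_skew:
        return False                      # stale request
    if req["nonce"] in seen_nonces:
        return False                      # replayed request
    seen_nonces.add(req["nonce"])
    return True


def update_tls_context() -> ssl.SSLContext:
    """Client context for the HTTPS fetch: chain and hostname are verified
    against the system trust store, and old TLS versions are refused."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject an unverifiable server."""
    return (ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"     # constructed, never hard-code for real
    seen = set()
    req = sign_update_request(secret, "0000-CONSTRUCTED", "db-1", 1_000_000)
    print("first request accepted:", verify_update_request(secret, req, 1_000_010, seen))
    print("replay accepted:", verify_update_request(secret, req, 1_000_010, seen))
    print("tls strict:", tls_context_is_strict(update_tls_context()))
```

The MAC binds the version the appliance claims to hold, so a tampered request cannot trick the server into serving a different database, and the TLS settings ensure the appliance will not accept a signature feed from a server whose certificate does not chain to a trusted root or does not match the hostname.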
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
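The table itself did not survive on this page, so here is an added example, not SonicWALL's code, that derives it from the four rules above: the rules are implemented literally and then evaluated for every pair of zone security types. Reading "non-Trusted" as any security type other than Trusted is an interpretation of the text, and the list of five security types is an assumption of the example.

```python
"""Enable Inbound Inspection coverage derived from the four stated rules
(added illustration, not SonicWALL code)."""

# Assumed set of zone security types used by the rules.
ZONE_TYPES = ("Trusted", "Wireless", "Encrypted", "Public", "Untrusted")
# The three types the rules repeatedly group together.
PRIVATE = {"Trusted", "Wireless", "Encrypted"}


def inbound_inspection_applies(protocol: str, src: str, dst: str) -> bool:
    """True if inbound inspection covers traffic of this protocol from a zone
    of security type `src` to a zone of security type `dst`."""
    if src not in ZONE_TYPES or dst not in ZONE_TYPES:
        raise ValueError("unknown zone security type")
    if protocol.upper() != "SMTP":
        # Rule 1: Trusted/Wireless/Encrypted source to any destination.
        # Rule 2: Public source to Untrusted destination.
        return src in PRIVATE or (src == "Public" and dst == "Untrusted")
    # Rule 3: non-Trusted source (interpretation: any type other than Trusted)
    #         to Trusted/Wireless/Encrypted/Public.
    # Rule 4: Trusted/Wireless/Encrypted source to Trusted/Wireless/Encrypted.
    return ((src != "Trusted" and dst in PRIVATE | {"Public"})
            or (src in PRIVATE and dst in PRIVATE))


def inspection_matrix(protocol: str) -> dict:
    """{(src_type, dst_type): covered} for every pair of security types."""
    return {(s, d): inbound_inspection_applies(protocol, s, d)
            for s in ZONE_TYPES for d in ZONE_TYPES}


def render_table(protocol: str) -> str:
    """Plain-text matrix: rows are source types, columns destination types."""
    m = inspection_matrix(protocol)
    w = max(len(z) for z in ZONE_TYPES)
    rows = [f"{protocol.upper():<{w}} " + " ".join(f"{d:>{w}}" for d in ZONE_TYPES)]
    for s in ZONE_TYPES:
        cells = " ".join(f"{'yes' if m[(s, d)] else '-':>{w}}" for d in ZONE_TYPES)
        rows.append(f"{s:<{w}} {cells}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table("HTTP"))
    print()
    print(render_table("SMTP"))
```

One thing the matrix makes visible that the bullets do not: for non-SMTP traffic, nothing arriving from an Untrusted zone is covered by inbound inspection on its own, which is why the guide asks you to enable GAV on the LAN (or the relevant internal) zone rather than only on the WAN.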
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
Page 24 SonicWALL Gateway Anti-Virus Administrator’s Guide
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfer of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
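Two of the restrict-transfer attributes, the ZIP encryption flag and a VBA project part inside an OOXML Office file, as offline checks run over constructed sample files. This is an added example, not SonicWALL code: it examines whole files rather than scanning per packet, it does not parse the binary Office 97-2003 (OLE2) format, and it does not identify packers; every sample archive is built in memory and labelled as constructed.

```python
"""Offline checks for two "restrict transfer" attributes: password-protected
ZIP archives and OOXML Office files carrying VBA macros. Added example, not
SonicWALL code; whole-file checks, OOXML only, no packer identification."""
import io
import zipfile

ZIP_ENCRYPTED_FLAG = 0x0001   # general purpose bit 0: entry is encrypted
VBA_PART = "vbaproject.bin"   # OOXML part that holds the VBA project


def zip_entries(data: bytes):
    """Return ZipInfo records via the central directory, or None if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return None


def is_password_protected_zip(data: bytes) -> bool:
    """True if any entry has the encryption bit set in its flag field."""
    entries = zip_entries(data)
    if entries is None:
        return False
    return any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in entries)


def has_vba_macros(data: bytes) -> bool:
    """True for OOXML containers (docm/xlsm/pptm) that include a vbaProject.bin part."""
    entries = zip_entries(data)
    if entries is None:
        return False
    return any(info.filename.lower().endswith(VBA_PART) for info in entries)


def restricted_attributes(data: bytes) -> set:
    """Return the set of restrict-transfer attributes the payload matches."""
    found = set()
    if is_password_protected_zip(data):
        found.add("password-protected Zip")
    if has_vba_macros(data):
        found.add("MS-Office file with macros")
    return found


def build_zip(members: dict) -> bytes:
    """Constructed sample: a plain ZIP with the given name -> content members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def flag_as_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed sample: set the encryption bit in every local file header
    (signature PK 03 04, flags at offset 6) and central directory entry
    (signature PK 01 02, flags at offset 8). The member data is left untouched;
    only the attribute the check inspects is changed."""
    out = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + off] |= ZIP_ENCRYPTED_FLAG
            pos = out.find(sig, pos + 1)
    return bytes(out)


# Constructed sample inputs; nothing is read from disk.
PLAIN_ZIP = build_zip({"readme.txt": b"hello"})
ENCRYPTED_ZIP = flag_as_encrypted(PLAIN_ZIP)
DOCX = build_zip({"[Content_Types].xml": b"<Types/>",
                  "word/document.xml": b"<w:document/>"})
DOCM = build_zip({"[Content_Types].xml": b"<Types/>",
                  "word/document.xml": b"<w:document/>",
                  "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed stub"})
NOT_A_ZIP = b"GIF89a constructed non-archive payload"

if __name__ == "__main__":
    for label, blob in [("plain.zip", PLAIN_ZIP), ("secret.zip", ENCRYPTED_ZIP),
                        ("memo.docx", DOCX), ("memo.docm", DOCM),
                        ("image.gif", NOT_A_ZIP)]:
        print(f"{label:12} -> {sorted(restricted_attributes(blob)) or ['allowed']}")
```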
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from the menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table position of the first signature shown. If you are displaying the first
page of a signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to move through the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within cannot be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site.
Guide Conventions
Conventions used in this guide are as follows:
Convention | Use
Bold | Highlights items you can select on the SonicWALL management interface.
Italic | Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item | Indicates a multiple step Management Interface menu choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based
resources are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - +1800.35.1642
Austria - +43(0)820.400.105
EMEA - +31(0)411.617.810
France - +33(0)1.4933.7414
Germany - +49(0)1805.0800.22
Hong Kong - +1.800.93.0997
India - +8026556828
Italy - +39.02.7541.9803
Japan - +81(0)3.5460.5356
New Zealand - +0800.446489
Singapore - +800.110.1441
Spain - +34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting the remote desktop.
4. The virus is logged and an alert is sent to the administrator.
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client makes a request to download a file from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received
by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 engine (Deep Packet Inspection
version 2.0), which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
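The following is an added example, not SonicWALL code, showing what "reassembly-free" scanning of a base64 mail stream needs in practice: a decoder that consumes each packet as it arrives and carries over at most three undecoded symbols, and a signature matcher that keeps only the last (longest signature minus one) decoded bytes between packets, so a signature split by a packet boundary is still caught while memory use stays constant. The signature strings, the MIME body and the packet size are constructed for the example; no real GAV signatures are used.

```python
import base64
from typing import List, Sequence, Tuple

# Constructed stand-ins for GAV signatures; they are not real signatures.
SIGNATURES = [b"EXAMPLE-MALWARE-SIG-7f3a", b"EXAMPLE-DROPPER-SIG-91c0"]


class StreamingBase64Decoder:
    """Decodes base64 packet by packet.

    Only the incomplete trailing group (at most 3 symbols) is carried to the
    next call, so memory use does not grow with the size of the attachment.
    """

    def __init__(self) -> None:
        self._carry = b""

    def feed(self, chunk: bytes) -> bytes:
        # MIME line breaks and other whitespace are not part of the encoding.
        data = self._carry + bytes(b for b in chunk if b not in b"\r\n\t ")
        usable = len(data) - len(data) % 4          # whole 4-symbol groups only
        self._carry = data[usable:]
        return base64.b64decode(data[:usable]) if usable else b""

    @property
    def pending(self) -> int:
        return len(self._carry)


class StreamScanner:
    """Matches fixed byte signatures across packet boundaries.

    Between packets it keeps only the last (longest signature - 1) bytes, which
    is exactly enough to catch a signature split by a boundary.
    """

    def __init__(self, signatures: Sequence[bytes]) -> None:
        self._sigs = list(signatures)
        self._keep = max(len(s) for s in self._sigs) - 1
        self._tail = b""

    def feed(self, chunk: bytes) -> List[bytes]:
        window = self._tail + chunk
        hits: List[bytes] = []
        for sig in self._sigs:
            pos = window.find(sig)
            while pos != -1:
                # Report a match only if it ends in the new bytes, so a short
                # signature that sits entirely inside the retained tail is not
                # reported a second time.
                if pos + len(sig) > len(self._tail):
                    hits.append(sig)
                    break
                pos = window.find(sig, pos + 1)
        self._tail = window[len(window) - self._keep:] if self._keep else b""
        return hits


def make_mime_packets(body: bytes, mtu: int = 41) -> List[bytes]:
    """Constructed MIME body: base64 in 76-column lines, cut into `mtu`-byte packets."""
    enc = base64.b64encode(body)
    wrapped = b"\r\n".join(enc[i:i + 76] for i in range(0, len(enc), 76)) + b"\r\n"
    return [wrapped[i:i + mtu] for i in range(0, len(wrapped), mtu)]


def scan_base64_stream(packets: Sequence[bytes]) -> Tuple[bytes, List[Tuple[int, bytes]], int]:
    """Decode and scan packets one at a time.

    Returns (decoded bytes, [(packet index, signature)], max symbols carried).
    The decoded bytes are concatenated only so the caller can check the decoder;
    the engine itself would discard them once scanned.
    """
    decoder, scanner = StreamingBase64Decoder(), StreamScanner(SIGNATURES)
    decoded, detections, max_pending = b"", [], 0
    for idx, packet in enumerate(packets):
        plain = decoder.feed(packet)
        decoded += plain
        detections += [(idx, sig) for sig in scanner.feed(plain)]
        max_pending = max(max_pending, decoder.pending)
    return decoded, detections, max_pending


if __name__ == "__main__":
    sample = b"MZ\x90\x00 constructed attachment " + SIGNATURES[0] + b" end of attachment"
    print(scan_base64_stream(make_mime_packets(sample))[1])
```

The 41-byte packet size is chosen so that both a base64 group and the signature itself straddle packet boundaries; the decoder never holds more than three symbols and the matcher never more than 23 bytes, whatever the attachment size.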
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding and ZIP, LZH, and GZIP (LZ77) decompression are
performed on a single-pass, per-packet basis. Stream concurrency, however, is platform dependent,
as shown in the following table:

Platform          GAV-Disabled     GAV-Enabled           Concurrent Compressed   GAV Signatures
                  Connection       Connection Cache      File Downloads
                  Cache Size       Size (Concurrent      with GAV
                                   File Downloads)
TZ 150 Series     2,048            2,048                 100                     4,500
TZ 170 Series     6,144            6,144                 100                     4,500
PRO 1260          6,144            6,144                 100                     4,500
PRO 2040          32,768           16,384                300                     25,000
PRO 3060          131,072          65,536                1,000                   25,000
PRO 4060          524,288          131,072               1,500                   25,000
PRO 5060          750,000          393,216               3,000                   25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled and its
resources reallocated to the SPI connection cache (the GAV-Disabled column in the table above).
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. An alert informs you that the SonicWALL security appliance must be rebooted for the
change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV supports the following protocols: HTTP, SMTP, IMAP, POP3 and FTP, as well as the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, the action taken depends on the protocol. For generic TCP streams,
the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed message
explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher) and
to the user's Security Action Notification Applet, and is displayed to the user if either application is
active. Application-level awareness of the protocol that was transporting the violation allows very
specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all e-mail protocols (SMTP, POP3 and IMAP), since it
requires no decoding.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: A 552 SMTP response is returned, which removes the message containing the
virus from the head of the sender's queue so that it is not resent, and the connection is terminated.
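The exchange described above, as an added example that is not part of the original guide: a minimal server-side SMTP state machine that answers a sending MTA, scans the DATA phase and, on a hit, returns a 552 permanent failure and drops the session so the sender dequeues the message instead of retrying. The signature, the host names and the text of the 552 reply are constructed; the real engine scans per packet rather than per line, which is a simplification made here for readability.

```python
from typing import List, Tuple

# Constructed stand-in for a GAV signature (not a real signature).
SIGNATURE = b"EXAMPLE-MALWARE-SIG-7f3a"


class SmtpGavSession:
    """Server side of one SMTP session with GAV-style scanning of the DATA phase.

    A 5xx reply during DATA is a permanent failure: a conforming sending MTA
    removes the message from its queue and will not retry it.
    """

    def __init__(self, signatures: List[bytes]) -> None:
        self.signatures = signatures
        self.in_data = False
        self.closed = False
        self.blocked = False
        self.transcript: List[Tuple[str, bytes]] = [("S", b"220 mail.example.test ESMTP ready")]

    def client(self, line: bytes) -> None:
        """Feed one CRLF-terminated line from the client and record the reply, if any."""
        if self.closed:                      # connection already terminated: nothing is read
            return
        self.transcript.append(("C", line.rstrip(b"\r\n")))
        if self.in_data:
            self._data_line(line)
        else:
            self._command(line)

    def _command(self, line: bytes) -> None:
        verb = line.split(b" ", 1)[0].strip().upper()
        if verb in (b"HELO", b"EHLO", b"MAIL", b"RCPT", b"RSET", b"NOOP"):
            self._reply(b"250 OK")
        elif verb == b"DATA":
            self.in_data = True
            self._reply(b"354 End data with <CR><LF>.<CR><LF>")
        elif verb == b"QUIT":
            self._reply(b"221 Bye")
            self.closed = True
        else:
            self._reply(b"502 Command not implemented")

    def _data_line(self, line: bytes) -> None:
        if line.rstrip(b"\r\n") == b".":
            self.in_data = False
            self._reply(b"250 OK: queued")   # message was clean all the way through
            return
        if any(sig in line for sig in self.signatures):
            self.blocked = True
            self.in_data = False
            # Constructed reply text; only the 552 code is documented by the guide.
            self._reply(b"552 Requested mail action aborted: content rejected by gateway anti-virus")
            self.closed = True               # connection terminated

    def _reply(self, text: bytes) -> None:
        self.transcript.append(("S", text))


def run_session(message_lines: List[bytes]) -> SmtpGavSession:
    """Drive a full envelope + DATA + QUIT exchange for a constructed message body."""
    session = SmtpGavSession([SIGNATURE])
    for line in [b"EHLO sender.example.test\r\n", b"MAIL FROM:<a@example.test>\r\n",
                 b"RCPT TO:<b@example.test>\r\n", b"DATA\r\n", *message_lines,
                 b".\r\n", b"QUIT\r\n"]:
        session.client(line)
    return session


if __name__ == "__main__":
    for who, text in run_session([b"Subject: invoice\r\n", b"\r\n",
                                  b"see attached " + SIGNATURE + b"\r\n"]).transcript:
        print(who, text.decode("ascii", "replace"))
```

Because the session is closed as soon as the 552 is sent, the client's terminating "." and QUIT are never read; the transcript ends on the 552, which is the behaviour an administrator will see when correlating an alert with the sending MTA's log.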
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is not
supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected on any TCP port in use. Suppresses the use of the
FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
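Why the HTTP Byte-Range and FTP REST suppression described above matters, as an added example (not SonicWALL code): a download accelerator that pulls a file in small ranges over separate connections hands a per-connection scanner pieces that are each too short to contain the signature, and the client reassembles the infected file unseen; once the Range header is stripped the origin must return the whole object and the first response is caught. The signature, the file contents, the host names and the 502 reply text for a blocked REST are constructed for the example.

```python
import re
from typing import Optional, Tuple

SIGNATURE = b"EXAMPLE-MALWARE-SIG-7f3a"          # constructed stand-in for a GAV signature
FILE = b"%PDF-1.4 constructed document body " + SIGNATURE + b" trailer bytes %%EOF"
RANGE_HEADER = re.compile(rb"(?i)^(range|if-range)\s*:")


def suppress_http_range(request: bytes) -> Tuple[bytes, bool]:
    """Strip Range/If-Range from a client request so the origin must send the whole object.

    Returns the rewritten request and whether anything was removed.
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [line for line in lines if not RANGE_HEADER.match(line)]
    return b"\r\n".join(kept) + sep + body, len(kept) != len(lines)


def filter_ftp_command(line: bytes, allow_rest: bool = False) -> Tuple[bytes, Optional[bytes]]:
    """Control-channel filter: block REST unless the override is set.

    Returns (bytes to forward to the server, reply to send back to the client).
    The 502 reply is an assumption; the appliance's exact reply is not documented.
    """
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb == b"REST" and not allow_rest:
        return b"", b"502 REST not permitted while gateway anti-virus is active\r\n"
    return line, None


def origin_server(request: bytes) -> bytes:
    """Constructed origin: honours a single bytes=start-end range, else returns the whole file."""
    m = re.search(rb"(?im)^Range:\s*bytes=(\d+)-(\d*)\s*$", request)
    if not m:
        return FILE
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) else len(FILE) - 1
    return FILE[start:end + 1]


def download(step: int, suppress_ranges: bool) -> Tuple[bool, bytes]:
    """A download accelerator fetching FILE in `step`-byte ranges, one connection each.

    Each response is scanned on its own, which is all a per-connection engine sees.
    Returns (signature seen in any single response, bytes the client reassembled).
    """
    detected, reassembled = False, b""
    for start in range(0, len(FILE), step):
        request = (b"GET /report.pdf HTTP/1.1\r\nHost: files.example.test\r\n"
                   b"Range: bytes=%d-%d\r\n\r\n" % (start, start + step - 1))
        if suppress_ranges:
            request, _ = suppress_http_range(request)
        body = origin_server(request)
        if SIGNATURE in body:
            detected = True                  # the engine would terminate the connection here
            break
        reassembled += body
    return detected, reassembled


if __name__ == "__main__":
    print("without suppression: detected =", download(8, False)[0])
    print("with suppression:    detected =", download(8, True)[0])
```

The same sectional-retrieval trick applies to FTP through REST, which tells the server to start the transfer at an offset; filter_ftp_command shows the control-channel side of the suppression and the /diag.html override as a flag.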
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for the essential
configuration of SonicWALL GAV to protect your network against viruses, worms and other malicious
code.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other threats. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible from any Internet connection with a
Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL GAV.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at mySonicWALL.com, the activation is automatically enabled on your
SonicWALL security appliance within 24 hours, or you can click the Synchronize button on the
Security Services > Summary page to update your SonicWALL security appliance immediately.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to
apply SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL
security appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After
selecting the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon . The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, SonicWALL GAV inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored to their previously configured state after you renew your
SonicWALL GAV license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV to Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
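The two properties named above, authentication with a pre-shared secret and HTTPS with full server certificate verification, in generic form as an added example that is not SonicWALL code: the actual wire format of the SonicWALL signature request is not documented on this page, so the request signing here (an HMAC-SHA256 over the appliance identity, method, path, timestamp and body hash, checked in constant time with a replay window) and the serial number and secret values are constructed for the example. The TLS context is the standard-library one that loads the system trust store, requires a valid chain and checks the host name.

```python
import hashlib
import hmac
import ssl
from typing import Tuple

# Constructed values: a real appliance holds its own serial number and the
# secret provisioned during licensing registration.
APPLIANCE_SERIAL = "SERIAL-EXAMPLE-0001"
PRE_SHARED_SECRET = b"constructed-psk-do-not-use"


def make_update_tls_context() -> ssl.SSLContext:
    """Client-side TLS context that enforces full server certificate verification.

    create_default_context() loads the system trust store, sets CERT_REQUIRED and
    check_hostname=True, so a self-signed or mis-issued update server is refused.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def canonical(serial: str, method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind the MAC to who is asking, what is asked and when."""
    return b"\n".join([serial.encode(), method.encode(), path.encode(),
                       str(timestamp).encode(),
                       hashlib.sha256(body).hexdigest().encode()])


def sign_request(secret: bytes, serial: str, method: str, path: str,
                 timestamp: int, body: bytes = b"") -> str:
    """Appliance side: authenticate the request with the pre-shared secret."""
    return hmac.new(secret, canonical(serial, method, path, timestamp, body),
                    hashlib.sha256).hexdigest()


def verify_request(secret: bytes, serial: str, method: str, path: str, timestamp: int,
                   body: bytes, signature: str, now: int, max_skew: int = 300) -> Tuple[bool, str]:
    """Server side: reject stale requests first, then compare MACs in constant time."""
    if abs(now - timestamp) > max_skew:
        return False, "timestamp outside allowed window"
    expected = sign_request(secret, serial, method, path, timestamp, body)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    ts = 1_700_000_000
    sig = sign_request(PRE_SHARED_SECRET, APPLIANCE_SERIAL, "GET", "/gav/signatures", ts)
    print(verify_request(PRE_SHARED_SECRET, APPLIANCE_SERIAL, "GET", "/gav/signatures",
                         ts, b"", sig, ts + 5))
```

The order of the checks is deliberate: the timestamp window is cheap and bounds replay, and the MAC comparison uses hmac.compare_digest so that a forged signature cannot be guessed byte by byte from response timing.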
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download
is blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning of their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header and decompression stub that expands the file in memory and then executes it.
SonicWALL Gateway Anti-Virus currently recognizes the most common packed formats: UPX, FSG,
PKLite32, Petite, and ASPack. Additional formats are dynamically added along with SonicWALL GAV
signature updates.
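How the first of these restrictions can be decided without decompressing anything, as an added example that is not SonicWALL code: a ZIP entry is password-protected when bit 0 of the general-purpose flag in its local file header is set, so the check needs only the 30-byte header and the entry name. Because the page says archives inside archives are handled too, the walker descends into stored or deflated entries that are themselves ZIP files, with a depth limit as a guard against nested decompression bombs. The fixture archive is constructed here and merely has the encryption bit set on one entry; its contents are not actually encrypted.

```python
import io
import struct
import zipfile
import zlib
from typing import List

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
MAX_DEPTH = 3   # nested-archive limit; also a guard against decompression bombs


def find_encrypted_entries(data: bytes, prefix: str = "", depth: int = 0) -> List[str]:
    """Walk ZIP local file headers and return paths of password-protected entries.

    Bit 0 of the general-purpose flag marks an encrypted entry, so the decision
    never needs the entry contents. Stored (method 0) and deflated (method 8)
    entries that are themselves ZIP archives are descended into.
    """
    hits: List[str] = []
    if depth > MAX_DEPTH:
        return hits
    pos = 0
    while True:
        pos = data.find(LOCAL_SIG, pos)
        if pos == -1 or pos + 30 > len(data):
            return hits
        flags, method, _, _, _, csize, _, nlen, xlen = struct.unpack_from("<HHHHIIIHH", data, pos + 6)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        raw = data[start:start + csize]
        path = prefix + name
        if flags & 0x0001:
            hits.append(path)
        else:
            inner = b""
            if method == 0:
                inner = raw
            elif method == 8:
                try:
                    inner = zlib.decompress(raw, -15)      # raw deflate, no zlib header
                except zlib.error:
                    inner = b""
            if inner.startswith(LOCAL_SIG):
                hits.extend(find_encrypted_entries(inner, path + "/", depth + 1))
        # csize is 0 when a data descriptor is used; the find() above then
        # resynchronises on the next header signature.
        pos = start + csize


def _set_encrypted_flag(archive: bytes, name: bytes) -> bytes:
    """Fixture helper: set the encryption bit on one entry in both the local and
    the central header. The entry's contents are not actually encrypted."""
    buf = bytearray(archive)
    for sig, flag_off, nlen_off, name_off in ((LOCAL_SIG, 6, 26, 30), (CENTRAL_SIG, 8, 28, 46)):
        pos = buf.find(sig)
        while pos != -1:
            nlen = struct.unpack_from("<H", buf, pos + nlen_off)[0]
            if bytes(buf[pos + name_off:pos + name_off + nlen]) == name:
                buf[pos + flag_off] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_fixture() -> bytes:
    """Constructed archive: readme.txt plus payload.zip, which holds one
    'password-protected' entry (invoice.exe) and one plain entry."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.exe", b"MZ" + b"\x00" * 64)     # constructed bytes, not a real binary
        z.writestr("notes.txt", b"not protected")
    inner_bytes = _set_encrypted_flag(inner.getvalue(), b"invoice.exe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", b"plain entry")
        z.writestr("payload.zip", inner_bytes)
    return outer.getvalue()


def build_plain_fixture() -> bytes:
    """Constructed archive with no protected entries."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("a.txt", b"hello")
    return out.getvalue()


if __name__ == "__main__":
    print(find_encrypted_entries(build_fixture()))
```

The walker advances by the compressed size recorded in each header rather than scanning the entry data, so a "PK\x03\x04" byte sequence inside a stored or compressed payload is never mistaken for a header; only a data-descriptor entry (compressed size 0) falls back to signature search.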
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table position of the first signature shown. If you are displaying the
first page of a signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to
navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance ........ 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ..... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus (SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide, located on the SonicWALL Web site, for complete instructions on configuring SonicWALL Intrusion Prevention Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
Convention                     Use
Bold                           Highlights items you can select on the SonicWALL management interface.
Italic                         Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button >        Indicates a multiple-step Management Interface menu choice. For example, Security Services > Gateway Anti-Virus
Submenu Item                   means select Security Services, then select Gateway Anti-Virus.
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based resources are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - +1800.35.1642
Austria - +43(0)820.400.105
EMEA - +31(0)411.617.810
France - +33(0)1.4933.7414
Germany - +49(0)1805.0800.22
Hong Kong - +1.800.93.0997
India - +8026556828
Italy - +39.02.7541.9803
Japan - +81(0)3.5460.5356
New Zealand - +0800.446489
Singapore - +800.110.1441
Spain - +34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please check the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop, the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure all users have the latest updates, and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security appliance.
3. Viruses are found and blocked before they infect the remote desktop.
4. The virus is logged and an alert is sent to the administrator.
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client makes a request to download a file from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance. SonicWALL GAV includes advanced decompression technology that can automatically decompress and scan files on a per-packet basis to search for viruses and malware. The SonicWALL GAV engine can perform base64 decoding without ever reassembling the entire base64-encoded mail stream. Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis. The reassembly-free virus scanning functionality of the SonicWALL GAV engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application protocols, as well as generic TCP streams and compressed traffic. SonicWALL GAV protocol inspection is based on high performance state machines which are specific to each supported protocol. SonicWALL GAV delivers protection by inspecting the most common protocols used in today's networked environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based protocols. This closes potential backdoors that can be used to compromise the network while also improving employee productivity and conserving Internet bandwidth.
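The reassembly-free, per-packet design described above can be sketched as a small streaming scanner: each packet is decoded and matched as it arrives, and the only state carried between packets is an incomplete base64 quantum (at most 3 characters) and the last few decoded bytes needed to catch a signature that straddles a packet boundary, so memory use does not grow with file size. This is an added illustration for this guide's readers, not SonicWALL code and not the DPI engine's actual algorithm; the `StreamScanner` class, the helper functions and the signature bytes are constructed for the example, and it handles base64 only (ZIP and GZIP are left out).

```python
import base64

# Constructed test signature for this example; a real engine holds a large
# signature database. Not a real malware pattern.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


class StreamScanner:
    """Scan a stream one chunk (packet) at a time without buffering it.

    State carried between chunks is bounded and independent of file size:
      - at most 3 undecoded base64 characters (an incomplete quantum)
      - the last len(signature) - 1 decoded bytes, so a signature that is
        split across two packets is still matched
    """

    def __init__(self, signature: bytes = SIGNATURE, base64_encoded: bool = False):
        self.sig = signature
        self.b64 = base64_encoded
        self._pending = b""   # incomplete base64 quantum carried over
        self._tail = b""      # decoded bytes kept for cross-chunk matching
        self.matched = False

    def _decode(self, chunk: bytes) -> bytes:
        """Decode whole base64 quanta only; keep the remainder for next time."""
        if not self.b64:
            return chunk
        data = self._pending + b"".join(chunk.split())   # drop MIME line breaks
        usable = len(data) - len(data) % 4
        self._pending = data[usable:]
        return base64.b64decode(data[:usable]) if usable else b""

    def feed(self, chunk: bytes) -> bool:
        """Process one packet; return True once the signature has been seen."""
        if self.matched:
            return True
        window = self._tail + self._decode(chunk)
        if self.sig in window:
            self.matched = True
            return True
        # Keep just enough to complete a match that begins in this chunk.
        keep = len(self.sig) - 1
        self._tail = window[-keep:] if keep > 0 else b""
        return False

    def finish(self) -> bool:
        """Flush any trailing partial quantum at end of stream."""
        if not self.matched and self.b64 and self._pending:
            padded = self._pending + b"=" * (-len(self._pending) % 4)
            try:
                decoded = base64.b64decode(padded)
            except ValueError:
                decoded = b""
            self._pending = b""
            self.matched = self.sig in self._tail + decoded
        return self.matched


def scan_stream(chunks, base64_encoded: bool = False, signature: bytes = SIGNATURE) -> bool:
    """Return True if the signature occurs anywhere in the concatenated stream."""
    scanner = StreamScanner(signature, base64_encoded)
    for chunk in chunks:
        if scanner.feed(chunk):
            return True
    return scanner.finish()


def packetize(payload: bytes, size: int, base64_encoded: bool = False) -> list:
    """Constructed input: optionally MIME-style base64 encode, then cut into
    packets of `size` bytes without regard to quantum or line boundaries."""
    data = base64.encodebytes(payload) if base64_encoded else payload
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    body = b"Greetings. " + SIGNATURE + b" Regards."
    print("base64 mail, 7-byte packets:", scan_stream(packetize(body, 7, True), True))
    print("raw stream, 5-byte packets:", scan_stream(packetize(body, 5), False))
    print("clean stream:", scan_stream(packetize(b"nothing here", 4), False))
```

The 7-byte packet size is chosen so that packets never line up with base64 quanta or MIME line breaks, which is exactly the case a per-packet decoder has to get right.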
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as follows:
Platform         GAV-Disabled         GAV-Enabled Connections      Concurrent Compressed       GAV
                 Connections          Cache Size (Concurrent       File Downloads with GAV     Signatures
                 Cache Size           File Downloads)
TZ 150 Series    2,048                2,048                        100                         4,500
TZ 170 Series    6,144                6,144                        100                         4,500
PRO 1260         6,144                6,144                        100                         4,500
PRO 2040         32,768               16,384                       300                         25,000
PRO 3060         131,072              65,536                       1,000                       25,000
PRO 4060         524,288              131,072                      1,500                       25,000
PRO 5060         750,000              393,216                      3,000                       25,000
Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections) checkbox. This presents an alert informing you that the SonicWALL security appliance must be rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which removes it from the head of the sender's queue and prevents it from being resent; the connection is then terminated.
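The SMTP prevention mechanism above, modelled as a minimal in-path state machine: commands before DATA are acknowledged, message lines are collected until the end-of-data marker, the body is decoded and scanned, and an infected message draws a permanent 552 reply followed by connection close, so the sending MTA discards it instead of retrying. This is an added example, not SonicWALL code; `SmtpGateway`, `visible_payload`, `run_session` and `session_lines` are names chosen here, the signature is a constructed test value, and the MIME handling is deliberately limited to a single-part base64 body.

```python
import base64
from typing import List, Optional

# Constructed test signature for this example, not a real malware pattern.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def visible_payload(message: bytes) -> bytes:
    """Make an encoded body visible to the matcher. Assumption for this
    sketch: a single-part message whose headers declare base64 transfer
    encoding; multipart MIME is out of scope here."""
    head, sep, body = message.partition(b"\r\n\r\n")
    if sep and b"content-transfer-encoding: base64" in head.lower():
        try:
            return head + sep + base64.b64decode(b"".join(body.split()))
        except ValueError:
            return message   # undecodable body: scan it as-is
    return message


class SmtpGateway:
    """Minimal in-path SMTP state machine (hypothetical, for illustration).

    Commands before DATA get a canned success reply; message lines are
    collected until the end-of-data marker, then scanned. An infected
    message is answered with a permanent 552 reply, which tells the sending
    MTA to drop it rather than queue it for retry, and the connection is
    closed."""

    def __init__(self, signature: bytes = SIGNATURE):
        self.sig = signature
        self.in_data = False
        self.buffer = bytearray()
        self.closed = False

    def handle(self, line: bytes) -> Optional[str]:
        """Feed one CRLF-terminated client line; return the reply to send,
        or None while message data is being collected or after close."""
        if self.closed:
            return None
        if self.in_data:
            if line == b".\r\n":                      # end of message
                self.in_data = False
                message = bytes(self.buffer)
                self.buffer.clear()
                if self.sig in visible_payload(message):
                    self.closed = True                # terminate connection
                    return "552 Message rejected: virus signature matched"
                return "250 OK: queued"
            self.buffer += line
            return None
        verb = line.split(b" ", 1)[0].strip().upper()
        if verb == b"DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == b"QUIT":
            self.closed = True
            return "221 Bye"
        if verb in (b"EHLO", b"HELO", b"MAIL", b"RCPT", b"RSET", b"NOOP"):
            return "250 OK"
        return "500 Command not recognized"


def run_session(client_lines, signature: bytes = SIGNATURE) -> List[str]:
    """Drive a gateway with a scripted client and collect its replies."""
    gateway = SmtpGateway(signature)
    replies = []
    for line in client_lines:
        reply = gateway.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies


def session_lines(body: bytes, base64_encoded: bool) -> List[bytes]:
    """Constructed client transcript that submits `body` as one message."""
    lines = [b"EHLO client.example\r\n", b"MAIL FROM:<sender@example.com>\r\n",
             b"RCPT TO:<user@example.net>\r\n", b"DATA\r\n", b"Subject: test\r\n"]
    if base64_encoded:
        lines.append(b"Content-Transfer-Encoding: base64\r\n")
        payload = base64.encodebytes(body).replace(b"\n", b"\r\n")
    else:
        payload = body + b"\r\n"
    return lines + [b"\r\n", payload, b".\r\n", b"QUIT\r\n"]


if __name__ == "__main__":
    for reply in run_session(session_lines(b"Hello " + SIGNATURE, True)):
        print("S:", reply)
```

A 5xx reply at end of DATA is what makes the difference described in the text: a 4xx reply or a silent drop would leave the message in the sender's queue to be retried, whereas 552 is permanent and the message is removed.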
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method is not supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port 80. SonicWALL GAV suppresses the use of HTTP byte-range requests to prevent the sectional retrieval and reassembly of potentially malicious content.
Note: Suppression of HTTP byte-range requests may inhibit the use of certain download accelerator programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious payload.
FTP
Capabilities: zip (including archives) and gzip decompression. The FTP stateful code follows data port negotiations, allowing FTP data to be inspected across any operating TCP port. SonicWALL GAV suppresses the use of the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious content. The suppression of the 'REST' request can be overridden from the /diag.html page with the option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious payload.
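The HTTP and FTP sections above share one idea: a client that fetches a file in byte ranges (HTTP Range) or resumes a transfer mid-file (FTP REST) hands a per-packet scanner only fragments, so the gateway suppresses those requests. The following added example, written for this guide and not SonicWALL code, shows that suppression for both protocols plus a check for the HTTP caveat that deflate inside a chunked response cannot be inflated inline. The function names, the 502 reply to a refused REST and the `allow_rest` flag (standing in for the /diag.html override) are this example's choices; the requests are constructed.

```python
from typing import Tuple


def strip_http_range(request: bytes) -> Tuple[bytes, bool]:
    """Remove Range and If-Range headers from an HTTP request so the origin
    server returns the complete object and the gateway sees it in order.
    Returns (rewritten request, whether anything was removed)."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]]                       # request line is never touched
    removed = False
    for header in lines[1:]:
        name = header.split(b":", 1)[0].strip().lower()
        if name in (b"range", b"if-range"):
            removed = True
            continue
        kept.append(header)
    return b"\r\n".join(kept) + sep + body, removed


def filter_ftp_command(line: bytes, allow_rest: bool = False) -> Tuple[bool, bytes]:
    """Decide whether an FTP control-channel command is forwarded. A REST with
    a non-zero offset resumes a transfer mid-file, so it is refused unless the
    override is on (`allow_rest` stands in for the guide's diag-page option).
    Returns (forward to server?, reply sent to the client instead)."""
    parts = line.strip().split(None, 1)
    verb = parts[0].upper() if parts else b""
    if verb == b"REST" and not allow_rest:
        offset = parts[1] if len(parts) > 1 else b"0"
        if offset.isdigit() and int(offset) == 0:
            return True, b""                # REST 0 only clears a marker
        # Reply code is this example's choice; the guide only says the
        # request is suppressed.
        return False, b"502 REST not permitted by gateway anti-virus\r\n"
    return True, b""


def inline_decompression_supported(response_head: bytes) -> bool:
    """Mirror the HTTP caveat above: gzip and deflate bodies can be inflated
    per packet, but a deflate body inside a chunked response cannot, and
    encodings outside the supported list are not decompressed at all."""
    encoding = transfer = b""
    for header in response_head.split(b"\r\n")[1:]:
        name, _, value = header.partition(b":")
        name, value = name.strip().lower(), value.strip().lower()
        if name == b"content-encoding":
            encoding = value
        elif name == b"transfer-encoding":
            transfer = value
    if encoding == b"deflate" and b"chunked" in transfer:
        return False
    return encoding in (b"", b"identity", b"gzip", b"deflate")


if __name__ == "__main__":
    # Constructed request from a download accelerator asking for one slice.
    req = (b"GET /pub/archive.zip HTTP/1.1\r\nHost: files.example\r\n"
           b"Range: bytes=0-1048575\r\nUser-Agent: accel/1.0\r\n\r\n")
    rewritten, removed = strip_http_range(req)
    print("range removed:", removed)
    print(rewritten.decode())
    print(filter_ftp_command(b"REST 1048576\r\n"))
    print(inline_decompression_supported(
        b"HTTP/1.1 200 OK\r\nContent-Encoding: deflate\r\nTransfer-Encoding: chunked\r\n"))
```

When `inline_decompression_supported` returns False the body would pass through uninspected by the decompression path, which is the situation the note about chunk-encoded deflate responses warns about; an operator who sees many such responses in the logs knows that the range suppression alone is not buying full coverage for that server.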
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The following sections provide the key information you need to successfully activate, configure, and administer SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV license on your SonicWALL security appliance via the management interface. If you already have SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online registration form from your SonicWALL security appliance management interface. Your mySonicWALL.com account is also accessible from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL security appliance within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance immediately.
Page 16 SonicWALL Gateway Anti-Virus Administrator’s Guide
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left-navigation
menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left-navigation
menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface box and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
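The four inbound-inspection rules listed above, written out as a decision function that also renders them as a matrix. This is an added example, not the guide's own table or SonicWALL code: the zone names are the SonicOS security types the guide refers to, while the function, the rendered table and the uncovered_smtp_flows helper are this example's own reading of how the four bullets compose.

```python
"""Enable Inbound Inspection zone rules (SonicWALL GAV guide) as a decision
function. Added example: the rule set is transcribed from the guide's four
bullets; the helpers and the table layout are this example's own."""

TRUSTED_LIKE = {"Trusted", "Wireless", "Encrypted"}
ZONE_TYPES = ("Trusted", "Wireless", "Encrypted", "Public", "Untrusted")


def inbound_inspected(src: str, dst: str, protocol: str) -> bool:
    """Return True if Enable Inbound Inspection covers a flow from zone type
    `src` to zone type `dst` carrying `protocol` (e.g. "HTTP", "SMTP")."""
    if src not in ZONE_TYPES or dst not in ZONE_TYPES:
        raise ValueError(f"unknown zone type: {src!r} -> {dst!r}")
    if protocol.upper() != "SMTP":
        # Bullet 1: non-SMTP from Trusted/Wireless/Encrypted to any zone.
        if src in TRUSTED_LIKE:
            return True
        # Bullet 2: non-SMTP from Public to Untrusted.
        return src == "Public" and dst == "Untrusted"
    # Bullet 3: SMTP from a non-Trusted zone to Trusted/Wireless/Encrypted/Public.
    if src != "Trusted" and dst in TRUSTED_LIKE | {"Public"}:
        return True
    # Bullet 4: SMTP between Trusted/Wireless/Encrypted zones.
    return src in TRUSTED_LIKE and dst in TRUSTED_LIKE


def inspection_table(protocol: str) -> dict:
    """Matrix {src: {dst: bool}} for one protocol, so the rules can be read
    the way the guide presents them (as a source-by-destination table)."""
    return {s: {d: inbound_inspected(s, d, protocol) for d in ZONE_TYPES}
            for s in ZONE_TYPES}


def render_table(protocol: str) -> str:
    """Plain-text rendering of inspection_table(); rows are source zones,
    columns are destination zones, 'yes' marks an inspected flow."""
    w = max(len(z) for z in ZONE_TYPES)
    lines = [f"{protocol:<{w}}  " + "  ".join(f"{d:<{w}}" for d in ZONE_TYPES)]
    for s, row in inspection_table(protocol).items():
        cells = "  ".join(f"{'yes' if row[d] else '-':<{w}}" for d in ZONE_TYPES)
        lines.append(f"{s:<{w}}  {cells}")
    return "\n".join(lines)


def uncovered_smtp_flows() -> list:
    """SMTP flows that inbound inspection does not cover. Trusted -> Public
    is among them, which is the DMZ-hosted mail server case the guide's
    separate Enable Outbound SMTP Inspection setting exists for."""
    return [(s, d) for s in ZONE_TYPES for d in ZONE_TYPES
            if not inbound_inspected(s, d, "SMTP")]


if __name__ == "__main__":
    print(render_table("HTTP"))
    print()
    print(render_table("SMTP"))
    print()
    print("SMTP flows not covered by inbound inspection:", uncovered_smtp_flows())
```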
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
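The password-protected ZIP check described in the first bullet, as a worked example added here (not SonicWALL's implementation): it reads ZIP local file headers in stream order and tests the encryption bit of the general purpose flag, which is what a gateway can see before the whole archive has crossed the wire. The vbaProject.bin check goes beyond the page: it covers only the ZIP-based Office 2007+ formats, not the Office 97 binary format the second bullet also mentions. The sample archives are constructed inside the block.

```python
"""Stream-side checks behind the guide's 'Restrict Transfer of
password-protected Zip files' option. Added example, not SonicWALL code."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30          # fixed part of the local file header
FLAG_ENCRYPTED = 0x0001        # general purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes follow the data, not the header


def walk_local_headers(data: bytes) -> list:
    """Return (name, flags, compressed_size) for each local file header that
    can be reached by skipping forward. Stops at the central directory, at a
    truncated header, or at a streamed entry whose size is only known from a
    trailing data descriptor (a gateway would then have to inflate the stream)."""
    entries, pos = [], 0
    while data[pos:pos + 4] == LOCAL_HEADER_SIG:
        if len(data) < pos + LOCAL_HEADER_LEN:
            break  # truncated header: nothing more can be learned
        # flags, method, time, date, crc32, csize, usize, name_len, extra_len
        flags, _m, _t, _d, _crc, csize, _usize, name_len, extra_len = \
            struct.unpack_from("<HHHHIIIHH", data, pos + 6)
        name_start = pos + LOCAL_HEADER_LEN
        name = data[name_start:name_start + name_len].decode("utf-8", "replace")
        entries.append((name, flags, csize))
        if flags & FLAG_DATA_DESCRIPTOR and csize == 0:
            break  # streamed entry: cannot skip without decompressing
        pos = name_start + name_len + extra_len + csize
    return entries


def zip_is_password_protected(data: bytes) -> bool:
    """True if any reachable entry carries the encryption bit. The first
    entry is classified from its first 30 bytes, so a gateway can decide
    before the rest of the archive arrives."""
    return any(flags & FLAG_ENCRYPTED for _n, flags, _s in walk_local_headers(data))


def ooxml_has_vba_project(data: bytes) -> bool:
    """Extension beyond the page: Office 2007+ .docm/.xlsm/.pptm files are ZIP
    containers whose VBA macros live in a 'vbaProject.bin' part."""
    return any(name.endswith("vbaProject.bin")
               for name, _f, _s in walk_local_headers(data))


def make_zip(members: dict) -> bytes:
    """Constructed sample archive (not a real download) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def mark_first_entry_encrypted(data: bytes) -> bytes:
    """Constructed sample: set the encryption bit on the first local header,
    the way a traditional PKZIP password-protected archive appears on the wire."""
    patched = bytearray(data)
    (flags,) = struct.unpack_from("<H", patched, 6)
    struct.pack_into("<H", patched, 6, flags | FLAG_ENCRYPTED)
    return bytes(patched)


if __name__ == "__main__":
    plain = make_zip({"readme.txt": b"hello gateway"})
    print("plain archive password-protected:", zip_is_password_protected(plain))
    print("patched archive password-protected:",
          zip_is_password_protected(mark_first_entry_encrypted(plain)))
```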
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide, located on the SonicWALL
Web site, for the complete instructions on configuring SonicWALL Intrusion Prevention Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
Convention - Use
Bold - Highlights items you can select on the SonicWALL management interface.
Italic - Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item - Indicates a multiple-step Management Interface menu choice. For
example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway
Anti-Virus.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based resources
are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance Deep Packet Inspection version 2.0 (DPIv2.0)
engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
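The single-pass, per-packet base64 decoding described above, as an added example in Python that is not SonicWALL's code: a decoder that carries at most three characters between packets and a signature matcher that keeps only a short tail, so a signature that straddles two packets is still found without buffering the stream. The signature, attachment and packet segmentation are constructed for the demonstration.

```python
"""Reassembly-free scanning of a base64-encoded mail body, packet by packet.

Added illustration, not SonicWALL code: the decoder carries at most three
characters and the scanner at most len(signature)-1 bytes between packets.
"""
import base64
import re

# Constructed marker standing in for a signature-database entry.
TEST_SIGNATURE = b"CONSTRUCTED-GAV-TEST-SIGNATURE"


class StreamingBase64Decoder:
    """Decode base64 as it arrives, carrying at most 3 characters between calls."""

    _NOT_B64 = re.compile(rb"[^A-Za-z0-9+/=]")

    def __init__(self):
        self._pending = b""

    def feed(self, chunk):
        # MIME wraps base64 at 76 columns; CR/LF and other stray bytes are
        # not part of the encoding and are removed before grouping.
        data = self._pending + self._NOT_B64.sub(b"", chunk)
        usable = len(data) - len(data) % 4  # only whole 4-char quanta decode
        self._pending = data[usable:]
        return base64.b64decode(data[:usable]) if usable else b""

    def finish(self):
        # Flush a trailing partial quantum when the sender omitted padding.
        tail, self._pending = self._pending, b""
        if len(tail) < 2:  # 0 or 1 characters carry no whole byte
            return b""
        return base64.b64decode(tail + b"=" * (-len(tail) % 4))


class StreamingSignatureScanner:
    """Find a byte signature even when it straddles a packet boundary."""

    def __init__(self, signature):
        if not signature:
            raise ValueError("signature must be non-empty")
        self._signature = signature
        self._tail = b""
        self.matched = False

    def scan(self, decoded):
        window = self._tail + decoded
        if self._signature in window:
            self.matched = True
        # Keep only the last len(signature)-1 bytes: the most that a match
        # starting in this packet and ending in the next one can need.
        keep = len(self._signature) - 1
        self._tail = window[-keep:] if keep else b""
        return self.matched


def scan_base64_stream(packets, signature):
    """Run packets through decoder and scanner.

    Returns (detected, index of the packet where detection happened, decoded
    payload). The payload is collected only so a test can check the decoder;
    a gateway forwards or drops each packet and retains nothing.
    """
    decoder = StreamingBase64Decoder()
    scanner = StreamingSignatureScanner(signature)
    parts, detected_at = [], None
    for index, packet in enumerate(packets):
        decoded = decoder.feed(packet)
        parts.append(decoded)
        if scanner.scan(decoded) and detected_at is None:
            detected_at = index  # a gateway would reset the connection here
    parts.append(decoder.finish())
    return detected_at is not None, detected_at, b"".join(parts)


def split_into_packets(data, sizes):
    """Cut data into packets whose lengths cycle through sizes (constructed segmentation)."""
    packets, pos = [], 0
    while pos < len(data):
        n = sizes[len(packets) % len(sizes)]
        packets.append(data[pos:pos + n])
        pos += n
    return packets


def demo(sizes=(7, 13, 29, 5, 61), include_signature=True):
    """Encode a constructed attachment, segment it unevenly, and scan it."""
    attachment = (b"Quarterly report, nothing to see here. " * 3
                  + (TEST_SIGNATURE if include_signature else b"")
                  + b" trailing file content " * 20)
    body = base64.encodebytes(attachment)  # 76-column MIME line wrapping
    packets = split_into_packets(body, list(sizes))
    detected, detected_at, decoded = scan_base64_stream(packets, TEST_SIGNATURE)
    return {"packets": len(packets), "detected": detected,
            "detected_at": detected_at, "decoded_ok": decoded == attachment}


if __name__ == "__main__":
    print(demo())
```

Because detection fires on the packet that completes the signature, the connection can be cut before the rest of the attachment is ever transferred, which is the behaviour the per-protocol prevention mechanisms later in this guide rely on.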
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting over the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as follows:

Platform         GAV-Disabled        GAV-Enabled Connections    Concurrent Compressed    GAV
                 Connections         Cache Size (Concurrent     File Downloads           Signatures
                 Cache Size          File Downloads)            with GAV
TZ 150 Series    2,048               2,048                      100                      4,500
TZ 170 Series    6,144               6,144                      100                      4,500
PRO 1260         6,144               6,144                      100                      4,500
PRO 2040         32,768              16,384                     300                      25,000
PRO 3060         131,072             65,536                     1,000                    25,000
PRO 4060         524,288             131,072                    1,500                    25,000
PRO 5060         750,000             393,216                    3,000                    25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections) checkbox.
This presents an alert informing you that the SonicWALL security appliance must be rebooted for the
change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which
removes it from the head of the sender's queue and prevents it from being resent, and the connection is
terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method is
not supported when the HTTP response is chunk encoded. All HTTP traffic is inspected, not just TCP port
80. SonicWALL GAV suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and
reassembly of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. The FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. SonicWALL GAV suppresses
the use of the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially
malicious content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option Enable FTP 'REST' requests with Gateway AV.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible from any Internet connection with a Web
browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones
page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored to the previously configured state after you renew your SonicWALL
GAV license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface box and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
Traffic      From zone type                    To zone type                           Inspected
Non-SMTP     Trusted, Wireless, Encrypted      Any                                    Yes
Non-SMTP     Public                            Untrusted                              Yes
SMTP         Non-Trusted                       Trusted, Wireless, Encrypted, Public   Yes
SMTP         Trusted, Wireless, Encrypted      Trusted, Wireless, Encrypted           Yes
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when a HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
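The zone rules listed under Enabling Inbound Inspection, the default protocol set with the optional Generic TCP Stream switch, and the exclusion-list bypass described above, written out as one policy check. This is an added illustration, not SonicWALL code: the zone-to-security-type mapping (LAN, WLAN, VPN, DMZ, WAN), the flow records, the exclusion range and the function names are all constructed for the example, and the reading of "non-Trusted" in the third SMTP bullet as "not Trusted, Wireless or Encrypted" is an assumption.

```python
from ipaddress import ip_address

# Security types the inbound rules treat alike.
TRUSTED_LIKE = {"Trusted", "Wireless", "Encrypted"}

# Assumed example network: which security type each zone carries.
# Constructed for this example, not taken from the guide.
ZONE_TYPE = {
    "LAN": "Trusted",
    "WLAN": "Wireless",
    "VPN": "Encrypted",
    "DMZ": "Public",
    "WAN": "Untrusted",
}

# Protocols inspected by default; other TCP traffic is inspected only
# when Generic TCP Stream is enabled.
DEFAULT_PROTOCOLS = {"HTTP", "FTP", "IMAP", "SMTP", "POP3"}


def inbound_rule_matches(src_zone, dst_zone, protocol):
    """The four Enable Inbound Inspection bullets, one test each."""
    src, dst = ZONE_TYPE[src_zone], ZONE_TYPE[dst_zone]
    if protocol != "SMTP":
        # Non-SMTP from a Trusted, Wireless or Encrypted zone to any zone.
        if src in TRUSTED_LIKE:
            return True
        # Non-SMTP from a Public zone to an Untrusted zone.
        return src == "Public" and dst == "Untrusted"
    # SMTP from a non-Trusted zone (assumption: Public or Untrusted) to a
    # Trusted, Wireless, Encrypted or Public zone.
    if src not in TRUSTED_LIKE and (dst in TRUSTED_LIKE or dst == "Public"):
        return True
    # SMTP between Trusted, Wireless or Encrypted zones.
    return src in TRUSTED_LIKE and dst in TRUSTED_LIKE


def in_exclusion_list(ip, exclusions):
    """exclusions: (from_ip, to_ip) inclusive ranges, as the Gateway AV
    Exclusion List table stores them."""
    addr = ip_address(ip)
    return any(ip_address(lo) <= addr <= ip_address(hi) for lo, hi in exclusions)


def gav_decision(flow, exclusions=(), generic_tcp=False):
    """Return (scanned, reason) for a flow dict with src_zone, dst_zone,
    protocol, src_ip and dst_ip keys."""
    proto = flow["protocol"]
    if proto not in DEFAULT_PROTOCOLS and not generic_tcp:
        return False, "protocol not inspected (Generic TCP Stream off)"
    # Excluded addresses bypass scanning in either direction; worth logging,
    # since every exclusion is a hole in the coverage.
    for ip in (flow["src_ip"], flow["dst_ip"]):
        if in_exclusion_list(ip, exclusions):
            return False, "excluded address " + ip
    if inbound_rule_matches(flow["src_zone"], flow["dst_zone"], proto):
        return True, "inbound inspection rule"
    return False, "no inbound rule matches"


if __name__ == "__main__":
    # Constructed sample flows and a constructed exclusion range.
    flows = [
        {"src_zone": "LAN", "dst_zone": "WAN", "protocol": "HTTP",
         "src_ip": "192.168.1.15", "dst_ip": "203.0.113.5"},
        {"src_zone": "WAN", "dst_zone": "DMZ", "protocol": "SMTP",
         "src_ip": "198.51.100.7", "dst_ip": "10.0.0.25"},
    ]
    exclusions = [("192.168.1.10", "192.168.1.20")]
    for f in flows:
        print(f["src_zone"], "->", f["dst_zone"], f["protocol"],
              gav_decision(f, exclusions))
```

The decision function deliberately reports why a flow was skipped; an exclusion that silently removes scanning for a range is exactly the case the Alert! above warns about, and a reason string makes it visible in logs.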
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
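How a gateway can recognise two of the three restricted file classes from the first bytes of a transfer, as an added example that is not SonicWALL's implementation. A password-protected ZIP entry is flagged by bit 0 of the general purpose flag in each local file header; an Office 2007-style macro-enabled document is itself a ZIP whose entry list contains a vbaProject.bin part; a UPX-style packed executable is recognised here by its PE section names. The ZIP and PE samples are constructed in the block, the packer section-name list is an illustrative assumption, and the legacy Office 97 binary (OLE) macro container is not parsed by this example.

```python
import struct

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001        # general purpose flag bit 0
ZIP_FLAG_DATA_DESCRIPTOR = 0x0008  # sizes follow the data, not the header

# Section names commonly left behind by packers. Assumed illustrative
# list; a real engine keys this off its signature database.
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}


def walk_zip_entries(data):
    """Yield (name, flags) for each local file header found in order.
    Stops when a header cannot be located or an entry's size is unknown."""
    pos = 0
    while data[pos:pos + 4] == ZIP_LOCAL_SIG:
        flags, = struct.unpack_from("<H", data, pos + 6)
        csize, = struct.unpack_from("<I", data, pos + 18)
        nlen, elen = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        yield name, flags
        if flags & ZIP_FLAG_DATA_DESCRIPTOR:
            break  # compressed size is not in the header; cannot skip ahead
        pos += 30 + nlen + elen + csize


def pe_section_names(data):
    """Return the section names of a PE image, or [] if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    nsections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def classify_transfer(data):
    """Return the sorted list of restrict-transfer categories a file trips."""
    hits = set()
    if data[:4] == ZIP_LOCAL_SIG:
        for name, flags in walk_zip_entries(data):
            if flags & ZIP_FLAG_ENCRYPTED:
                hits.add("password-protected zip")
            if name.endswith("vbaProject.bin"):
                hits.add("office file with macros")
    if set(pe_section_names(data)) & PACKER_SECTIONS:
        hits.add("packed executable")
    return sorted(hits)


# Constructed samples (headers only; no real compressed payload or code).
def build_zip(entries):
    """entries: (name, encrypted) pairs -> bytes of consecutive local headers."""
    out = b""
    for name, encrypted in entries:
        n = name.encode()
        flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
        out += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags,
                           0, 0, 0, 0, 0, 0, len(n), 0) + n
    return out


def build_pe(section_names):
    """Minimal PE skeleton: DOS stub, COFF header with no optional header,
    then one 40-byte section header per name."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names),
                                   0, 0, 0, 0, 0)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32
                        for n in section_names)
    return dos + coff + sections


if __name__ == "__main__":
    print(classify_transfer(build_zip([("secret.bin", True)])))
    print(classify_transfer(build_pe(["UPX0", "UPX1", ".rsrc"])))
```

Because the decision is taken from headers that arrive in the first packets, it fits the per-packet model the guide describes: the gateway does not need the whole archive before it can refuse a password-protected entry.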
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide, located on the SonicWALL
Web site, for the complete instructions on configuring SonicWALL Intrusion Prevention Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention: Use
Bold: Highlights items you can select on the SonicWALL management interface.
Italic: Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item: Indicates a multiple step Management Interface menu choice. For example,
Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based resources
are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
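What "reassembly-free, per-packet" scanning means in practice, as an added example that is not SonicWALL's engine: the scanner is handed each TCP segment as it arrives and keeps only the last (longest signature length minus one) bytes of state per flow, so a signature that straddles a segment boundary is still found without ever buffering the file, and memory use does not grow with file size. Signature names, the byte patterns and the segmented sample stream are all constructed for the example.

```python
class StreamScanner:
    """Match byte signatures against a TCP stream one segment at a time.

    Only a short tail of the previous segment is carried, never the whole
    stream, so there is no file-size limit and no reassembly buffer.
    """

    def __init__(self, signatures):
        self.signatures = dict(signatures)          # name -> bytes pattern
        longest = max(len(s) for s in self.signatures.values())
        self.carry = longest - 1                    # bytes kept between segments
        self.tail = b""
        self.tail_offset = 0                        # stream offset of tail[0]

    def feed(self, segment):
        """Scan one segment; return [(name, stream_offset), ...] for new hits."""
        buf = self.tail + segment
        boundary = len(self.tail)                   # bytes before this were scanned already
        hits = []
        for name, sig in self.signatures.items():
            i = buf.find(sig)
            while i != -1:
                # Report a match only if it ends inside the new segment, so a
                # match sitting entirely in the carried tail is not repeated.
                if i + len(sig) > boundary:
                    hits.append((name, self.tail_offset + i))
                i = buf.find(sig, i + 1)
        keep = min(self.carry, len(buf))
        self.tail_offset += len(buf) - keep
        self.tail = buf[len(buf) - keep:]
        return sorted(hits, key=lambda h: h[1])


def scan_stream(signatures, segments):
    """Feed a list of segments through one scanner; return all hits in order."""
    scanner = StreamScanner(signatures)
    hits = []
    for seg in segments:
        hits.extend(scanner.feed(seg))
    return hits


if __name__ == "__main__":
    # Constructed signature and a constructed stream split mid-signature.
    sigs = {"test-sig": b"MALSIG-42"}
    segments = [b"hello MALS", b"IG-42 bye", b"MALSIG-42"]
    print(scan_stream(sigs, segments))   # the first hit spans two segments
```

A real engine layers per-packet decoders (Base64, deflate) in front of this matcher so the carried state also includes the decoder's position, but the boundary handling is the same: the tail is the only memory that survives from one packet to the next.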
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
Page 7
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Page 8 SonicWALL Gateway Anti-Virus Administrator’s Guide
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If virus found, file discarded.
5. Virus is logged and alert sent to administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by
the e-mail server.
3. If virus found, threat prevented.
4. E-mail is returned to sender, virus is logged, and alert sent to administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection version 2.0)
engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
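The following Python example is added here to illustrate the reassembly-free approach described above; it is not code from this guide or from the SonicWALL engine. It chains a base64 decoder that holds back at most three unconsumed characters, a streaming gzip inflater, and a signature matcher that carries only (longest signature - 1) bytes from one packet to the next, so a signature split across a packet boundary is still found without ever buffering the attachment. The signature string, the sample attachment and the packet size are constructed for the example; the real signature format and data structures are not shown.

```python
import base64
import gzip
import zlib

# Constructed test signature; the real GAV signature database is not public.
SIGNATURES = {b"CONSTRUCTED-MALWARE-MARKER-0001": "Constructed.Test.Marker"}


class StreamBase64Decoder:
    """Decode base64 packet by packet, holding back at most 3 unconsumed
    characters (a partial 4-character quantum) instead of the encoded body."""

    def __init__(self):
        self.pending = b""

    def feed(self, chunk):
        data = self.pending + b"".join(chunk.split())  # drop MIME line breaks
        usable = len(data) - len(data) % 4              # whole quanta only
        self.pending = data[usable:]
        return base64.b64decode(data[:usable])


class StreamMatcher:
    """Match byte signatures across packet boundaries while keeping only
    (longest signature - 1) bytes of carry-over, never the full stream."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.keep = max(len(s) for s in signatures) - 1
        self.tail = b""
        self.hits = []

    def feed(self, chunk):
        window = self.tail + chunk
        for sig, name in self.signatures.items():
            if sig in window and name not in self.hits:
                self.hits.append(name)
        self.tail = window[-self.keep:] if self.keep else b""


def scan_packets(packets):
    """Run base64 -> gzip -> signature matching over a packet sequence.
    Returns (matched signature names, most bytes held between packets by the
    decoder and matcher). zlib keeps its own fixed 32 KiB inflate window,
    which is bounded by the format, not by the file size."""
    b64 = StreamBase64Decoder()
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    matcher = StreamMatcher(SIGNATURES)
    held = 0
    for pkt in packets:
        matcher.feed(inflater.decompress(b64.feed(pkt)))
        held = max(held, len(b64.pending) + len(matcher.tail))
    return matcher.hits, held


def make_packets(payload, packet_size):
    """Constructed attachment: gzip the payload, base64-encode it as a mail
    client would (76-character lines), and cut the text into fixed packets."""
    encoded = base64.encodebytes(gzip.compress(payload, mtime=0))
    return [encoded[i:i + packet_size] for i in range(0, len(encoded), packet_size)]


FILLER = bytes(range(256)) * 4                          # poorly compressible filler
INFECTED = FILLER + b"CONSTRUCTED-MALWARE-MARKER-0001" + FILLER
CLEAN = FILLER + b"nothing to see here" + FILLER

if __name__ == "__main__":
    hits, held = scan_packets(make_packets(INFECTED, 29))
    print(hits, "max bytes held between packets:", held, "of", len(INFECTED))
    print(scan_packets(make_packets(CLEAN, 29))[0])
```

The packet size of 29 is deliberately not a multiple of 4 and not aligned to the 76-character base64 lines, so quanta and line breaks straddle packets; the state carried between packets stays at a few dozen bytes however large the attachment is.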
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. The number of streams that can be scanned concurrently is
platform dependent, as shown in the following table:

Platform          GAV-Disabled    GAV-Enabled Connections    Concurrent Compressed    GAV
                  Connections     Cache Size (Concurrent     File Downloads           Signatures
                  Cache Size      File Downloads)            with GAV
TZ 150 Series     2,048           2,048                      100                      4,500
TZ 170 Series     6,144           6,144                      100                      4,500
PRO 1260          6,144           6,144                      100                      4,500
PRO 2040          32,768          16,384                     300                      25,000
PRO 3060          131,072         65,536                     1,000                    25,000
PRO 4060          524,288         131,072                    1,500                    25,000
PRO 5060          750,000         393,216                    3,000                    25,000

Disabling the SonicWALL GAV/IPS Engine
If SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not in use on your SonicWALL security
appliance, the SonicWALL GAV/IPS engine itself can be disabled so that its resources are reallocated to
the SPI connection cache (compare the GAV-Disabled and GAV-Enabled columns in the table above).
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which
removes it from the head of the sending server's queue so that it is not resent, and the connection is terminated.
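As an added illustration of the SMTP prevention mechanism (example code written for this page, not SonicWALL's implementation), the following Python replays one SMTP session through a scanning gateway and records both sides' messages. The reason a 552 reply stops the message from being resent is that 5xx replies are permanent failures: a conforming sending MTA removes the message from its queue and bounces it, whereas a 4xx reply would make it retry and deliver the same infected message again later. The session lines and the marker string are constructed; for brevity the example buffers the message body before scanning, unlike the per-packet engine.

```python
MARKER = b"CONSTRUCTED-MALWARE-MARKER-0001"   # constructed signature string


def scan_message(body: bytes) -> bool:
    """Stand-in for the scanning engine: one constructed byte signature."""
    return MARKER in body


def gateway_smtp_session(client_lines):
    """Replay one SMTP session through a scanning gateway.

    Returns (transcript, accepted): transcript is a list of ('C', line) and
    ('S', line) pairs in wire order; accepted is True only if the gateway
    answered the end-of-data marker with 250.
    """
    transcript = [("S", "220 gateway.example.test ESMTP ready")]
    in_data, body, accepted = False, [], False
    for line in client_lines:
        transcript.append(("C", line))
        if in_data:
            if line != ".":
                body.append(line.encode())
                continue
            in_data = False
            if scan_message(b"\r\n".join(body)):
                # 5xx is permanent: a conforming sending MTA removes the
                # message from its queue and bounces it instead of retrying.
                transcript.append(("S", "552 Message content rejected: virus detected"))
                transcript.append(("S", "<gateway closes the TCP connection>"))
                return transcript, False
            transcript.append(("S", "250 OK: queued"))
            accepted = True
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            transcript.append(("S", "250 gateway.example.test"))
        elif verb in ("MAIL", "RCPT"):
            transcript.append(("S", "250 OK"))
        elif verb == "DATA":
            transcript.append(("S", "354 End data with <CR><LF>.<CR><LF>"))
            in_data, body = True, []
        elif verb == "QUIT":
            transcript.append(("S", "221 Bye"))
            break
        else:
            transcript.append(("S", "500 Command not recognized"))
    return transcript, accepted


# Constructed sessions: one carries the marker in its body, one does not.
COMMON = ["EHLO mta.sender.example.test", "MAIL FROM:<alice@sender.example.test>",
          "RCPT TO:<bob@corp.example.test>", "DATA", "Subject: quarterly report", ""]
INFECTED_SESSION = COMMON + ["attached: CONSTRUCTED-MALWARE-MARKER-0001", ".", "QUIT"]
CLEAN_SESSION = COMMON + ["see attached figures", ".", "QUIT"]

if __name__ == "__main__":
    for session in (INFECTED_SESSION, CLEAN_SESSION):
        transcript, accepted = gateway_smtp_session(session)
        for side, text in transcript:
            print(side + ":", text)
        print("accepted:", accepted, "\n")
```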
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression method is
not supported when HTTP response is Chunk Encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
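Why byte-range suppression matters, as an added Python example (not code from the guide or the product): a client can fetch an object in several Range requests so that no single response carries a whole signature, and a gateway that scans each response on its own never matches. Carry-over within one stream does not help, because each range is a separate HTTP transaction. Dropping the Range header, as the appliance's suppression does, forces the origin to return the whole object, which is then scanned as one stream. The hosted file, the signature and the range boundaries are constructed; the origin server and the two gateway policies are small stand-ins.

```python
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER-0001"           # constructed signature
HOSTED_FILE = b"." * 40 + SIGNATURE + b"." * 40          # constructed 111-byte object


def origin_server(headers):
    """Stand-in origin: honours a single RFC 7233 byte range, else sends all."""
    rng = headers.get("Range", "")
    if rng.startswith("bytes="):
        first, last = (int(x) for x in rng[len("bytes="):].split("-"))
        return 206, HOSTED_FILE[first:last + 1]
    return 200, HOSTED_FILE


def scan(body):
    """Stand-in for the scanning engine: one constructed byte signature."""
    return SIGNATURE in body


def passthrough(headers):
    """Gateway that forwards Range requests unchanged."""
    return headers


def suppress_range(headers):
    """Gateway policy from the guide: drop the Range header so the origin
    answers with the whole object and it is scanned as a single stream."""
    return {k: v for k, v in headers.items() if k.lower() != "range"}


def download(ranges, gateway_policy):
    """Fetch the object in the given Range pieces, scanning each response on
    its own (each range is a separate HTTP transaction, so per-stream
    carry-over does not span them). Returns (blocked, bytes the client got)."""
    received = b""
    for rng in ranges:
        status, body = origin_server(gateway_policy({"Range": rng}))
        if scan(body):
            return True, received       # connection terminated, nothing forwarded
        received += body
    return False, received


# Ranges chosen so the 31-byte signature at offsets 40..70 is split at 54/55.
EVASIVE_RANGES = ["bytes=0-54", "bytes=55-110"]

if __name__ == "__main__":
    print("pass-through:", download(EVASIVE_RANGES, passthrough))
    print("suppressed:  ", download(EVASIVE_RANGES, suppress_range))
```

With pass-through the client reassembles the full object, signature included, and nothing was ever blocked; with suppression the first request already returns the whole object and the transfer is stopped. The same suppression is what breaks download accelerators, which depend on 206 responses to their parallel range requests.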
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for the essential
configuration of SonicWALL GAV to protect your network against viruses, worms, Trojans, and other
malicious code.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interfaces on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon . The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, Gateway Anti-Virus inspection stops and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored to their previously configured state after you renew your
SonicWALL GAV license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface box and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when a HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP address listed in the exclusion list bypasses virus scanning on its traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
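Two of the restrict-transfer checks, as an added Python example that is not part of this guide or of the appliance: the "password-protected" property is bit 0 of the general-purpose flags in each ZIP local file header, which arrives in the first packets of a transfer and so can be decided early, and packers such as UPX and ASPack leave recognizable section names in the PE section table. The archive and the PE skeleton are constructed inside the code (Python's zipfile cannot write encrypted archives, so the flag bit is patched by hand), and the packer section-name list is a small assumed lookup, not the GAV signature set.

```python
import io
import struct
import zipfile

# Assumed lookup of a few well-known packer section names; not the GAV signature set.
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}


def zip_has_encrypted_entry(data):
    """Walk the local file headers (they precede the central directory, so a
    gateway sees them early) and report whether any entry sets
    general-purpose flag bit 0, the 'encrypted' bit."""
    pos = 0
    while data[pos:pos + 4] == b"PK\x03\x04":
        flags, = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x0001:
            return True
        csize, = struct.unpack_from("<I", data, pos + 18)
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        body = pos + 30 + name_len + extra_len
        if flags & 0x0008 and csize == 0:
            # Streamed entry with a trailing data descriptor: the size is not
            # known here, so resynchronise on the next local header signature
            # (a heuristic; compressed data could contain that byte pattern).
            nxt = data.find(b"PK\x03\x04", body)
            if nxt < 0:
                break
            pos = nxt
        else:
            pos = body + csize
    return False


def pe_section_names(data):
    """Return the section names of a PE image, or [] if data is not a PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return []
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    nsect, = struct.unpack_from("<H", data, pe_off + 6)       # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                            # section table start
    if table + 40 * nsect > len(data):
        return []
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(nsect)]


def is_packed_executable(data):
    return any(name in PACKER_SECTIONS for name in pe_section_names(data))


def transfer_allowed(data, restrict_pw_zip=True, restrict_packed=True):
    """Apply the two restrict-transfer rules to a file body; returns (allowed, reason)."""
    if restrict_pw_zip and data[:4] == b"PK\x03\x04" and zip_has_encrypted_entry(data):
        return False, "password-protected zip"
    if restrict_packed and is_packed_executable(data):
        return False, "packed executable"
    return True, "ok"


def make_zip(name, content, encrypted=False):
    """Constructed archive. zipfile cannot write encrypted entries, so the
    encrypted bit is set by patching the first local header's flags."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        flags, = struct.unpack_from("<H", data, 6)
        struct.pack_into("<H", data, 6, flags | 0x0001)
    return bytes(data)


def make_fake_pe(section_names):
    """Constructed, non-executable PE skeleton: DOS stub, COFF header with an
    empty optional header, and a section table carrying the given names."""
    pe_off = 0x40
    dos = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + coff + sections


if __name__ == "__main__":
    print(transfer_allowed(make_zip("report.txt", b"hello")))
    print(transfer_allowed(make_zip("report.txt", b"hello", encrypted=True)))
    print(transfer_allowed(make_fake_pe(["UPX0", "UPX1", ".rsrc"])))
    print(transfer_allowed(make_fake_pe([".text", ".data", ".rsrc"])))
```

Both checks are header-based and cheap, which is why a gateway can apply them without decompressing or emulating anything; a packer that renames its sections defeats the section-name lookup, which is why the product pairs it with signature updates rather than relying on names alone.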
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table position of the first signature on the current page. If you are
displaying the first page of a signature table, the entry might be Items 1 to 50 (of 58). Use the navigation
buttons to move through the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - inspection of the data portion of the packet, not just its headers. Enables the
firewall to look further into the protocol, examine information at the application layer, and defend against
attacks targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL's unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - legitimate traffic that is wrongly identified as matching an attack pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - tracks the state of each connection and evaluates packets in that context;
SonicWALL's implementation examines the contents of individual packets at all layers of the OSI model,
from the network layer to the application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance ..................... 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator's Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator's Guide, located on the SonicWALL
Web site, for complete instructions on configuring SonicWALL Intrusion Prevention Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
Convention                      Use
Bold                            Highlights items you can select on the SonicWALL management interface.
Italic                          Highlights a value to enter into a field. For example, "type 192.168.168.168 in
                                the IP Address field."
Top Level Menu Button >         Indicates a multiple step Management Interface menu choice. For example,
Submenu Item                    Security Services > Gateway Anti-Virus means select Security Services, then
                                select Gateway Anti-Virus.
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit the SonicWALL Web site. Web-based resources
are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - +1800.35.1642
Austria - +43 (0)820.400.105
EMEA - +31 (0)411.617.810
France - +33 (0)1.4933.7414
Germany - +49 (0)1805.0800.22
Hong Kong - +1.800.93.0997
India - +8026556828
Italy - +39.02.7541.9803
Japan - +81 (0)3.5460.5356
New Zealand - +0800.446489
Singapore - +800.110.1441
Spain - +34 (0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44 (0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LZH, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting the remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. Virus is logged and alert is sent to administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by
the e-mail server.
3. If a virus is found, the threat is prevented.
4. E-mail is rejected back to the sender (see the SMTP prevention mechanism under Protocol Handling),
virus is logged, and alert is sent to administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 engine (Deep Packet Inspection
version 2.0), which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LZH, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. The reassembly-free virus scanning of the SonicWALL GAV engine
is inherited from the Deep Packet Inspection engine, which scans streams without buffering the bytes
within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
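The two claims above, per-packet base64 decoding and signature matching without reassembling the stream, come down to keeping a small amount of carried state between packets. The following is an added example, not SonicWALL's engine: a scanner that decodes a base64 mail body packet by packet (carrying at most three not-yet-decodable characters) and matches a signature across packet boundaries while retaining only len(signature) - 1 bytes of history. The signature, the message and the packet sizes are constructed; the real engine's signature format is not described in this guide.

```python
"""Added example, not SonicWALL code: the two ingredients of reassembly-free
scanning. The scanner (1) base64-decodes a mail body packet by packet,
carrying at most three not-yet-decodable characters between packets, and
(2) matches a signature across packet boundaries while keeping only
len(signature) - 1 bytes of history. No packet is held back and the file is
never assembled. Signature, message and packet sizes are constructed."""
import base64
import binascii

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-7f3a"
INFECTED = b"MIME part header bytes " + bytes(40) + SIGNATURE + b" trailing bytes"
CLEAN = b"quarterly report, nothing to see here " * 8


class StreamScanner:
    def __init__(self, signature: bytes, base64_body: bool = False):
        self.signature = signature
        self.base64_body = base64_body
        self._b64_carry = b""      # < 4 base64 chars waiting for a full quantum
        self._tail = b""           # last len(signature) - 1 decoded bytes
        self.matched = False
        self.max_state_bytes = 0   # largest carry + tail seen, to show the bound

    def _decode(self, chunk: bytes) -> bytes:
        if not self.base64_body:
            return chunk
        # Drop the line folding, then decode whole 4-char quanta only.
        data = self._b64_carry + b"".join(chunk.split())
        usable = len(data) - len(data) % 4
        self._b64_carry = data[usable:]
        return binascii.a2b_base64(data[:usable]) if usable else b""

    def feed(self, packet: bytes) -> bool:
        """Scan one packet as it arrives. True once the signature has been seen."""
        window = self._tail + self._decode(packet)
        if self.signature in window:
            self.matched = True
        keep = len(self.signature) - 1
        self._tail = window[-keep:] if keep else b""
        self.max_state_bytes = max(self.max_state_bytes,
                                   len(self._tail) + len(self._b64_carry))
        return self.matched


def as_mime_base64(payload: bytes) -> bytes:
    """Constructed attachment body: base64 folded into 76-column lines."""
    return base64.encodebytes(payload)


def packetize(stream: bytes, size: int) -> list:
    """Cut a stream into fixed-size 'packets' at arbitrary, non-aligned points."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def scan_stream(signature: bytes, packets, base64_body: bool = False) -> bool:
    """Feed packets in order; True at the first packet that completes a match
    (a gateway would drop that packet and reset the connection at this point)."""
    scanner = StreamScanner(signature, base64_body)
    return any(scanner.feed(p) for p in packets)
```

Because the carried state is bounded by the signature length rather than the file length, the file-size independence the architecture section claims follows directly; a 7-byte packet size is deliberately awkward so that both the base64 quanta and the signature straddle packet boundaries.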
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding and ZIP, LZH, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. What is platform dependent is the number of streams the
engine can scan concurrently, as follows:

Platform        GAV-Disabled        GAV-Enabled Connections     Concurrent Compressed    GAV
                Connections         Cache Size (Concurrent      File Downloads           Signatures
                Cache Size          File Downloads)             with GAV
TZ 150 Series   2,048               2,048                       100                      4,500
TZ 170 Series   6,144               6,144                       100                      4,500
PRO 1260        6,144               6,144                       100                      4,500
PRO 2040        32,768              16,384                      300                      25,000
PRO 3060        131,072             65,536                      1,000                    25,000
PRO 4060        524,288             131,072                     1,500                    25,000
PRO 5060        750,000             393,216                     3,000                    25,000

Disabling the SonicWALL GAV/IPS Engine
If SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on your SonicWALL security
appliance, the SonicWALL GAV/IPS engine itself can be disabled so that its resources are reallocated to the
SPI connection cache (the GAV-Disabled column in the table above).
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. An alert informs you that the SonicWALL security appliance must be rebooted for the
change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoded content is handled natively for all e-mail based protocols (SMTP, POP3, and IMAP),
since it requires no decoding.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The gateway answers the message with a 552 SMTP response and terminates the
connection. Because 552 is a permanent failure, the sending server removes the message from the head of
its queue instead of retrying it.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
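The POP3 prevention mechanism described above, simulated end to end as an added example (constructed for this page, not SonicWALL code). An in-memory POP3 server, an inline scanning gateway and a naive client exchange real POP3 command and response lines; the gateway scans every RETR response, and on a match issues DELE to the server, then QUIT so that the deletion is actually committed (RFC 1939 only removes marked messages when the session reaches the UPDATE state), and drops the client connection so the body never reaches the mailbox. The signature string and the three messages are constructed samples.

```python
"""Simulated POP3 session through an inline scanning gateway (constructed example)."""

SIGNATURE = b"MALWARE-TEST-PATTERN"   # constructed stand-in for a real signature
CLEAN_1 = b"Subject: report\r\n\r\nquarterly numbers attached"
INFECTED = b"Subject: invoice\r\n\r\n" + SIGNATURE
CLEAN_3 = b"Subject: lunch\r\n\r\nnoon?"


class Pop3Server:
    """Minimal in-memory POP3 maildrop (RFC 1939 numbering: messages are 1-indexed)."""

    def __init__(self, maildrop):
        self.maildrop = list(maildrop)
        self.marked = set()      # DELE marks; committed only in the UPDATE state (QUIT)
        self.log = []            # every command line the server saw, for inspection

    def _live(self):
        return [m for i, m in enumerate(self.maildrop, 1) if i not in self.marked]

    def handle(self, line: bytes) -> bytes:
        self.log.append(line.strip())
        cmd, *args = line.strip().split()
        cmd = cmd.upper()
        if cmd == b"STAT":
            live = self._live()
            return b"+OK %d %d\r\n" % (len(live), sum(len(m) for m in live))
        if cmd in (b"RETR", b"DELE"):
            n = int(args[0])
            if not 1 <= n <= len(self.maildrop) or n in self.marked:
                return b"-ERR no such message\r\n"
            if cmd == b"RETR":
                return b"+OK\r\n" + self.maildrop[n - 1] + b"\r\n.\r\n"
            self.marked.add(n)
            return b"+OK\r\n"
        if cmd == b"QUIT":
            # UPDATE state: a session closed any other way must not remove messages (RFC 1939 s.6)
            self.maildrop = self._live()
            self.marked = set()
            return b"+OK\r\n"
        return b"-ERR unknown command\r\n"


class ScanningGateway:
    """Sits on the client-server path and scans every RETR response before relaying it."""

    def __init__(self, server: Pop3Server):
        self.server = server
        self.client_open = True
        self.blocked = []        # message numbers whose download was cut

    def relay(self, client_line: bytes):
        """Return what the client receives, or None once the gateway has cut the client connection."""
        if not self.client_open:
            return None
        cmd, *args = client_line.strip().split()
        response = self.server.handle(client_line)
        if cmd.upper() == b"RETR" and response.startswith(b"+OK") and SIGNATURE in response:
            # Prevention: delete server-side, QUIT so the DELE is committed, then drop the client.
            self.server.handle(b"DELE " + args[0] + b"\r\n")
            self.server.handle(b"QUIT\r\n")
            self.client_open = False
            self.blocked.append(int(args[0]))
            return None
        if cmd.upper() == b"QUIT":
            self.client_open = False
        return response


def pop3_session(gateway: ScanningGateway):
    """Naive client: STAT, then RETR each message in order. Returns (bodies received, how it ended)."""
    received = []
    stat = gateway.relay(b"STAT\r\n")
    count = int(stat.split()[1])
    for n in range(1, count + 1):
        response = gateway.relay(b"RETR %d\r\n" % n)
        if response is None:
            return received, "connection reset"
        if response.startswith(b"+OK"):
            received.append(response[len(b"+OK\r\n"):-len(b"\r\n.\r\n")])
    gateway.relay(b"QUIT\r\n")
    return received, "complete"


def run_demo():
    """First session is cut at the infected message; a re-initiated session gets the rest."""
    server = Pop3Server([CLEAN_1, INFECTED, CLEAN_3])
    first = pop3_session(ScanningGateway(server))
    second = pop3_session(ScanningGateway(server))
    return first, second, server.maildrop


if __name__ == "__main__":
    print(run_demo())
```

The second session shows the client-side cost the text mentions: the naive client re-downloads message 1 because it does not track UIDLs, and after the committed deletion the remaining messages have been renumbered. A client that relies on UIDL to skip already-fetched mail behaves differently, which is why the UIDL-related diagnostic setting above exists.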
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
Page 14 SonicWALL Gateway Anti-Virus Administrator’s Guide
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is not supported when the HTTP response uses chunked transfer encoding. All HTTP traffic is inspected, not just TCP port 80. HTTP Byte-Range requests are suppressed to prevent a client from retrieving a file in sections over separate connections and reassembling potentially malicious content that no single stream contains in full.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. The FTP stateful code follows data-port negotiations, so FTP data is inspected on whatever TCP port the transfer uses. FTP 'REST' (restart) requests are suppressed to prevent the sectional retrieval and reassembly of potentially malicious content. The suppression of 'REST' can be overridden from the /diag.html page with the option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
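Why the Byte-Range and REST suppression matters, as an added example (constructed for this page, not SonicWALL code): a signature matched per connection cannot fire when an accelerator-style client fetches a file as byte ranges on separate connections, because no single stream carries the whole pattern, yet the client reassembles the complete object. Stripping the Range header, as the gateway does, forces the origin to return the whole object on every connection, so the scan sees it and the connection is terminated. The signature, payload, origin server and requests are all constructed; the same reasoning applies to FTP REST offsets.

```python
"""Per-connection scanning versus range-split downloads (constructed example)."""
import re

SIGNATURE = b"MALWARE-TEST-PATTERN"           # constructed stand-in for a real signature
PAYLOAD = b"A" * 20 + SIGNATURE + b"B" * 20   # constructed 60-byte "infected" object


def scan(stream: bytes) -> bool:
    """Signature match over the data seen on one TCP connection."""
    return SIGNATURE in stream


def parse_range(request: bytes):
    """Return (first, last) from a 'Range: bytes=first-last' header, or None if absent."""
    m = re.search(rb"^Range:[ \t]*bytes=(\d+)-(\d+)[ \t]*\r?$", request, re.M | re.I)
    return (int(m.group(1)), int(m.group(2))) if m else None


def serve(request: bytes, body: bytes) -> bytes:
    """Minimal origin server: 206 Partial Content for a satisfiable Range, else 200 with the whole body."""
    rng = parse_range(request)
    if rng is not None and rng[0] <= rng[1] < len(body):
        first, last = rng
        part = body[first:last + 1]
        head = (b"HTTP/1.1 206 Partial Content\r\nContent-Range: bytes %d-%d/%d\r\n"
                b"Content-Length: %d\r\n\r\n" % (first, last, len(body), len(part)))
        return head + part
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body


def strip_range(request: bytes) -> bytes:
    """The gateway's suppression: delete the Range header so the origin answers with the complete object."""
    return re.sub(rb"^Range:[^\r\n]*\r\n", b"", request, flags=re.M | re.I)


def ranged_requests(total: int, chunk: int):
    """A download accelerator's view: one request per byte range, each on its own connection."""
    for first in range(0, total, chunk):
        last = min(first + chunk, total) - 1
        yield (b"GET /file.bin HTTP/1.1\r\nHost: example.test\r\n"
               b"Range: bytes=%d-%d\r\n\r\n" % (first, last))


def body_of(response: bytes) -> bytes:
    return response.split(b"\r\n\r\n", 1)[1]


def gateway(request: bytes, suppress_range: bool):
    """Inline gateway: relay the origin's response, or return None (connection terminated) on a match."""
    if suppress_range:
        request = strip_range(request)
    response = serve(request, PAYLOAD)
    return None if scan(response) else response


def download(chunk: int, suppress_range: bool):
    """Accelerator-style client. Returns (connections terminated by the gateway, reassembled bytes)."""
    terminated, parts = 0, []
    for req in ranged_requests(len(PAYLOAD), chunk):
        resp = gateway(req, suppress_range)
        if resp is None:
            terminated += 1
            continue
        parts.append(body_of(resp))
    return terminated, b"".join(parts)


if __name__ == "__main__":
    print("no suppression:", download(16, suppress_range=False))
    print("suppression:   ", download(16, suppress_range=True))
```

With a 16-byte chunk the signature straddles two ranges, so without suppression all four connections pass and the client ends up holding the complete payload; with suppression every connection carries the whole object, every one is terminated, and the client receives nothing. The caveat in the note above follows directly: any client that depends on ranged retrieval will see its connections reset.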
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for the essential
configuration of SonicWALL GAV to protect your network against viruses, worms and other malicious
code.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates that an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, which
provides comprehensive protection against viruses, worms, Trojans, and exploits of application
vulnerabilities. When you activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible directly at mySonicWALL.com
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at mySonicWALL.com, the activation is automatically enabled on your
SonicWALL security appliance within 24 hours, or you can click the Synchronize button on the
Security Services > Summary page to update your SonicWALL security appliance immediately.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL security
appliance in the Friendly Name field. The friendly name lets you identify the appliance easily in your
mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If the appliance is running
SonicOS Standard 3.0, you must also specify the interfaces on which you want SonicWALL GAV
protection applied. If it is running SonicOS Enhanced 3.0, you must specify the zones on which you
want SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want SonicWALL GAV protection enabled. Depending on the appliance model,
you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting the interface(s), click Apply.
It is recommended that you select both the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, SonicWALL GAV inspection stops and the SonicWALL GAV
configuration settings are removed from the SonicWALL security appliance. The settings are
automatically restored to their previously configured state when you renew your SonicWALL GAV
license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and select the interface(s) to which you want anti-virus scanning applied.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV to zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The same Enable Inbound Inspection rules, as a table (each row is a session initiated from a zone of the
first security type toward a zone of the second):

Protocol    Initiating zone type            Destination zone type
Non-SMTP    Trusted, Wireless, Encrypted    Any
Non-SMTP    Public                          Untrusted
SMTP        non-Trusted                     Trusted, Wireless, Encrypted, Public
SMTP        Trusted, Wireless, Encrypted    Trusted, Wireless, Encrypted

Sessions that match none of these rows are outside the scope of inbound inspection.
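The four inbound-inspection rules above as a decision procedure, added here as an example (not SonicWALL code). It encodes each rule once, renders the full source-type by destination-type matrix for a protocol, and lists the session directions inbound inspection leaves unscanned, which is the list to check against Enable Outbound Inspection or other controls. The five security types are the SonicOS Enhanced zone types; one assumption is made and marked in the code: "non-Trusted" in the third rule is read as a Public or Untrusted source, since the fourth rule already covers Trusted, Wireless and Encrypted sources.

```python
"""Decision procedure for the Enable Inbound Inspection rules (added example)."""

SECURITY_TYPES = ("Trusted", "Public", "Wireless", "Encrypted", "Untrusted")
TRUSTED_LIKE = frozenset({"Trusted", "Wireless", "Encrypted"})


def inbound_inspected(protocol: str, src: str, dst: str) -> bool:
    """True if a `protocol` session initiated from a zone of type `src` toward a zone of type
    `dst` is scanned under Enable Inbound Inspection."""
    for zone in (src, dst):
        if zone not in SECURITY_TYPES:
            raise ValueError("unknown security type: %r" % zone)
    if protocol.upper() != "SMTP":
        if src in TRUSTED_LIKE:                          # rule 1: Trusted/Wireless/Encrypted -> any
            return True
        return src == "Public" and dst == "Untrusted"    # rule 2: Public -> Untrusted
    # Rule 3. ASSUMPTION: "non-Trusted" means Public or Untrusted; rule 4 covers the other sources.
    if src in ("Untrusted", "Public"):
        return dst in TRUSTED_LIKE or dst == "Public"
    return dst in TRUSTED_LIKE                           # rule 4: Trusted-like -> Trusted-like


def inspection_matrix(protocol: str) -> str:
    """Rows: initiating zone type; columns: destination zone type; 'scan' where inspected."""
    width = 11
    rows = ["from \\ to".ljust(width) + "".join(d.ljust(width) for d in SECURITY_TYPES)]
    for src in SECURITY_TYPES:
        cells = "".join(("scan" if inbound_inspected(protocol, src, dst) else "-").ljust(width)
                        for dst in SECURITY_TYPES)
        rows.append(src.ljust(width) + cells)
    return "\n".join(rows)


def unscanned_pairs(protocol: str):
    """Session directions inbound inspection does not cover for this protocol."""
    return [(s, d) for s in SECURITY_TYPES for d in SECURITY_TYPES
            if not inbound_inspected(protocol, s, d)]


if __name__ == "__main__":
    for proto in ("HTTP", "SMTP"):
        print(proto)
        print(inspection_matrix(proto))
        print("unscanned:", unscanned_pairs(proto), "\n")
```

Two rows of the output are worth a second look when planning a deployment: a non-SMTP session initiated from an Untrusted zone toward a Public zone (an Internet client reaching a DMZ server) is not covered by inbound inspection, and neither is SMTP initiated from a Trusted zone toward an Untrusted zone (mail leaving the LAN). The section on Enable Outbound Inspection below addresses the mail-server case.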
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive a desktop notification when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. The client software included on the Resource CD for your SonicWALL security appliance must be
installed on each client for it to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP address listed in the exclusion list bypasses virus scanning for its traffic. The Gateway AV
Exclusion List section lets you define ranges of IP addresses whose traffic is excluded from
SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection. Traffic to or from an excluded
address is not scanned on any protocol, so an excluded host becomes an unscanned path into the network;
keep the list as short as possible and remove entries when they are no longer needed.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities that compress and sometimes encrypt executables. Although
they have legitimate uses, they are also used for obfuscation, to make executables less detectable
by anti-virus applications. The packer prepends a small stub that unpacks the original executable in
memory and then transfers execution to it. SonicWALL Gateway Anti-Virus currently recognizes the
most common packed formats: UPX, FSG, PKLite32, Petite, and ASPack. Additional formats are added
dynamically along with SonicWALL GAV signature updates.
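The container checks behind the first two restrict-transfer options, as an added example that is not SonicWALL's code. It walks the ZIP local file headers in wire order, which is the order a streaming gateway sees them (the central directory only arrives at the end of the archive), raises a verdict as soon as a header carries the encryption flag that marks a password-protected entry, and applies a name-based heuristic for OOXML macro documents, which carry their VBA project as a zip member. The ZIP samples are constructed with Python's zipfile module; the "encrypted" sample only has its flag set, which is what a gateway keys on since it cannot decrypt the entry anyway. The OLE2 container used by Office 97-2003 files and the packed-executable check need their own parsers and are not covered here.

```python
"""Stream-order ZIP checks for password-protected archives and OOXML macro documents (added example)."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
FLAG_ENCRYPTED = 0x0001        # general purpose bit 0: entry is encrypted (password-protected)
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes follow the data, so the entry cannot be skipped by size


def iter_local_headers(data: bytes):
    """Yield (name, flags) for each local file header, in the order a gateway sees them on the wire."""
    off = 0
    while data.startswith(LOCAL_HEADER_SIG, off):
        (flags, _method, _mtime, _mdate, _crc, comp_size, _uncomp_size,
         name_len, extra_len) = struct.unpack_from("<HHHHIIIHH", data, off + 6)
        name = data[off + 30:off + 30 + name_len].decode("utf-8", "replace")
        yield name, flags
        if flags & FLAG_DATA_DESCRIPTOR:
            break  # streamed entry: comp_size is 0 here; a real engine must inflate to find the end
        off += 30 + name_len + extra_len + comp_size


def restrict_verdict(data: bytes):
    """Return the reason a transfer would be blocked, or None if neither check fires."""
    if not data.startswith(LOCAL_HEADER_SIG):
        return None  # not a ZIP container; the packed-executable check would apply elsewhere
    names = []
    for name, flags in iter_local_headers(data):
        if flags & FLAG_ENCRYPTED:
            return "password-protected zip"  # decided on the first header, before the body arrives
        names.append(name)
    # OOXML (Office 2007+) macro documents carry the VBA project as a zip member.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "office document with VBA macros"
    return None


def build_zip(members) -> bytes:
    """Constructed sample archive from (name, payload) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Constructed sample: set the encryption flag on the first entry, in both the local header
    (flags at offset 6) and the central directory record (flags at offset 8)."""
    out = bytearray(data)
    for sig, flag_off in ((LOCAL_HEADER_SIG, 6), (CENTRAL_DIR_SIG, 8)):
        pos = out.index(sig)
        (flags,) = struct.unpack_from("<H", out, pos + flag_off)
        struct.pack_into("<H", out, pos + flag_off, flags | FLAG_ENCRYPTED)
    return bytes(out)


PLAIN_ZIP = build_zip([("hello.txt", b"hello")])
ENCRYPTED_ZIP = mark_encrypted(PLAIN_ZIP)
MACRO_DOCM = build_zip([
    ("[Content_Types].xml", b"<Types/>"),
    ("word/document.xml", b"<w:document/>"),
    ("word/vbaProject.bin", b"\xd0\xcf\x11\xe0"),
])

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_ZIP), ("encrypted", ENCRYPTED_ZIP), ("docm", MACRO_DOCM)):
        print(label, restrict_verdict(blob))
```

The early return on the encryption flag is the point of walking local headers rather than using the central directory: a gateway can block a password-protected archive after a few dozen bytes of the transfer instead of buffering the whole file first.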
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field shows which entries of the table are on the current page; on the first page of a
signature table the entry might read Items 1 to 50 (of 58). Use the navigation buttons to move through the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - inspection of the data portion of a packet, not just its headers. It lets the
firewall look farther into the protocol, examine information at the application layer, and defend against
attacks that target application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates providing real-time protection from current and emerging
threats.
• False Positive - benign traffic that is wrongly identified as an attack pattern.
• Signature - a pattern written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - evaluation of each packet in the context of the connection it belongs to
(for example, whether a TCP segment is part of an established session) rather than in isolation.
Examining packet contents across the layers up to the application layer is deep packet inspection.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05

COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations
by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones
(SonicOS Enhanced 3.0) ............................................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide, located on the SonicWALL
Web site, for the complete instructions on configuring SonicWALL Intrusion Prevention Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention - Use
Bold - Highlights items you can select on the SonicWALL management interface.
Italic - Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address
field.”
Top Level Menu Button > Submenu Item - Indicates a multiple-step Management Interface menu choice. For
example, Security Services > Gateway Anti-Virus means select Security Services, then select
Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based resources
are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - +1800.35.1642
Austria - +43(0)820.400.105
EMEA - +31(0)411.617.810
France - +33(0)1.4933.7414
Germany - +49(0)1805.0800.22
Hong Kong - +1.800.93.0997
India - +8026556828
Italy - +39.02.7541.9803
Japan - +81(0)3.5460.5356
New Zealand - +0800.446489
Singapore - +800.110.1441
Spain - +34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting the remote desktop.
4. The virus is logged and an alert is sent to the administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received
by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection version 2.0)
engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
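The per-packet base64 decoding and reassembly-free scanning described above, as an added illustration that is not SonicWALL's code: a decoder that carries at most three undecoded symbols from one packet to the next, feeding a matcher that retains only the last (longest signature - 1) bytes, so a signature split across base64 quanta and packet boundaries is still found without buffering the message. The signature, mail body and packet split are constructed sample data.

```python
"""Added example, not SonicWALL code: a reassembly-free base64 decoder feeding a
streaming signature matcher. Signature, message and packet split are constructed."""
import base64

B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


class StreamingBase64Decoder:
    """Decodes base64 one packet at a time. Only the 0-3 symbols that do not yet
    form a complete 4-symbol quantum are carried to the next packet; the encoded
    message is never buffered as a whole."""

    def __init__(self):
        self._pending = ""

    def feed(self, chunk: bytes) -> bytes:
        # Mail bodies wrap base64 at 76 columns; CRLF and other non-alphabet
        # bytes are skipped so line breaks never disturb quantum alignment.
        symbols = "".join(c for c in chunk.decode("ascii", "ignore") if c in B64_ALPHABET)
        data = self._pending + symbols
        usable = len(data) - len(data) % 4
        self._pending = data[usable:]
        return base64.b64decode(data[:usable]) if usable else b""

    def flush(self) -> bytes:
        # End of stream: pad a truncated final quantum so its bytes are still scanned.
        tail, self._pending = self._pending, ""
        if len(tail) < 2:                    # a lone symbol encodes no complete byte
            return b""
        return base64.b64decode(tail + "=" * (-len(tail) % 4))


class StreamingSignatureMatcher:
    """Finds fixed byte signatures in a stream scanned chunk by chunk. Between
    chunks it retains only the last (longest signature - 1) bytes, which is
    exactly enough to catch a signature that straddles a chunk boundary."""

    def __init__(self, signatures: dict):
        self._sigs = signatures                       # name -> pattern bytes
        self._keep = max(len(p) for p in signatures.values()) - 1
        self._tail = b""
        self.bytes_seen = 0                           # decoded bytes scanned so far

    def scan(self, data: bytes) -> list:
        window = self._tail + data
        hits = []
        for name, pat in self._sigs.items():
            i = window.find(pat)
            while i >= 0:
                # Matches lying entirely inside the retained tail were reported by
                # the previous call; report only those that end in new data.
                if i + len(pat) > len(self._tail):
                    hits.append((name, self.bytes_seen - len(self._tail) + i))
                i = window.find(pat, i + 1)
        self.bytes_seen += len(data)
        self._tail = window[-self._keep:] if self._keep else b""
        return hits


# Constructed sample signature for this example; not a real malware pattern.
SIGNATURES = {"SAMPLE-MALWARE-SIGNATURE-0001": b"SAMPLE-MALWARE-SIGNATURE-0001"}


def make_sample_packets(payload: bytes, mtu: int = 37) -> list:
    """Constructed input: the payload as a line-wrapped base64 mail body, cut into
    odd-sized 'packets' so neither quanta nor the signature align with packets."""
    body = base64.encodebytes(payload)                # 76-column lines, '\n'-terminated
    return [body[i:i + mtu] for i in range(0, len(body), mtu)]


def scan_base64_packets(packets, signatures=SIGNATURES):
    """Per-packet pipeline: decode what each packet completes and scan it at once.
    Returns (hits as (signature name, decoded offset), decoded byte count)."""
    decoder = StreamingBase64Decoder()
    matcher = StreamingSignatureMatcher(signatures)
    hits = []
    for pkt in packets:
        hits += matcher.scan(decoder.feed(pkt))
    hits += matcher.scan(decoder.flush())
    return hits, matcher.bytes_seen


if __name__ == "__main__":
    sig = SIGNATURES["SAMPLE-MALWARE-SIGNATURE-0001"]
    infected = b"A" * 100 + sig + b"B" * 100          # signature at decoded offset 100
    print(scan_base64_packets(make_sample_packets(infected)))    # ([('SAMPLE-MALWARE-SIGNATURE-0001', 100)], 229)
    print(scan_base64_packets(make_sample_packets(b"A" * 300)))  # ([], 300)
```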
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream-concurrency limits are platform dependent, as follows:

Platform         GAV-Disabled     GAV-Enabled Connections    Concurrent Compressed   GAV Signatures
                 Connections      Cache Size (Concurrent     File Downloads
                 Cache Size       File Downloads)            with GAV
TZ 150 Series    2,048            2,048                      100                     4,500
TZ 170 Series    6,144            6,144                      100                     4,500
PRO 1260         6,144            6,144                      100                     4,500
PRO 2040         32,768           16,384                     300                     25,000
PRO 3060         131,072          65,536                     1,000                   25,000
PRO 4060         524,288          131,072                    1,500                   25,000
PRO 5060         750,000          393,216                    3,000                   25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message that contains the virus is removed from the head of the send queue via a
552 SMTP response, which prevents it from being resent, and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method is
not supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option Enable FTP 'REST' requests with Gateway AV.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible from any Internet connection with a Web
browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV through your mySonicWALL.com account, SonicWALL GAV activation is
automatically enabled on your SonicWALL security appliance within 24 hours, or you can click the
Synchronize button on the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mySonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Page 18 SonicWALL Gateway Anti-Virus Administrator’s Guide
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV to Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
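The four Enable Inbound Inspection rules above, encoded as a decision function and rendered as a source-by-destination zone-type grid. This is an added example, not SonicWALL code; the zone security types (Trusted, Public, Wireless, Encrypted, Untrusted) are those of the SonicOS zone model, and the grid it prints is derived from the bullets rather than being the guide's own table.

```python
"""Model of the SonicWALL GAV "Enable Inbound Inspection" zone rules.

Added example, not SonicWALL code: it encodes the four bullet rules as a
decision function and renders them as a zone-type-to-zone-type grid.
"""
from __future__ import annotations

from itertools import product

ZONE_TYPES = ("Trusted", "Public", "Wireless", "Encrypted", "Untrusted")
# The group the guide repeatedly names as "Trusted, Wireless, or Encrypted".
INTERNAL = {"Trusted", "Wireless", "Encrypted"}


def inbound_inspected(src: str, dst: str, smtp: bool) -> bool:
    """Return True when Enable Inbound Inspection covers a flow from a zone
    of security type ``src`` to a zone of security type ``dst``.

    ``smtp`` is True for SMTP sessions, False for every other protocol
    (HTTP, FTP, POP3, IMAP, Generic TCP Stream).
    """
    if src not in ZONE_TYPES or dst not in ZONE_TYPES:
        raise ValueError(f"unknown zone type: {src!r} -> {dst!r}")
    if not smtp:
        # Rule 1: non-SMTP from Trusted/Wireless/Encrypted to any zone.
        if src in INTERNAL:
            return True
        # Rule 2: non-SMTP from a Public zone to an Untrusted zone.
        return src == "Public" and dst == "Untrusted"
    # Rule 3: SMTP from a non-Trusted zone to Trusted/Wireless/Encrypted/Public.
    if src != "Trusted" and dst in INTERNAL | {"Public"}:
        return True
    # Rule 4: SMTP between Trusted/Wireless/Encrypted zones.
    return src in INTERNAL and dst in INTERNAL


def render_table(smtp: bool) -> str:
    """Render the rules as rows (source zone type) by columns (destination
    zone type); 'X' marks a flow that inbound inspection covers."""
    width = max(len(z) for z in ZONE_TYPES) + 2
    header = "from \\ to".ljust(width) + "".join(z.ljust(width) for z in ZONE_TYPES)
    rows = [header]
    for src in ZONE_TYPES:
        cells = ("X" if inbound_inspected(src, dst, smtp) else "-" for dst in ZONE_TYPES)
        rows.append(src.ljust(width) + "".join(c.ljust(width) for c in cells))
    return "\n".join(rows)


def uninspected_pairs(smtp: bool) -> list[tuple[str, str]]:
    """List the (src, dst) zone-type pairs that inbound inspection leaves
    alone; for SMTP this shows which mail flows fall outside it."""
    return [(s, d) for s, d in product(ZONE_TYPES, repeat=2)
            if not inbound_inspected(s, d, smtp)]


if __name__ == "__main__":
    for is_smtp in (False, True):
        print(f"\n{'SMTP' if is_smtp else 'Non-SMTP'} traffic, Enable Inbound Inspection:")
        print(render_table(is_smtp))
        print("not covered:", uninspected_pairs(is_smtp))
```

Running the block prints one grid for non-SMTP traffic and one for SMTP; for example, SMTP from a Trusted LAN to a Public DMZ mail server is not covered by inbound inspection.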
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when a HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
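How the password-protected ZIP restriction above can be decided without decompressing anything, as an added example that is not SonicWALL code: bit 0 of the general-purpose flag word in each ZIP local file header marks an encrypted entry, and the check is gated on the protocol being one enabled for inspection, as the text notes. The sample archive and the default protocol list are constructed for the example.

```python
"""Detect password-protected ZIP files from their local file headers.

Added example, not SonicWALL code. Only the ZIP format is used: bit 0 of
the general-purpose flag word in each local file header (PK\x03\x04)
marks an encrypted entry, so no payload has to be decompressed.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<HHHHHIIIHH"   # fields that follow the 4-byte signature
LOCAL_HEADER_LEN = 30
ENCRYPTED_FLAG = 0x0001
DATA_DESCRIPTOR_FLAG = 0x0008
# Protocols the guide says GAV inspects by default (constructed default).
DEFAULT_INSPECTED = ("HTTP", "FTP", "IMAP", "SMTP", "POP3")


def encrypted_entries(data: bytes) -> list:
    """Return the names of entries whose local header carries the encrypted flag."""
    names = []
    pos = data.find(LOCAL_HEADER_SIG)
    while pos >= 0 and pos + LOCAL_HEADER_LEN <= len(data):
        (_ver, flags, _method, _time, _date, _crc, csize, _usize,
         namelen, extralen) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos + 4)
        name_start = pos + LOCAL_HEADER_LEN
        name = data[name_start:name_start + namelen].decode("utf-8", "replace")
        if flags & ENCRYPTED_FLAG:
            names.append(name)
        skip = LOCAL_HEADER_LEN + namelen + extralen
        if not flags & DATA_DESCRIPTOR_FLAG:
            skip += csize   # size is in the header: jump straight over the payload
        # With a data descriptor the size is not known here, so resume searching
        # for the next signature after the header instead.
        pos = data.find(LOCAL_HEADER_SIG, pos + skip)
    return names


def restrict_transfer(data: bytes, protocol: str,
                      inspected=DEFAULT_INSPECTED) -> str:
    """Return "block" for a password-protected ZIP carried on an inspected
    protocol, otherwise "allow" (the option only acts on inspected protocols)."""
    if protocol.upper() not in inspected:
        return "allow"
    if not data.startswith(LOCAL_HEADER_SIG):
        return "allow"   # not a ZIP archive
    return "block" if encrypted_entries(data) else "allow"


def make_sample_zip(protect_second: bool) -> bytes:
    """Constructed sample: a two-entry stored archive. zipfile cannot write
    encrypted ZIPs, so for the protected case the flag bit of the second
    entry's local header is set by hand; the check never decrypts payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "plain text entry")
        zf.writestr("report.xls", "pretend this is ciphertext")
    data = bytearray(buf.getvalue())
    if protect_second:
        second = data.find(LOCAL_HEADER_SIG, 4)
        data[second + 6] |= ENCRYPTED_FLAG   # flag word sits at header offset 6
    return bytes(data)


if __name__ == "__main__":
    for protected in (False, True):
        sample = make_sample_zip(protected)
        print(protected, encrypted_entries(sample), restrict_transfer(sample, "HTTP"))
```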
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL,Inc.
1143 Borregas Avenue
Sunnyvale,CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Page 2 SonicWALL Gateway Anti-Virus Administrator’s Guide
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site:
.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Convention                              Use
Bold                                    Highlights items you can select on the SonicWALL management interface.
Italic                                  Highlights a value to enter into a field. For example, “type 192.168.168.168
                                        in the IP Address field.”
Top Level Menu Button > Submenu Item    Indicates a multiple-step Management Interface menu choice. For example,
                                        Security Services > Gateway Anti-Virus means select Security Services, then
                                        select Gateway Anti-Virus.
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. Virus is logged and an alert is sent to the administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by
the e-mail server.
3. If a virus is found, the threat is prevented.
4. E-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection version 2.0)
engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
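To make the per-packet, reassembly-free model described above concrete, here is an added example (not SonicWALL code; the GAV engine's internals are not on this page) of a scanning pipeline in Python that decodes base64, inflates gzip and matches signatures one chunk at a time, carrying only a few bytes of state between chunks. The signature pattern, the 1400-byte packet size and the sample attachment are constructed for the example.

```python
"""Per-chunk (reassembly-free) scanning pipeline.

Added example, not SonicWALL code. It models the property described in the
text: base64 decoding, gzip/deflate inflation and signature matching all run
chunk by chunk with only a few bytes of carry-over state, so no file is ever
buffered and file size is unbounded.
"""
import base64
import gzip
import hashlib
import zlib

# Constructed signature set for the example (pattern -> name); not real signatures.
SIGNATURES = {b"SAMPLE-MALWARE-PATTERN-0001": "Sample.Pattern.0001"}


class StreamingBase64Decoder:
    """Decodes base64 as it arrives; a partial 4-character group waits for the next chunk."""

    def __init__(self):
        self._pending = b""

    def feed(self, chunk):
        data = self._pending + b"".join(chunk.split())  # drop MIME line breaks
        usable = len(data) - len(data) % 4
        data, self._pending = data[:usable], data[usable:]
        return base64.b64decode(data) if data else b""


class StreamingInflater:
    """Inflates gzip or raw deflate incrementally using zlib's streaming object."""

    def __init__(self, fmt):
        wbits = {"gzip": zlib.MAX_WBITS | 16, "deflate": -zlib.MAX_WBITS}[fmt]
        self._z = zlib.decompressobj(wbits)

    def feed(self, chunk):
        return self._z.decompress(chunk)


class StreamMatcher:
    """Matches fixed byte signatures across chunk boundaries.

    Keeps the last (longest signature - 1) bytes of the previous chunk so a
    pattern split over two packets is still found, and reports each hit once.
    """

    def __init__(self, signatures):
        self._sigs = signatures
        self._carry = max(len(p) for p in signatures) - 1
        self._tail = b""

    def feed(self, chunk):
        window = self._tail + chunk
        already_seen = len(self._tail)  # matches ending inside the old tail were reported earlier
        hits = []
        for pattern, name in self._sigs.items():
            i = window.find(pattern)
            while i != -1 and i + len(pattern) <= already_seen:
                i = window.find(pattern, i + 1)
            if i != -1:
                hits.append(name)
        self._tail = window[-self._carry:] if self._carry else b""
        return hits


def scan_packets(packets, base64_encoded=False, compression=None):
    """Runs each packet through decode -> inflate -> match and stops at the first hit."""
    b64 = StreamingBase64Decoder() if base64_encoded else None
    inflater = StreamingInflater(compression) if compression else None
    matcher = StreamMatcher(SIGNATURES)
    for index, packet in enumerate(packets):
        data = packet
        if b64:
            data = b64.feed(data)
        if inflater:
            data = inflater.feed(data)
        hits = matcher.feed(data)
        if hits:
            return {"verdict": "block", "packet": index, "signatures": hits}
    return {"verdict": "allow", "packet": None, "signatures": []}


def packetize(data, size=1400):
    """Splits a byte string into fixed-size 'packets' (a constructed stand-in for TCP segments)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def build_sample(infected):
    """Constructed 20 KiB incompressible body, optionally carrying the pattern, gzipped
    and base64-encoded the way a MIME attachment travels over SMTP/POP3/IMAP."""
    body = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(640))
    if infected:
        body = body[:10000] + b"SAMPLE-MALWARE-PATTERN-0001" + body[10000:]
    return base64.encodebytes(gzip.compress(body))


def demo():
    """Scans an infected and a clean constructed attachment; returns both verdicts."""
    infected = scan_packets(packetize(build_sample(True)), base64_encoded=True, compression="gzip")
    clean = scan_packets(packetize(build_sample(False)), base64_encoded=True, compression="gzip")
    return infected, clean


if __name__ == "__main__":
    print(demo())
```

The point to notice is that `StreamMatcher` only ever holds 26 bytes of the previous packet and the decoders hold at most three characters or zlib's own window, regardless of how large the attachment is; that is what makes the "no file-size limit" property possible, and it is also why sectional retrieval (discussed under Protocol Handling) has to be suppressed, since the matcher assumes it sees the stream in order.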
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as
shown in the following table:

Platform        GAV-Disabled    GAV-Enabled Connections   Concurrent Compressed   GAV Signatures
                Connections     Cache Size (Concurrent    File Downloads
                Cache Size      File Downloads)           with GAV
TZ 150 Series   2,048           2,048                     100                     4,500
TZ 170 Series   6,144           6,144                     100                     4,500
PRO 1260        6,144           6,144                     100                     4,500
PRO 2040        32,768          16,384                    300                     25,000
PRO 3060        131,072         65,536                    1,000                   25,000
PRO 4060        524,288         131,072                   1,500                   25,000
PRO 5060        750,000         393,216                   3,000                   25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the head of the send
queue by returning a 552 SMTP response, which prevents it from being resent, and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is not
supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
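The HTTP and FTP entries above both suppress sectional retrieval (HTTP Byte-Range requests and the FTP 'REST' command), and the FTP entry says the stateful code follows data-port negotiation. The following is an added example, not SonicWALL code, that applies those two policies to raw request text in Python and extracts the negotiated data endpoint from PORT commands and 227 replies so that inspection can attach to it. The 502 reply text and the sample requests are constructed placeholders, not the appliance's actual responses.

```python
"""Blocking piecewise retrieval and following FTP data-port negotiation.

Added example, not SonicWALL code. A client that fetches a file in sections
can reassemble it locally while each section on its own looks harmless to a
stream scanner, which is why Byte-Range and REST are suppressed. The 502
reply text is a constructed placeholder.
"""
import re

RANGE_HEADER = re.compile(rb"^Range:[^\r\n]*\r\n", re.IGNORECASE | re.MULTILINE)
FTP_REST = re.compile(rb"^REST(?:\s|$)", re.IGNORECASE)
PORT_CMD = re.compile(rb"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)
PASV_REPLY = re.compile(rb"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def normalize_http_request(raw):
    """Removes any Range header from a complete HTTP request head.

    Returns (request, removed_count). Without the header the server sends the
    whole object, so the scanner sees one complete stream instead of
    client-chosen fragments.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # end of headers not seen yet: leave untouched
        return raw, 0
    new_head, removed = RANGE_HEADER.subn(b"", head + b"\r\n")
    return new_head + b"\r\n" + body, removed


def filter_ftp_command(line, allow_rest=False):
    """Returns (line_to_forward, reply_to_client).

    A REST is refused unless allow_rest is set, mirroring the /diag.html
    override named in the text; every other command passes through.
    """
    if FTP_REST.match(line.strip()) and not allow_rest:
        return None, b"502 REST not permitted while gateway anti-virus scanning is active\r\n"
    return line, None


def _endpoint(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line):
    """Active mode: the client's PORT command names where the server will connect."""
    m = PORT_CMD.match(line.strip())
    return _endpoint(m.groups()) if m else None


def parse_pasv_reply(line):
    """Passive mode: the server's 227 reply names where the client will connect."""
    m = PASV_REPLY.match(line.strip())
    return _endpoint(m.groups()) if m else None


def data_channels(control_transcript):
    """Walks a control-channel transcript of (direction, line) pairs, 'C' for client
    and 'S' for server, and returns every negotiated data endpoint in order; these
    are the connections a scanner must follow regardless of port number."""
    endpoints = []
    for direction, line in control_transcript:
        parsed = parse_port_command(line) if direction == "C" else parse_pasv_reply(line)
        if parsed:
            endpoints.append(parsed)
    return endpoints


if __name__ == "__main__":
    # Constructed sample session for the example.
    print(normalize_http_request(b"GET /a.zip HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-1023\r\n\r\n"))
    print(filter_ftp_command(b"REST 1024\r\n"))
    print(data_channels([("C", b"PORT 192,168,1,10,4,1\r\n"),
                         ("S", b"227 Entering Passive Mode (10,0,0,5,195,80).\r\n")]))
```

The download-accelerator caveat in the note above is visible here: `normalize_http_request` strips every Range header, so a client that opens several ranged connections for one file simply receives the whole object on each.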
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus checkbox in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV to zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
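The four rules above can be read as a decision table keyed on source zone, destination zone and whether the protocol is SMTP. The following added example (not SonicWALL code) implements them literally so the full zone-to-zone matrix can be printed and audited; the `Zone` enumeration and the reading of "non-Trusted Zone" as any zone whose security type is not Trusted are assumptions made for the example.

```python
from enum import Enum


class Zone(Enum):
    """Zone security types named in the guide's inbound-inspection rules."""
    TRUSTED = "Trusted"
    WIRELESS = "Wireless"
    ENCRYPTED = "Encrypted"
    PUBLIC = "Public"
    UNTRUSTED = "Untrusted"


# The guide groups Trusted, Wireless and Encrypted together in three of the four rules.
TRUSTED_LIKE = frozenset({Zone.TRUSTED, Zone.WIRELESS, Zone.ENCRYPTED})


def inbound_inspection_applies(src: Zone, dst: Zone, protocol: str) -> bool:
    """True when a flow from src to dst carrying `protocol` is covered by
    Enable Inbound Inspection, following the four bullets literally.
    Assumption: "non-Trusted Zone" in rule 3 means any zone whose security
    type is not Trusted."""
    if protocol.upper() != "SMTP":
        # Rule 1: non-SMTP from Trusted/Wireless/Encrypted to any zone.
        if src in TRUSTED_LIKE:
            return True
        # Rule 2: non-SMTP from Public to Untrusted.
        return src is Zone.PUBLIC and dst is Zone.UNTRUSTED
    # Rule 3: SMTP from a non-Trusted zone to Trusted/Wireless/Encrypted/Public.
    if src is not Zone.TRUSTED and (dst in TRUSTED_LIKE or dst is Zone.PUBLIC):
        return True
    # Rule 4: SMTP from Trusted/Wireless/Encrypted to Trusted/Wireless/Encrypted.
    return src in TRUSTED_LIKE and dst in TRUSTED_LIKE


def inspection_matrix(protocol: str) -> dict:
    """Full source-zone x destination-zone decision table for one protocol."""
    return {(s.value, d.value): inbound_inspection_applies(s, d, protocol)
            for s in Zone for d in Zone}


def render_matrix(protocol: str) -> str:
    """Plain-text table (rows: source zone, columns: destination zone) for audit output."""
    zones = [z.value for z in Zone]
    width = max(len(z) for z in zones) + 2
    table = inspection_matrix(protocol)
    lines = [f"{protocol} inbound inspection (source -> destination)",
             "".ljust(width) + "".join(z.ljust(width) for z in zones)]
    for s in zones:
        cells = "".join(("yes" if table[(s, d)] else "-").ljust(width) for d in zones)
        lines.append(s.ljust(width) + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix("HTTP"))
    print()
    print(render_matrix("SMTP"))
```

Printing both matrices makes the asymmetry visible: for non-SMTP protocols "inbound" means the server's reply to a connection a protected zone opened, so an HTTP flow from Untrusted to Trusted is not covered, while for SMTP the mail arriving from an Untrusted zone is exactly what is inspected.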
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
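The first two restrictions rest on file-format properties that are cheap to check at a gateway: a password-protected ZIP entry is marked by the encryption bit in its local file header, and a macro-carrying Office document is one that contains a VBA project. The added example below (not SonicWALL code) shows both checks on constructed input. It covers the modern OOXML container (.docm/.xlsm/.pptm), which stores macros as a `vbaProject.bin` member; that goes beyond the Office 97 binary format the guide names, and the `restricted_transfer_reason` classifier and its reason strings are assumptions for the example.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001           # general-purpose bit 0: entry is encrypted
VBA_MEMBER_SUFFIX = "vbaProject.bin"  # OOXML keeps VBA macros in word/, xl/ or ppt/vbaProject.bin


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk the local file headers in raw ZIP bytes and report whether any entry
    carries the encryption flag. Reading local headers (rather than trusting the
    central directory at the end of the file) means the answer is available as
    soon as the first entry's 30-byte header has arrived."""
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos != -1 and pos + 30 <= len(data):
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & ZIP_FLAG_ENCRYPTED:
            return True
        # A plain signature search can also hit the same bytes inside compressed
        # payload; a production parser would advance by the header's recorded sizes.
        pos = data.find(ZIP_LOCAL_HEADER, pos + 4)
    return False


def office_file_has_macros(data: bytes) -> bool:
    """OOXML documents are ZIP containers; a vbaProject.bin member is what makes
    them macro-carrying."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith(VBA_MEMBER_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def restricted_transfer_reason(data: bytes):
    """Return the restriction that applies to this file, or None if it may pass."""
    if zip_has_encrypted_entry(data):
        return "password-protected ZIP"
    if office_file_has_macros(data):
        return "MS-Office file with VBA macros"
    return None


def build_sample_zip(members: dict, encrypted: bool = False) -> bytes:
    """Constructed test input. zipfile cannot write encrypted archives, so the
    encryption flag is set by hand in the first local file header (offset 6)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        assert data[:4] == ZIP_LOCAL_HEADER
        data[6] |= ZIP_FLAG_ENCRYPTED
    return bytes(data)


if __name__ == "__main__":
    samples = {
        "plain.zip": build_sample_zip({"readme.txt": b"nothing to see"}),
        "locked.zip": build_sample_zip({"readme.txt": b"nothing to see"}, encrypted=True),
        "report.docm": build_sample_zip({"[Content_Types].xml": b"<Types/>",
                                         "word/document.xml": b"<w:document/>",
                                         "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    }
    for name, blob in samples.items():
        print(f"{name}: {restricted_transfer_reason(blob) or 'allowed'}")
```

The point of checking the local header flag rather than attempting to open the archive is the one the guide's engine relies on: the decision can be made from the first few dozen bytes of the transfer, without waiting for the whole file.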
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the range of signatures shown on the current page and the total number of
signatures. If you are displaying the first page of a signature table, the entry might be Items 1 to 50 (of 58).
Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site:
.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention - Use
Bold - Highlights items you can select on the SonicWALL management interface.
Italic - Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item - Indicates a multiple step Management Interface menu choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If virus found, file discarded.
5. Virus is logged and alert sent to administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection
version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
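The per-packet base64 decoding and reassembly-free scanning described above, as an added example that is not SonicWALL's code: a streaming decoder that carries at most three pending base64 characters between packets, feeding a matcher that keeps only len(signature)-1 trailing bytes, so a signature split across a packet boundary is still found with constant memory. The signature string and the packetized MIME body are constructed for the demonstration.

```python
import base64

# Constructed sample signature used only for this demonstration; it is not a
# real GAV signature and the toy matcher is not SonicWALL's engine.
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

# Base64 alphabet plus padding, as integer byte values.
_B64_CHARS = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                       b"abcdefghijklmnopqrstuvwxyz0123456789+/=")


class StreamingBase64Decoder:
    """Decode a base64 body that arrives in arbitrary packet-sized pieces.

    Only the 0-3 characters that do not yet form a complete 4-character
    group are carried to the next packet, so memory use stays constant
    regardless of attachment size.
    """

    def __init__(self):
        self._pending = b""

    def feed(self, chunk: bytes) -> bytes:
        # MIME inserts CRLF every 76 characters; drop anything non-base64.
        clean = bytes(c for c in chunk if c in _B64_CHARS)
        data = self._pending + clean
        usable = len(data) - len(data) % 4
        self._pending = data[usable:]
        return base64.b64decode(data[:usable]) if usable else b""


class StreamingMatcher:
    """Search decoded bytes for one signature across packet boundaries.

    Keeps only len(signature) - 1 trailing bytes between packets, which is
    exactly enough to catch a signature cut in two by a packet boundary.
    """

    def __init__(self, signature: bytes):
        self._sig = signature
        self._carry = b""
        self.matched = False

    def feed(self, data: bytes) -> bool:
        window = self._carry + data
        if self._sig in window:
            self.matched = True
        keep = len(self._sig) - 1
        self._carry = window[-keep:] if keep > 0 else b""
        return self.matched


def scan_base64_stream(packets) -> bool:
    """Return True as soon as SIGNATURE is seen; a gateway would drop/reset here."""
    decoder = StreamingBase64Decoder()
    matcher = StreamingMatcher(SIGNATURE)
    for pkt in packets:
        if matcher.feed(decoder.feed(pkt)):
            return True
    return False


def make_packets(payload: bytes, packet_size: int) -> list:
    """Constructed MIME-style body: base64 with 76-char lines, cut into packets."""
    encoded = base64.encodebytes(payload)
    return [encoded[i:i + packet_size] for i in range(0, len(encoded), packet_size)]


if __name__ == "__main__":
    attachment = b"A" * 5000 + SIGNATURE + b"B" * 5000
    print("infected:", scan_base64_stream(make_packets(attachment, 7)))
    print("clean:", scan_base64_stream(make_packets(b"A" * 10000, 7)))
```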
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as follows:

Platform         GAV-Disabled         GAV-Enabled             Concurrent Compressed   GAV Signatures
                 Connections          Connections             File Downloads
                 Cache Size           Cache Size (Concurrent  with GAV
                                      File Downloads)
TZ 150 Series    2,048                2,048                   100                     4,500
TZ 170 Series    6,144                6,144                   100                     4,500
PRO 1260         6,144                6,144                   100                     4,500
PRO 2040         32,768               16,384                  300                     25,000
PRO 3060         131,072              65,536                  1,000                   25,000
PRO 4060         524,288              131,072                 1,500                   25,000
PRO 5060         750,000              393,216                 3,000                   25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which
removes it from the head of the sender's queue and prevents it from being resent, and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method is
not supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
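The Byte-Range and 'REST' suppressions described above, as an added example that is not SonicWALL's code: two request filters a scanning proxy could apply so that a client cannot fetch a file in sections and reassemble it outside the scanner. The FTP reply text and the sample request are this example's own constructions, not the appliance's actual behaviour.

```python
# Header names (lower-cased) whose removal forces a full-object HTTP download.
RANGE_HEADERS = {b"range", b"if-range"}


def strip_byte_range(request: bytes) -> bytes:
    """Return the HTTP request with any Range / If-Range headers removed.

    Header names are matched case-insensitively; the request line, the
    remaining headers and the body are passed through unchanged.
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]]  # the request line
    for line in lines[1:]:
        name = line.partition(b":")[0].strip().lower()
        if name in RANGE_HEADERS:
            continue
        kept.append(line)
    return b"\r\n".join(kept) + sep + body


def filter_ftp_command(line: bytes):
    """Return (forward_to_server, reply_to_client) for one FTP control line.

    REST is answered locally and never reaches the server, so a transfer
    cannot be resumed mid-file and slip a partial object past the scanner.
    The 502 text is this example's choice, not the appliance's reply.
    """
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb == b"REST":
        return False, b"502 REST not permitted while content scanning is active\r\n"
    return True, None


if __name__ == "__main__":
    # Constructed download request using a byte range.
    req = (b"GET /setup.exe HTTP/1.1\r\nHost: downloads.example\r\n"
           b"Range: bytes=0-1023\r\nUser-Agent: accel/1.0\r\n\r\n")
    print(strip_byte_range(req).decode())
    print(filter_ftp_command(b"REST 4096\r\n"))
```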
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL GAV to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL security appliance within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left-navigation
menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left-navigation
menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interfaces on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, SonicWALL GAV inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored to the previously configured state after renewing your SonicWALL
GAV license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface box and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking on the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
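The four Enable Inbound Inspection rules listed above, as an added example that is not SonicWALL's code: a function that answers whether a flow between two zone security types is covered, plus a matrix over all pairs that an administrator can print to check a design. It assumes "non-Trusted" means any security type other than Trusted, and it does not model the separate Enable Outbound Inspection option.

```python
TRUSTED, WIRELESS, ENCRYPTED, PUBLIC, UNTRUSTED = (
    "Trusted", "Wireless", "Encrypted", "Public", "Untrusted")
ZONE_TYPES = (TRUSTED, WIRELESS, ENCRYPTED, PUBLIC, UNTRUSTED)
# Security types that the first and fourth rules treat alike.
INTERNAL = frozenset({TRUSTED, WIRELESS, ENCRYPTED})


def inbound_inspected(src: str, dst: str, smtp: bool) -> bool:
    """Return True if Enable Inbound Inspection covers a flow from src to dst.

    src and dst are zone security types, not zone names (in SonicOS
    Enhanced's default zones LAN is Trusted, WAN is Untrusted, DMZ is Public,
    WLAN is Wireless and VPN is Encrypted).  'smtp' selects the SMTP rules;
    every other inspected protocol falls under the non-SMTP rules.  Note
    that for client protocols the flow direction is that of the connection,
    so a LAN host downloading from the Internet is Trusted -> Untrusted.
    """
    for zone in (src, dst):
        if zone not in ZONE_TYPES:
            raise ValueError(f"unknown zone security type: {zone!r}")
    if not smtp:
        # Rule 1: non-SMTP from Trusted/Wireless/Encrypted to any zone.
        # Rule 2: non-SMTP from Public to Untrusted.
        return src in INTERNAL or (src == PUBLIC and dst == UNTRUSTED)
    # Rule 3: SMTP from a non-Trusted zone to Trusted/Wireless/Encrypted/Public
    # (assumption: "non-Trusted" = any security type other than Trusted).
    if src != TRUSTED and (dst in INTERNAL or dst == PUBLIC):
        return True
    # Rule 4: SMTP between Trusted/Wireless/Encrypted zones.
    return src in INTERNAL and dst in INTERNAL


def inspection_matrix(smtp: bool) -> dict:
    """Map every (src, dst) security-type pair to its inbound-inspection result."""
    return {(s, d): inbound_inspected(s, d, smtp)
            for s in ZONE_TYPES for d in ZONE_TYPES}


def print_matrix(smtp: bool) -> None:
    """Render the matrix as a text grid: rows are source, columns destination."""
    matrix = inspection_matrix(smtp)
    width = max(len(z) for z in ZONE_TYPES) + 2
    header = ("SMTP" if smtp else "non-SMTP").ljust(width)
    print(header + "".join(d.ljust(width) for d in ZONE_TYPES))
    for s in ZONE_TYPES:
        cells = ("yes" if matrix[(s, d)] else "-" for d in ZONE_TYPES)
        print(s.ljust(width) + "".join(c.ljust(width) for c in cells))


if __name__ == "__main__":
    print_matrix(smtp=False)
    print()
    print_matrix(smtp=True)
```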
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when a HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
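Two of the restrict-transfer attributes above, as an added example that is not SonicWALL's code: an offline check over a ZIP archive's local file headers that flags a password-protected entry (general-purpose flag bit 0) and an Office document carrying a VBA project (a vbaProject.bin entry in an OOXML archive). The appliance applies such checks per packet on the stream; this version reads a byte string, and the sample archives are constructed in the block.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Fixed 30-byte part of a ZIP local file header (little-endian fields).
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)   # 30
FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes follow the data, not the header


def iter_local_headers(data: bytes):
    """Yield (offset, name, flags, method, compressed_size) per local header."""
    pos = 0
    while data.startswith(LOCAL_SIG, pos):
        (_sig, _ver, flags, method, _time, _date, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from(LOCAL_FMT, data, pos)
        name_start = pos + LOCAL_LEN
        name = data[name_start:name_start + name_len].decode("utf-8", "replace")
        yield pos, name, flags, method, csize
        if flags & FLAG_DATA_DESCRIPTOR:
            # csize is 0 here and the real size is only known after the data;
            # stop rather than guess, as a streaming scanner would have to.
            break
        pos += LOCAL_LEN + name_len + extra_len + csize


def restricted_zip_reasons(data: bytes) -> list:
    """Return which restrict-transfer attributes this archive exhibits."""
    reasons = []
    for _pos, name, flags, _method, _csize in iter_local_headers(data):
        if flags & FLAG_ENCRYPTED and "password-protected entry" not in reasons:
            reasons.append("password-protected entry")
        if name.lower().endswith("vbaproject.bin") and "VBA macro project" not in reasons:
            reasons.append("VBA macro project")
    return reasons


def build_zip(entries: dict, encrypted_names=()) -> bytes:
    """Constructed test archive.

    'Encryption' here only sets the flag bit the check looks for; the data
    is left in the clear, which is enough to exercise the header parser.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    for pos, name, flags, _method, _csize in list(iter_local_headers(bytes(data))):
        if name in encrypted_names:
            # Flags live at byte offset 6 of the local header.
            struct.pack_into("<H", data, pos + 6, flags | FLAG_ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    sample = build_zip({"report.txt": b"quarterly numbers"},
                       encrypted_names=("report.txt",))
    print(restricted_zip_reasons(sample))
```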
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
Page 28 SonicWALL Gateway Anti-Virus Administrator’s Guide
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Page 1
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance ......................... 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Page 2
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Page 1
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within cannot be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
Page 2
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
Page 3
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site: .
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention                            Use
Bold                                  Highlights items you can select on the SonicWALL management interface.
Italic                                Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item  Indicates a multiple step Management Interface menu choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.
Page 4
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at . Web-based
resources are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - +1800.35.1642
Austria - +43(0)820.400.105
EMEA - +31(0)411.617.810
France - +33(0)1.4933.7414
Germany - +49(0)1805.0800.22
Hong Kong - +1.800.93.0997
India - +8026556828
Italy - +39.02.7541.9803
Japan - +81(0)3.5460.5356
New Zealand - +0800.446489
Singapore - +800.110.1441
Spain - +34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
Page 5
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
Page 6
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
Page 7
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Page 8
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes the files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before they can infect the remote desktop.
4. The virus is logged and an alert is sent to the administrator.
Page 9
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client makes a request to download a file from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Page 10
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
Page 11
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 engine (Deep Packet Inspection
version 2.0), which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. The reassembly-free virus scanning of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which can scan streams without
ever buffering any of the bytes within the stream.
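The per-packet decoding and matching described above (and in the overview earlier) can be illustrated with a small streaming decoder and matcher. The following Python is an added example written for this text; it is not SonicWALL's engine or any code from the guide. It decodes base64 one packet at a time, carrying at most three leftover characters between packets, and matches a signature that may straddle a packet boundary while retaining only (signature length - 1) bytes, so memory use does not grow with the file. The class and function names, the `CONSTRUCTED-TEST-SIGNATURE-0001` pattern, the fake attachment and the packet sizes are all constructed for the example.

```python
import base64
import string

# The base64 alphabet plus '=' padding.  Anything else (the CR/LF of MIME line
# wrapping, stray whitespace) is skipped rather than decoded.
B64_ALPHABET = (string.ascii_letters + string.digits + "+/=").encode()


class StreamingBase64Decoder:
    """Decode base64 one packet at a time without buffering the stream.

    Base64 turns 4 characters into 3 bytes, so a packet boundary may fall
    inside a 4-character group.  Only the 0-3 leftover characters are kept
    for the next packet.
    """

    def __init__(self) -> None:
        self._pending = b""

    def feed(self, chunk: bytes) -> bytes:
        data = self._pending + bytes(c for c in chunk if c in B64_ALPHABET)
        usable = len(data) - len(data) % 4            # whole groups only
        self._pending = data[usable:]
        return base64.b64decode(data[:usable]) if usable else b""

    def finish(self) -> bytes:
        """Flush an unpadded trailing group (for example a truncated stream)."""
        tail, self._pending = self._pending, b""
        if len(tail) < 2:                              # encodes no full byte
            return b""
        return base64.b64decode(tail + b"=" * (-len(tail) % 4))


class StreamingMatcher:
    """Find byte signatures that may straddle packet boundaries.

    Between calls only (longest signature - 1) bytes are retained: enough to
    see a signature split across two packets, independent of file size.
    """

    def __init__(self, signatures) -> None:
        self.signatures = list(signatures)
        self._keep = max(len(s) for s in self.signatures) - 1
        self._tail = b""
        self._offset = 0                               # stream offset of _tail[0]

    def feed(self, data: bytes):
        """Return [(signature, stream offset)] for matches ending in `data`."""
        window = self._tail + data
        hits = []
        for sig in self.signatures:
            i = window.find(sig)
            while i != -1:
                # A match lying wholly inside the retained tail was reported
                # on the previous call; report only matches reaching new bytes.
                if i + len(sig) > len(self._tail):
                    hits.append((sig, self._offset + i))
                i = window.find(sig, i + 1)
        if len(window) > self._keep:
            self._offset += len(window) - self._keep
            self._tail = window[-self._keep:] if self._keep else b""
        else:
            self._tail = window
        return hits


def scan_base64_packets(packets, signatures):
    """Decode-then-match each packet; return (hits, all decoded bytes).

    The decoded bytes are collected only so the example can show that the
    per-packet decode equals a one-shot decode; the matcher never needs them.
    """
    decoder, matcher = StreamingBase64Decoder(), StreamingMatcher(signatures)
    hits, decoded = [], bytearray()
    for packet in packets:
        plain = decoder.feed(packet)
        decoded += plain
        hits += matcher.feed(plain)
    plain = decoder.finish()
    decoded += plain
    hits += matcher.feed(plain)
    return hits, bytes(decoded)


# --- constructed sample input (not from the SonicWALL guide) -----------------
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"       # stand-in for a DB entry
PAYLOAD = b"MZ" + b"\x90" * 200 + SIGNATURE + b"\x00" * 77   # fake attachment


def make_packets(payload: bytes, sizes=(7, 13, 31, 5, 64, 19)):
    """Base64-encode with MIME-style 76-column wrapping, then cut the text into
    packets of uneven size so 4-character groups and the signature itself are
    split across packets."""
    enc = base64.b64encode(payload)
    wrapped = b"\r\n".join(enc[i:i + 76] for i in range(0, len(enc), 76)) + b"\r\n"
    packets, pos, n = [], 0, 0
    while pos < len(wrapped):
        packets.append(wrapped[pos:pos + sizes[n % len(sizes)]])
        pos += sizes[n % len(sizes)]
        n += 1
    return packets


if __name__ == "__main__":
    hits, plain = scan_base64_packets(make_packets(PAYLOAD), [SIGNATURE])
    print(hits, plain == PAYLOAD)
```

Running the block reports the signature at stream offset 202 (two bytes of `MZ` plus 200 filler bytes), and the concatenated per-packet output equals the original attachment, even though no packet ever contained a whole 4-character group boundary or the whole signature. The retained state is three base64 characters plus thirty bytes of tail, whatever the attachment size, which is the property the guide's "no file-size limitations" claim rests on.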
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Page 12
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream-concurrency limits are platform dependent, as follows:

Platform       | GAV-Disabled Connections Cache Size | GAV-Enabled Connections Cache Size (Concurrent File Downloads) | Concurrent Compressed File Downloads with GAV | GAV Signatures
TZ 150 Series  | 2,048                               | 2,048                                                          | 100                                           | 4,500
TZ 170 Series  | 6,144                               | 6,144                                                          | 100                                           | 4,500
PRO 1260       | 6,144                               | 6,144                                                          | 100                                           | 4,500
PRO 2040       | 32,768                              | 16,384                                                         | 300                                           | 25,000
PRO 3060       | 131,072                             | 65,536                                                         | 1,000                                         | 25,000
PRO 4060       | 524,288                             | 131,072                                                        | 1,500                                         | 25,000
PRO 5060       | 750,000                             | 393,216                                                        | 3,000                                         | 25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Page 13
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which
removes it from the head of the sending server's queue and prevents it from being resent, and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
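The POP3 prevention mechanism above, as an added example that is not SonicWALL code: a mock POP3 server and a gateway-side inspector that relays RETR responses to the client line by line and, on a signature hit, issues DELE for that message number and drops the client side of the connection, so the client must reconnect to fetch the remaining mail. The example assumes the gateway also sends QUIT to the server after DELE, because under RFC 1939 a POP3 server only commits deletions in the UPDATE state entered by QUIT; the guide does not say how the server side is closed. Scanning is per line for brevity, whereas the real engine matches across line and packet boundaries. The class names, the mailbox contents and the signature string are constructed.

```python
from typing import Dict, List, Tuple

# Constructed stand-in for one entry of the signature database.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


class MockPop3Server:
    """Constructed POP3 server holding numbered messages (RFC 1939 subset)."""

    def __init__(self, messages: Dict[int, bytes]) -> None:
        self.messages = dict(messages)
        self.marked = set()                  # DELE marks, committed at QUIT

    def handle(self, command: bytes) -> List[bytes]:
        """Return the response lines for one client command."""
        verb, _, arg = command.strip().partition(b" ")
        if verb == b"RETR":
            n = int(arg)
            if n not in self.messages or n in self.marked:
                return [b"-ERR no such message"]
            body = self.messages[n]
            return [b"+OK %d octets" % len(body)] + body.split(b"\r\n") + [b"."]
        if verb == b"DELE":
            self.marked.add(int(arg))
            return [b"+OK message %d deleted" % int(arg)]
        if verb == b"QUIT":
            for n in self.marked:            # UPDATE state: deletions take effect
                self.messages.pop(n, None)
            self.marked.clear()
            return [b"+OK bye"]
        return [b"-ERR unsupported in this mock"]


class Pop3GatewayInspector:
    """Gateway-side relay between a POP3 client and server (constructed)."""

    def __init__(self, server: MockPop3Server, signatures: List[bytes]) -> None:
        self.server = server
        self.signatures = signatures
        self.events: List[Tuple[str, int]] = []   # audit trail for the log
        self.closed = False

    def client_command(self, command: bytes) -> List[bytes]:
        """Relay one client command; return the lines the client receives."""
        if self.closed:
            return []                             # client must reconnect
        verb, _, arg = command.strip().partition(b" ")
        responses = self.server.handle(command)
        if verb != b"RETR" or not responses[0].startswith(b"+OK"):
            return responses                      # not a download: relay as is
        msg_num = int(arg)
        delivered: List[bytes] = []
        for line in responses:
            # Lines before the hit have already been relayed; the client never
            # receives the terminating "." for a blocked message.
            if any(sig in line for sig in self.signatures):
                self.server.handle(b"DELE %d" % msg_num)
                self.server.handle(b"QUIT")       # assumption: commit the DELE
                self.events.append(("blocked", msg_num))
                self.closed = True                # terminate the client side
                return delivered
            delivered.append(line)
        return delivered


def run_session(messages, commands, signatures):
    """Drive a scripted client through the inspector.

    Returns (per-command lines seen by the client, gateway events,
    message numbers still on the server after the session)."""
    server = MockPop3Server(messages)
    gateway = Pop3GatewayInspector(server, signatures)
    transcript = [(cmd, gateway.client_command(cmd)) for cmd in commands]
    return transcript, gateway.events, sorted(server.messages)


# Constructed mailbox: message 2 carries the test signature.
MESSAGES = {
    1: b"From: alice@example.com\r\nSubject: lunch\r\n\r\nNoon?",
    2: b"From: sender@example.net\r\nSubject: invoice\r\n\r\n" + SIGNATURE + b"\r\nRegards",
}

if __name__ == "__main__":
    transcript, events, remaining = run_session(
        MESSAGES, [b"RETR 1\r\n", b"RETR 2\r\n", b"RETR 1\r\n"], [SIGNATURE])
    for cmd, lines in transcript:
        print(cmd.strip(), b" | ".join(lines))
    print(events, remaining)
```

In the scripted session the first RETR completes normally, the second is cut off after its headers and ends with message 2 deleted on the server, and the third command gets no response because the client connection is gone; that last point is the behaviour the guide describes when it says the user must re-initiate the download to get the rest of the mailbox.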
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
Page 14
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression method is
not supported when HTTP response is Chunk Encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
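How the Byte-Range suppression and the Deflate/chunked limitation above could be handled by an inline inspector, as an added example that is not SonicWALL code: `suppress_range_request` rewrites a client request so the origin server returns the whole object as one stream, and `classify_response` flags a 206 Partial Content response that still got through, and a deflate body inside chunked transfer encoding, which the guide says cannot be inflated inline and which therefore deserves a log entry rather than silent pass-through. The function names, header set and sample messages are constructed for the example.

```python
from typing import Dict, List, Tuple

# Request headers that let a client fetch an object in pieces.  Removing them
# makes the origin server send one full response that is scanned as a stream.
SECTIONAL_REQUEST_HEADERS = {b"range", b"if-range"}


def split_head(raw: bytes) -> Tuple[List[bytes], bytes, bytes]:
    """Split an HTTP message into (header lines incl. start line, sep, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n"), sep, body


def suppress_range_request(request: bytes) -> bytes:
    """Drop Range/If-Range from a client request; everything else is kept."""
    lines, sep, body = split_head(request)
    kept = [lines[0]] + [
        line for line in lines[1:]
        if line.split(b":", 1)[0].strip().lower() not in SECTIONAL_REQUEST_HEADERS
    ]
    return b"\r\n".join(kept) + sep + body


def header_map(lines: List[bytes]) -> Dict[bytes, bytes]:
    """Lower-cased name -> lower-cased value for the lines after the start line."""
    out: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        out[name.strip().lower()] = value.strip().lower()
    return out


def classify_response(response: bytes) -> str:
    """Classify a server response for the decompression stage.

    'partial'          206 Partial Content: a sectional retrieval that got
                       past Range suppression; worth logging and dropping.
    'deflate-chunked'  deflate body inside chunked transfer encoding, which
                       cannot be inflated inline, so it needs a log entry.
    'gzip' / 'deflate' / 'identity'   inspectable after the named decoding.
    """
    lines, _, _ = split_head(response)
    parts = lines[0].split(b" ", 2)
    if len(parts) > 1 and parts[1] == b"206":
        return "partial"
    h = header_map(lines)
    encoding = h.get(b"content-encoding") or b"identity"
    chunked = b"chunked" in h.get(b"transfer-encoding", b"")
    if encoding == b"deflate" and chunked:
        return "deflate-chunked"
    return encoding.decode("ascii", "replace")


# --- constructed sample messages (not from the SonicWALL guide) -------------
ACCELERATOR_REQUEST = (
    b"GET /files/tool.zip HTTP/1.1\r\n"
    b"Host: downloads.example.com\r\n"
    b"Range: bytes=0-65535\r\n"
    b'If-Range: "etag-constructed"\r\n'
    b"User-Agent: accel/1.0\r\n\r\n"
)
PARTIAL_RESPONSE = b"HTTP/1.1 206 Partial Content\r\nContent-Range: bytes 0-65535/1048576\r\n\r\n"
DEFLATE_CHUNKED_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Encoding: deflate\r\nTransfer-Encoding: chunked\r\n\r\n"
GZIP_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\nContent-Length: 10\r\n\r\n"

if __name__ == "__main__":
    print(suppress_range_request(ACCELERATOR_REQUEST))
    for r in (PARTIAL_RESPONSE, DEFLATE_CHUNKED_RESPONSE, GZIP_RESPONSE):
        print(classify_response(r))
```

The rewritten request keeps Host and User-Agent and loses only the two sectional headers, which is the same trade-off the note above describes: a download accelerator that issues several Range requests will fall back to a single full download. The `deflate-chunked` class is the one to watch in logs, since those responses pass the decompression stage uninspected.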
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance immediately.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a "friendly name" for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on your SonicWALL
security appliance model, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting the
interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
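An added Python example, not from the SonicWALL guide, that encodes the four bullets above as a decision function and generates the source/destination matrix from them. The zone security type names follow the bullets; reading the third bullet's "non-Trusted" as any security type other than Trusted is this example's assumption, and the function and table names are its own.

```python
# Zone security types as named in the bullets above.
TRUSTED_LIKE = ("Trusted", "Wireless", "Encrypted")
ZONE_TYPES = TRUSTED_LIKE + ("Public", "Untrusted")


def inbound_inspection_applies(src_type: str, dst_type: str, smtp: bool) -> bool:
    """Return True when Enable Inbound Inspection covers a flow.

    The four cases are the four bullets, transcribed literally; 'non-Trusted'
    in the third bullet is read as 'any type other than Trusted' (assumption).
    """
    if not smtp:
        # Non-SMTP from a Trusted, Wireless or Encrypted zone to any zone.
        if src_type in TRUSTED_LIKE:
            return True
        # Non-SMTP from a Public zone to an Untrusted zone.
        return src_type == "Public" and dst_type == "Untrusted"
    # SMTP from a non-Trusted zone to a Trusted, Wireless, Encrypted or Public zone.
    if src_type != "Trusted" and dst_type in TRUSTED_LIKE + ("Public",):
        return True
    # SMTP between Trusted, Wireless and Encrypted zones.
    return src_type in TRUSTED_LIKE and dst_type in TRUSTED_LIKE


def inspection_matrix(smtp: bool) -> dict:
    """source type -> destination type -> inspected, for one protocol class."""
    return {
        src: {dst: inbound_inspection_applies(src, dst, smtp) for dst in ZONE_TYPES}
        for src in ZONE_TYPES
    }


def render_matrix(smtp: bool) -> str:
    """Render the matrix as a text table (rows = source type, columns = destination type)."""
    width = max(len(z) for z in ZONE_TYPES) + 2
    title = "SMTP" if smtp else "Non-SMTP"
    lines = [f"{title} inbound inspection (source -> destination)"]
    lines.append("".ljust(width) + "".join(z.ljust(width) for z in ZONE_TYPES))
    for src, row in inspection_matrix(smtp).items():
        cells = "".join(("yes" if row[dst] else "no").ljust(width) for dst in ZONE_TYPES)
        lines.append(src.ljust(width) + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(smtp=False))
    print()
    print(render_matrix(smtp=True))
```

Running the block prints one table per protocol class. The non-SMTP table shows that traffic originating in an Untrusted zone is never covered by inbound inspection, which is why the separate outbound SMTP option described next exists for mail delivered to an internally hosted server.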
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password-protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfer of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
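As an added example (this is not SonicWALL code and does not reproduce its signature engine), the following Python applies the three restrict-transfer checks described above to in-memory file contents: the ZIP general-purpose flag bit that marks password-protected entries, the vbaProject.bin part that carries VBA macros in Office 2007+ OOXML packages, and packer-specific PE section names as a simplified stand-in for signature-based packer recognition. All sample files are constructed inside the block, and the assumed section-name prefixes are the ones listed in PACKER_SECTION_PREFIXES.

```python
import io
import struct
import zipfile

# Section-name prefixes left by common packers. UPX, ASPack and Petite name their
# sections recognisably; FSG and PKLite32 (also listed on the page) do not, which
# is why a real engine relies on signatures rather than names. Assumed list.
PACKER_SECTION_PREFIXES = (b"UPX", b".aspack", b".petite")


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any ZIP entry has the general-purpose 'encrypted' flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def office_has_vba_project(data: bytes) -> bool:
    """True if an OOXML package (.docm/.xlsm/.pptm) carries a VBA project part.

    Legacy OLE2 containers (Office 97-2003 .doc/.xls) store macros differently
    and are not parsed by this example.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_header_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_header_size                        # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def pe_looks_packed(data: bytes) -> bool:
    return any(n.startswith(p) for n in pe_section_names(data) for p in PACKER_SECTION_PREFIXES)


def restricted_transfer_reason(data: bytes):
    """Return why a file would be blocked under the three settings, or None."""
    if zip_has_encrypted_entry(data):
        return "password-protected ZIP"
    if office_has_vba_project(data):
        return "MS-Office file containing VBA macros"
    if pe_looks_packed(data):
        return "packed executable"
    return None


# --- constructed sample files (built here, not taken from the page) ----------

def _make_zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in entries:
            zf.writestr(name, body)
    return buf.getvalue()


def _mark_first_entry_encrypted(zip_bytes: bytes) -> bytes:
    """Set bit 0 of the general-purpose flag in the first local header and its
    central-directory record; this is how a password-protected entry is marked.
    No real encryption is applied, only the flag the check looks at."""
    b = bytearray(zip_bytes)
    b[6] |= 0x1                                   # local file header flag word
    cd = b.find(b"PK\x01\x02")
    b[cd + 8] |= 0x1                              # central directory flag word
    return bytes(b)


def _make_fake_pe(section_names) -> bytes:
    """Minimal MZ/PE header plus section table, enough for pe_section_names()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + coff + sections


SAMPLE_PLAIN_ZIP = _make_zip([("readme.txt", b"nothing to see")])
SAMPLE_ENCRYPTED_ZIP = _mark_first_entry_encrypted(SAMPLE_PLAIN_ZIP)
SAMPLE_DOCM = _make_zip([("[Content_Types].xml", b"<Types/>"),
                         ("word/document.xml", b"<w:document/>"),
                         ("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")])
SAMPLE_UPX_PE = _make_fake_pe([b"UPX0", b"UPX1", b".rsrc"])
SAMPLE_PLAIN_PE = _make_fake_pe([b".text", b".data", b".rsrc"])
```

restricted_transfer_reason() returns the first matching reason or None. Each check works on the file's own structure rather than its name or Content-Type, which matters because all three categories are routinely delivered with misleading extensions; what this example cannot see is exactly what the page says the signature updates cover, namely legacy OLE2 Office documents and packers such as FSG that leave no recognisable section name.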
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might read Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
P/N 232-000550-00
Rev A 05/04
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Internet Security Appliances
SonicWALL PRO 5060
Getting Started Guide
Table of Contents
Introduction ................................................................................3
Introduction to the Example Network .................................................... 4
Network Elements ............................................................................... 4
Network Deployment Planning .............................................................. 6
ISP Connection Information ................................................................ 6
Network Information ............................................................................ 6
VPN Information.................................................................................. 6
Configuration Flowchart ........................................................................ 7
Zones Overview .................................................................................... 7
Pre-Defined Zones .............................................................................. 8
Security Types .................................................................................... 8
Setting Up the PRO 5060.........................................................11
Before You Begin ................................................................................ 11
Check Package Contents.................................................................. 11
What You Need to Get Connected...................................................... 11
ISP Connection Information ................................................................ 12
IP Addressing using DHCP............................................................... 12
IP Addressing using PPPoE.............................................................. 12
IP Addressing using a Single, Static Public IP Address.................... 12
SonicWALL PRO 5060c Front View.................................................... 13
SonicWALL PRO 5060f Front View..................................................... 14
SonicWALL PRO 5060 Rear View...................................................... 15
Applying Power to the PRO 5060........................................................ 15
Connecting the Network Cables.......................................................... 16
Configuring Your Management Station ............................................... 17
Windows XP...................................................................................... 17
Windows 2000................................................................................... 17
Windows NT...................................................................................... 18
Windows 98....................................................................................... 18
Accessing the PRO 5060 Management Interface ............................... 19
Troubleshooting ................................................................................ 20
Configuring the WAN (Internet) and LAN Connectivity ............21
Configuring WAN and LAN Connectivity with the Setup Wizard ......... 21
Using the Setup Wizard .................................................................... 21
Configuring Access to Public Servers ......................................25
Creating the DMZ for Public Servers................................................... 25
Creating Access to the Server with the Public Server Wizard............. 27
What the Public Server Wizard Configures....................................... 28
Testing the Public Server .................................................................. 29
Creating a Custom Security Zone ............................................31
Creating and Configuring the Zone ..................................................... 31
Creating the Zone and Assigning an Interface.................................. 31
Configuring the DHCP Server ........................................................... 33
Configuring Access Rules for the Zone............................................. 34
Testing Access from the New Zone .................................................. 35
Configuring GroupVPN for SonicWALL Global VPN Clients....37
Configuring GroupVPN using the VPN Policy Wizard......................... 37
Using the VPN Policy Wizard............................................................ 38
Connecting the Global VPN Clients .................................................. 40
Configuring a Site-to-Site VPN.................................................41
Configuring a Site-to-Site VPN using the VPN Policy Wizard ............. 41
Using the VPN Policy Wizard to Configure Preshared Secret .......... 41
Registering the PRO 5060 and
Activating Security Services.....................................................45
mySonicWALL.com............................................................................. 45
Registering Your SonicWALL.............................................................. 46
Creating Your mySonicWALL.com Account...................................... 46
Registering Your SonicWALL from the Management Interface ........ 47
Activating SonicWALL Security Services ............................................ 48
1 Introduction
This guide explains how to configure your SonicWALL PRO 5060 running SonicOS
Enhanced as the central security appliance for your corporate network. The network diagram
shows a typical PRO 5060 deployment scenario where the PRO 5060 protects multiple
networks at the corporate Headquarters (HQ). The PRO 5060 also acts as a VPN gateway
for a remote satellite office, telecommuter, and mobile users using the SonicWALL Global
VPN Client.
Your network may include different elements, but you can use specific parts of this guide to
configure your custom scenario. This scenario involves setting up your SonicWALL PRO
5060 and configuring it through the SonicOS Enhanced management interface.
Note: See the SonicWALL PRO 5060 Resource CD that ships with your security appliance for an
interactive PDF version of this Getting Started Guide and the SonicOS Enhanced
Administrator’s Guide. Also included on the Resource CD are Administrator’s Guides for all
SonicWALL Security Services, such as SonicWALL Intrusion Prevention Service.
Introduction to the Example Network
The example network combines the most common network design elements in a single example. It
demonstrates a common setup scenario for deploying your SonicWALL PRO 5060.
Network Elements
The following network elements together make up the deployment scenario used as the basis
of this guide. Your network may include all or some of the elements. For example, after setting
up your security appliance and configuring it for Internet (WAN) and LAN connectivity, you
may only need to create Internet access to a public server on your network and a VPN policy
to support SonicWALL Global VPN Clients.
Network diagram (a figure in the original): the SonicWALL PRO 5060 at Corporate HQ, with interfaces X0 through X5. X0 is the LAN (192.168.168.168/24); X1 connects to the WAN and the Internet (64.56.191.114/24); X2 is the DMZ (172.22.2.1/24), hosting the Mail Server and WWW Server, with a DMZ server shown at 172.22.2.33; X4 is the Accounting zone (172.22.3.1/24), hosting the Accounting Server. A Satellite Office with a TZ 170 Wireless connects over a site-to-site VPN, and Remote Employees connect with Global VPN Clients.
PRO 5060
The SonicWALL PRO 5060 is the central security appliance of the example network. It is
running SonicOS Enhanced. This guide focuses on configuring the PRO 5060 security
appliance and assumes all other devices and servers are already configured.
• The X0 interface is configured to the LAN Zone.
• The X1 interface is configured to the WAN zone. The site-to-site VPN and remote VPN
clients use this interface.
• The X2 interface is set up as the DMZ. E-mail and Web servers communicate through
this zone to protect your LAN.
• The X4 interface is set up as a separate “Accounting” zone in this example, which
provides restricted access to sensitive company information.
WAN
The WAN zone is the connection to the Internet. Two sets of protected resources
communicate with the PRO 5060 via the WAN using VPNs:
• SonicWALL TZ 170 Wireless: The SonicWALL TZ 170 Wireless is running SonicOS
Standard and is located at the other end of a site-to-site VPN tunnel. It is located in a
small remote office with multiple PCs connected to it. The office has a DSL Internet
connection using PPPoE.
• SonicWALL Global VPN Clients: SonicWALL Global VPN Clients are used by mobile
users or telecommuters with dial-up or broadband Internet access scattered across the
country. The Global VPN Clients are automatically configured from the SonicWALL PRO
5060 with a GroupVPN policy.
Note: For more product information on the SonicWALL Global VPN Client, please visit
http://www.sonicwall.com. Product documentation is available on your PRO 5060
Resource CD or at http://www.sonicwall.com/services/documentation.html.
LAN
The LAN is the internal corporate network. It has a Windows 2000 network server, an internal
Web server, and a wide variety of user desktop stations. All traffic to and from the LAN goes
through the X0 interface.
DMZ
The DMZ is a special zone for traffic you don’t necessarily want to trust. The corporate e-mail
server and external Web server are in the DMZ, and access from the DMZ to the rest of the
network is tightly controlled with access policies. The DMZ uses the X2 interface.
Accounting
Accounting is a separate protected network, similar to the LAN, whose access is tightly
controlled by firewall access rules between the zones. It uses the X4 interface.
Network Deployment Planning
ISP Connection Information
IP Addressing using DHCP
No information necessary. The security appliance automatically detects the presence of a
DHCP server during setup.
IP Addressing using PPPoE
User Name:________________________
Password:_________________________
IP Addressing using a Single, Static Public IP Address
IP Address:________________________
Subnet Mask:______________________
Default Gateway:___________________
Primary DNS:______________________
Secondary DNS:___________________
Network Information
WAN - Network Mode:______________ IP Address:____________
Subnet Mask:____________
Router IP Address:_______________ DNS Server 1 IP Address:______________
DNS Server 2 IP Address:_________________
LAN - IP Address:____________ Subnet Mask:____________DHCP Enabled: Yes__ No__
DHCP IP Address Range:______________________
VPN Information
Record the public (WAN) IP address of each remote SonicWALL appliance that will terminate a
site-to-site VPN tunnel.
Configuration Flowchart
Configuring this example network encompasses the following steps:
1. Setting Up the PRO 5060: Set up the physical connections to the SonicWALL PRO 5060
and configure the Management Station for access to the security appliance Management
Interface.
2. Configuring the WAN (Internet) and LAN Connectivity: Configure your Internet
connection and LAN using the Setup Wizard.
3. Configuring Access to Public Servers: Configure the DMZ zone to allow access from
inside and outside the LAN using the Public Server Wizard.
4. Creating a Custom Security Zone: Configure a custom Accounting zone to tightly
control access to sensitive information.
5. Configuring GroupVPN for SonicWALL Global VPN Clients: Configure a GroupVPN
on the PRO 5060 using the VPN Wizard to allow remote users to connect to your network
with the SonicWALL Global VPN Client or SonicWALL Global Security Client.
6. Configuring a Site-to-Site VPN: Configure a site-to-site VPN to connect a SonicWALL
TZ 170 Wireless at a remote office using the VPN Wizard to allow the users at the remote
office to connect to the corporate network.
7. Registering the PRO 5060 and Activating Security Services: Register your
SonicWALL PRO 5060 and activate SonicWALL Security Services directly from the
SonicWALL security appliance Management Interface.
Zones Overview
A security zone is simply a logical method of grouping one or more interfaces or subinterfaces
with friendly, user configurable names, and applying security rules as traffic passes from one
zone to another zone. This concept of multiple segments, or interfaces, logically grouped
together is called security zones. Configuration by security zones provides an additional,
more flexible layer of security for the security appliance.
The security zone permits the administrator to name the zone in a user-friendly way and to
write security rules that apply to all the segments in a zone, without needing to address each
physical interface individually. This greatly simplifies the firewall rule base. Security zones
also allow you to group multiple physical segments together as well as selectively apply
SonicWALL Security Service across zones, such as Intrusion Prevention Service.
The SonicWALL PRO 5060 has six interfaces. The first two (X0 and X1) are fixed interfaces,
permanently bound to the LAN and WAN zones respectively. The remaining four (X2-X5 on the
PRO 5060c; X2, X3, F0, and F1 on the PRO 5060f) are user-definable and can be configured
and bound to any zone.
Pre-Defined Zones
The pre-defined security zones on the SonicWALL PRO 5060 are not modifiable and are
defined as follows:
• WAN: The WAN zone is usually connected to the Internet and has the lowest level of
trust. This zone can consist of either one or two interfaces.
• LAN: This zone can consist of one to five interfaces, depending on your network design.
Even though each interface has a different network subnet attached to it, when grouped
together they can be managed as a single entity.
• DMZ: This zone is normally used for publicly accessible servers. It can consist of one
to four interfaces, depending on your network design.
• VPN: This virtual zone simplifies secure remote connectivity. It has no assigned
physical interface.
• WLAN: This zone provides support for SonicWALL SonicPoints.
• MULTICAST: This zone provides support for IP multicasting, a method for sending IP
packets from a single source simultaneously to multiple hosts.
Note: Even though you may group interfaces together into one security zone, you can still
address an individual interface within the zone.
Security Types
Each zone has a security type. The security type defines the level of trust given to that
zone. There are five security types:
• Trusted: Trusted is a security type that provides the highest level of trust--meaning that
the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted
security can be thought of as being on the LAN (protected) side of the security appliance.
The LAN zone is always Trusted.
• Encrypted: Encrypted is a security type used exclusively by the VPN Zone. All traffic to
and from an Encrypted zone is encrypted.
• Wireless: Wireless is a security type applied to the WLAN zone or any zone where the
only interface to the network consists of SonicWALL SonicPoint devices. You typically
use WiFiSec to secure traffic in a Wireless zone. The Wireless security type is designed
specifically for use with SonicPoint devices. Placing an interface in a Wireless Zone
activates SDP (SonicWALL Discovery Protocol) and SSPP (SonicWALL Simple
Provisioning Protocol) on that interface for automatic discovery and provisioning of
SonicPoint devices. Only traffic that passes through a SonicPoint is allowed through a
Wireless zone; all other traffic is dropped.
• Public: A Public security type offers a higher level of trust than an Untrusted zone but
a lower level of trust than a Trusted zone. Public zones can be thought of as a buffer
between the LAN (protected) side of the security appliance and the WAN (unprotected)
side. The DMZ, for example, is a Public zone: it sits between the LAN and the WAN, and by
default it may send traffic to the WAN but not to the LAN.
• Untrusted: The Untrusted security type represents the lowest level of trust. It is used by
both the WAN and the virtual Multicast zone. An Untrusted zone can be thought of as
being on the WAN (unprotected) side of the security appliance. By default, traffic from
Untrusted zones is not permitted to enter any other zone type without explicit rules, but
traffic from every other zone type is permitted to Untrusted zones.
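The following Python model is added to this guide as an illustration; it is not SonicOS code and is not part of the SonicWALL documentation. It encodes the default behaviour between security types described above together with a first-match access rule list, so you can see why two Trusted zones (the LAN and the custom Accounting zone built in chapter 5) need explicit rules before they are separated. The relative placement of Encrypted and Wireless in the trust ordering, and the HTTPS allow rule, are assumptions of the model.

```python
"""Default inter-zone behaviour by security type (added illustration; not SonicOS code)."""
from dataclasses import dataclass

# Assumed trust ordering. The text fixes Trusted as highest, Untrusted as lowest and Public
# between them; where Encrypted and Wireless sit relative to each other is an assumption here.
TRUST = {"Trusted": 4, "Encrypted": 3, "Wireless": 2, "Public": 1, "Untrusted": 0}

# Zones of the example network, plus the custom Accounting zone created in chapter 5.
ZONES = {
    "LAN": "Trusted", "Accounting": "Trusted", "DMZ": "Public", "VPN": "Encrypted",
    "WLAN": "Wireless", "WAN": "Untrusted", "MULTICAST": "Untrusted",
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str  # "any" matches every service
    action: str   # "allow" or "deny"


def default_action(src_zone: str, dst_zone: str) -> str:
    """With no explicit rule, traffic may leave a zone for any zone of equal or lower trust.

    This reproduces the statements above: a Public zone reaches the WAN but not the LAN,
    nothing enters from an Untrusted zone, and every zone may send to an Untrusted zone.
    """
    return "allow" if TRUST[ZONES[src_zone]] >= TRUST[ZONES[dst_zone]] else "deny"


def evaluate(rules, src_zone: str, dst_zone: str, service: str) -> str:
    """First matching explicit rule wins; otherwise the zone-type default applies."""
    for r in rules:
        if (r.src, r.dst) == (src_zone, dst_zone) and r.service in ("any", service):
            return r.action
    return default_action(src_zone, dst_zone)


# Two Trusted zones reach each other by default, so restricting Accounting needs explicit
# rules. Order matters: the narrow allow must precede the catch-all deny.
ACCOUNTING_RULES = [
    Rule("LAN", "Accounting", "HTTPS", "allow"),  # assumed: a web front end on the accounting server
    Rule("LAN", "Accounting", "any", "deny"),
    Rule("DMZ", "Accounting", "any", "deny"),     # already the default; stated explicitly
]


def policy_matrix(rules, services=("HTTPS", "SMB")) -> dict:
    """Verdict for every ordered zone pair and service: review this before deploying a rule base."""
    return {(s, d, svc): evaluate(rules, s, d, svc)
            for s in ZONES for d in ZONES if s != d for svc in services}


if __name__ == "__main__":
    for (s, d, svc), verdict in sorted(policy_matrix(ACCOUNTING_RULES).items()):
        print(f"{s:>10} -> {d:<10} {svc:<5} {verdict}")
```

Running the file prints the verdict matrix for the Accounting rule base. The same review, done against a real rule base, is what catches a narrow allow placed after a catch-all deny, where it can never match.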
2 Setting Up the PRO 5060
This chapter explains the physical setup of your PRO 5060 and setting up your Management
Station to access the SonicWALL Management Interface. The Management Station is the
computer you use to access the PRO 5060 Management Interface.
After you physically set up the security appliance and configure the Management Station,
use the Setup Wizard to configure the LAN and WAN (Internet) connections.
Before You Begin
Check Package Contents
• One SonicWALL PRO 5060
• One SonicWALL PRO 5060 Getting Started Guide
• One PRO 5060 Resource CD (Includes product documentation and utilities)
• One Ethernet cable
• One Crossover cable
• One Console Port cable
• One Power cord
• One Mounting Kit including brackets and screws
Alert! If any items are missing from your package, contact SonicWALL, Inc.
Web: Phone: (888) 777-1476
What You Need to Get Connected
• SonicWALL PRO 5060 Internet Security Appliance
• Broadband Internet connection
• PC or Macintosh computer
• A Web browser (Microsoft Internet Explorer v5.0 or later, or Netscape Navigator v4.7 or
later--your Web browser must support Java and HTTP uploads in order to fully manage
the security appliance.)
• Internet Service Provider (ISP) connection information
• Network addressing information
ISP Connection Information
Before you can begin installing your security appliance, determine how your ISP distributes
IP addresses. The most common instances include the following connection methods:
• A range of public, static IP addresses
• A single static IP address
• A dynamic IP address using DHCP
• A dynamic IP address using PPPoE
Alert! If you are not using one of the network configurations above, step-by-step installation
instructions for additional networking methods are found in the SonicWALL
Administrator’s Guide on the PRO 5060 Resource CD. The SonicWALL Administrator’s
Guide requires Acrobat Reader to view it. Acrobat Reader is also provided on the Resource
CD.
Record all of your networking information in the checklist below:
IP Addressing using DHCP
No action necessary. The security appliance automatically detects the presence of a DHCP
server during setup.
IP Addressing using PPPoE
User Name:________________________
Password:_________________________
IP Addressing using a Single, Static Public IP Address
IP Address:________________________
Subnet Mask:______________________
Default Gateway:___________________
Primary DNS:______________________
Secondary DNS:___________________
SonicWALL PRO 5060c Front View
• Console Port: DB-9 RS-232 Console port for Command Line Interface support.
• Power: Lights up when power is applied to the security appliance.
• Test: Lights when the security appliance is powered up and performing diagnostic tests
to check for proper operation. These tests take about 90 seconds. If the Test LED
remains lit after this time, turn the security appliance off and back on again after a few
seconds.
If the security appliance fails to restart, contact SonicWALL Tech. Support at
http://www.sonicwall.com/support/ or (888) 777-1476
• Alarm: Lights when the firmware is reset and when certain network traffic conditions
occur.
There are six Ethernet ports: one LAN port, one WAN port, and four user-defined ports:
• Link: Lights up when a Twisted Pair connection is made to another Ethernet device on
the port. Note that the device connected to the security appliance must support the
standard Link Integrity test.
• 100/1000: Lights orange when the connection is a 100 Mbps connection. Lights green
when the connection is a 1 Gbps connection.
• Activity: Lights up when the security appliance transmits or receives a packet through
the Twisted Pair port.
[Figure: PRO 5060c front panel. Console Port; Power, Test and Alarm LEDs; LAN (X0); WAN (X1);
user-defined ports (X2 - X5). Each port has link, 100/1000 and act LEDs.]
SonicWALL PRO 5060f Front View
• Console Port: DB-9 RS-232 Console port for Command Line Interface support.
• Power: Lights up when power is applied to the security appliance.
• Test: Lights when the security appliance is powered up and performing diagnostic tests
to check for proper operation. These tests take about 90 seconds. If the Test LED
remains lit after this time, turn the security appliance off and back on again after a few
seconds.
If the security appliance fails to restart, contact SonicWALL Tech. Support at
http://www.sonicwall.com/support/ or (888) 777-1476
• Alarm: Lights when the firmware is reset and when certain network traffic conditions
occur.
There are six Ethernet ports: one LAN port, one WAN port, and four user-defined ports:
• Link: Lights up when a Twisted Pair connection is made to another Ethernet device on
the port. Note that the device connected to the security appliance must support the
standard Link Integrity test.
• 100/1000: Lights orange when the connection is a 100 Mbps connection. Lights green
when the connection is a 1 Gbps connection.
• Activity: Lights up when the security appliance transmits or receives a packet through
the Twisted Pair port.
[Figure: PRO 5060f front panel. Console Port; Power, Test and Alarm LEDs; LAN (X0); WAN (X1);
user-defined ports (X2 - X3) and (F0 - F1). Each port has link, 100/1000 and act LEDs.]
SonicWALL PRO 5060 Rear View
• Power Input: Connects to the external power supply that is provided with the security
appliance. The use of an Uninterruptible Power Supply (UPS) is recommended to protect
the security appliance against damage or loss of data due to electrical storms, power
failures, or power surges.
• Internal Fans: Four chassis fans and one power supply fan maintain the temperature of
the security appliance and prevent overheating.
Alert! Obstructing the airflow or blocking the fans causes the security appliance to overheat.
Be sure to allow enough room for air circulation around the appliance.
Applying Power to the PRO 5060
Plug the power cord into the security appliance and the other end into an appropriate power
outlet. Turn on the security appliance using the On/Off switch located on the back of the
appliance.
The Power light turns green when power is applied to the security appliance and the Test
light remains lit for approximately one minute while the security appliance performs a series
of diagnostic tests. When the Test light is no longer lit, the security appliance is ready for
configuration.
[Figure: PRO 5060 rear panel. Power Input (100-240VAC, 50-60Hz, 1.5A), Power Switch,
Internal Fans.]
Connecting the Network Cables
Connect one end of the gray Ethernet cable to your DSL modem, cable modem, or Internet
router. Connect the other end of the gray Ethernet cable to the WAN (X1) port of the PRO
5060. When you connect the cable, the link LED lights either orange or green indicating an
active connection. If the LED does not light, try connecting the red crossover cable.
[Figure: WAN (X1) cabling on the PRO 5060c and on the PRO 5060f.]
Connect one end of the provided Crossover cable to the Ethernet port of your computer.
Connect the other end of the cable to the LAN(X0) port of your PRO 5060. The link LED lights
indicating an active connection. If the LED does not light, try the Ethernet cable.
[Figure: LAN (X0) cabling on the PRO 5060c and on the PRO 5060f.]
Configuring Your Management Station
The management station is the computer you use to access the SonicWALL PRO 5060
Management Interface. The management station must have Windows XP, 2000, NT, or 98
and must have a web browser that supports HTTP upload, such as Microsoft Internet
Explorer 6.0 or Netscape 7.0.
To configure your management station to connect to the Management Interface, use the
following instructions that match the operating system of your computer:
Windows XP
1. On your desktop, right-click the My Network Places icon and select Properties.
2. Right-click on the Local Area Connection icon and select Properties.
3. Open the Local Area Connection Properties window.
4. Double-click Internet Protocol (TCP/IP) to open the Internet Protocol (TCP/IP)
Properties window.
5. Select Use the following IP address and type 192.168.168.200 in the IP address field.
6. Enter 255.255.255.0 in the Subnet Mask field.
7. Enter the DNS IP address in the Preferred DNS Server field. If you have more than one
address, type the second one in the Alternate DNS server field.
8. Click OK for the settings to take effect on the computer.
Windows 2000
1. From your Windows task bar, click Start.
2. Then click Settings.
3. Click Network and Dial-up Connections.
4. Double-click the network icon to open the connection window.
5. Click Properties.
6. Highlight Internet Protocol (TCP/IP) and click Properties.
7. Select Use the following IP address.
8. Enter 192.168.168.200 in the IP address field.
9. Enter 255.255.255.0 in the Subnet field.
10. If you have a DNS Server IP address from your ISP, enter it in the Preferred DNS
Server field.
11. Click OK.
Windows NT
1. From the Start list, highlight Settings and then select Control Panel.
2. Double-click the Network icon in the Control Panel window.
3. Double-click TCP/IP in the TCP/IP Properties window.
4. Select Specify an IP Address.
5. Enter 192.168.168.200 in the IP Address field.
6. Enter 255.255.255.0 in the Subnet Mask field.
7. Click DNS at the top of the window.
8. Type the DNS IP address in the Preferred DNS Server field. If you have more than one
address, enter the second one in the Alternate DNS server field.
9. Click OK, and then click OK again.
10. Restart the computer.
Windows 98
1. From the Start list, highlight Settings and then select Control Panel. Double-click the
Network icon in the Control Panel window.
2. Double-click TCP/IP in the TCP/IP Properties window.
3. Select Specify an IP Address.
4. Enter 192.168.168.200 in the IP Address field.
5. Enter 255.255.255.0 in the Subnet Mask field.
6. Click DNS Configuration.
7. Type the DNS IP address in the Preferred DNS Server field. If you have more than one
address, type the second one in the Alternate DNS server field.
8. Click OK, and then click OK again.
9. Restart the computer.
Accessing the PRO 5060 Management Interface
The SonicWALL PRO 5060 LAN (X0) port is configured with the default IP address of
192.168.168.168.
To begin configuring your security appliance, log into the LAN port of the SonicWALL security
appliance at the default IP address using a Web browser:
Alert! Disable any popup blocking software before launching the Management Interface. Many of the
management procedures will not be able to complete without using popup browser windows.
Allow enough time for the security appliance to power up completely before attempting to log into the
Management Interface. It takes approximately one minute for the security appliance to cycle
completely. When the Test light is no longer lit, the security appliance is ready for configuration.
1. Launch your Web browser.
Note: Because you are temporarily disconnected from the Internet, you may receive an error
message when your Web browser first opens. This does not affect the configuration
process.
2. Enter 192.168.168.168 in the Location or Address field.
3. The first time you log into the SonicWALL Management Interface, the Setup Wizard is
automatically displayed for configuring your WAN (Internet) and LAN setup.
See Configuring WAN and LAN Connectivity with the Setup Wizard for configuration
instructions using the Setup Wizard.
Troubleshooting
If you cannot connect to the security appliance, check the following:
• Did you correctly enter the SonicWALL default LAN IP address in your browser window?
• Is the security appliance connected to the same network as your computer?
• Have you changed the TCP/IP network settings on your computer?
• Try pinging the LAN IP address of the security appliance, 192.168.168.168, from your
computer. It should reply if your TCP/IP settings are correct and the Ethernet connection
is good. If it replies, try the Web browser again at 192.168.168.168.
3 Configuring the WAN (Internet) and
LAN Connectivity
This procedure steps you through using the Setup Wizard or Management Interface to
configure the Primary WAN (X1) and LAN (X0) Interfaces.
In the example network used in this guide, the LAN and WAN are configured:
• LAN Interface: X0 - 192.168.168.168
• WAN Interface: X1 - 64.56.191.114 (IP address for www.sonicwall.com)
Configuring WAN and LAN Connectivity with the Setup
Wizard
The Setup Wizard automates the following steps:
• Change Administrator Password and Time Zone
• Select WAN mode: Static IP, DHCP, PPPoE, or PPTP
• Configure WAN ports
• Configure LAN port
• Configure DHCP for the LAN
Using the Setup Wizard
1. The first time you log into the security appliance, the Setup Wizard is automatically
displayed. If the Setup Wizard is not displayed, click the Wizards button on the
System>Status page and select Setup Wizard in the first screen.
2. Click Next.
3. In the Change Password page, enter a new management password and click Next.
Alert! Change the default password (password) here. It is the same on every appliance as
shipped, so leaving it in place exposes the Management Interface to anyone who can reach the
LAN interface. Note your new password; you need it to log into your SonicWALL Management
Interface.
4. In the Change Time Zone page, select your time zone and click Next.
5. Select the WAN network mode for generating the IP addresses in the WAN Network
Mode page. Click on a link for a definition of that networking mode. You can select:
• Static IP
• DHCP
• PPPoE
• PPTP
For this example, select Static IP and click Next.
6. If you selected Static IP, in the next screen enter the IP Address, Subnet Mask, Gateway
address, and DNS Server information.
For this example, enter:
• SonicWALL WAN IP Address: 64.56.191.114
• WAN Subnet Mask: 255.255.255.0 (the example network places X1 in 64.56.191.0/24)
• Gateway (Router) Address: the address of your ISP's gateway router. It must lie inside
the WAN subnet you just entered; the placeholder shown in this guide, 10.0.0.254, is a
generic example and would not be reachable from 64.56.191.0/24.
• DNS Server Address: the address of your DNS server, for example, 10.50.128.52
• DNS Server Address #2 (optional): if you have a secondary DNS server, its
address, for example, 10.50.128.53
If you selected DHCP, you do not need to enter any ISP settings in the next screen. Your
security appliance will automatically detect the DHCP server settings.
If you selected PPPoE, in the next screen select whether to automatically obtain an IP
address from the server or use a specific one. Enter the PPPoE username and
password. Check the Inactivity Disconnect box and specify a number of minutes if you
want it to automatically disconnect from the PPPoE server after a certain amount of
inactive time.
If you selected PPTP, enter the PPTP server IP address, username, and password.
Select whether you want the device to automatically obtain an IP address or use a
specified address. If you select to use a specified address, enter the WAN IP address,
the WAN/DMZ netmask, and the IP address of the gateway router.
7. Configure the LAN Settings: Enter the IP address and subnet mask.
For this example, accept the default:
• SonicWALL LAN IP Address: 192.168.168.168
• LAN Subnet Mask: 255.255.255.0
8. If you are using DHCP for your LAN, check the Enable DHCP box and enter the range of
IP addresses available for the DHCP server.
For this example, enter a LAN address range from 192.168.168.1 to 192.168.168.255. Note
that this range, as printed, contains the appliance's own address (192.168.168.168), the
management station's static address (192.168.168.200) and the broadcast address
(192.168.168.255); in practice, choose a pool that excludes all three.
Note: If you already have a DHCP Server configured for the LAN, the Setup Wizard automatically
detects it and does not display the LAN DHCP Settings page.
9. Verify the configuration in the Configuration Summary page. Click Back to return to a
previous screen of the wizard and change a setting.
10.Click Apply to apply the configuration to your security appliance.The next screen shows
the progress as it applies the settings. When the configuration is complete, you see the
Wizard Complete page showing your management URL, and the management login ID.
For security purposes, the configuration summary does not display the management
password.
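As an added example, not part of SonicOS or of this guide's original procedure, the following Python script checks the addresses from the planning checklist for the inconsistencies the wizard itself will not flag: a gateway outside the WAN subnet, a DHCP pool that contains the appliance's own address, the broadcast address or the management station's static address, and WAN and LAN subnets that overlap. The corrected gateway 64.56.191.1 and the DHCP pool used in the second call are assumptions.

```python
"""Consistency checks for the Setup Wizard values (added example; not SonicOS code).

Run it against the addresses from your planning checklist before you click Apply; a
misplaced gateway or a lease pool that overlaps static hosts is far cheaper to catch here
than after the appliance is deployed.
"""
import ipaddress


def validate_setup(wan_ip, wan_mask, gateway, lan_ip, lan_mask,
                   dhcp_start, dhcp_end, mgmt_ip):
    """Return a list of problem codes; an empty list means the values are consistent."""
    problems = []
    wan = ipaddress.ip_interface(f"{wan_ip}/{wan_mask}")  # dotted-quad masks are accepted
    lan = ipaddress.ip_interface(f"{lan_ip}/{lan_mask}")
    gw = ipaddress.ip_address(gateway)
    start, end = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    mgmt = ipaddress.ip_address(mgmt_ip)

    if gw not in wan.network:
        problems.append("gateway-outside-wan-subnet")  # the ISP router must be on X1's subnet
    if wan.network.overlaps(lan.network):
        problems.append("wan-lan-overlap")  # routing between X0 and X1 becomes ambiguous
    if start > end:
        problems.append("dhcp-start-after-end")
    if start not in lan.network or end not in lan.network:
        problems.append("dhcp-outside-lan-subnet")
    if start <= lan.ip <= end:
        problems.append("dhcp-includes-appliance-address")  # a client could be leased X0's address
    if start <= lan.network.network_address or end >= lan.network.broadcast_address:
        problems.append("dhcp-includes-network-or-broadcast")
    if mgmt not in lan.network:
        problems.append("management-station-outside-lan")  # it could not reach 192.168.168.168
    elif start <= mgmt <= end:
        problems.append("dhcp-includes-management-station")  # static host inside the lease pool
    return problems


if __name__ == "__main__":
    # The values exactly as this chapter's example gives them.
    as_printed = validate_setup("64.56.191.114", "255.255.0.0", "10.0.0.254",
                                "192.168.168.168", "255.255.255.0",
                                "192.168.168.1", "192.168.168.255", "192.168.168.200")
    print("guide values:", as_printed)
    # Corrected values; the gateway 64.56.191.1 and the lease pool are assumptions.
    corrected = validate_setup("64.56.191.114", "255.255.255.0", "64.56.191.1",
                               "192.168.168.168", "255.255.255.0",
                               "192.168.168.10", "192.168.168.150", "192.168.168.200")
    print("corrected values:", corrected)
```

The first call reports four problems for the values as printed in this chapter; the second, with a /24 WAN mask, a gateway on that subnet and a lease pool that stays clear of the appliance, the management station and the broadcast address, reports none.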
4 Configuring Access to Public Servers
SonicOS Enhanced includes the Public Server Wizard, which automates configuring the
SonicWALL PRO 5060 to handle public servers, for example an e-mail server and a Web server
on your network that users on the Internet must be able to reach.
The Public Server Wizard allows you to select or define the server type (HTTP, FTP, Mail),
the private (internal) address object, and the public (external) address object. Once the
server type and the private and public network objects are configured, the wizard creates
the matching NAT Policies and Access Rule entries on the PRO 5060 for the server. You can
use the SonicWALL Management Interface for additional configuration options.
Creating the DMZ for Public Servers
The example network used in this guide has two public servers, an e-mail server and a web
server, in the DMZ zone. The DMZ is configured:
• DMZ Interface: X2 - 172.22.2.1
• DMZ IP Range: 172.22.2.0/24 (usable host addresses 172.22.2.2 through 172.22.2.254;
.1 is the interface itself and .255 is the broadcast address)
• Mail Server IP: 172.22.2.33
This example steps you through configuring the mail server in the DMZ zone, and making it
available both inside and outside your network. Placing your servers on the DMZ provides
added protection for your LAN from Internet threats.
Before using the Public Server Wizard to create the e-mail server in the DMZ, you must
configure a DMZ port:
1. Select Network>Interfaces.
2. Select an unassigned interface and click the Edit icon to edit its settings. For the
example in this guide, select X2.
3. In the Edit Interface window, assign:
• Zone: DMZ
• IP Address: 172.22.2.1
• Subnet Mask: 255.255.255.0
4. Click OK.
Note: Note the IP address range you assigned to the DMZ. To create a server in the DMZ, you
need to assign the server an IP address in that range. The range created in this example is
172.22.2.0/24, with host addresses 172.22.2.2 through 172.22.2.254 available for servers.
Creating Access to the Server with the Public Server
Wizard
Once you create the DMZ zone, you use the Public Server Wizard to set up each server on
your DMZ. The following example shows you how to configure the PRO 5060 to handle an
e-mail server.
1. On the System>Status page, click Wizards.
2. Select Public Server Wizard and click Next.
3. For Server Type, select Mail Server. Leave all three protocols selected, SMTP, POP3,
and IMAP. Click Next.
4. Enter the name of the server.
5. Enter the private IP address of the server. For this server to be in the DMZ zone, you must
specify an IP address in the range assigned to DMZ. The Public Server Wizard
automatically assigns the server to the zone in which its IP address belongs. In this
example, because the DMZ address range is 172.22.2.x/24, enter 172.22.2.33.
6. Click Next.
7. Enter the public IP address of the server. The default is the WAN public IP address. If
you enter a different IP address, the Public Server Wizard creates an address object for it
and binds that object to the WAN zone. For this example, use the default address.
8. Click Next.
9. The Summary page displays a summary of all the configuration you have performed in
the wizard. See the next section for an explanation of what the Public Server Wizard
configures on the PRO 5060.
10. Click Apply to complete the wizard and apply the configuration to your security
appliance. The final Congratulations page is displayed.
11. Click Close.
What the Public Server Wizard Configures
The Public Server Wizard performs several interrelated tasks within the SonicWALL
Management Interface to enable Internet users to access servers on your network. The
following explains the configuration changes made to your security appliance after
completing the wizard.
Server Address Objects
The wizard creates the address object for the new server and binds it to the DMZ zone. It
gives the object the name you specified for the server plus “_private.” The wizard assigns the
server to the DMZ because you specified an IP address in the DMZ address range. If you had
specified an IP address in the range of another zone, it would have bound the address object
to that zone. For example, if you had specified 10.0.93.100, and the IP range for the WAN
zone is 10.0.93.x/24, the wizard would have bound the IP address to the WAN zone. If you
specified an IP address out of the range of any zone you have configured, the wizard would
have bound the address object to the LAN zone. The wizard states that it uses the existing
WAN address object when constructing policies between the new server and the WAN.
Server Service Address Object
The wizard creates a service group object for the services used by the new server. In this
example, the service group includes SMTP, IMAP4 and POP3, the three mail services. This
way, you have a convenient group to refer to when creating or editing access policies for this
server.
Server NAT Policies
The wizard creates a NAT policy that translates the destination address of every incoming
packet that matches one of the services in the new service group and is addressed to the
WAN address, rewriting it to the address of the new server. In this example, a POP3 packet
arriving for the WAN interface (64.56.191.114) has its destination translated to
172.22.2.33. The wizard also creates a Loopback NAT policy so that mail service traffic
from inside your network that is addressed to the WAN IP address is likewise translated to
the address of the mail server.
Server Access Rules
The wizard creates an access policy allowing all mail service traffic from the WAN zone to the
DMZ. Only the services in the new service group are opened; any other traffic aimed at the
WAN address from an Untrusted zone is still dropped by default.
Testing the Public Server
You may wish to verify that all Address Objects, Access Rules and NAT Policies are created
properly by testing access from the WAN with an external host as well as internal (Firewalled
Subnets) access, which should be tested from all applicable zones and interfaces via both
the private and public addresses.
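The following Python model is an added illustration, not SonicOS code, of how the objects the Public Server Wizard creates work together: it applies the inbound and loopback NAT policies described above, then evaluates the access rule against the ingress zone and the translated destination, and falls back to the default behaviour of the security types. The policy names, the source rewrite on the loopback policy, and the constructed test packets (203.0.113.7 is a documentation address standing in for an Internet host) are assumptions of the model.

```python
"""Model of the NAT policies and access rule the Public Server Wizard creates for the
example mail server (added illustration; not SonicOS code)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Optional, Tuple

WAN_IP = "64.56.191.114"                 # X1, from the example network
MAIL_PRIVATE = "172.22.2.33"             # the mail server in the DMZ
MAIL_PORTS = frozenset({25, 110, 143})   # SMTP, POP3, IMAP4 on their standard ports

# Zone membership by subnet, from the example network; anything else is treated as WAN.
SUBNET_ZONES = {
    ipaddress.ip_network("192.168.168.0/24"): "LAN",
    ipaddress.ip_network("172.22.2.0/24"): "DMZ",
    ipaddress.ip_network("172.22.3.0/24"): "Accounting",
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((zone for net, zone in SUBNET_ZONES.items() if addr in net), "WAN")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatPolicy:
    name: str
    src_zones: FrozenSet[str]        # original source zones the policy applies to
    orig_dst: str
    ports: FrozenSet[int]
    trans_dst: str
    trans_src: Optional[str] = None  # None leaves the source address unchanged


# The two policies described above. The names are this model's own.
NAT_POLICIES = [
    NatPolicy("inbound mail DNAT", frozenset({"WAN"}), WAN_IP, MAIL_PORTS, MAIL_PRIVATE),
    # Loopback: internal clients use the public address. Rewriting the source as well is an
    # assumption of this model; without it the server would answer the client directly and
    # the reply would bypass the firewall's translation.
    NatPolicy("loopback mail DNAT", frozenset({"LAN", "DMZ", "Accounting"}), WAN_IP,
              MAIL_PORTS, MAIL_PRIVATE, trans_src=WAN_IP),
]


@dataclass(frozen=True)
class AccessRule:
    src_zone: str
    dst_zone: str
    dst_ip: str             # "any" or one address
    ports: FrozenSet[int]   # empty set matches any port
    action: str


# The rule the wizard creates: mail services from the WAN zone to the DMZ mail server.
ACCESS_RULES = [AccessRule("WAN", "DMZ", MAIL_PRIVATE, MAIL_PORTS, "allow")]

# Default inter-zone behaviour from the Security Types section: higher-trust zones reach
# lower-trust zones, and nothing enters from the WAN without an explicit rule.
DEFAULT_ALLOW = {("LAN", "DMZ"), ("LAN", "WAN"), ("Accounting", "DMZ"),
                 ("Accounting", "WAN"), ("DMZ", "WAN")}


def apply_nat(pkt: Packet, src_zone: str) -> Tuple[Packet, Optional[str]]:
    """Apply the first NAT policy whose original source zone, destination and port match."""
    for pol in NAT_POLICIES:
        if src_zone in pol.src_zones and pkt.dst_ip == pol.orig_dst and pkt.dst_port in pol.ports:
            new = replace(pkt, dst_ip=pol.trans_dst)
            if pol.trans_src:
                new = replace(new, src_ip=pol.trans_src)
            return new, pol.name
    return pkt, None


def forward(pkt: Packet) -> Dict[str, Optional[str]]:
    """Translate, then decide: the rule lookup uses the ingress zone and the translated destination."""
    src_zone = zone_of(pkt.src_ip)
    translated, policy = apply_nat(pkt, src_zone)
    dst_zone = zone_of(translated.dst_ip)
    verdict = None
    for rule in ACCESS_RULES:
        if ((rule.src_zone, rule.dst_zone) == (src_zone, dst_zone)
                and rule.dst_ip in ("any", translated.dst_ip)
                and (not rule.ports or translated.dst_port in rule.ports)):
            verdict = rule.action
            break
    if verdict is None:
        verdict = "allow" if (src_zone, dst_zone) in DEFAULT_ALLOW else "deny"
    return {"nat": policy, "src": translated.src_ip, "dst": translated.dst_ip, "verdict": verdict}


if __name__ == "__main__":
    # Constructed test packets; 203.0.113.7 is a documentation address standing in for the Internet.
    for pkt in (Packet("203.0.113.7", WAN_IP, 110),       # POP3 from the Internet
                Packet("192.168.168.50", WAN_IP, 25),      # SMTP from a LAN client via the public address
                Packet("203.0.113.7", WAN_IP, 22),         # SSH from the Internet: no policy, no rule
                Packet("203.0.113.7", MAIL_PRIVATE, 80)):  # HTTP aimed at the private address
        print(pkt, "->", forward(pkt))
```

The four packets in the main block correspond to the checks the Testing section asks for: external access to the public address, internal access through the loopback policy, and two requests that neither a NAT policy nor the access rule covers, which must fall through to the Untrusted default and be dropped.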
5 Creating a Custom Security Zone
SonicOS Enhanced provides zone-based security policies. A security zone is a logical
method for grouping one or more interfaces with user-configurable names, and applying
security rules as traffic passes from one zone to another zone. Using zones on your security
appliance enables you to organize resources into different zones, and then selectively allow
or deny various types of network traffic between zones. This allows you to restrict access to
critical internal resources, such as accounting or engineering code servers.
In this example, the administrator creates a custom zone on X4 to secure an Accounting
network.
Creating and Configuring the Zone
Creating and configuring a custom zone consists of three primary steps:
1. Create the zone and assign an interface.
2. Configure the DHCP server for the zone.
3. Configure Access Rules for the zone.
Creating the Zone and Assigning an Interface
1. In the SonicWALL Management Interface, select Network>Interface.
2. To edit the interface, click the Edit icon for the X4 interface. The Edit Interface
X4 window is displayed.
3. In the General tab, select Create new Zone from the Zone menu.
4. In the Add Zone dialog box, enter the configuration for the new zone:
• Name: Enter the name of the zone, for this example Accounting.
• Security Type: When creating a custom zone, the zone can be Trusted, Public, or
Wireless. Because you want this zone in this example to be on the LAN (protected)
side of the security appliance, select Trusted.
• Check Allow Interface Trust to allow unhindered traffic between interfaces within the
same zone.
• The three services, Content Filtering, Anti-Virus, and Intrusion Prevention
Service (IPS), are optional. See the SonicOS Administrator's Guide or
www.sonicwall.com for information on these services.
5. Click OK. You return to the Edit Interface window with the new accounting zone selected
and the rest of the configuration choices available.
6. Enter the information for the interface:
• Zone: The new zone is already selected.
• IP Address and Subnet Mask: Enter the IP address and subnet mask for the
interface. This will define the address range for this zone. For this example, enter
172.22.3.1 for the IP address and 255.255.255.0 for the subnet mask.
• Comment: Enter any descriptive text about the zone.
• Management: The choices under the Management heading allow the firewall
administrator to log in and manage the firewall using the selected protocols. For this
example, do not allow any management traffic. Leave all choices unchecked.
• User Login: These choices allow users to authenticate directly with the firewall using
HTTP or HTTPS. For this example, the users will authenticate with Windows
networking and the local servers in the accounting zone. Leave both options
unchecked.
7. Click OK.
8. A warning dialog box tells you that Web management is disabled on this zone. Because
Web management is enabled on the LAN zone, click OK to continue.
Configuring the DHCP Server
1. In the SonicWALL Management Interface, select Network>DHCP Server.
2. In the Network>DHCP Server page, if Enable DHCP Server is not checked, check it.
3. Click Configure. The DHCP Server Configuration window is displayed.
4. The Dynamic tab of the DHCP Server Configuration window should list a DHCP server
range for the X0 (LAN) zone.
5. Click Add in the Dynamic tab to add a range for your custom zone. The Dynamic
Range Configuration window is displayed.
6. Select the X4 interface you assigned to the new zone from the Interface list. When you
select the interface, the rest of the fields automatically populate with the information for
that zone.
7. Lease Time is the number of minutes a resource (a PC or Server) can hold on to a
dynamically assigned IP number. The default is 1440 minutes (24 hours).
8. Make sure Enable this DHCP Range is checked and click OK.
Configuring Access Rules for the Zone
1. In the SonicWALL Management Interface, select Firewall>Access Rules.
The default view of access rules is Matrix, which allows you to select the intersection of
two zones to view and configure rules between those zones. When you click on the Edit
icon in the matrix, you see the access rules for traffic from the zone in the left column
to the zone in the top row.
2. Check the access rule from the LAN to the new zone Accounting.
Because you selected Trusted for Security Type when you created the zone, the new
zone is on the trusted side of the firewall, and there is an access rule allowing all traffic
from the LAN to the new Accounting zone.
3. Select Firewall>Access Rules to return to the access rule matrix.
4. Click on the Edit icon to edit rules from the WAN to the new Accounting zone.
Because the zone is on the trusted side of the firewall, by default there is a rule denying
all traffic between the WAN and the new Accounting zone. To enable traffic from outside the
firewall, you must add rules that allow specific kinds of traffic to and from the WAN.
5. Click Add to add a new rule.
6. In the Add Rule dialog box, enter the information for the rule:
• Action: Select Allow.
• Service: Select the service or service group you want to allow from the WAN to the
new zone. To test the new zone, Ping and FTP can be useful.
• Source: Select a specific network source for the traffic. For this example, select Any.
• Destination: Select a destination within the new zone. For this example select Any.
• Users Allowed: Select the user or user group from whom traffic is allowed. For this
example, select All.
• Schedule: If you want the rule to be in effect only at specified times, select the times
when this rule is in effect from the Schedule list. This can be very useful if you do not
want access to a particular resource at certain hours or periods on a weekly basis. For
this example, select Always On.
• Logging: Check logging to automatically create a record of all traffic denied by this
rule.
7. Click OK to create the rule.
8. Click Access Rules in the left column to display the matrix again.
9. Click the Edit icon to edit rules from the new Accounting zone to the WAN.
Testing Access from the New Zone
1. Add another rule similar to the one in steps 5 through 7.
2. Connect a PC to the DMZ zone (X2).
3. Connect another PC to the new Accounting zone (X4). Make a note of its IP address.
4. On the PC in the DMZ, open a command prompt window.
5. Ping the IP address of the PC in the Accounting zone. For example:
H:\>ping 172.22.3.3
Pinging 172.22.3.3 with 32 bytes of data:
Reply from 172.22.3.3: bytes=32 time<1ms TTL=128
Reply from 172.22.3.3: bytes=32 time<1ms TTL=128
Reply from 172.22.3.3: bytes=32 time<1ms TTL=128
Reply from 172.22.3.3: bytes=32 time<1ms TTL=128
Ping statistics for 172.22.3.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
H:\>
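The zone defaults and the rules added in this chapter can be exercised with a small model of the access rule matrix. The following Python example is added here and is not SonicWALL code; the trust-level ordering that reproduces the two default rules described above, the service table, the packet fields and the log format are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption of this example: traffic from a zone at a higher or equal trust
# level is allowed by default and traffic from a lower level is denied. This
# reproduces the defaults the guide describes (LAN to Accounting allowed,
# WAN to Accounting denied).
TRUST = {"Untrusted": 0, "Public": 1, "Trusted": 2}

# Zones of the example network with their Security Types.
ZONES = {"LAN": "Trusted", "Accounting": "Trusted", "DMZ": "Public", "WAN": "Untrusted"}

# Constructed service table: name -> (protocol, destination port).
SERVICES = {"Ping": ("icmp", None), "FTP": ("tcp", 21), "HTTP": ("tcp", 80)}


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    proto: str
    dport: Optional[int]
    src: str
    dst: str
    hour: int = 12            # hour of day, used for Schedule checks


@dataclass
class Rule:
    action: str                        # "Allow" or "Deny"
    services: frozenset                # names from SERVICES
    source: str = "Any"                # "Any" or a specific address label
    destination: str = "Any"
    schedule: Optional[tuple] = None   # None = Always On, else (start_hour, end_hour)
    logging: bool = False

    def matches(self, pkt: Packet) -> bool:
        if not any(SERVICES[s] == (pkt.proto, pkt.dport) for s in self.services):
            return False
        if self.source != "Any" and self.source != pkt.src:
            return False
        if self.destination != "Any" and self.destination != pkt.dst:
            return False
        if self.schedule is not None:
            start, end = self.schedule
            if not start <= pkt.hour < end:
                return False
        return True


class AccessMatrix:
    """Ordered rules per (from_zone, to_zone) pair, first match wins."""

    def __init__(self):
        self.rules = {}
        self.log = []

    def add_rule(self, from_zone: str, to_zone: str, rule: Rule) -> None:
        self.rules.setdefault((from_zone, to_zone), []).append(rule)

    def default_action(self, from_zone: str, to_zone: str) -> str:
        return "Allow" if TRUST[ZONES[from_zone]] >= TRUST[ZONES[to_zone]] else "Deny"

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules.get((pkt.from_zone, pkt.to_zone), []):
            if rule.matches(pkt):
                if rule.logging:   # this model records every packet a logged rule matches
                    self.log.append(f"{rule.action} {pkt.from_zone}->{pkt.to_zone} "
                                    f"{pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}")
                return rule.action
        return self.default_action(pkt.from_zone, pkt.to_zone)


def build_example_matrix() -> AccessMatrix:
    m = AccessMatrix()
    # Step 6 above: Allow Ping and FTP from the WAN to Accounting, Any/Any, Always On, logged.
    m.add_rule("WAN", "Accounting", Rule("Allow", frozenset({"Ping", "FTP"}), logging=True))
    # The similar rule added for the Accounting zone to the WAN.
    m.add_rule("Accounting", "WAN", Rule("Allow", frozenset({"Ping", "FTP"}), logging=True))
    return m


if __name__ == "__main__":
    matrix = build_example_matrix()
    for pkt in [Packet("LAN", "Accounting", "tcp", 80, "172.22.1.10", "172.22.3.3"),
                Packet("WAN", "Accounting", "tcp", 80, "203.0.113.7", "172.22.3.3"),
                Packet("WAN", "Accounting", "icmp", None, "203.0.113.7", "172.22.3.3")]:
        print(pkt.from_zone, "->", pkt.to_zone, pkt.proto, pkt.dport, "=>", matrix.evaluate(pkt))
    print("\n".join(matrix.log))
```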
6 Configuring GroupVPN for SonicWALL Global VPN Clients
SonicWALL’s GroupVPN provides automatic VPN policy provisioning for SonicWALL Global
VPN Clients. The SonicWALL Global VPN Client provides an easy-to-use solution for secure,
encrypted access to the corporate network for remote dial-up or broadband users.
The GroupVPN on the security appliance and the SonicWALL Global VPN Client (part of the
SonicWALL Global Security Client) dramatically streamline VPN deployment and
management. Using SonicWALL’s Client Policy Provisioning technology, you define the VPN
policies for Global VPN Client users. This policy information automatically downloads from
the security appliance (VPN Gateway) to Global Security Clients, saving remote users the
burden of provisioning VPN connections.
The procedure in this guide includes a single GroupVPN policy configuration on the PRO
5060 to allow SonicWALL Global Security Client users to connect to the LAN through the
default WAN port.
Note: For more information on the SonicWALL Global VPN Client, see the SonicWALL Global
VPN Client Administrator’s Guide. For more information on the SonicWALL Global
Security Client, see the SonicWALL Global Security Client Administrator’s Guide.
Configuring GroupVPN using the VPN Policy Wizard
The VPN Wizard walks you step-by-step through the configuration of GroupVPN on the
security appliance. After you complete the configuration, the wizard creates the necessary VPN
settings for the selected VPN policy. You can use the SonicWALL Management Interface for
optional advanced configuration options.
Note: For more information on configuring GroupVPN, see the SonicOS 2.5 Administrator’s
Guide on the SonicWALL PRO 5060 Resource CD.
Using the VPN Policy Wizard
1. On the System>Status page, click on Wizards.
2. In the Welcome to the SonicWALL Configuration Wizard page select VPN Wizard
and click Next.
3. In the VPN Policy Type page, select WAN GroupVPN and click Next.
4. In the IKE Phase 1 Key Method page, you select the authentication key to use for this
VPN policy:
• Default Key: If you choose the default key, all your Global VPN Clients and Global
Security Clients will automatically use the default key generated by the security appliance
to authenticate with the security appliance.
• Use this Key: If you choose a custom preshared key, you must distribute the key to
every VPN Client because the user is prompted for this key when connecting to the
security appliance.
Note: If you select Use this Key, and leave the default key as the value, you must still distribute
the key to your VPN clients.
5. Click Next.
6. In the IKE Security Settings page, you select the security settings for IKE Phase 2
negotiations and for the VPN tunnel. You can use the default settings.
• DH Group: The Diffie-Hellman (DH) group is the group of numbers used to create
the key pair. Each subsequent group uses larger numbers to start with. You can
choose Group 1, Group 2, or Group 5. The VPN uses this during IKE negotiation to
create the key pair.
• Encryption: This is the method for encrypting data through the VPN Tunnel. The
methods are listed in order of security. DES is the least secure and takes the
least amount of time to encrypt and decrypt. AES-256 is the most secure and takes
the longest time to encrypt and decrypt. You can choose DES, 3DES, AES-128, or
AES-256.
• Authentication: This is the hashing method used to authenticate the key, once it is
exchanged during IKE negotiation. You can choose MD5 or SHA-1.
• Life Time (seconds): This is the length of time the VPN tunnel stays open before
needing to re-authenticate. The default is eight hours (28800).
Alert! The SonicWALL Global VPN Client version 1.x does not support AES encryption, so if you
choose this method, only SonicWALL Global VPN Client versions 2.x and higher will be able
to connect.
7. Click Next.
8. In the User Authentication page, select whether VPN users must authenticate with the
security appliance when they connect. If you select Enable User Authentication, you
must select the user group that contains the VPN users. For this example, leave
Enable User Authentication unchecked.
Alert! If you selected Default Key for the IKE Phase 1 Key Method (step 4), you must select
Enable User Authentication.
Note: If you enable user authentication, the users must be entered in the SonicWALL database
for authentication. Users are entered into the SonicWALL database on the Users>Local
Users page, and then you can add users to groups in the Users>Local Groups page.
9. Click Next.
10. In the Configure Virtual IP Adapter page, select whether you want SonicWALL Global
VPN Clients to use IP addresses from a DHCP server on the internal LAN (X0) interface
when the client connects to the SonicWALL Security Appliance. This allows Global VPN
Clients to obtain IP addresses from the LAN zone’s IP address range. Therefore, when a
user connects, it appears that the user is inside the LAN. The virtual IP address can be
obtained from the SonicWALL Security Appliance’s internal DHCP server or from an
existing network DHCP server. Check the Use Virtual IP Adapter box and click Next.
11. The Configuration Summary page details the settings that will be pushed to the
security appliance when you apply the configuration. Click Apply to create your
GroupVPN.
Connecting the Global VPN Clients
Remote users install the SonicWALL Global VPN Client software. Once they have installed
the application, they use a connection wizard to set up their VPN connection. To configure the
VPN connection, the client must have the following information:
• A public IP address (or domain name) of the WAN port for your security appliance
• The shared secret if you selected a custom preshared secret in the VPN Wizard.
• The authentication username and password.
Note: For more information on installing, configuring and managing the SonicWALL Global VPN
Client, see the SonicWALL Global VPN Client Administrator’s Guide or the
SonicWALL Global Security Client Administrator’s Guide on the PRO 5060 Resource
CD.
7 Configuring a Site-to-Site VPN
Remote office networks can securely connect to your network using site-to-site VPN
connections. For example, a satellite office using a SonicWALL TZ 170 Wireless that
supports a small group of users can provide secure access to the corporate network for all the
users at the remote office through a single VPN tunnel.
Using the VPN Policy Wizard, you can quickly create a site-to-site VPN policy from the PRO
5060 to the remote site. Whenever data is intended for the remote site, the SonicWALL
security appliance automatically encrypts the data and sends it over the Internet to the remote
site, where it is decrypted and forwarded to the intended destination.
Note: You need to configure the remote SonicWALL TZ 170 Wireless to complete the site-to-site
VPN configuration. See the SonicOS Administrator’s Guide for the SonicWALL TZ 170
Wireless for configuration instructions.
Configuring a Site-to-Site VPN using the VPN Policy Wizard
You use the VPN Policy Wizard to create the site-to-site VPN policy.
Using the VPN Policy Wizard to Configure Preshared Secret
1. On the System>Status page, click on Wizards.
2. In the Welcome to the SonicWALL Configuration Wizard page select VPN Wizard
and click Next.
3. In the VPN Policy Type page, select Site-to-Site and click Next.
4. In the Create Site-to-Site Policy page, enter the following information:
• Policy Name: Enter a name you can use to refer to the policy. For example, Boston
Office.
• Preshared Key: Enter a character string to use to authenticate traffic during IKE
Phase 1 negotiation. You can use the default, generated Preshared Key.
• I know my Remote Peer IP Address (or FQDN): If you check this option, this security
appliance can initiate the contact with the named remote peer.
If you do not check this option, the peer must initiate contact to create a VPN tunnel.
This device will use aggressive mode for IKE negotiation.
Note: The I know my Remote Peer IP Address (or FQDN) option should specify the peer address
whenever possible. Only leave it blank if the remote is dynamically addressed, or as a very
last resort.
For this example, leave the option unchecked.
• Remote Peer IP Address (or FQDN): If you checked the option above, enter the IP
address or Fully Qualified Domain Name (FQDN) of the remote peer (For example,
gateway.yourcompany.com).
5. Click Next.
6. In the Network Selection page, select the local and destination resources connecting
through this VPN:
• Local Networks: Select the local network resources protected by this security appliance
that you are connecting with this VPN. You can select any address object or
group on the device, including networks, subnets, individual servers, and interface IP
addresses.
If the object or group you want has not been created yet, select Create Object or
Create Group. Create the new object or group in the dialog box that pops up. Then
select the new object or group.
For this example, select LAN Subnets.
• Destination Networks: Select the network resources on the destination end of the
VPN Tunnel. If the object or group does not exist, select Create new Address Object
or Create new Address Group.
For example:
a. Select Create new Address Group.
b. In the Name field, enter LAN-DMZ Group.
c. In the list on the left, select LAN Subnets and DMZ Subnets and click the -> button.
Hold down the Ctrl key while clicking to select more than one item.
d. Click OK to create the group and return to the Network Selection page.
e. In the Destination Networks field, select the newly created group.
7. Click Next.
8. In the IKE Security Settings page, select the security settings used for IKE Phase 2
negotiations and for traffic through the VPN tunnel. You can use the default settings.
• DH Group: The Diffie-Hellman (DH) group is the group of numbers used to create
the key pair. Each subsequent group uses larger numbers to start with. You can
choose Group 1, Group 2, or Group 5. The VPN uses this during IKE negotiation to
create the key pair.
• Encryption: This is the method for encrypting data through the VPN Tunnel. The
methods are listed in order of security. DES is the least secure and takes the
least amount of time to encrypt and decrypt. AES-256 is the most secure and takes
the longest time to encrypt and decrypt. You can choose DES, 3DES, AES-128, or
AES-256. The VPN uses this for all data through the tunnel.
• Authentication: This is the hashing method used to authenticate the key, once it is
exchanged during IKE negotiation. You can choose MD5 or SHA-1.
• Life Time (seconds): This is the length of time the VPN tunnel stays open before
needing to re-authenticate. The default is eight hours (28800).
9. The Configuration Summary page details the settings that will be pushed to the
security appliance when you apply the configuration. Click Apply to create the VPN.
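The IKE Security Settings described for both the GroupVPN wizard and the site-to-site wizard, together with the Default Key and Remote Peer caveats from those chapters, are worth checking before clicking Apply. The following Python example is added here and is not SonicWALL code; the option strings, the oldest_client_major field and the check functions are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Choices offered by the wizard, listed weakest first as the guide describes them.
DH_GROUPS = ["Group 1", "Group 2", "Group 5"]
ENCRYPTION = ["DES", "3DES", "AES-128", "AES-256"]
AUTHENTICATION = ["MD5", "SHA-1"]
DEFAULT_LIFETIME = 28800   # seconds (eight hours), the wizard default


@dataclass
class IkeSettings:
    dh_group: str
    encryption: str
    authentication: str
    lifetime: int = DEFAULT_LIFETIME


@dataclass
class GroupVpnPolicy:
    ike: IkeSettings
    key_method: str               # "Default Key" or "Use this Key"
    user_authentication: bool     # Enable User Authentication checked
    oldest_client_major: int = 2  # oldest Global VPN Client release that must connect (assumed field)


@dataclass
class SiteToSitePolicy:
    ike: IkeSettings
    remote_peer: Optional[str]    # IP address or FQDN; None when the option is left unchecked


def check_ike(ike: IkeSettings) -> List[str]:
    """Return findings for an IKE Security Settings page; an empty list means nothing to flag."""
    for value, allowed in ((ike.dh_group, DH_GROUPS), (ike.encryption, ENCRYPTION),
                           (ike.authentication, AUTHENTICATION)):
        if value not in allowed:
            raise ValueError(f"{value!r} is not one of {allowed}")
    findings = []
    if ike.encryption == ENCRYPTION[0]:
        findings.append("encryption DES is the weakest choice offered; prefer AES-256")
    if ike.authentication == AUTHENTICATION[0]:
        findings.append("authentication MD5 is the weaker choice; prefer SHA-1")
    if ike.dh_group == DH_GROUPS[0]:
        findings.append("DH Group 1 uses the smallest numbers; prefer Group 5")
    if ike.lifetime > DEFAULT_LIFETIME:
        findings.append(f"lifetime {ike.lifetime}s exceeds the 28800s default; "
                        "the same keys stay in use longer")
    return findings


def check_groupvpn(policy: GroupVpnPolicy) -> List[str]:
    findings = check_ike(policy.ike)
    # Alert in the GroupVPN wizard: Default Key requires Enable User Authentication.
    if policy.key_method == "Default Key" and not policy.user_authentication:
        findings.append("Default Key selected without Enable User Authentication")
    # Alert in the GroupVPN wizard: Global VPN Client 1.x does not support AES.
    if policy.ike.encryption.startswith("AES") and policy.oldest_client_major < 2:
        findings.append("AES chosen but Global VPN Client 1.x must connect; "
                        "only versions 2.x and higher support AES")
    return findings


def check_site_to_site(policy: SiteToSitePolicy) -> List[str]:
    findings = check_ike(policy.ike)
    # Note in the site-to-site wizard: without a peer address the peer must
    # initiate and IKE runs in aggressive mode.
    if policy.remote_peer is None:
        findings.append("no Remote Peer IP Address (or FQDN): the peer must initiate and IKE "
                        "uses aggressive mode; set it unless the peer is dynamically addressed")
    return findings


if __name__ == "__main__":
    weak = GroupVpnPolicy(IkeSettings("Group 1", "DES", "MD5", 86400), "Default Key", False)
    for finding in check_groupvpn(weak):
        print("GroupVPN:", finding)
    s2s = SiteToSitePolicy(IkeSettings("Group 5", "AES-256", "SHA-1"), None)
    for finding in check_site_to_site(s2s):
        print("site-to-site:", finding)
```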
8 Registering the PRO 5060 and Activating Security Services
Once you’ve established your Internet connection, you can register your security appliance
at mySonicWALL.com as well as activate SonicWALL Security Services. Any bundled
services included with your SonicWALL PRO 5060 are automatically activated when you
register.
You need a mySonicWALL.com account to register your security appliance or activate
SonicWALL Security Services. You can create a mySonicWALL.com account directly from
the SonicWALL Management Interface. If your security appliance is connected to the
Internet, and you have a mySonicWALL.com account, you can register the security appliance
and activate SonicWALL Security Services directly from the Management Interface.
mySonicWALL.com
mySonicWALL.com delivers a convenient, one-stop resource for registration, activation, and
management of your SonicWALL products and services. Your mySonicWALL.com account
provides a single profile to do the following:
• Register your SonicWALL Internet Security Appliances
• Purchase/Activate SonicWALL Security Services and Upgrades
• Receive SonicWALL firmware and security service updates and alerts
• Manage (change or delete) your SonicWALL security services
• Access SonicWALL Technical Support
Creating a mySonicWALL.com account is easy and FREE. Simply complete an online
registration form. Once your account is created, you can register SonicWALL Internet
Security Appliances and activate SonicWALL Security Services associated with the security
appliance.
Your mySonicWALL.com account is accessible from any Internet connection with a Web
browser using the HTTPS (Hypertext Transfer Protocol Secure) protocol to protect your
sensitive information. You can also access mySonicWALL.com license and registration
services directly from the SonicWALL management interface for increased ease of use and
simplified services activation.
Tip! For more information on mySonicWALL.com, access the online help available at
https://www.mysonicwall.com.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL
If your security appliance is not registered, the following message is displayed in the Security
Services folder on the System>Status page in the SonicWALL Management Interface: Your
SonicWALL is not registered. Click here to Register your SonicWALL Security
Appliance.
You can also manually register your security appliance at the www.mySonicWALL.com site
by using the Serial Number and Authentication Code displayed in the Security Services
section. Click the SonicWALL link to access your mySonicWALL.com account. You will be
given a registration code after you have registered your security appliance. Enter the
registration code in the field below the You will be given a registration code, which you
should enter below heading, then click Update.
The following sections explain how to create a mySonicWALL.com account from the
SonicWALL Management Interface, if you don’t have an account, and how to register your
security appliance directly from the Management Interface.
Creating Your mySonicWALL.com Account
If you already have a mySonicWALL.com account, skip this section. To create a
mySonicWALL.com account from the SonicWALL Management Interface, follow these steps:
1. In the Security Services folder on the System>Status page in the SonicWALL
Management Interface, click the here link in Your security appliance is not registered.
Click here to Register your security appliance. The mySonicWALL.com Login page
is displayed.
2. Click the here link in If you do not have a mySonicWALL account, please click here
to create one. The mySonicWALL.com account form is displayed.
3. Enter your information in the Account Information, Personal Information and
Preferences fields. All fields marked with an * are required fields.
Alert! Remember your username and password to access your mySonicWALL.com account.
4. Click Submit after completing the mySonicWALL.com account form.
5. Review your account information. If the information is correct, click OK. You will receive
a subscription code by e-mail from SonicWALL. This code is required to complete the
activation of your new account.
Alert! Your new account must be activated with the subscription code within 72 hours of receiving
the code.
6. After you receive your subscription code, in the Security Services folder on the
System>Status page in the SonicWALL Management Interface, click the here link in
Your SonicWALL is not registered. Click here to Register your SonicWALL.
7. In the mySonicWALL.com Login page, enter your mySonicWALL.com account
username and password, and click Submit. You are prompted for the subscription code.
8. Enter your subscription code and click Submit. Your mySonicWALL.com account is
activated.
Registering Your SonicWALL from the Management Interface
If you have a mySonicWALL.com account, follow these steps to register your security
appliance:
1. Click the here link to automatically register your security appliance. The
mySonicWALL.com Login page is displayed.
2. Type your mySonicWALL.com username and password in the User Name and
Password fields and click Submit.
3. Type in a “friendly name” for your SonicWALL in the Friendly Name field. A friendly name
is used to help identify your SonicWALL, such as its location.
4. Click Submit. Your security appliance is now registered.
Alert! Make sure the DNS and Time settings on your security appliance are correct when you
register the device.
Activating SonicWALL Security Services
After you have successfully registered your SonicWALL PRO 5060, all the bundled Security
Services are automatically activated. You can view the status of all your SonicWALL Security
Services from the Management Interface.
In the System>Licenses page, click the click here link in the Manage Security Services
Online section to display the MySonicWALL.com Login page. In the mySonicWALL.com
Login page, type your mySonicWALL.com username and password in the User Name and
Password fields, then click Submit. The Manage Services Online page is displayed.
All the SonicWALL Security Services available for the security appliance are
displayed. If a service is activated, the number of licenses for that service is
displayed in the Count column. The expiration date for any activated service is displayed in
the Expiration column.
Note: For product documentation on a SonicWALL Security Service, see the PRO 5060
Resource CD or go to the SonicWALL documentation site at
http://www.sonicwall.com/services.documentation.html.
© 2004 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................... 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............ 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Page 2 SonicWALL Gateway Anti-Virus Administrator’s Guide
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within cannot be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
Page 2 SonicWALL Gateway Anti-Virus Administrator’s Guide
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site:
.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.

Convention                    Use
Bold                          Highlights items you can select on the SonicWALL management interface.
Italic                        Highlights a value to enter into a field. For example, “type
                              192.168.168.168 in the IP Address field.”
Top Level Menu Button >       Indicates a multiple step Management Interface menu choice. For example,
Submenu Item                  Security Services > Gateway Anti-Virus means select Security Services,
                              then select Gateway Anti-Virus.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. Virus is logged and an alert is sent to the administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received
by the e-mail server.
3. If a virus is found, the threat is prevented.
4. E-mail is returned to sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection version 2.0)
engine, which performs all scanning directly on the SonicWALL security appliance. SonicWALL GAV
includes advanced decompression technology that can automatically decompress and scan files on a
per packet basis to search for viruses and malware. The SonicWALL GAV engine can perform base64
decoding without ever reassembling the entire base64-encoded mail stream. Because SonicWALL GAV
does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine.
Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass,
per-packet basis. The reassembly-free virus scanning functionality of the SonicWALL GAV engine is
inherited from the Deep Packet Inspection engine, which is capable of scanning streams without ever
buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
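The per-packet, reassembly-free scanning described above can be illustrated with a small simulation. The code below is an added example written for this guide, not SonicWALL's engine or any SonicWALL API; the signature string, the sample file and the packet sizes are constructed for the demonstration, and the class and function names are the example's own. Base64 is decoded in complete 4-character groups as each packet arrives, gzip is inflated incrementally by zlib, and the matcher carries only the last len(signature)-1 bytes forward, so a signature that straddles a packet boundary is still found without buffering the file. A naive per-packet check is included for contrast, because that is the failure mode the carry-over avoids.

```python
import base64
import gzip
import zlib

# Constructed marker standing in for a virus signature (not a SonicWALL signature).
SIGNATURES = {"TEST-0001": b"CONSTRUCTED-MALWARE-SIGNATURE-0001"}


class StreamingBase64:
    """Decode base64 packet by packet, carrying an incomplete 4-character group forward."""

    def __init__(self):
        self._carry = b""

    def feed(self, chunk):
        # MIME base64 is line-wrapped; drop whitespace before grouping.
        data = self._carry + bytes(c for c in chunk if c not in b" \t\r\n")
        usable = len(data) - len(data) % 4
        self._carry = data[usable:]
        return base64.b64decode(data[:usable]) if usable else b""


class StreamingGunzip:
    """Inflate a gzip stream incrementally; zlib buffers partial blocks internally."""

    def __init__(self):
        self._inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing

    def feed(self, chunk):
        return self._inflater.decompress(chunk)


class StreamingMatcher:
    """Match signatures across packet boundaries by keeping only the last len(sig)-1 bytes."""

    def __init__(self, signatures):
        self._sigs = signatures
        self._keep = max(len(s) for s in signatures.values()) - 1
        self._tail = b""

    def feed(self, chunk):
        window = self._tail + chunk
        hit = next((name for name, sig in self._sigs.items() if sig in window), None)
        self._tail = window[-self._keep:] if self._keep else b""
        return hit


def scan_stream(packets, base64_encoded=False, gzipped=False):
    """Scan packets in arrival order. Returns (signature name or None, packets inspected).
    A gateway would drop the connection at the packet where the hit occurs, so nothing
    after that packet is forwarded."""
    b64 = StreamingBase64() if base64_encoded else None
    gz = StreamingGunzip() if gzipped else None
    matcher = StreamingMatcher(SIGNATURES)
    seen = 0
    for pkt in packets:
        seen += 1
        data = pkt
        if b64:
            data = b64.feed(data)
        if gz:
            data = gz.feed(data)
        hit = matcher.feed(data)
        if hit:
            return hit, seen
    return None, seen


def scan_per_packet_naive(packets):
    """Contrast: scanning each packet in isolation misses a signature split across packets."""
    for pkt in packets:
        for name, sig in SIGNATURES.items():
            if sig in pkt:
                return name
    return None


def split_packets(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]


def build_sample(infected=True, gzipped=False, base64_encoded=False):
    """Constructed sample: filler with the marker in the middle, optionally gzip-compressed
    and then base64-encoded the way a mail attachment is."""
    body = b"A" * 500 + (SIGNATURES["TEST-0001"] if infected else b"") + b"B" * 500
    if gzipped:
        body = gzip.compress(body)
    if base64_encoded:
        body = base64.encodebytes(body)  # 76-column lines, as MIME does
    return body


if __name__ == "__main__":
    pkts = split_packets(build_sample(), 128)
    print("streaming:", scan_stream(pkts), "naive:", scan_per_packet_naive(pkts))
    enc = split_packets(build_sample(gzipped=True, base64_encoded=True), 40)
    print("gzip+base64:", scan_stream(enc, base64_encoded=True, gzipped=True))
```

Run as a script, the plain case scans a constructed 1,034-byte file in 128-byte packets; the marker straddles the boundary at byte 512, so the streaming scanner reports it on packet 5 while the naive check misses it. The second run pushes the gzip-then-base64 form through the same pipeline 40 bytes at a time.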
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as
shown in the following table:

Platform        GAV-Disabled    GAV-Enabled           Concurrent          GAV Signatures
                Connections     Connections Cache     Compressed File
                Cache Size      Size (Concurrent      Downloads with GAV
                                File Downloads)
TZ 150 Series   2,048           2,048                 100                 4,500
TZ 170 Series   6,144           6,144                 100                 4,500
PRO 1260        6,144           6,144                 100                 4,500
PRO 2040        32,768          16,384                300                 25,000
PRO 3060        131,072         65,536                1,000               25,000
PRO 4060        524,288         131,072               1,500               25,000
PRO 5060        750,000         393,216               3,000               25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is removed from the head of the sender's
queue by returning a 552 SMTP response, which prevents it from being resent, and the connection is
terminated.
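The SMTP prevention mechanism above can be illustrated as a protocol exchange. The code below is an added example written for this guide, not SonicWALL code; the gateway replies, host names, addresses and marker string are constructed, and the upstream mail server is not modelled. The simulated gateway accepts the envelope, collects the DATA section, decodes a base64 body before checking it, and on a hit answers the end-of-data terminator with a 552 reply and drops the session, so the sender treats the message as permanently rejected instead of resending it.

```python
import base64

# Constructed marker standing in for a virus signature (not a SonicWALL signature).
MARKER = b"CONSTRUCTED-MALWARE-SIGNATURE-0001"


def scan_data_section(lines):
    """Return True if the marker is present in the message body. When the headers declare
    base64 transfer encoding the body is decoded first, so the check runs on the bytes the
    recipient's mail client would produce."""
    try:
        blank = lines.index("")
    except ValueError:
        blank = len(lines)
    headers, body = lines[:blank], lines[blank + 1:]
    is_base64 = any(
        h.lower().startswith("content-transfer-encoding:") and "base64" in h.lower()
        for h in headers
    )
    raw = base64.b64decode("".join(body)) if is_base64 else "\n".join(body).encode()
    return MARKER in raw


def smtp_gateway_session(client_lines):
    """Simulate the gateway's side of an SMTP session. Returns the transcript as a list of
    'C: ...' / 'S: ...' lines. On a hit, the end-of-DATA terminator gets a 552 reply and
    the session is cut off; no further client commands are processed."""
    transcript = ["S: 220 gateway.example.test ESMTP ready"]
    in_data, data = False, []
    for line in client_lines:
        transcript.append("C: " + line)
        if in_data:
            if line == ".":
                in_data = False
                if scan_data_section(data):
                    transcript.append("S: 552 Message rejected: content inspection detected a threat")
                    transcript.append("-- connection terminated by gateway --")
                    return transcript
                transcript.append("S: 250 OK: queued")
                data = []
            else:
                data.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            in_data = True
            transcript.append("S: 354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            transcript.append("S: 221 Bye")
            return transcript
        elif verb in ("EHLO", "HELO", "MAIL", "RCPT"):
            transcript.append("S: 250 OK")
        else:
            transcript.append("S: 500 Command not recognized")
    return transcript


def build_session(infected):
    """Constructed client side of a session carrying one base64-encoded message."""
    body = b"Quarterly report attached.\n" + (MARKER if infected else b"") + b"\n"
    message = [
        "From: alice@example.test",
        "To: bob@example.test",
        "Subject: report",
        "Content-Transfer-Encoding: base64",
        "",
    ] + base64.encodebytes(body).decode("ascii").splitlines()
    return ["EHLO client.example.test", "MAIL FROM:<alice@example.test>",
            "RCPT TO:<bob@example.test>", "DATA"] + message + [".", "QUIT"]


if __name__ == "__main__":
    for entry in smtp_gateway_session(build_session(infected=True)):
        print(entry)
```

The clean session ends with the usual 250 after the terminator and a 221 on QUIT; the infected one never reaches QUIT, which is the observable difference a mail administrator sees in the sending MTA's log.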
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method
is not supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP
port 80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and
reassembly of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
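The Range and REST suppression described in the HTTP and FTP sections above can be shown with two small gateway-side filters. This is an added example written for this guide, not SonicWALL code; the function names, reply text and sample request are the example's own. strip_range_headers removes Range and If-Range from a client request so the server answers with one complete stream; filter_ftp_command refuses REST on the control channel unless the administrator has chosen to allow it, mirroring the /diag.html override the guide mentions; range_responses_seen_separately shows the reason for both, namely that a marker split across two byte ranges is invisible to a scan of either response on its own.

```python
# Constructed marker standing in for a virus signature (not a SonicWALL signature).
MARKER = b"CONSTRUCTED-MALWARE-SIGNATURE-0001"

_RANGE_HEADERS = (b"range", b"if-range")


def strip_range_headers(request):
    """Rewrite an HTTP request so the origin server returns the whole object.
    Returns (rewritten request, list of removed header lines). Only the header block
    is touched; the request line and any body are passed through unchanged."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept, removed = [lines[0]], []
    for line in lines[1:]:
        name = line.split(b":", 1)[0].strip().lower()
        (removed if name in _RANGE_HEADERS else kept).append(line)
    return b"\r\n".join(kept) + sep + body, removed


def filter_ftp_command(line, allow_rest=False):
    """FTP control-channel filter. Returns (command to forward or None, reply to send to the
    client or None). REST is answered locally with a 502 unless explicitly allowed."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb == "REST" and not allow_rest:
        return None, "502 REST not permitted while content inspection is enabled"
    return line, None


def range_responses_seen_separately(content, split):
    """Model a download fetched as two byte ranges [0, split) and [split, end). Each range
    is scanned as its own response, then the whole object is scanned once, to show why
    sectional retrieval has to be suppressed rather than scanned piecewise."""
    part1, part2 = content[:split], content[split:]
    return {"part1": MARKER in part1, "part2": MARKER in part2, "whole": MARKER in content}


if __name__ == "__main__":
    # Constructed request with a byte-range header, as a download accelerator would send.
    req = (b"GET /files/report.zip HTTP/1.1\r\n"
           b"Host: files.example.test\r\n"
           b"Range: bytes=0-511\r\n"
           b"Accept: */*\r\n\r\n")
    rewritten, dropped = strip_range_headers(req)
    print(rewritten.decode(), dropped)
    print(filter_ftp_command("REST 4096"))
    sample = b"A" * 500 + MARKER + b"B" * 500
    print(range_responses_seen_separately(sample, 512))
```

The constructed object places the marker across the 512-byte split, so the two range responses each look clean while the single complete response does not; that is the case the suppression exists for, and the accelerator-breakage caveat in the HTTP note above is the cost of it.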
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, Enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface box and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
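The two properties the paragraph above names, a pre-shared secret that authenticates the appliance and an HTTPS transport with full server certificate verification, are illustrated below with an added example. This is not SonicWALL code and the Distributed Enforcement Architecture protocol is not public; the request layout, the HMAC-SHA256 tag, the replay window and the DEMO_PSK value are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import ssl

# Constructed placeholder; a real appliance receives its secret during licensing registration.
DEMO_PSK = b"example-pre-shared-secret-from-registration"


def canonical_bytes(body: dict) -> bytes:
    """Stable serialization so both sides compute the MAC over identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_update_request(psk: bytes, device_id: str, db_timestamp: int, now: int) -> dict:
    """Appliance side (assumed layout): state which database version it holds and
    tag the request with an HMAC keyed by the pre-shared secret."""
    body = {"device": device_id, "db_timestamp": db_timestamp, "sent_at": now}
    tag = hmac.new(psk, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_update_request(psk: bytes, request: dict, now: int, max_skew: int = 300) -> bool:
    """Server side: reject a request whose tag does not verify (wrong secret or
    tampered body) or whose timestamp is outside the replay window."""
    expected = hmac.new(psk, canonical_bytes(request["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request["tag"]):
        return False
    return abs(now - request["body"]["sent_at"]) <= max_skew


def update_tls_context() -> ssl.SSLContext:
    """Client TLS settings that amount to 'full server certificate verification':
    chain validation against trusted CAs, hostname check, and no legacy versions."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Helper so the verification settings can be checked without opening a socket."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    req = build_update_request(DEMO_PSK, "dev-0001", 1100000000, 1100000100)
    print("valid:", verify_update_request(DEMO_PSK, req, 1100000150))
    print("strict TLS:", context_is_strict(update_tls_context()))
```

The HMAC covers the whole body, so a modified database timestamp or device identifier fails verification; the certificate context is what prevents a spoofed signature server from being accepted even when the transport is HTTPS.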
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP-based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
Traffic      Source Zone                     Destination Zone
Non-SMTP     Trusted, Wireless, Encrypted    Any
Non-SMTP     Public                          Untrusted
SMTP         Non-Trusted                     Trusted, Wireless, Encrypted, Public
SMTP         Trusted, Wireless, Encrypted    Trusted, Wireless, Encrypted
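The four list items above define which flows Enable Inbound Inspection covers in terms of protocol and the security types of the source and destination zones. The added example below encodes those four items as a decision function and evaluates every source/destination pair, which makes the gaps visible (for instance, SMTP from a Trusted zone to a Public zone matches no item). This is illustrative code, not SonicWALL's implementation; the rule labels and the set of security-type names are assumptions taken from the list above.

```python
# Zone security types named in the list above.
INTERNAL_TYPES = frozenset({"Trusted", "Wireless", "Encrypted"})
ALL_TYPES = INTERNAL_TYPES | {"Public", "Untrusted"}


def inbound_inspection_rule(protocol: str, src_type: str, dst_type: str):
    """Return the label of the list item that makes this flow subject to
    Enable Inbound Inspection, or None when no item matches.

    protocol: application protocol name, e.g. "HTTP" or "SMTP"
    src_type: security type of the zone that initiates the connection
    dst_type: security type of the destination zone
    """
    if src_type not in ALL_TYPES or dst_type not in ALL_TYPES:
        raise ValueError("unknown zone security type")

    if protocol.upper() != "SMTP":
        # Item 1: non-SMTP from Trusted/Wireless/Encrypted to any zone.
        if src_type in INTERNAL_TYPES:
            return "non-SMTP: internal -> any"
        # Item 2: non-SMTP from a Public zone to an Untrusted zone.
        if src_type == "Public" and dst_type == "Untrusted":
            return "non-SMTP: Public -> Untrusted"
        return None

    # Item 3: SMTP from a non-Trusted zone to Trusted/Wireless/Encrypted/Public.
    if src_type != "Trusted" and dst_type in INTERNAL_TYPES | {"Public"}:
        return "SMTP: non-Trusted -> internal or Public"
    # Item 4: SMTP from Trusted/Wireless/Encrypted to Trusted/Wireless/Encrypted.
    if src_type in INTERNAL_TYPES and dst_type in INTERNAL_TYPES:
        return "SMTP: internal -> internal"
    return None


def inspection_matrix(protocol: str) -> dict:
    """Evaluate every (source, destination) security-type pair for one protocol."""
    order = ["Trusted", "Wireless", "Encrypted", "Public", "Untrusted"]
    return {(s, d): inbound_inspection_rule(protocol, s, d) for s in order for d in order}


if __name__ == "__main__":
    for proto in ("HTTP", "SMTP"):
        print(proto)
        for (s, d), rule in inspection_matrix(proto).items():
            print(f"  {s:>9} -> {d:<9} {'inspected' if rule else 'not inspected'}")
```

Running the matrix for a protocol is a quick way to confirm what a zone layout actually covers before relying on it; any pair that prints "not inspected" is traffic the inbound setting leaves to other controls.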
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password-protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfer of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
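The three restrict-transfer settings above each key on an attribute that is visible in the first bytes of a file, which is what makes them enforceable in a per-packet scanner. The added example below implements one detector per setting and a small classifier that maps a byte string to the settings it would trip. This is illustrative code, not SonicWALL's engine: the ZIP encryption flag and the OOXML vbaProject.bin part are documented formats, while the OLE2 stream-name search and the packer section-name list (UPX and ASPack only; FSG, PKLite32 and Petite are not covered here) are simplifying heuristics. All sample inputs are constructed in the block.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER_SIG = b"PK\x03\x04"
OLE2_SIG = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Stream name of the VBA project in an OLE2 (Office 97-2003) container, UTF-16LE as stored.
VBA_PROJECT_UTF16 = "_VBA_PROJECT".encode("utf-16-le")
# PE section names used by two packers the list above names (UPX, ASPack).
# Assumption: a section-name heuristic stands in for real packer detection.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata"}


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk ZIP local file headers; bit 0 of the general-purpose flag marks encryption.
    Local headers precede each member, so this works on a stream before the central
    directory (stored at the end of the archive) has arrived."""
    off = data.find(ZIP_LOCAL_HEADER_SIG)
    while off >= 0 and off + 30 <= len(data):
        flags = struct.unpack_from("<H", data, off + 6)[0]
        if flags & 0x0001:
            return True
        off = data.find(ZIP_LOCAL_HEADER_SIG, off + 4)
    return False


def ooxml_has_vba_project(data: bytes) -> bool:
    """Office 2007+ files are ZIP containers; macros live in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def ole2_has_vba_project(data: bytes) -> bool:
    """Crude check: the _VBA_PROJECT stream name inside a legacy OLE2 container."""
    return data.startswith(OLE2_SIG) and VBA_PROJECT_UTF16 in data


def pe_packer_sections(data: bytes) -> list:
    """Return PE section names matching a known packer; [] if none or not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\x00\x00":
        return []
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size      # section table follows the optional header
    hits = []
    for i in range(num_sections):
        off = table + i * 40        # each section header is 40 bytes, name first
        if off + 40 > len(data):
            break
        name = data[off:off + 8].rstrip(b"\x00")
        if name in PACKER_SECTION_NAMES:
            hits.append(name.decode("ascii", "replace"))
    return hits


def restricted_transfer_reasons(data: bytes) -> list:
    """Map a file's bytes to the restrict-transfer settings it would trip."""
    reasons = []
    if data.startswith(ZIP_LOCAL_HEADER_SIG):
        if zip_has_encrypted_entry(data):
            reasons.append("password-protected ZIP")
        if ooxml_has_vba_project(data):
            reasons.append("MS-Office file with macros")
    elif ole2_has_vba_project(data):
        reasons.append("MS-Office file with macros")
    elif pe_packer_sections(data):
        reasons.append("packed executable")
    return reasons


# Constructed sample inputs (minimal headers, not real files).
def build_zip_local_header(name: bytes, encrypted: bool) -> bytes:
    flags = 0x0001 if encrypted else 0x0000
    fixed = struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, 0, 0, 0, len(name), 0)
    return ZIP_LOCAL_HEADER_SIG + fixed + name


def build_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


def build_pe(section_names) -> bytes:
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + sections
```

The ZIP check is the one that matters most for a reassembly-free design: the encryption flag sits in the local header at the start of each member, so a stream scanner can act on it without waiting for the central directory at the end of the archive.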
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from the menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL,Inc.
1143 Borregas Avenue
Sunnyvale,CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations
by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones
(SonicOS Enhanced 3.0) ............................................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within cannot be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site:
.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
• Bold - Highlights items you can select on the SonicWALL management interface.
• Italic - Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address
field.”
• Top Level Menu Button > Submenu Item - Indicates a multiple-step Management Interface menu
choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then
select Gateway Anti-Virus.
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - +1800.35.1642
Austria - +43(0)820.400.105
EMEA - +31(0)411.617.810
France - +33(0)1.4933.7414
Germany - +49(0)1805.0800.22
Hong Kong - +1.800.93.0997
India - +8026556828
Italy - +39.02.7541.9803
Japan - +81(0)3.5460.5356
New Zealand - +0800.446489
Singapore - +800.110.1441
Spain - +34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktops.
4. The virus is logged and an alert is sent to the administrator.
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client makes a request to download a file from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection
version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. What is limited is the number of streams that can be inspected
concurrently, and that limit is platform dependent, as shown in the following table:

Platform         GAV-Disabled      GAV-Enabled            Concurrent           GAV
                 Connections       Connections Cache      Compressed File      Signatures
                 Cache Size        Size (Concurrent       Downloads with
                                   File Downloads)        GAV
TZ 150 Series    2,048             2,048                  100                  4,500
TZ 170 Series    6,144             6,144                  100                  4,500
PRO 1260         6,144             6,144                  100                  4,500
PRO 2040         32,768            16,384                 300                  25,000
PRO 3060         131,072           65,536                 1,000                25,000
PRO 4060         524,288           131,072                1,500                25,000
PRO 5060         750,000           393,216                3,000                25,000

Disabling the SonicWALL GAV/IPS Engine
If SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on your SonicWALL
security appliance, the SonicWALL GAV/IPS engine itself can be disabled and its resources reallocated
to the SPI connection cache; the GAV-Disabled column in the table above shows the resulting connection
cache size for each platform. Note that this option disables both anti-virus scanning and intrusion
prevention.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, the action taken depends on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and is displayed to the user if either application is
active. Application-level awareness of the protocol that was transporting the violation allows
very specific actions to be taken to gracefully handle the rejection of the payload, as described for each
protocol below.
Note: 8-bit encoding is handled natively for all e-mail based protocols (SMTP, POP3, and IMAP), since no
decoding is required for that encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response and the
connection is terminated. Because 552 is a permanent failure code, the sending mail server removes the
message from the head of its send queue instead of retrying, so the message is not resent.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
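The SMTP and POP3 prevention mechanisms described above, modelled in code. This is an added example and not SonicWALL's engine: it reassembles the whole message in memory (the GAV engine is reassembly-free), but the protocol-level decisions are the ones the text describes: base64 decoding of attachments, inspection of ZIP members, a 552 response for SMTP and a DELE for POP3. The signature string, the sample message and the QUIT issued after DELE are assumptions made for this example.

```python
"""Mail-protocol virus handling modelled on the SMTP and POP3 mechanisms above.
Added example, not SonicWALL code: the message is reassembled in memory here,
which the real per-packet engine avoids, but the protocol outcome is the same.
The signature is constructed; use the EICAR test string for a live test."""
import io
import zipfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SIGNATURES = [b"CONSTRUCTED-MALWARE-SIGNATURE-0001"]   # constructed stand-in


def scan_bytes(data: bytes, depth: int = 0) -> bool:
    """Match raw bytes; if the blob is a ZIP archive, also scan each member
    (two levels deep, so a zip inside a zip is still looked at)."""
    if any(sig in data for sig in SIGNATURES):
        return True
    if depth < 2 and data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.flag_bits & 0x1:        # encrypted entry: cannot be inspected
                        continue
                    if scan_bytes(zf.read(member), depth + 1):
                        return True
        except zipfile.BadZipFile:
            return False                               # truncated/corrupt archive: nothing to match
    return False


def message_is_infected(raw: bytes) -> bool:
    """Walk the MIME tree; get_payload(decode=True) undoes base64/quoted-printable."""
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        if scan_bytes(part.get_payload(decode=True) or b""):
            return True
    return False


def smtp_data_response(raw: bytes) -> str:
    """Reply given to the sending MTA once the message content has been seen.
    552 is a permanent (5xx) failure, so the sender drops the message from its
    queue and bounces it instead of retrying (the 'returned to sender' step)."""
    if message_is_infected(raw):
        return "552 Message blocked: virus detected by gateway anti-virus"
    return "250 OK: queued"


def pop3_retr_plan(raw: bytes, msg_number: int) -> list:
    """Commands issued to the POP3 server on the client's behalf when a RETR'd
    message is infected. Assumed here: QUIT follows DELE, because a DELE only
    takes effect once the session reaches the UPDATE state (RFC 1939)."""
    if message_is_infected(raw):
        return [f"DELE {msg_number}", "QUIT"]
    return []


def build_sample_message(infected: bool) -> bytes:
    """Constructed input: text body plus a base64-encoded ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.exe" if infected else "report.txt",
                    SIGNATURES[0] if infected else b"quarterly figures")
    msg = MIMEMultipart()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.test", "user@example.test", "report"
    msg.attach(MIMEText("see attached"))
    att = MIMEApplication(buf.getvalue(), _subtype="zip")   # base64-encodes the payload
    att.add_header("Content-Disposition", "attachment", filename="report.zip")
    msg.attach(att)
    return msg.as_bytes()


if __name__ == "__main__":
    for infected in (False, True):
        raw = build_sample_message(infected)
        print(smtp_data_response(raw), pop3_retr_plan(raw, 1))
```

Run it and the infected sample produces the 552 line and ['DELE 1', 'QUIT'], the clean one 250 and []. Two points worth keeping in mind: a permanent 5xx makes the upstream mail server bounce the message, which is the "returned to sender" behaviour in the Server Protection walkthrough, and an encrypted ZIP member is skipped because it cannot be decompressed, which is what the Restrict Transfer option for password-protected ZIP files is there to cover.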
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is
not supported when the HTTP response uses chunked transfer encoding. All HTTP traffic is inspected, not
just TCP port 80. The use of HTTP Byte-Range requests is suppressed to prevent the sectional retrieval and
reassembly of potentially malicious content: a file fetched as several independent ranges never passes the
scanner as a single stream, so no one stream would contain the complete signature.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. The FTP stateful code follows data port
negotiations, allowing FTP data to be inspected on any TCP port. The use of the FTP 'REST' (restart)
request is suppressed to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
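Why the Byte-Range suppression in the HTTP section and the REST suppression in the FTP section matter, as an added example that is not SonicWALL code: a per-stream scanner, a minimal origin server that honours Range, and a gateway that strips the header before the request goes out. The signature, the file body and the request are constructed for the example. FTP REST lets a client resume at an arbitrary offset and so permits the same split of one file across several connections; the same logic applies there.

```python
"""Per-stream scanning versus sectional retrieval. Added example, not SonicWALL
code: shows why a gateway that scans each TCP stream on its own must stop
clients from fetching a file as several independent byte ranges."""
import re
from typing import Optional

SIGNATURE = b"CONSTRUCTED-MALWARE-SIGNATURE-0001"   # constructed stand-in


def stream_matches(stream: bytes) -> bool:
    """Per-stream match: the scanner only ever sees one TCP stream at a time."""
    return SIGNATURE in stream


def range_header(request: bytes) -> Optional[str]:
    """Value of the Range header in an HTTP request, or None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"range:"):
            return line.split(b":", 1)[1].decode("ascii").strip()
    return None


def strip_range(request: bytes) -> bytes:
    """Gateway policy: drop Range so the origin returns the whole object in one stream."""
    head, sep, body = request.partition(b"\r\n\r\n")
    kept = [ln for ln in head.split(b"\r\n") if not ln.lower().startswith(b"range:")]
    return b"\r\n".join(kept) + sep + body


def serve(body: bytes, rng: Optional[str]) -> bytes:
    """Origin server: honour 'bytes=a-b' or 'bytes=a-' (RFC 7233), else send everything."""
    m = re.fullmatch(r"bytes=(\d+)-(\d*)", rng or "")
    if not m:
        return body
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) else len(body) - 1
    return body[start:end + 1]


def sectional_download(body: bytes, ranges: list, gateway_strips_range: bool) -> dict:
    """A download accelerator fetches `body` with one request per range. Each
    response is scanned as its own stream; a hit terminates that connection
    and nothing from it reaches the client."""
    received, detected = b"", False
    for rng in ranges:
        req = (b"GET /setup.exe HTTP/1.1\r\nHost: files.example.test\r\n"
               b"Range: " + rng.encode("ascii") + b"\r\n\r\n")
        if gateway_strips_range:
            req = strip_range(req)
        resp = serve(body, range_header(req))
        if stream_matches(resp):
            detected = True
            break
        received += resp
    return {"detected": detected, "client_has_payload": SIGNATURE in received}


if __name__ == "__main__":
    body = b"A" * 100 + SIGNATURE + b"B" * 100
    mid = 100 + len(SIGNATURE) // 2               # split point falls inside the signature
    ranges = [f"bytes=0-{mid - 1}", f"bytes={mid}-"]
    print(sectional_download(body, ranges, gateway_strips_range=False))   # evaded
    print(sectional_download(body, ranges, gateway_strips_range=True))    # caught
```

With the split point inside the signature, neither range response matches on its own and the client reassembles the full payload; with Range stripped, the first response carries the whole file in one stream and is blocked. This is also why the Note above warns that download accelerators, which rely on exactly this kind of parallel range retrieval, may stop working.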
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for the essential
configuration of SonicWALL GAV to protect your network against the most dangerous and disruptive
attacks.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible from any Internet connection with a Web
browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at mySonicWALL.com, SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones
page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL
security appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After
selecting the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon . The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, SonicWALL GAV inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored to the previously configured state after you renew your SonicWALL
GAV license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus
scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:

Traffic     From                                   To
Non-SMTP    Trusted, Wireless or Encrypted Zone    Any Zone
Non-SMTP    Public Zone                            Untrusted Zone
SMTP        Any non-Trusted Zone                   Trusted, Wireless, Encrypted or Public Zone
SMTP        Trusted, Wireless or Encrypted Zone    Trusted, Wireless or Encrypted Zone
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when a HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection: traffic to and from an
excluded address is not scanned on any protocol.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
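The three restrict-transfer settings each key on a structural property of the file rather than on a virus signature. The script below is an added example, not SonicWALL code, showing how each property can be read from the bytes: ZIP password protection from general-purpose flag bit 0 of each entry, an Office macro project from an OOXML member named vbaProject.bin or (for Office 97-2003 OLE documents) the UTF-16LE directory name "_VBA_PROJECT", and packing from well-known packer section names in the PE section table. The sample files are constructed inline so the script runs offline; the section-name list covers UPX, ASPack, and Petite only, since FSG and PKLite32 leave no distinctive section name and a signature-based engine is needed for those.

```python
"""Structural checks for the restrict-transfer file attributes (added example, not SonicWALL code)."""
import io
import struct
import zipfile

OLE_SIGNATURE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Section names left by three of the packers the guide lists (UPX, ASPack, Petite).
# FSG and PKLite32 leave no distinctive section name, so this heuristic misses them.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}


def zip_entries(data: bytes):
    """ZipInfo list, or None when the bytes are not a readable zip archive."""
    try:
        return zipfile.ZipFile(io.BytesIO(data)).infolist()
    except zipfile.BadZipFile:
        return None


def zip_is_password_protected(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag marks an encrypted (password) entry."""
    entries = zip_entries(data)
    return bool(entries) and any(e.flag_bits & 0x0001 for e in entries)


def office_has_macros(data: bytes) -> bool:
    """Detect a VBA project in either the OLE (Office 97-2003) or OOXML container."""
    if data.startswith(OLE_SIGNATURE):
        return "_VBA_PROJECT".encode("utf-16-le") in data  # OLE directory names are UTF-16LE
    entries = zip_entries(data)
    return bool(entries) and any(e.filename.endswith("vbaProject.bin") for e in entries)


def pe_packer_sections(data: bytes) -> list:
    """Names in the PE section table that match a known packer (empty if none)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                             # first 40-byte section header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return [n for n in names if n in PACKER_SECTION_NAMES]


def restricted_attributes(data: bytes) -> set:
    """Restrict-transfer settings that would block this file, by name."""
    hits = set()
    if zip_is_password_protected(data):
        hits.add("password-protected zip")
    if office_has_macros(data):
        hits.add("office macros")
    if pe_packer_sections(data):
        hits.add("packed executable")
    return hits


# --- constructed sample files (not real documents or executables) ---
def make_zip(names, password_flag=False) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"x" * 16)
    data = bytearray(buf.getvalue())
    if password_flag:  # set flag bit 0 in local headers (+6) and central records (+8)
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos >= 0:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


def make_pe(section_names) -> bytes:
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections


SAMPLE_PLAIN_ZIP = make_zip(["readme.txt"])
SAMPLE_ENCRYPTED_ZIP = make_zip(["report.xls"], password_flag=True)
SAMPLE_DOCM = make_zip(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"])
SAMPLE_OLE_DOC = OLE_SIGNATURE + bytes(504) + "_VBA_PROJECT".encode("utf-16-le")
SAMPLE_UPX_EXE = make_pe(["UPX0", "UPX1", ".rsrc"])
SAMPLE_PLAIN_EXE = make_pe([".text", ".data", ".rsrc"])

if __name__ == "__main__":
    for label, blob in (("plain zip", SAMPLE_PLAIN_ZIP), ("encrypted zip", SAMPLE_ENCRYPTED_ZIP),
                        ("docm", SAMPLE_DOCM), ("ole doc", SAMPLE_OLE_DOC),
                        ("upx exe", SAMPLE_UPX_EXE), ("plain exe", SAMPLE_PLAIN_EXE)):
        print(f"{label:14s} -> {sorted(restricted_attributes(blob)) or 'allowed'}")
```

These checks only tell you that the gateway would refuse the transfer on structural grounds; a password-protected archive or a packed binary is blocked whether or not it actually carries a virus, which is why the settings are off by default and worth enabling per protocol rather than globally.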
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance.................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ........................ 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not setup, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site:
.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention                     Use
Bold                           Highlights items you can select on the SonicWALL
                               management interface.
Italic                         Highlights a value to enter into a field. For example, “type
                               192.168.168.168 in the IP Address field.”
Top Level Menu Button >        Indicates a multiple step Management Interface menu
Submenu Item                   choice. For example, Security Services > Gateway Anti-
                               Virus means select Security Services, then select
                               Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If virus found, file discarded.
5. Virus is logged and alert sent to administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by the
e-mail server.
3. If virus found, threat prevented.
4. E-mail is returned to sender, virus is logged, and alert sent to administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 engine (Deep Packet Inspection
version 2.0), which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly-free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as follows:

Platform         GAV-Disabled      GAV-Enabled           Concurrent Compressed    GAV
                 Connections       Connections Cache     File Downloads           Signatures
                 Cache Size        Size (Concurrent      with GAV
                                   File Downloads)
TZ 150 Series    2,048             2,048                 100                      4,500
TZ 170 Series    6,144             6,144                 100                      4,500
PRO 1260         6,144             6,144                 100                      4,500
PRO 2040         32,768            16,384                300                      25,000
PRO 3060         131,072           65,536                1,000                    25,000
PRO 4060         524,288           131,072               1,500                    25,000
PRO 5060         750,000           393,216               3,000                    25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is rejected with a 552 SMTP response, which
removes it from the head of the sender's queue and thus prevents it from being resent; the connection is then terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression method is
not supported when HTTP response is Chunk Encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP REST requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
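The HTTP and FTP entries above both describe the same defensive measure: refusing partial-range retrieval so that a file always passes the scanner as one contiguous stream. The following is an added example for this guide, not SonicWALL's implementation. It assumes a gateway that rewrites client requests in flight: Range and If-Range headers are dropped from HTTP request heads, and an FTP REST command is answered with a 502 reply (this example's choice of reply code) unless an allow_rest flag, standing in for the 'Enable FTP REST requests with Gateway AV' diag option, is set.

```python
def strip_http_range_headers(request: bytes) -> bytes:
    """Return the HTTP request with any Range / If-Range headers removed so the
    server sends the object as a single whole stream. Header names are
    case-insensitive, so they are compared lowercased."""
    head, sep, rest = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]]  # request line is always kept
    for line in lines[1:]:
        name = line.split(b":", 1)[0].strip().lower()
        if name in (b"range", b"if-range"):
            continue  # dropped: no sectional retrieval
        kept.append(line)
    return b"\r\n".join(kept) + sep + rest


def handle_ftp_command(line: bytes, allow_rest: bool = False):
    """Decide what to do with one FTP control-channel command from the client.
    Returns (forward_to_server, reply_to_client). REST is refused unless
    allow_rest is set; every other command passes through unchanged."""
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb == b"REST" and not allow_rest:
        return False, b"502 REST not permitted while content inspection is active.\r\n"
    return True, None


if __name__ == "__main__":
    # Constructed sample request from a download accelerator.
    req = (b"GET /big.iso HTTP/1.1\r\nHost: files.example.com\r\n"
           b"Range: bytes=0-1048575\r\nUser-Agent: accel/1.0\r\n\r\n")
    print(strip_http_range_headers(req).decode())
    print(handle_ftp_command(b"REST 1024\r\n"))
    print(handle_ftp_command(b"RETR report.zip\r\n"))
```

Without the Range header the server answers 200 with the whole object instead of 206 with a slice, which is exactly the side effect the Note above warns about: accelerators that open several ranged requests at once fall back to a single download.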
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
update your SonicWALL security appliance immediately.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting the
interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface box and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
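The four bullet rules above are awkward to apply by hand for a given pair of zones, so here is an added example, not from the guide, that encodes them as a function and prints the resulting matrix for any protocol. The zone security type names (Trusted, Wireless, Encrypted, Public, Untrusted) are those used in the rules; "non-Trusted Zone" in the third rule is taken literally as any security type other than Trusted, which is an assumption of this example.

```python
ZONE_TYPES = ("Trusted", "Wireless", "Encrypted", "Public", "Untrusted")
INTERNAL = frozenset(("Trusted", "Wireless", "Encrypted"))


def inbound_inspected(src_type: str, dst_type: str, protocol: str) -> bool:
    """True if a flow from a zone of security type src_type to one of type
    dst_type, carrying the given protocol, falls under Enable Inbound
    Inspection according to the four rules in the guide."""
    for zone in (src_type, dst_type):
        if zone not in ZONE_TYPES:
            raise ValueError("unknown zone security type: %r" % zone)
    if protocol.upper() != "SMTP":
        # Rules 1 and 2: non-SMTP from Trusted/Wireless/Encrypted to any zone,
        # or from Public to Untrusted.
        return src_type in INTERNAL or (src_type == "Public" and dst_type == "Untrusted")
    # Rule 3: SMTP from a non-Trusted zone (assumed here: any type other than
    # Trusted) to a Trusted, Wireless, Encrypted or Public zone.
    if src_type != "Trusted" and (dst_type in INTERNAL or dst_type == "Public"):
        return True
    # Rule 4: SMTP between Trusted/Wireless/Encrypted zones.
    return src_type in INTERNAL and dst_type in INTERNAL


def inspection_matrix(protocol: str) -> dict:
    """(source type, destination type) -> inspected, for every combination."""
    return {(s, d): inbound_inspected(s, d, protocol) for s in ZONE_TYPES for d in ZONE_TYPES}


def render_matrix(protocol: str) -> str:
    """Plain-text table: rows are source zone types, columns destination types."""
    width = max(len(z) for z in ZONE_TYPES) + 2
    rows = ["from \\ to".ljust(width) + "".join(z.ljust(width) for z in ZONE_TYPES)]
    for s in ZONE_TYPES:
        cells = ("yes" if inbound_inspected(s, d, protocol) else "-").ljust(width) if False else None
        rows.append(s.ljust(width) + "".join(
            ("yes" if inbound_inspected(s, d, protocol) else "-").ljust(width) for d in ZONE_TYPES))
    return "\n".join(rows)


if __name__ == "__main__":
    for proto in ("HTTP", "SMTP"):
        print(proto)
        print(render_matrix(proto))
        print()
```

Reading the HTTP matrix makes the intent of the rules visible: inbound inspection covers downloads initiated from inside (any internal source zone) and from a public DMZ out to the Internet, while SMTP is treated by where the mail is delivered rather than where the session starts, which is why a mail server on the DMZ additionally needs the outbound SMTP option described next.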
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when a HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
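The three restrict-transfer attributes are decided from file structure rather than from virus signatures, which a short parser can illustrate. The following is an added example for this guide, not the appliance's detection code. It inspects the attributes a gateway can read cheaply from the start of a file: the encryption bit (bit 0 of the general-purpose flags) in a ZIP local file header, a vbaProject.bin entry inside an Office 2007+ (OOXML) container, and packer-style PE section names (UPX0/UPX1/UPX2, .aspack/.adata, .petite). The OLE2 layout of Office 97-2003 files is not covered, and the ZIP, Office and PE samples are constructed in the block, not real files.

```python
import struct
import zlib

ZIP_LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # PK\x03\x04 local file header, 30 bytes
ZIP_FLAG_ENCRYPTED = 0x0001                          # general-purpose flag bit 0
PACKER_SECTIONS = {"upx0", "upx1", "upx2", ".aspack", ".adata", ".petite"}


def zip_entries(data: bytes):
    """Walk the local file headers of a ZIP stream; return [(name, flags), ...]."""
    entries, off = [], 0
    while True:
        idx = data.find(b"PK\x03\x04", off)
        if idx < 0 or idx + ZIP_LOCAL_HEADER.size > len(data):
            return entries
        fields = ZIP_LOCAL_HEADER.unpack_from(data, idx)
        flags, csize, nlen, xlen = fields[2], fields[7], fields[9], fields[10]
        name = data[idx + 30:idx + 30 + nlen].decode("utf-8", "replace")
        entries.append((name, flags))
        off = idx + ZIP_LOCAL_HEADER.size + nlen + xlen + csize  # skip over the stored data


def pe_section_names(data: bytes):
    """Section names from a PE image's section table, or [] if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                   # COFF header is 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40                              # 40-byte section header, name first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def restrict_transfer_reasons(data: bytes, pw_zip=True, macros=True, packed=True):
    """Return the list of restrict-transfer rules the file would trip (empty = allowed)."""
    reasons = []
    entries = zip_entries(data) if data.startswith(b"PK\x03\x04") else []
    if pw_zip and any(flags & ZIP_FLAG_ENCRYPTED for _, flags in entries):
        reasons.append("password-protected ZIP entry")
    if macros and any(name.lower().endswith("vbaproject.bin") for name, _ in entries):
        reasons.append("Office document carrying a VBA project")
    if packed:
        hits = sorted(n for n in pe_section_names(data) if n.lower() in PACKER_SECTIONS)
        if hits:
            reasons.append("packed executable (sections: %s)" % ", ".join(hits))
    return reasons


# --- constructed samples (not real files) ---
def build_zip(entries):
    """entries: [(name, payload, encrypted)]; stored entries, local headers only."""
    out = b""
    for name, payload, encrypted in entries:
        out += ZIP_LOCAL_HEADER.pack(b"PK\x03\x04", 20, ZIP_FLAG_ENCRYPTED if encrypted else 0,
                                     0, 0, 0, zlib.crc32(payload) & 0xFFFFFFFF,
                                     len(payload), len(payload), len(name), 0)
        out += name + payload
    return out


def build_pe(section_names):
    """Minimal MZ/PE skeleton with an empty optional header and the given sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


SAMPLE_PW_ZIP = build_zip([(b"report.docx", b"constructed ciphertext", True)])
SAMPLE_MACRO_DOC = build_zip([(b"[Content_Types].xml", b"<Types/>", False),
                              (b"word/vbaProject.bin", b"constructed", False)])
SAMPLE_UPX_EXE = build_pe(["UPX0", "UPX1", ".rsrc"])
SAMPLE_PLAIN_EXE = build_pe([".text", ".data", ".rsrc"])

if __name__ == "__main__":
    for label, blob in (("pw zip", SAMPLE_PW_ZIP), ("macro doc", SAMPLE_MACRO_DOC),
                        ("upx exe", SAMPLE_UPX_EXE), ("plain exe", SAMPLE_PLAIN_EXE)):
        print(label, "->", restrict_transfer_reasons(blob) or "allowed")
```

Note that each check reads only a header: the encryption flag sits in the first 30 bytes of an entry, and the section table is reachable from the fixed e_lfanew offset, so a streaming engine can take the blocking decision before the bulk of the file has passed, which is the same property that lets it act on the first packet rather than after reassembly.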
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL,Inc.
1143 Borregas Avenue
Sunnyvale,CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations
by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ................. 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site: .
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Convention - Use
Bold - Highlights items you can select on the SonicWALL management interface.
Italic - Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address
field.”
Top Level Menu Button > Submenu Item - Indicates a multiple step Management Interface menu
choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then
select Gateway Anti-Virus.
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting the remote desktop.
4. The virus is logged and an alert is sent to the administrator.
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client makes a request to download a file from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 engine (Deep Packet Inspection
version 2.0), which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. The reassembly-free virus scanning functionality of the SonicWALL
GAV engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams
without ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as follows:
Platform        GAV-Disabled    GAV-Enabled Connections   Concurrent Compressed   GAV Signatures
                Connections     Cache Size (Concurrent    File Downloads
                Cache Size      File Downloads)           with GAV
TZ 150 Series   2,048           2,048                     100                     4,500
TZ 170 Series   6,144           6,144                     100                     4,500
PRO 1260        6,144           6,144                     100                     4,500
PRO 2040        32,768          16,384                    300                     25,000
PRO 3060        131,072         65,536                    1,000                   25,000
PRO 4060        524,288         131,072                   1,500                   25,000
PRO 5060        750,000         393,216                   3,000                   25,000
Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is rejected with a 552 SMTP response,
which removes it from the head of the sender's queue and thus prevents it from being resent, and the
connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method
is not supported when the HTTP response is chunk encoded. All HTTP traffic is inspected, not just TCP
port 80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and
reassembly of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV’.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
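The following is an added example, not SonicWALL code and not the DPIv2.0 engine, written to make the per-packet behaviour described in the Architecture and Protocol Handling sections concrete. It shows three things the prose states but does not demonstrate: base64 mail bodies decoded without reassembling the stream (only the incomplete trailing quad is carried), a signature matched even when it is split across two packets (only the last len(signature) - 1 bytes are kept as history), and why sectional retrieval via HTTP Byte-Range or FTP REST requests has to be suppressed (two independent range streams each see only half of the signature). The signature, the packet streams and the per-protocol action strings are constructed for this example; the action strings paraphrase the guide's prevention mechanisms and are not product output.

```python
import base64

# Constructed placeholder signature for the demonstration; it is not a real
# virus signature and not from SonicWALL's database.
SIGNATURE = b"X-CONSTRUCTED-TEST-SIGNATURE-X"

# Prevention mechanism per protocol, paraphrased from the guide's
# "Protocol Handling" section (constructed strings, not product output).
PREVENTION = {
    "SMTP": "remove message from send queue via 552 response, terminate connection",
    "POP3": "remove message from server via DELE, terminate connection",
    "IMAP": "terminate connection",
    "HTTP": "terminate connection",
    "FTP": "terminate connection",
    "TCP": "drop traffic and reset connection",
}


class StreamingBase64Decoder:
    """Decodes base64 one chunk at a time. Only the incomplete trailing quad
    (at most 3 characters) is carried to the next call, so the encoded mail
    body is never reassembled in memory."""

    def __init__(self):
        self._pending = b""

    def feed(self, chunk: bytes) -> bytes:
        # Mail transports wrap base64 lines; whitespace is not part of the data.
        data = self._pending + b"".join(chunk.split())
        usable = len(data) - len(data) % 4
        self._pending = data[usable:]
        return base64.b64decode(data[:usable]) if usable else b""


class StreamingMatcher:
    """Searches for a signature across chunk boundaries while keeping only the
    last len(signature) - 1 bytes of history. With carry=False each chunk is
    inspected in isolation, which is the failure mode a per-packet scanner
    must avoid."""

    def __init__(self, signature: bytes, carry: bool = True):
        self.sig = signature
        self.carry = carry
        self._tail = b""

    def feed(self, data: bytes) -> bool:
        window = self._tail + data
        if self.carry:
            self._tail = window[-(len(self.sig) - 1):] if len(self.sig) > 1 else b""
        return self.sig in window


def split_packets(data: bytes, size: int) -> list:
    """Cut a byte stream into packet-sized pieces (constructed input)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def scan_stream(protocol: str, packets, base64_encoded: bool = False, carry: bool = True):
    """Scan packets one at a time. Returns (detected, action, packet_index).
    The action is taken as soon as the signature completes, which is why a
    per-packet engine has no file-size limit."""
    decoder = StreamingBase64Decoder()
    matcher = StreamingMatcher(SIGNATURE, carry=carry)
    for index, packet in enumerate(packets):
        payload = decoder.feed(packet) if base64_encoded else packet
        if matcher.feed(payload):
            return True, PREVENTION[protocol], index
    return False, None, None


def scan_as_separate_ranges(protocol: str, data: bytes, split_at: int) -> bool:
    """Model two independent byte-range (HTTP Range / FTP REST) requests for
    one file. Each range is a separate stream with its own scanner state, so a
    signature straddling the split is never seen whole. This is the evasion
    that the guide's Byte-Range and REST suppression closes."""
    first = scan_stream(protocol, split_packets(data[:split_at], 40))
    second = scan_stream(protocol, split_packets(data[split_at:], 40))
    return first[0] or second[0]


# Constructed sample streams.
MAIL_BODY = base64.encodebytes(b"a" * 40 + SIGNATURE + b"b" * 40)   # base64 with line wraps
FILE_DATA = b"a" * 30 + SIGNATURE + b"b" * 30                       # plain binary download
BENIGN_BODY = base64.encodebytes(b"benign text " * 20)              # no signature present

if __name__ == "__main__":
    print(scan_stream("SMTP", split_packets(MAIL_BODY, 50), base64_encoded=True))
    print(scan_stream("HTTP", split_packets(FILE_DATA, 40)))
    print(scan_stream("HTTP", split_packets(FILE_DATA, 40), carry=False))
    print(scan_as_separate_ranges("HTTP", FILE_DATA, 45))
    print(scan_stream("POP3", split_packets(BENIGN_BODY, 33), base64_encoded=True))
```

The 50-byte packet size for the mail body is chosen so that base64 quads straddle packet boundaries and a line break lands mid-packet; the 40-byte packets for the binary download place the signature across two packets, which the `carry=False` run misses and the default run catches on the second packet.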
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Page 16 SonicWALL Gateway Anti-Virus Administrator’s Guide
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mySonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left-navigation
menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left-navigation
menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface box and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP-based traffic, such as SMTP and POP3
on non-standard ports, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
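The four zone-pair rules above, encoded as a decision function that also generates the full source/destination matrix. This is an added illustration, not SonicWALL code: the security-type names (Trusted, Wireless, Encrypted, Public, Untrusted) are the guide's, while the function and matrix layout are assumptions of this example.

```python
"""Which flows SonicWALL GAV "Enable Inbound Inspection" covers, derived from the
four zone-pair rules quoted in the guide.  Added illustration, not SonicWALL code."""

# Security types as named in the guide.
INTERNAL = frozenset({"Trusted", "Wireless", "Encrypted"})
ZONE_TYPES = ("Trusted", "Wireless", "Encrypted", "Public", "Untrusted")


def inbound_inspected(src: str, dst: str, smtp: bool) -> bool:
    """True if a flow initiated from security type `src` to `dst` is scanned
    under Enable Inbound Inspection. `smtp` selects the SMTP rules."""
    if src not in ZONE_TYPES or dst not in ZONE_TYPES:
        raise ValueError(f"unknown security type: {src!r} -> {dst!r}")
    if not smtp:
        # Rule 1: non-SMTP from Trusted/Wireless/Encrypted to any zone.
        if src in INTERNAL:
            return True
        # Rule 2: non-SMTP from Public to Untrusted.
        return src == "Public" and dst == "Untrusted"
    # Rule 3: SMTP from a non-Trusted zone to Trusted/Wireless/Encrypted/Public.
    if src != "Trusted" and dst in INTERNAL | {"Public"}:
        return True
    # Rule 4: SMTP between Trusted/Wireless/Encrypted zones.
    return src in INTERNAL and dst in INTERNAL


def inspection_matrix(smtp: bool) -> dict:
    """The 'table' form: every (src, dst) pair mapped to whether it is inspected."""
    return {(s, d): inbound_inspected(s, d, smtp)
            for s in ZONE_TYPES for d in ZONE_TYPES}


def uninspected_pairs(smtp: bool) -> list:
    """Flows NOT covered by inbound inspection, i.e. the coverage gaps an
    administrator should know about (outbound SMTP is a separate setting)."""
    return [pair for pair, hit in inspection_matrix(smtp).items() if not hit]


def render(smtp: bool) -> str:
    """Plain-text matrix: rows are the initiating zone type, columns the destination."""
    width = max(len(z) for z in ZONE_TYPES) + 2
    header = "src \\ dst".ljust(width) + "".join(z.ljust(width) for z in ZONE_TYPES)
    rows = [header]
    for s in ZONE_TYPES:
        cells = "".join(("scan" if inbound_inspected(s, d, smtp) else "-").ljust(width)
                        for d in ZONE_TYPES)
        rows.append(s.ljust(width) + cells)
    return "\n".join(rows)


if __name__ == "__main__":
    print("Non-SMTP:\n" + render(False))
    print("\nSMTP:\n" + render(True))
```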
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password-protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfer of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
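How a gateway can recognise the first of these cases, a password-protected ZIP, without relying on the file extension: the archive's central directory is parsed and each entry's general-purpose flag is checked for the encryption bit. This is an added example, not SonicWALL code; the sample archives are constructed in memory, and the "encrypted" sample only has the header flag set, which is the field such a filter inspects.

```python
"""Detect password-protected ZIP entries by parsing the archive structure.
Added example, not SonicWALL code; sample archives are constructed in memory."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"      # end of central directory record
CDH_SIG = b"PK\x01\x02"       # central directory file header
FLAG_ENCRYPTED = 0x0001       # general purpose bit 0: entry is encrypted


def zip_entries(data: bytes) -> list:
    """Walk the central directory and return (name, general_purpose_flags) per entry.
    Raises ValueError for anything that is not a well-formed single-disk ZIP."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    (_sig, _disk, _cd_disk, _n_here, n_total, cd_size, cd_off,
     _comment_len) = struct.unpack("<4s4H2IH", data[eocd:eocd + 22])
    if cd_off + cd_size > eocd:
        raise ValueError("central directory extends past EOCD")
    entries, pos = [], cd_off
    for _ in range(n_total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header")
        (_sig, _made, _need, flags, _method, _time, _date, _crc, _csize, _usize,
         nlen, xlen, clen, _disk, _iattr, _eattr,
         _lhoff) = struct.unpack("<4s6H3I5H2I", data[pos:pos + 46])
        name = data[pos + 46:pos + 46 + nlen].decode("cp437", "replace")
        entries.append((name, flags))
        pos += 46 + nlen + xlen + clen
    return entries


def encrypted_entries(data: bytes) -> list:
    """Names of entries flagged as encrypted (the password-protected ZIP case)."""
    return [name for name, flags in zip_entries(data) if flags & FLAG_ENCRYPTED]


def should_block(data: bytes) -> bool:
    """Policy: block if any entry is encrypted, or if the archive cannot be parsed.
    An unparseable archive cannot be scanned, so the filter fails closed."""
    try:
        return bool(encrypted_entries(data))
    except ValueError:
        return True


def cross_check(data: bytes) -> bool:
    """Sanity check of zip_entries() against the standard library's parser."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        ref = [(zi.filename, zi.flag_bits) for zi in zf.infolist()]
    return ref == zip_entries(data)


def make_archive(files: dict, encrypt: frozenset = frozenset()) -> bytes:
    """Constructed sample: build a ZIP, then set the encryption flag on the chosen
    entries in both the central and local headers. The payload is not actually
    encrypted; only the flag a gateway filter inspects is set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    data = bytearray(buf.getvalue())
    eocd = data.rfind(EOCD_SIG)
    pos = struct.unpack_from("<I", data, eocd + 16)[0]   # central directory offset
    while data[pos:pos + 4] == CDH_SIG:
        nlen, xlen, clen = struct.unpack_from("<3H", data, pos + 28)
        lhoff = struct.unpack_from("<I", data, pos + 42)[0]
        name = bytes(data[pos + 46:pos + 46 + nlen]).decode()
        if name in encrypt:
            data[pos + 8] |= FLAG_ENCRYPTED      # central header flags at +8
            data[lhoff + 6] |= FLAG_ENCRYPTED    # local header flags at +6
        pos += 46 + nlen + xlen + clen
    return bytes(data)


if __name__ == "__main__":
    sample = make_archive({"readme.txt": b"hello", "secret.txt": b"payload"},
                          encrypt=frozenset({"secret.txt"}))
    print("encrypted entries:", encrypted_entries(sample))
    print("block:", should_block(sample))
```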
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL,Inc.
1143 Borregas Avenue
Sunnyvale,CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not setup, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site:
.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site.
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention: Use
Bold: Highlights items you can select on the SonicWALL management interface.
Italic: Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item: Indicates a multiple-step Management Interface menu choice.
For example, Security Services > Gateway Anti-Virus means select Security Services, then select
Gateway Anti-Virus.
Page 4 SonicWALL Gateway Anti-Virus Administrator’s Guide
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based
resources are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
Page 5
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
Page 6
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
Page 7
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Page 8
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Page 9
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. Virus is logged and alert is sent to administrator.
Page 10
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received
by the e-mail server.
3. If a virus is found, the threat is prevented.
4. E-mail is returned to sender, virus is logged, and alert is sent to administrator.
Page 11
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high-performance DPIv2.0 (Deep Packet Inspection
version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. The reassembly-free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which scans streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
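The reassembly-free, per-packet decoding described above can be illustrated with a small model. This is an added example, not SonicWALL code: the signatures and streams are constructed, and the scanner keeps only the tail of the previous packet (never the whole file) while still catching a signature that straddles a packet boundary inside base64-encoded and gzip-compressed data.

```python
import base64
import gzip
import zlib

# Constructed test signatures for the demo; they are not real SonicWALL GAV signatures.
SIGNATURES = [b"CONSTRUCTED-TEST-SIGNATURE-0001", b"ANOTHER-FAKE-PATTERN"]


class StreamScanner:
    """Scan a stream one packet at a time without reassembling it.

    Each packet is base64-decoded and/or gzip-inflated incrementally and then
    matched against the signature list. Only the last (longest signature - 1)
    bytes of decoded output are kept between packets, so a signature that
    straddles a packet boundary is still found while memory use stays constant
    regardless of file size.
    """

    def __init__(self, signatures, encoding="identity"):
        self.signatures = list(signatures)
        self.keep = max(len(s) for s in self.signatures) - 1
        self.tail = b""          # decoded bytes carried over from the previous packet
        self.b64_carry = b""     # incomplete base64 quartet carried over
        self.encoding = encoding
        # 16 + MAX_WBITS makes zlib expect a gzip header, as seen on the wire.
        self.inflater = (zlib.decompressobj(16 + zlib.MAX_WBITS)
                         if "gzip" in encoding else None)

    def _decode(self, chunk):
        if "base64" in self.encoding:
            data = self.b64_carry + b"".join(chunk.split())   # drop line breaks
            usable = len(data) - len(data) % 4                 # whole quartets only
            self.b64_carry = data[usable:]
            chunk = base64.b64decode(data[:usable])
        if self.inflater is not None:
            chunk = self.inflater.decompress(chunk)            # yields what it can
        return chunk

    def feed(self, packet):
        """Return the first matching signature for this packet, or None."""
        window = self.tail + self._decode(packet)
        for sig in self.signatures:
            if sig in window:
                return sig
        self.tail = window[-self.keep:] if self.keep else b""
        return None

    def retained_bytes(self):
        """Decoded bytes currently buffered; never exceeds the longest signature."""
        return len(self.tail)


def packetize(data, size):
    """Split a byte string into fixed-size 'packets' (constructed wire chunks)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def scan_stream(packets, encoding="identity"):
    """Return (signature, packet index) for the first hit, or (None, None)."""
    scanner = StreamScanner(SIGNATURES, encoding)
    for idx, pkt in enumerate(packets):
        hit = scanner.feed(pkt)
        if hit is not None:
            return hit, idx
    return None, None


def demo():
    """Three constructed streams: plain, base64+gzip (SMTP-style), and clean gzip."""
    # 1. Plain stream where the signature spans packets 0..2 at 15-byte packets.
    plain = b"x" * 10 + SIGNATURES[0] + b"y" * 10
    plain_hit = scan_stream(packetize(plain, 15))
    # 2. SMTP-style attachment: gzip body, base64 with 76-column lines, 100-byte packets.
    body = b"A" * 500 + SIGNATURES[0] + b"B" * 500
    mail_hit = scan_stream(packetize(base64.encodebytes(gzip.compress(body)), 100),
                           "base64+gzip")
    # 3. A clean gzip download should pass without any hit.
    clean_hit = scan_stream(packetize(gzip.compress(b"C" * 2000), 64), "gzip")
    return plain_hit, mail_hit, clean_hit


if __name__ == "__main__":
    print(demo())
```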
Page 12
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream-concurrency limits are platform dependent, as follows:
Platform         GAV-Disabled     GAV-Enabled           Concurrent Compressed   GAV
                 Connections      Connections Cache     File Downloads          Signatures
                 Cache Size       Size (Concurrent      with GAV
                                  File Downloads)
TZ 150 Series    2,048            2,048                 100                     4,500
TZ 170 Series    6,144            6,144                 100                     4,500
PRO 1260         6,144            6,144                 100                     4,500
PRO 2040         32,768           16,384                300                     25,000
PRO 3060         131,072          65,536                1,000                   25,000
PRO 4060         524,288          131,072               1,500                   25,000
PRO 5060         750,000          393,216               3,000                   25,000
Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Page 13
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which
removes it from the head of the sender's queue so that it is not resent, and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
Page 14
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method is
not supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV’.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Page 15
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible from any Internet connection with a Web
browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at mySonicWALL.com, SonicWALL GAV activation is
automatically enabled on your SonicWALL security appliance within 24 hours, or you can click the
Synchronize button on the Security Services > Summary page to update your SonicWALL security appliance.
Page 16
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Page 17
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Page 18
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Page 19
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Page 20
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Page 21
Note: You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored to their previously configured state after you renew your
SonicWALL GAV license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface box and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking on the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
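The four bullets above define which flows the Enable Inbound Inspection setting covers. The Python below is an added example, not code from the guide or from SonicOS: it encodes those four rules as a decision function and regenerates the zone-by-zone matrix the guide's table presents. The zone names and their security types are constructed for the example (on an appliance they come from Network > Zones), and reading "non-Trusted" in the third bullet as "any security type other than Trusted" is an interpretation, since the guide does not spell it out.

```python
"""Inbound-inspection decision logic (added example, not SonicWALL code)."""
from typing import Dict, List, Tuple

# Constructed mapping of zone name -> SonicOS security type (assumption).
SECURITY_TYPE: Dict[str, str] = {
    "LAN": "Trusted",
    "WLAN": "Wireless",
    "VPN": "Encrypted",
    "DMZ": "Public",
    "WAN": "Untrusted",
}

# The guide groups Trusted, Wireless and Encrypted together in every rule.
INTERNAL = frozenset({"Trusted", "Wireless", "Encrypted"})


def inbound_inspected(src_zone: str, dst_zone: str, protocol: str) -> bool:
    """True if Enable Inbound Inspection covers a flow initiated src -> dst.

    Rules, in the order the guide lists them:
      1. non-SMTP from Trusted/Wireless/Encrypted -> any zone
      2. non-SMTP from Public -> Untrusted
      3. SMTP from a non-Trusted zone -> Trusted/Wireless/Encrypted/Public
      4. SMTP from Trusted/Wireless/Encrypted -> Trusted/Wireless/Encrypted
    Rule 3's "non-Trusted" is read as "security type is not Trusted" (interpretation).
    """
    src = SECURITY_TYPE[src_zone]
    dst = SECURITY_TYPE[dst_zone]
    if protocol.upper() != "SMTP":
        if src in INTERNAL:                                  # rule 1
            return True
        return src == "Public" and dst == "Untrusted"        # rule 2
    if src != "Trusted" and (dst in INTERNAL or dst == "Public"):  # rule 3
        return True
    return src in INTERNAL and dst in INTERNAL               # rule 4


def inspection_matrix(protocol: str) -> Dict[Tuple[str, str], bool]:
    """Verdict for every (source zone, destination zone) pair."""
    zones = list(SECURITY_TYPE)
    return {(s, d): inbound_inspected(s, d, protocol) for s in zones for d in zones}


def uninspected_flows(protocol: str) -> List[Tuple[str, str]]:
    """Flows the feature does not cover; the list to review when auditing a policy."""
    return sorted(pair for pair, on in inspection_matrix(protocol).items() if not on)


def render_table(protocol: str) -> str:
    """Plain-text matrix: rows are source zones, columns are destination zones."""
    zones = list(SECURITY_TYPE)
    matrix = inspection_matrix(protocol)
    lines = [f"{protocol.upper():<6}" + "".join(f"{d:>6}" for d in zones)]
    for s in zones:
        cells = "".join(f"{'yes' if matrix[(s, d)] else '-':>6}" for d in zones)
        lines.append(f"{s:<6}" + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table("HTTP"))
    print()
    print(render_table("SMTP"))
```

Running the module prints one matrix for non-SMTP traffic and one for SMTP. The non-SMTP matrix makes the guide's point concrete: a download initiated from the LAN to the WAN is inspected, while a connection initiated from the WAN toward the LAN is not covered by inbound inspection, which is why SMTP to an internally hosted mail server is handled by the separate outbound SMTP setting described next.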
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
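Two of the attributes listed above can be recognised from the first bytes of a file, which is what makes them enforceable inline. The Python below is an added example, not code from the guide or from SonicWALL: it flags a password-protected ZIP from the encryption bit in each local file header, and a UPX-packed Windows executable from the section names UPX writes into the PE section table. The sample files are constructed inline; the ZIP header layout follows the public PKWARE APPNOTE and the PE layout the PE/COFF specification. Only UPX is modelled; the other packers the guide names need their own signatures, and the MS-Office macro check is not shown.

```python
"""Restrict-transfer checks for password-protected ZIP and UPX-packed PE files
(added example, not SonicWALL code)."""
import io
import struct
import zipfile
import zlib
from typing import List, Tuple

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001              # general-purpose bit 0 (PKWARE APPNOTE)
ZIP_LOCAL_HEADER = "<IHHHHHIIIHH"        # 30-byte local file header
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # section names written by UPX


def zip_entries(data: bytes) -> List[Tuple[str, bool]]:
    """Walk local file headers and report (name, encrypted) for each entry.

    Local headers precede the payload, so a gateway can decide before the
    archive body has passed. A compressed payload containing the signature
    bytes would add a spurious entry; a full scanner cross-checks the
    central directory at the end of the archive.
    """
    entries = []
    pos = data.find(ZIP_LOCAL_SIG)
    while pos >= 0 and pos + 30 <= len(data):
        (_sig, _ver, flags, _method, _time, _date, _crc,
         csize, _usize, nlen, xlen) = struct.unpack_from(ZIP_LOCAL_HEADER, data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & ZIP_FLAG_ENCRYPTED)))
        pos = data.find(ZIP_LOCAL_SIG, pos + 30 + nlen + xlen + csize)
    return entries


def is_password_protected_zip(data: bytes) -> bool:
    return any(enc for _name, enc in zip_entries(data))


def pe_section_names(data: bytes) -> List[str]:
    """Section names of a PE image, or an empty list if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        return []
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                             # section table start
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data))


def restricted_transfer_reasons(data: bytes) -> List[str]:
    """Which of the two modelled restrict-transfer rules the file trips."""
    reasons = []
    if is_password_protected_zip(data):
        reasons.append("password-protected ZIP")
    if is_upx_packed(data):
        reasons.append("packed executable (UPX)")
    return reasons


# --- constructed sample inputs (not real malware, just headers) ------------

def _zip_local_entry(name: bytes, payload: bytes, flags: int) -> bytes:
    header = struct.pack(ZIP_LOCAL_HEADER, 0x04034B50, 20, flags, 0, 0, 0,
                         zlib.crc32(payload), len(payload), len(payload), len(name), 0)
    return header + name + payload


def _minimal_pe(section_names: List[str]) -> bytes:
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
                        for n in section_names)
    return bytes(dos) + b"PE\x00\x00" + coff + sections


ENCRYPTED_ZIP = _zip_local_entry(b"secret.txt", b"\x8a\x11" * 8, ZIP_FLAG_ENCRYPTED)
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("readme.txt", "hello")
PLAIN_ZIP = _buf.getvalue()
PACKED_PE = _minimal_pe(["UPX0", "UPX1", ".rsrc"])
PLAIN_PE = _minimal_pe([".text", ".data", ".rsrc"])

if __name__ == "__main__":
    for label, blob in [("encrypted zip", ENCRYPTED_ZIP), ("plain zip", PLAIN_ZIP),
                        ("packed pe", PACKED_PE), ("plain pe", PLAIN_PE)]:
        print(f"{label:<14} -> {restricted_transfer_reasons(blob) or ['allowed']}")
```

The encrypted-ZIP check is decisive because the flag sits in the header, which is why a password-protected archive can be blocked without ever seeing its contents; the packer check is a heuristic (section names can be renamed), which matches the guide's remark that additional packer formats arrive as signature updates rather than as a fixed rule.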
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations
by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones
(SonicOS Enhanced 3.0) ............................................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not setup, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site:
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
Convention                            Use
Bold                                  Highlights items you can select on the SonicWALL management interface.
Italic                                Highlights a value to enter into a field. For example, “type 192.168.168.168
                                      in the IP Address field.”
Top Level Menu Button > Submenu Item  Indicates a multiple step Management Interface menu choice. For example,
                                      Security Services > Gateway Anti-Virus means select Security Services,
                                      then select Gateway Anti-Virus.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
Page 7
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Page 8 SonicWALL Gateway Anti-Virus Administrator’s Guide
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. Virus is logged and alert is sent to administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by
the e-mail server.
3. If a virus is found, the threat is prevented.
4. E-mail is returned to sender, virus is logged, and alert is sent to administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection version 2.0)
engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. The reassembly-free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream-concurrency limits are platform dependent, as follows:
Platform         GAV-Disabled      GAV-Enabled Connections   Concurrent Compressed   GAV Signatures
                 Connections       Cache Size                File Downloads
                 Cache Size        (Concurrent File          with GAV
                                   Downloads)
TZ 150 Series    2,048             2,048                     100                     4,500
TZ 170 Series    6,144             6,144                     100                     4,500
PRO 1260         6,144             6,144                     100                     4,500
PRO 2040         32,768            16,384                    300                     25,000
PRO 3060         131,072           65,536                    1,000                   25,000
PRO 4060         524,288           131,072                   1,500                   25,000
PRO 5060         750,000           393,216                   3,000                   25,000
Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which
removes it from the head of the sender's queue and prevents it from being resent; the connection is then terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method is
not supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left-navigation
menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left-navigation
menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message: Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface checkbox and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking on the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
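The four inbound rules above and the outbound SMTP option, written out as a policy function together with the source-zone by destination-zone matrix the text refers to (an added example, not SonicWALL's code; reading "non-Trusted Zone" as any zone other than Trusted, treating flows matched by none of the rules as not inspected, and the exact scope of the outbound rule are assumptions):

```python
# Zone security types named on this page.
ZONES = ("Trusted", "Wireless", "Encrypted", "Public", "Untrusted")
INTERNAL = {"Trusted", "Wireless", "Encrypted"}


def inbound_inspected(protocol: str, src_zone: str, dst_zone: str) -> bool:
    """True when the Enable Inbound Inspection setting covers this flow.
    Assumption: 'non-Trusted Zone' means any zone other than Trusted, and flows
    matched by none of the four rules are not inbound-inspected."""
    if protocol.upper() != "SMTP":
        # Non-SMTP: sessions initiated from Trusted/Wireless/Encrypted to any zone,
        # plus Public -> Untrusted.
        return src_zone in INTERNAL or (src_zone == "Public" and dst_zone == "Untrusted")
    # SMTP: mail from a non-Trusted zone into Trusted/Wireless/Encrypted/Public,
    # and mail moving between Trusted/Wireless/Encrypted zones.
    if src_zone != "Trusted" and (dst_zone in INTERNAL or dst_zone == "Public"):
        return True
    return src_zone in INTERNAL and dst_zone in INTERNAL


def gav_inspected(protocol: str, src_zone: str, dst_zone: str, outbound_smtp: bool = False) -> bool:
    """Inbound inspection plus the optional Enable Outbound Inspection for SMTP.
    Assumption: outbound inspection adds SMTP sessions initiated from an internal zone
    that the inbound rules do not already cover (e.g. Trusted -> Public DMZ mail server)."""
    if inbound_inspected(protocol, src_zone, dst_zone):
        return True
    return outbound_smtp and protocol.upper() == "SMTP" and src_zone in INTERNAL


def inspection_table(protocol: str) -> str:
    """Render the source-zone (rows) x destination-zone (columns) matrix, Y = inspected."""
    width = max(len(z) for z in ZONES) + 2
    corner = "src/dst"
    lines = [protocol.upper() + " inbound inspection",
             f"{corner:<{width}}" + "".join(f"{z:<{width}}" for z in ZONES)]
    for src in ZONES:
        cells = "".join(f"{'Y' if inbound_inspected(protocol, src, dst) else '-':<{width}}"
                        for dst in ZONES)
        lines.append(f"{src:<{width}}" + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(inspection_table("HTTP"))
    print()
    print(inspection_table("SMTP"))
```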
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
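As an added example of the first restriction (not SonicWALL's code), the following Python decides whether a ZIP archive carries a password-protected entry by reading the encryption flag bit in each local file header, the field that lets a gateway decide from the first bytes of a transfer; the sample archive is constructed and its flag is set by hand, so its data is not really encrypted:

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"  # 30-byte fixed part of a local file header
FLAG_ENCRYPTED = 0x0001       # general purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008 # bit 3: sizes follow the data, not in the header


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk the local file headers in stream order and report the first encrypted one."""
    off = 0
    while data.startswith(LOCAL_SIG, off) and off + struct.calcsize(LOCAL_FMT) <= len(data):
        (_, _, flags, _, _, _, _, csize, _, fnlen, extralen) = struct.unpack_from(LOCAL_FMT, data, off)
        if flags & FLAG_ENCRYPTED:
            return True
        if flags & FLAG_DATA_DESCRIPTOR:
            # Compressed size is unknown up front; fall back to the central directory.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(info.flag_bits & FLAG_ENCRYPTED for info in zf.infolist())
        off += struct.calcsize(LOCAL_FMT) + fnlen + extralen + csize
    return False


def build_zip(name: str, content: bytes) -> bytes:
    """Constructed sample archive with a single deflated entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Constructed sample: set the encryption bit in every local and central header.
    The entry data is left as-is; the flag alone is what the gateway check reads."""
    out = bytearray(data)
    for sig, flag_off in ((LOCAL_SIG, 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", out, pos + flag_off)[0]
            struct.pack_into("<H", out, pos + flag_off, flags | FLAG_ENCRYPTED)
            pos = out.find(sig, pos + len(sig))
    return bytes(out)


PLAIN_ZIP = build_zip("report.txt", b"quarterly figures\n" * 40)
PROTECTED_ZIP = mark_encrypted(PLAIN_ZIP)

if __name__ == "__main__":
    print("plain archive restricted:    ", zip_has_encrypted_entry(PLAIN_ZIP))
    print("protected archive restricted:", zip_has_encrypted_entry(PROTECTED_ZIP))
```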
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide, located on the SonicWALL
Web site, for the complete instructions on configuring SonicWALL Intrusion Prevention Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
• Bold - Highlights items you can select on the SonicWALL management interface.
• Italic - Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
• Top Level Menu Button > Submenu Item - Indicates a multiple step Management Interface menu choice. For
example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based resources
are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - +1800.35.1642
Austria - +43(0)820.400.105
EMEA - +31(0)411.617.810
France - +33(0)1.4933.7414
Germany - +49(0)1805.0800.22
Hong Kong - +1.800.93.0997
India - +8026556828
Italy - +39.02.7541.9803
Japan - +81(0)3.5460.5356
New Zealand - +0800.446489
Singapore - +800.110.1441
Spain - +34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as peer-to-peer
and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting the remote desktop.
4. The virus is logged and an alert is sent to the administrator.
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client makes a request to download a file from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by the
e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 engine (Deep Packet Inspection
version 2.0), which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. The reassembly-free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
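The per-packet base64 decoding, decompression and signature matching described above, modelled in Python as an added example (not SonicWALL code): each packet is decoded, inflated and matched as it arrives, and only a few bytes of carry-over state survive between packets, so a match that straddles a packet boundary is still found without the attachment ever being held whole. The signature, the sample attachment and its 76-column CRLF wrapping are constructed for the example.

```python
import base64
import gzip
import hashlib
import zlib

# Constructed test signature for this example; not a real malware signature.
SIGNATURES = {
    "Test.Signature.Constructed": b"CONSTRUCTED-GAV-TEST-SIGNATURE",
}


class StreamScanner:
    """Single-pass scanner: base64-decode, gunzip and match one packet at a time.

    Only a little state survives between packets: at most 3 leftover base64
    characters, the inflater's own window, and the last (longest signature - 1)
    decoded bytes so a match straddling a packet boundary is still found.
    """

    def __init__(self, signatures, base64_encoded=False, gzip_compressed=False):
        self.signatures = signatures
        self.base64_encoded = base64_encoded
        self.b64_pending = b""  # base64 chars not yet forming a full 4-char group
        # 16 + MAX_WBITS makes zlib expect a gzip header instead of a zlib one.
        self.inflater = zlib.decompressobj(16 + zlib.MAX_WBITS) if gzip_compressed else None
        self.tail_len = max(len(p) for p in signatures.values()) - 1
        self.tail = b""  # last decoded bytes, kept for boundary-spanning matches
        self.max_buffered = 0  # bookkeeping only: largest working set ever held

    def _decode_base64(self, chunk):
        # Mail agents wrap base64 at 76 columns; the line breaks are not data.
        self.b64_pending += bytes(c for c in chunk if c not in b"\r\n \t")
        usable = len(self.b64_pending) // 4 * 4
        group, self.b64_pending = self.b64_pending[:usable], self.b64_pending[usable:]
        return base64.b64decode(group)

    def _match(self, window):
        for name, pattern in self.signatures.items():
            if pattern in window:
                return name
        return None

    def feed(self, packet):
        """Scan one packet; returns the matching signature name, or None."""
        data = self._decode_base64(packet) if self.base64_encoded else packet
        if self.inflater is not None:
            data = self.inflater.decompress(data)
        window = self.tail + data
        self.max_buffered = max(self.max_buffered, len(window) + len(self.b64_pending))
        hit = self._match(window)
        self.tail = window[-self.tail_len:] if self.tail_len else b""
        return hit

    def finish(self):
        """End of stream: flush whatever the inflater still holds and scan it."""
        rest = self.inflater.flush() if self.inflater is not None else b""
        return self._match(self.tail + rest)


def pseudo_random(n):
    """Deterministic, incompressible filler (SHA-256 chain) for constructed samples."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def build_mail_attachment(payload):
    """Constructed sample: gzip the payload, base64 it, wrap at 76 columns with CRLF."""
    encoded = base64.b64encode(gzip.compress(payload))
    lines = [encoded[i:i + 76] for i in range(0, len(encoded), 76)]
    return b"\r\n".join(lines) + b"\r\n"


def scan_stream(stream, packet_size, **options):
    """Feed a byte stream to the scanner packet by packet.

    Returns (verdict, index of the packet that triggered it or None,
    largest number of bytes the scanner ever held at once).
    """
    scanner = StreamScanner(SIGNATURES, **options)
    for offset in range(0, len(stream), packet_size):
        hit = scanner.feed(stream[offset:offset + packet_size])
        if hit:
            return hit, offset // packet_size, scanner.max_buffered
    return scanner.finish(), None, scanner.max_buffered


if __name__ == "__main__":
    payload = pseudo_random(3000) + SIGNATURES["Test.Signature.Constructed"] + pseudo_random(3000)
    verdict, packet, held = scan_stream(build_mail_attachment(payload), 17,
                                        base64_encoded=True, gzip_compressed=True)
    print(verdict, "in packet", packet, "- bytes held at most:", held, "of", len(payload))
```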
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream-concurrency limits are platform dependent, as follows:

Platform         GAV-Disabled    GAV-Enabled Connections    Concurrent Compressed    GAV Signatures
                 Connections     Cache Size (Concurrent     File Downloads
                 Cache Size      File Downloads)            with GAV
TZ 150 Series    2,048           2,048                      100                      4,500
TZ 170 Series    6,144           6,144                      100                      4,500
PRO 1260         6,144           6,144                      100                      4,500
PRO 2040         32,768          16,384                     300                      25,000
PRO 3060         131,072         65,536                     1,000                    25,000
PRO 4060         524,288         131,072                    1,500                    25,000
PRO 5060         750,000         393,216                    3,000                    25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the head of the send
queue via a 552 SMTP response, preventing it from being resent, and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
Page 14 SonicWALL Gateway Anti-Virus Administrator’s Guide
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is
not supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
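The mail-protocol handling described above, as an added example that is not SonicWALL code: a MIME message is walked, base64-encoded parts are decoded, gzip and zip containers (including nested archives) are opened, the decoded content is matched against a constructed signature table, and on a hit the SMTP DATA phase is answered with a 552 so the sender drops the message from its queue. The EICAR test string stands in for a real signature; SIGNATURES, MAX_NESTING and the sample messages are constructed here.

```python
import email
import gzip
import io
import zipfile
from email.message import EmailMessage

# EICAR standard anti-virus test string: harmless, exists to exercise scanners.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature table (pattern -> name); not the SonicWALL database.
SIGNATURES = {EICAR: "EICAR-Test-File"}

# Bound on archive-in-archive recursion: a practical guard against nested
# decompression bombs, not a setting taken from the guide.
MAX_NESTING = 4


def scan_blob(data: bytes, depth: int = 0) -> list:
    """Names of signatures found in data, looking inside gzip and zip
    containers recursively up to MAX_NESTING levels."""
    hits = [name for pattern, name in SIGNATURES.items() if pattern in data]
    if depth >= MAX_NESTING:
        return hits
    if data[:2] == b"\x1f\x8b":                        # gzip magic
        try:
            hits += scan_blob(gzip.decompress(data), depth + 1)
        except (OSError, EOFError):
            pass                                       # truncated or corrupt stream
    elif data[:4] == b"PK\x03\x04":                   # zip local file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.flag_bits & 0x1:         # encrypted member: cannot be scanned
                        continue
                    hits += scan_blob(zf.read(member), depth + 1)
        except (zipfile.BadZipFile, RuntimeError):
            pass
    return hits


def scan_message(raw: bytes) -> list:
    """Walk a MIME message; get_payload(decode=True) undoes base64 and
    quoted-printable, while 8-bit bodies need no decoding at all."""
    msg = email.message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload:
            hits += scan_blob(payload)
    return hits


def smtp_data_response(raw: bytes) -> str:
    """Reply given at the end of the DATA phase: 552 on a detection (the
    sending MTA then drops the message from its queue), 250 otherwise."""
    hits = scan_message(raw)
    if hits:
        return "552 Message rejected: " + ", ".join(sorted(set(hits)))
    return "250 OK"


def build_sample(attachment: bytes, filename: str) -> bytes:
    """Constructed sample message with one base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "report"
    msg.set_content("see attached")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def zipped(name: str, payload: bytes) -> bytes:
    """Constructed deflated zip archive holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: clean, gzip-wrapped test file, and a zip inside a zip.
SAMPLE_CLEAN = build_sample(b"quarterly numbers", "report.txt")
SAMPLE_GZIP = build_sample(gzip.compress(EICAR), "report.gz")
SAMPLE_NESTED_ZIP = build_sample(zipped("inner.zip", zipped("eicar.com", EICAR)), "report.zip")
```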
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left-navigation
menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left-navigation
menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface box and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking on the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP-based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
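As an added illustration, not taken from the guide, the four inbound inspection rules above written as a decision function over the zone security types, plus the source-by-destination matrix they define. The Zone set (Trusted, Public, Wireless, Encrypted, Untrusted) and all function names are assumptions made here.

```python
from enum import Enum
from itertools import product


class Zone(Enum):
    """SonicOS Enhanced zone security types (assumed set for this example)."""
    TRUSTED = "Trusted"
    PUBLIC = "Public"
    WIRELESS = "Wireless"
    ENCRYPTED = "Encrypted"
    UNTRUSTED = "Untrusted"


# The zones the four rules group together as "Trusted, Wireless, or Encrypted".
INTERNAL = frozenset({Zone.TRUSTED, Zone.WIRELESS, Zone.ENCRYPTED})


def inbound_inspected(src: Zone, dst: Zone, is_smtp: bool) -> bool:
    """True when Enable Inbound Inspection covers a flow from src to dst."""
    if not is_smtp:
        # Rule 1: non-SMTP from Trusted/Wireless/Encrypted to any zone.
        if src in INTERNAL:
            return True
        # Rule 2: non-SMTP from Public to Untrusted.
        return src is Zone.PUBLIC and dst is Zone.UNTRUSTED
    # Rule 3: SMTP from a non-Trusted zone to Trusted/Wireless/Encrypted/Public
    # (this is how inbound mail from the WAN to an internal mail server is caught).
    if src is not Zone.TRUSTED and (dst in INTERNAL or dst is Zone.PUBLIC):
        return True
    # Rule 4: SMTP between Trusted/Wireless/Encrypted zones.
    return src in INTERNAL and dst in INTERNAL


def inspection_matrix(is_smtp: bool) -> dict:
    """(src, dst) -> inspected, for every ordered pair of zones."""
    return {(s, d): inbound_inspected(s, d, is_smtp) for s, d in product(Zone, Zone)}


def render_matrix(is_smtp: bool) -> str:
    """Text table: rows are the source zone, columns the destination zone."""
    width = max(len(z.value) for z in Zone)
    header = " " * width + " | " + " ".join(z.value.ljust(width) for z in Zone)
    lines = [header, "-" * len(header)]
    for s in Zone:
        cells = (("yes" if inbound_inspected(s, d, is_smtp) else "no").ljust(width)
                 for d in Zone)
        lines.append(s.value.ljust(width) + " | " + " ".join(cells))
    return "\n".join(lines)


def uncovered_pairs() -> list:
    """Zone pairs that inbound inspection never scans, for either traffic type.
    Under the four rules only Untrusted-to-Untrusted remains uncovered."""
    return [(s.value, d.value) for s, d in product(Zone, Zone)
            if not inbound_inspected(s, d, False) and not inbound_inspected(s, d, True)]


if __name__ == "__main__":
    print("Non-SMTP traffic:\n" + render_matrix(False))
    print("\nSMTP traffic:\n" + render_matrix(True))
    print("\nNever inspected inbound:", uncovered_pairs())
```

Note that a Trusted-to-Untrusted SMTP flow (LAN client sending mail out) is not inbound inspection at all; that case is what the separate Outbound SMTP Inspection setting below covers.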
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
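Added example, not SonicWALL code: how the password-protected ZIP restriction above can be checked on the wire by reading the archive's central directory and looking for general-purpose flag bit 0 (traditional PKWARE encryption) or compression method 99 (WinZip AES), which means the check works even though the gateway cannot open the entries. The build_zip helper constructs the sample archives and only sets the header flag; no payload is actually encrypted.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
LOCAL_SIG = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: entry is encrypted
METHOD_AES = 99           # WinZip AES encryption is signalled by this method id


def encrypted_entries(data: bytes) -> list:
    """Names of entries the central directory marks as encrypted.
    Only headers are read, so no decompression is attempted."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record; not a ZIP archive")
    # EOCD: disk, cd disk, entries on disk, total entries, cd size, cd offset, comment len
    _, _, _, n_entries, _, cd_offset, _ = struct.unpack("<4xHHHHIIH", data[eocd:eocd + 22])
    names = []
    pos = cd_offset
    for _ in range(n_entries):
        fields = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        sig, flags, method = fields[0], fields[3], fields[4]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        if sig != CDIR_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if flags & FLAG_ENCRYPTED or method == METHOD_AES:
            names.append(name)
        pos += 46 + name_len + extra_len + comment_len
    return names


def is_password_protected(data: bytes) -> bool:
    """The transfer restriction: block when any entry is encrypted."""
    return bool(encrypted_entries(data))


def build_zip(entries, encrypted=False) -> bytes:
    """Constructed sample archive with STORED entries. With encrypted=True the
    encryption flag is set in both the local and central headers, as a
    password-protected archive carries it; payload bytes are left as-is."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    body, central = io.BytesIO(), io.BytesIO()
    for name, payload in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = body.tell()
        # local header: version, flags, method, time, date, crc, sizes, name/extra len
        body.write(LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, crc,
                                           len(payload), len(payload), len(name_b), 0))
        body.write(name_b + payload)
        # central header adds: version made by, comment len, disk, attributes, offset
        central.write(CDIR_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, 0, 0, 0,
                                             crc, len(payload), len(payload),
                                             len(name_b), 0, 0, 0, 0, 0, offset))
        central.write(name_b)
    cd = central.getvalue()
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries),
                                  len(cd), body.tell(), 0)
    return body.getvalue() + cd + eocd


def stdlib_view(data: bytes) -> list:
    """Cross-check against the standard library: (name, encrypted?) per entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, bool(i.flag_bits & FLAG_ENCRYPTED)) for i in zf.infolist()]


def stdlib_extract(data: bytes, name: str) -> bytes:
    """Extract one entry with the standard library (only works for plain entries)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)
```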
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL,Inc.
1143 Borregas Avenue
Sunnyvale,CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations
by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones
(SonicOS Enhanced 3.0) ............................................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide, located on the
SonicWALL Web site, for the complete instructions on configuring SonicWALL Intrusion Prevention
Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention: Use
Bold: Highlights items you can select on the SonicWALL management interface.
Italic: Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address
field.”
Top Level Menu Button > Submenu Item: Indicates a multiple-step Management Interface menu choice. For
example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway
Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based
resources are available to help you resolve most technical issues or contact SonicWALL Technical
Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection
version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting over the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
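The per-packet, reassembly-free pipeline described above, as an added illustration in Python that is not SonicWALL code: base64 is decoded and gzip inflated one packet at a time, and a constructed test pattern standing in for a signature is still matched when it straddles a packet boundary. The packet sizes, payload and SIGNATURE value are constructed for the demonstration.

```python
"""Added illustration (not SonicWALL code) of reassembly-free scanning:
each 'packet' is base64-decoded, gzip-inflated and signature-matched as it
arrives, with only a few bytes of carry-over state kept between packets."""
import base64
import binascii
import gzip
import zlib
from typing import List, Optional, Tuple

# Constructed test pattern standing in for a signature; not a real malware string.
SIGNATURE = b"CONSTRUCTED-GATEWAY-AV-TEST-PATTERN"


class StreamScanner:
    """Finds a signature in a byte stream delivered in arbitrary chunks.

    Only the last len(signature)-1 bytes of the previous chunk are retained,
    which is enough to catch a pattern split across a packet boundary."""

    def __init__(self, signature: bytes = SIGNATURE):
        self.sig = signature
        self.tail = b""
        self.bytes_seen = 0
        self.match_at: Optional[int] = None   # stream offset of first hit

    def feed(self, chunk: bytes) -> bool:
        window = self.tail + chunk
        idx = window.find(self.sig)
        if idx != -1 and self.match_at is None:
            self.match_at = self.bytes_seen - len(self.tail) + idx
        keep = len(self.sig) - 1
        self.tail = window[-keep:] if keep else b""
        self.bytes_seen += len(chunk)
        return self.match_at is not None


class Base64Decoder:
    """Decodes base64 one packet at a time, holding back an incomplete quad
    instead of waiting for the whole encoded attachment."""

    def __init__(self):
        self.pending = b""

    def feed(self, chunk: bytes) -> bytes:
        data = self.pending + b"".join(chunk.split())   # drop CRLF line breaks
        usable = len(data) - len(data) % 4
        self.pending = data[usable:]
        return binascii.a2b_base64(data[:usable]) if usable else b""


class GzipInflater:
    """Streaming gzip decompression; zlib keeps any partial block internally."""

    def __init__(self):
        self.d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # +16 = expect a gzip header

    def feed(self, chunk: bytes) -> bytes:
        return self.d.decompress(chunk)


def scan_packets(packets: List[bytes], base64_encoded: bool = False,
                 gzipped: bool = False,
                 signature: bytes = SIGNATURE) -> Tuple[Optional[int], Optional[int]]:
    """Push packets through decode -> inflate -> match.

    Returns (index of the packet at which the signature became visible,
    offset of the signature in the decoded stream), or (None, None) if clean.
    A gateway would stop forwarding at that packet index."""
    b64, gz, scanner = Base64Decoder(), GzipInflater(), StreamScanner(signature)
    for i, pkt in enumerate(packets):
        data = b64.feed(pkt) if base64_encoded else pkt
        if gzipped:
            data = gz.feed(data)
        if scanner.feed(data):
            return i, scanner.match_at
    return None, None


def split_packets(blob: bytes, size: int) -> List[bytes]:
    """Constructed helper: chop a byte string into fixed-size packets."""
    return [blob[i:i + size] for i in range(0, len(blob), size)]


def demo():
    """Two constructed streams carrying the same 135-byte payload."""
    payload = b"A" * 50 + SIGNATURE + b"B" * 50
    # 1. Plain stream in 40-byte packets: the signature (bytes 50-84) straddles packets 1 and 2.
    plain = scan_packets(split_packets(payload, 40))
    # 2. Gzip-compressed, then base64-encoded with 76-column line breaks, as a mail attachment is.
    encoded = base64.encodebytes(gzip.compress(payload))
    mail = scan_packets(split_packets(encoded, 37), base64_encoded=True, gzipped=True)
    return plain, mail
```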
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as follows:

Platform        GAV-Disabled    GAV-Enabled Connections    Concurrent Compressed    GAV
                Connections     Cache Size (Concurrent     File Downloads           Signatures
                Cache Size      File Downloads)            with GAV
TZ 150 Series   2,048           2,048                      100                      4,500
TZ 170 Series   6,144           6,144                      100                      4,500
PRO 1260        6,144           6,144                      100                      4,500
PRO 2040        32,768          16,384                     300                      25,000
PRO 3060        131,072         65,536                     1,000                    25,000
PRO 4060        524,288         131,072                    1,500                    25,000
PRO 5060        750,000         393,216                    3,000                    25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is removed from the head of the sender's queue
by returning a 552 SMTP response, which prevents it from being resent, and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method
is not supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP
port 80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and
reassembly of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP REST requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
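Why Byte-Range and REST suppression matter for a per-packet scanner, as an added Python model that is not SonicWALL code: a fetch that starts mid-object would show the scanner only a fragment, so Range/If-Range request headers are dropped and REST is answered locally. Header removal and the 502 reply are assumptions, since the page does not document how the appliance implements the suppression; the allow_rest flag models the /diag.html override, and the request and host name are constructed.

```python
"""Added model (not SonicWALL code) of suppressing sectional retrieval so a
per-packet scanner always sees an object from its first byte.  How the
appliance really implements this is not documented here; removing the
headers and answering REST with a 502 are assumptions."""
from typing import Optional, Tuple

# Request headers that let a client ask for part of an object.
RANGE_HEADERS = (b"range", b"if-range")


def strip_http_range(request: bytes) -> Tuple[bytes, bool]:
    """Remove Range/If-Range from an HTTP request's header block.

    Returns the rewritten request and whether anything was removed.  The
    body, if present, is forwarded untouched; header names are compared
    case-insensitively."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept, removed = [lines[0]], False
    for line in lines[1:]:
        name = line.split(b":", 1)[0].strip().lower()
        if name in RANGE_HEADERS:
            removed = True          # client now receives the whole object
            continue
        kept.append(line)
    return b"\r\n".join(kept) + sep + body, removed


def filter_ftp_command(line: bytes,
                       allow_rest: bool = False) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Return (command to forward to the server, reply to send to the client).

    REST <offset> would make the server resume a transfer mid-file, so the
    gateway answers it locally with a 5xx (assumed code 502, 'Command not
    implemented') and forwards nothing; the client then falls back to a full
    RETR.  allow_rest models the 'Enable FTP REST requests with Gateway AV'
    override on /diag.html."""
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb == b"REST" and not allow_rest:
        return None, b"502 REST not permitted while gateway anti-virus is active\r\n"
    return line, None


def demo() -> Tuple[bytes, Optional[bytes], Optional[bytes]]:
    """Constructed request and command sequence run through both filters."""
    request = (b"GET /update.bin HTTP/1.1\r\n"
               b"Host: files.example.test\r\n"          # constructed host name
               b"Range: bytes=1048576-2097151\r\n"
               b"If-Range: \"etag-123\"\r\n"
               b"\r\n")
    rewritten, _ = strip_http_range(request)
    _, rest_reply = filter_ftp_command(b"REST 1048576\r\n")
    forwarded, _ = filter_ftp_command(b"RETR update.bin\r\n")
    return rewritten, rest_reply, forwarded
```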
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Page 18 SonicWALL Gateway Anti-Virus Administrator’s Guide
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours. To update your SonicWALL security appliance immediately instead, click the Synchronize
button on the Security Services > Summary page.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Page 19
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select at least the WAN and LAN interfaces,
because traffic that enters or leaves on an unselected interface is not scanned.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Page 20
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon for the zone. The Edit Zone
window is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Page 21
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, SonicWALL GAV inspection stops and the SonicWALL GAV
configuration settings are removed from the SonicWALL security appliance. These settings are
automatically restored to their previously configured state when you renew your SonicWALL GAV
license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV to Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Page 22
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured in two ways. The SonicWALL security appliance must first
authenticate itself to the signature servers with a pre-shared secret, created during the SonicWALL
Distributed Enforcement Architecture licensing registration. The signature request is then transported
over HTTPS with full server certificate verification, so the appliance only accepts a database from a
server whose certificate chains to a trusted authority and matches the update host.
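The two protections described above, as an added Python example (not SonicWALL's update protocol or code): a client TLS context that performs full server certificate verification, shown beside the weak setting to avoid, and a pre-shared-secret request authentication exchange with the appliance side and the signature-server side both in-process. The header names, the HMAC-SHA256 construction, the 300-second freshness window and the sample serial number and secret are assumptions made for this illustration; the actual SonicWALL scheme is not documented on this page.

```python
"""HTTPS transport hardening plus pre-shared-secret request authentication for a
signature-update fetch.  Added example, not SonicWALL's update protocol: the
header names, the HMAC construction, the replay window and the sample serial
number and secret are assumptions made for illustration."""
import hashlib
import hmac
import os
import ssl
import time


def update_transport_context() -> ssl.SSLContext:
    """Client TLS context that performs full server certificate verification."""
    ctx = ssl.create_default_context()          # system trust store, CERT_REQUIRED by default
    ctx.check_hostname = True                   # certificate name must match the update host
    ctx.verify_mode = ssl.CERT_REQUIRED         # an unverifiable chain aborts the handshake
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_transport_context() -> ssl.SSLContext:
    """The setting to avoid: any certificate is accepted, so an on-path attacker
    can serve a forged signature database.  Shown only for contrast."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                  # must be cleared before verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def transport_verifies(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject a bad or mismatched server certificate."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def _mac(secret: bytes, method: str, path: str, ts: int, nonce: str, body: bytes) -> str:
    """HMAC-SHA256 over the request parts that must not be altered in transit."""
    msg = b"\n".join([method.encode(), path.encode(), str(ts).encode(),
                      nonce.encode(), hashlib.sha256(body).digest()])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_update_request(secret: bytes, serial: str, method: str, path: str,
                        body: bytes = b"", now=None, nonce=None) -> dict:
    """Appliance side: produce the authentication headers for one request."""
    ts = int(time.time() if now is None else now)
    nonce = nonce or os.urandom(8).hex()
    return {"X-Appliance-Serial": serial, "X-Timestamp": str(ts), "X-Nonce": nonce,
            "X-Signature": _mac(secret, method, path, ts, nonce, body)}


class UpdateServer:
    """Signature-server side: look up the PSK by serial, then check freshness,
    nonce reuse and the MAC (constant-time compare) before serving a database."""

    def __init__(self, secrets: dict, window: int = 300):
        self.secrets = secrets        # serial -> pre-shared secret from licensing registration
        self.window = window          # accepted clock skew in seconds (assumed value)
        self.seen = set()             # (serial, nonce) pairs already used

    def authenticate(self, method: str, path: str, headers: dict,
                     body: bytes = b"", now=None) -> bool:
        now = time.time() if now is None else now
        serial = headers.get("X-Appliance-Serial")
        secret = self.secrets.get(serial)
        if secret is None:
            return False
        try:
            ts = int(headers["X-Timestamp"])
            nonce, sig = headers["X-Nonce"], headers["X-Signature"]
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window:            # stale or future-dated: reject
            return False
        if (serial, nonce) in self.seen:           # replayed request: reject
            return False
        if not hmac.compare_digest(sig, _mac(secret, method, path, ts, nonce, body)):
            return False
        self.seen.add((serial, nonce))
        return True


# Constructed sample values (not real SonicWALL identifiers or secrets).
SAMPLE_SERIAL = "0017C5000001"
SAMPLE_PSK = b"psk-issued-at-registration"
SAMPLE_PATH = "/gav/signatures?since=20050101"
```

sign_update_request produces the headers the appliance would send; UpdateServer.authenticate is what the server would run before serving a database. The nonce set and the timestamp window are what turn a bare HMAC into an authentication that cannot simply be recorded and resubmitted; transport verification is what stops an on-path host from handing the appliance a forged database in the first place, which is why the weak context is the one setting never to ship.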
Specifying Protocol Filtering
Application-level awareness of the protocol that is transporting a violation allows SonicWALL
GAV to take protocol-specific actions, so that the rejection of the payload is handled gracefully
within the context of the application rather than by simply dropping the connection.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection setting covers the following
traffic (note that the direction is defined differently for SMTP than for the other protocols):
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
Page 23
The Enable Inbound Inspection protocol traffic handling, represented as a table:

Traffic     Initiating (source) Zone type       Destination Zone type                    Inbound inspection
Non-SMTP    Trusted, Wireless, or Encrypted     Any                                      Yes
Non-SMTP    Public                              Untrusted                                Yes
SMTP        Any non-Trusted                     Trusted, Wireless, Encrypted, or Public  Yes
SMTP        Trusted, Wireless, or Encrypted     Trusted, Wireless, or Encrypted          Yes
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance on each client that is to receive these notifications from SonicWALL GAV.
Page 24
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define ranges of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
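The four inbound-inspection rules listed under Enabling Inbound Inspection, the statement that enabling GAV on a Zone covers all traffic into and out of it, and the exclusion-list behaviour from this section, combined into one decision function, as an added Python example (not SonicWALL code). The zone names, the reading that GAV enabled on either zone of a flow suffices, and the reading that an excluded address bypasses scanning whether it is the source or the destination are assumptions; the sample zone layout and address range are constructed.

```python
"""Enable Inbound Inspection rules and the Gateway AV exclusion list as a
decision function.  Added example, not SonicWALL code: it encodes the four
rules listed under Enabling Inbound Inspection and the statement that zone
enablement covers all traffic into and out of that zone.  The zone names, the
'GAV enabled on either zone' reading and the 'either endpoint' reading of the
exclusion list are assumptions made here."""
import ipaddress

TRUSTED, PUBLIC, WIRELESS, ENCRYPTED, UNTRUSTED = (
    "Trusted", "Public", "Wireless", "Encrypted", "Untrusted")
INTERNAL = {TRUSTED, WIRELESS, ENCRYPTED}   # "Trusted, Wireless, or Encrypted" in the text


def inbound_inspection_applies(src_type: str, dst_type: str, proto: str) -> bool:
    """True when Enable Inbound Inspection covers a flow between two zone security types.

    Non-SMTP protocols are inspected in the direction of the client that pulls
    the file; SMTP is inspected in the direction of the server that receives the
    mail, which is why the two halves below point opposite ways."""
    if proto.upper() != "SMTP":
        # Rule 1: internal zone to any zone.   Rule 2: Public to Untrusted.
        return src_type in INTERNAL or (src_type == PUBLIC and dst_type == UNTRUSTED)
    # Rule 3: any non-Trusted source to Trusted, Wireless, Encrypted or Public.
    if src_type != TRUSTED and (dst_type in INTERNAL or dst_type == PUBLIC):
        return True
    # Rule 4: internal to internal (covers Trusted sources, which rule 3 excludes).
    return src_type in INTERNAL and dst_type in INTERNAL


class ExclusionList:
    """Gateway AV Exclusion List: inclusive IP ranges whose traffic bypasses scanning."""

    def __init__(self, ranges=(), enabled=True):
        self.enabled = enabled      # the Enable Gateway AV Exclusion List checkbox
        self.ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                       for lo, hi in ranges]

    def covers(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return self.enabled and any(lo <= addr <= hi for lo, hi in self.ranges)


def flow_is_scanned(zones: dict, src_zone: str, dst_zone: str, proto: str,
                    src_ip: str, dst_ip: str, exclusions: ExclusionList,
                    gav_enabled: bool = True) -> bool:
    """zones maps a zone name to (security type, Enable Gateway Anti-Virus Service on it)."""
    if not gav_enabled:                         # global Enable Gateway Anti-Virus checkbox
        return False
    src_type, src_gav = zones[src_zone]
    dst_type, dst_gav = zones[dst_zone]
    if not (src_gav or dst_gav):                # assumption: GAV on either zone suffices
        return False
    if exclusions.covers(src_ip) or exclusions.covers(dst_ip):
        return False                            # excluded hosts bypass scanning entirely
    return inbound_inspection_applies(src_type, dst_type, proto)


# Constructed sample policy: LAN/WAN/DMZ/WLAN with GAV enabled on the non-WAN zones.
SAMPLE_ZONES = {"LAN": (TRUSTED, True), "WAN": (UNTRUSTED, False),
                "DMZ": (PUBLIC, True), "WLAN": (WIRELESS, True)}
SAMPLE_EXCLUSIONS = ExclusionList([("192.168.168.10", "192.168.168.20")])
```

Querying the function makes the asymmetry visible: an HTTP download from the WAN into a DMZ server is not inbound inspection, while an SMTP delivery from the WAN into that same DMZ is. It also shows why the Alert above matters: a single excluded address removes every rule from consideration for all of that host's traffic, in both directions.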
Restricting File Transfers
The restrict transfer settings, listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, prevent files with specific attributes from being
transferred when they are enabled. They act on the file's structure, not on a virus signature match.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password-protected
ZIP files over any protocol that is enabled for inspection (for example HTTP, FTP, SMTP). Traffic on
protocols that are not enabled for inspection is unaffected.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfer of any MS Office 97 and later files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities that compress and sometimes encrypt executables. Although
there are legitimate uses for these, they are also used for obfuscation, to make executables
harder for anti-virus applications to detect. The packer adds a small stub that expands the original
file in memory and then executes it. SonicWALL Gateway Anti-Virus currently recognizes the most
common packed formats: UPX, FSG, PKLite32, Petite, and ASPack. Additional formats are added
dynamically with SonicWALL GAV signature updates.
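How a forward-only gateway scanner can derive two of these attributes from the first bytes of a ZIP stream, as an added Python example (not SonicWALL's implementation): the password-protected flag is bit 0 of the general-purpose flags in each ZIP local file header, so it is visible before any payload arrives, and in OOXML documents (Office 2007 and later, which are ZIP containers) a VBA macro project is carried as a vbaProject.bin entry. The Office 97-2003 binary format and packed executables need different parsers and are not covered here; the name-based macro check and the sample archives are assumptions and constructed data.

```python
"""Single-pass checks for two of the restrict-transfer attributes on a ZIP
stream.  Added example, not SonicWALL's implementation: it walks ZIP local
file headers in stream order and flags (a) entries with the encryption bit set
(password-protected ZIP) and (b) an OOXML VBA macro container.  Office 97-2003
binary documents and packed executables need other parsers and are not covered;
the name-based macro check and the sample archives are assumptions."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"      # fixed 30-byte part of a local file header
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)
FLAG_ENCRYPTED = 0x0001                 # general-purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008           # general-purpose bit 3: sizes follow the data


def iter_local_headers(data: bytes):
    """Yield (name, flags, compressed_size) for each local header in stream order.

    Stops at the first non-local signature (the central directory) or at an
    entry that uses a data descriptor, because then the compressed size is not
    known up front and a forward-only scanner cannot skip over the payload."""
    off = 0
    while off + LOCAL_HEADER_LEN <= len(data):
        (sig, _ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, off)
        if sig != LOCAL_HEADER_SIG:
            break
        start = off + LOCAL_HEADER_LEN
        name = data[start:start + name_len].decode("utf-8", "replace")
        yield name, flags, csize
        if flags & FLAG_DATA_DESCRIPTOR:
            break
        off = start + name_len + extra_len + csize


def classify_zip(data: bytes) -> dict:
    """Return the attributes a restrict-transfer policy would act on."""
    encrypted, macros = [], []
    for name, flags, _csize in iter_local_headers(data):
        if flags & FLAG_ENCRYPTED:
            encrypted.append(name)
        if name.lower().endswith("vbaproject.bin"):   # OOXML macro project part (assumed check)
            macros.append(name)
    return {"password_protected": bool(encrypted), "encrypted_entries": encrypted,
            "ooxml_macros": bool(macros), "macro_entries": macros}


def should_block(data: bytes, restrict_pw_zip: bool = True, restrict_macros: bool = True) -> bool:
    """Apply the two checkbox settings to one archive."""
    found = classify_zip(data)
    return ((restrict_pw_zip and found["password_protected"])
            or (restrict_macros and found["ooxml_macros"]))


# Constructed samples.  zipfile cannot write encrypted entries, so the
# password-protected case is a hand-built header with bit 0 set over opaque bytes.
def _plain_zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


def _encrypted_entry(name: bytes, payload: bytes) -> bytes:
    header = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, FLAG_ENCRYPTED, 0,
                         0, 0, 0, len(payload), len(payload), len(name), 0)
    return header + name + payload


SAMPLE_PLAIN = _plain_zip([("readme.txt", b"hello")])
SAMPLE_MACRO_DOC = _plain_zip([("[Content_Types].xml", b"<Types/>"),
                               ("word/document.xml", b"<w:document/>"),
                               ("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")])
SAMPLE_PW_ZIP = _encrypted_entry(b"secret.txt", b"\x00" * 12 + b"opaque")
```

The decision is made from header fields alone, which is what makes it compatible with the per-packet, reassembly-free scanning described earlier in this guide: nothing has to be buffered or decrypted, and an encrypted entry is refused precisely because its contents cannot be scanned. The stop on a data descriptor is the honest limit of such a scanner; an archive written in streaming mode carries its sizes after the payload, so skipping ahead safely needs either buffering or a Deflate-aware parser.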
Page 25
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table position of the first signature on the current page. If you are
displaying the first page of a signature table, the entry might read Items 1 to 50 (of 58). Use the
navigation buttons to move through the table.
Page 26
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - benign traffic that is wrongly identified as an attack pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Page 27
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
Page 28
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Page 1
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations
by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones
(SonicOS Enhanced 3.0) ............................................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Page 2
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Page 1
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
Page 2
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
Page 3
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site:
.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:

Convention                               Use
Bold                                     Highlights items you can select on the SonicWALL management interface.
Italic                                   Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item     Indicates a multiple-step Management Interface menu choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.

Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Page 4
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
Page 5
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
Page 6 SonicWALL Gateway Anti-Virus Administrator’s Guide
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting the remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. Virus is logged and alert is sent to administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by
the e-mail server.
3. If a virus is found, the threat is prevented.
4. E-mail is returned to sender, virus is logged, and alert is sent to administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection version 2.0)
engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
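The overview and the architecture section above both describe the same mechanism: base64 decoding, decompression and signature matching happen on each packet as it arrives, so the file is never reassembled and its size does not matter. The following is an added illustration of that idea in Python; it is not SonicWALL code and says nothing about how the DPI engine is actually implemented. It covers base64 and gzip (LZ77) only, the signature and the sample attachment are constructed, and the 64-byte "packet" size is an arbitrary choice to force many chunk boundaries.

```python
"""Reassembly-free, per-packet scanning (added example, not SonicWALL code).

A gzip-compressed file carried as a base64 MIME attachment is cut into
packet-sized chunks. Each chunk is base64-decoded, inflated and matched
against fixed signatures as it arrives; only a small overlap window is kept
between chunks, so the file is never reassembled. Signature, payload and
packet size are constructed for the demonstration.
"""
import base64
import gzip
import random
import zlib


class Base64Decoder:
    """Streaming base64: decodes every complete 4-character group, carries the rest."""

    def __init__(self):
        self.pending = b""

    def feed(self, chunk):
        data = self.pending + b"".join(chunk.split())  # drop MIME line breaks
        usable = len(data) - len(data) % 4
        self.pending = data[usable:]
        return base64.b64decode(data[:usable]) if usable else b""


class GzipDecoder:
    """Streaming gzip inflate; zlib emits bytes as soon as they can be decoded."""

    def __init__(self):
        self._inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # +16: expect gzip header

    def feed(self, chunk):
        return self._inflater.decompress(chunk)


class SignatureScanner:
    """Matches fixed byte signatures across chunk boundaries without buffering the stream."""

    def __init__(self, signatures):
        self.signatures = [bytes(s) for s in signatures]
        self.overlap = max(len(s) for s in self.signatures) - 1  # bytes kept between chunks
        self.tail = b""

    def feed(self, chunk):
        window = self.tail + chunk
        for sig in self.signatures:
            if sig in window:
                return sig
        self.tail = window[-self.overlap:] if self.overlap else b""
        return None


DECODERS = {"base64": Base64Decoder, "gzip": GzipDecoder}


def scan_packets(packets, signatures, encodings=()):
    """Return (packet_index, signature) for the first hit, or None if the stream is clean.

    `encodings` lists the outer-to-inner layers to peel, e.g. ("base64", "gzip")
    for a gzipped attachment inside a MIME body.
    """
    decoders = [DECODERS[name]() for name in encodings]
    scanner = SignatureScanner(signatures)
    for index, packet in enumerate(packets):
        data = packet
        for decoder in decoders:
            data = decoder.feed(data)
        hit = scanner.feed(data)
        if hit is not None:
            return index, hit  # verdict reached mid-stream; nothing was reassembled
    return None


def build_sample_attachment(payload, packet_size=64):
    """Constructed input: gzip the payload, base64-wrap it at 76 columns like MIME,
    and cut the text into packet-sized chunks."""
    wire = base64.encodebytes(gzip.compress(payload))
    return [wire[i:i + packet_size] for i in range(0, len(wire), packet_size)]


# Constructed, harmless test data: incompressible filler with a marker in the middle.
MARKER = b"SAMPLE-MALWARE-MARKER"
_rng = random.Random(1)
FILLER = bytes(_rng.getrandbits(8) for _ in range(3000))
INFECTED = FILLER[:1500] + MARKER + FILLER[1500:]
CLEAN = FILLER


def demo():
    """Scan the constructed infected attachment; returns ((index, signature), packet_count)."""
    packets = build_sample_attachment(INFECTED)
    return scan_packets(packets, [MARKER], ("base64", "gzip")), len(packets)


if __name__ == "__main__":
    (index, sig), total = demo()
    print(f"hit {sig!r} at packet {index} of {total}")
```

The point to notice is that the verdict comes back part-way through the packet list: the scanner holds at most len(signature) - 1 bytes of decoded history, and the decoders hold only an incomplete base64 group and zlib's own window, regardless of how large the attachment is.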
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream-concurrency limits are platform dependent, as
shown in the following table:

Platform        GAV-Disabled     GAV-Enabled Connections   Concurrent Compressed   GAV Signatures
                Connections      Cache Size (Concurrent    File Downloads
                Cache Size       File Downloads)           with GAV
TZ 150 Series   2,048            2,048                     100                     4,500
TZ 170 Series   6,144            6,144                     100                     4,500
PRO 1260        6,144            6,144                     100                     4,500
PRO 2040        32,768           16,384                    300                     25,000
PRO 3060        131,072          65,536                    1,000                   25,000
PRO 4060        524,288          131,072                   1,500                   25,000
PRO 5060        750,000          393,216                   3,000                   25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which
removes it from the head of the sender's queue and prevents it from being resent, and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method is
not supported when the HTTP response is chunk encoded. All HTTP traffic is inspected, not just TCP port
80. SonicWALL GAV suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and
reassembly of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. The FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. SonicWALL GAV suppresses
the use of the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially
malicious content. The suppression of the 'REST' request can be overridden from the /diag.html page with
the option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
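The HTTP and FTP entries above share one defensive idea: a client must not be allowed to fetch a file in sections (HTTP Byte-Range, FTP REST) that the scanner only ever sees as unrelated fragments, and HTTP must be recognised on any port rather than only TCP 80. The following added example sketches what an inline inspector does with such requests; it is not SonicWALL code, the sample traffic is constructed, and the FTP reply code and text are assumptions since the guide does not say what the appliance returns.

```python
"""Blocking sectional retrieval of files (added example, not SonicWALL code).

Three small pieces an inline inspector needs: port-independent recognition of
an HTTP request, removal of Range headers so the origin server returns the
whole object, and a local refusal of the FTP REST command unless it has been
explicitly allowed (the guide's /diag.html override). Sample requests are
constructed; the FTP reply is an assumption.
"""
CRLF = b"\r\n"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def is_http_request(payload):
    """Port-independent detection: a method token followed by a complete header block."""
    return payload.startswith(HTTP_METHODS) and CRLF + CRLF in payload


def strip_range_header(request_head):
    """Return (rewritten_head, removed_values) with every Range header dropped.

    Header names are matched case-insensitively; the request line, all other
    headers and the terminating blank line pass through unchanged, so the
    origin server answers with the whole object and the scanner sees all of it.
    """
    lines = request_head.split(CRLF)
    kept, removed = [lines[0]], []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"range":
            removed.append(value.strip())
            continue
        kept.append(line)
    return CRLF.join(kept), removed


def handle_ftp_command(line, allow_rest=False):
    """Decide what to do with one FTP control-channel command from the client.

    Returns (forward_to_server, reply_to_client). REST <offset> asks the server
    to resume a transfer mid-file; unless allowed, it is answered locally with a
    502 "command not implemented" reply (RFC 959 code; wording is made up) and
    never reaches the server.
    """
    parts = line.split()
    verb = parts[0].upper() if parts else b""
    if verb == b"REST" and not allow_rest:
        return False, b"502 REST is not permitted while Gateway AV is enabled" + CRLF
    return True, None


# Constructed sample traffic.
SAMPLE_HTTP = (b"GET /downloads/tool.zip HTTP/1.1" + CRLF
               + b"Host: files.example.test" + CRLF
               + b"Range: bytes=0-65535" + CRLF
               + b"User-Agent: accelerator/1.0" + CRLF + CRLF)
SAMPLE_FTP = [b"USER anonymous" + CRLF, b"REST 1048576" + CRLF, b"RETR tool.zip" + CRLF]

if __name__ == "__main__":
    head, removed = strip_range_header(SAMPLE_HTTP)
    print("removed Range values:", removed)
    print(head.decode())
    for cmd in SAMPLE_FTP:
        print(cmd.strip().decode(), "->", handle_ftp_command(cmd))
```

Dropping the Range header rather than resetting the connection matches the guide's note that download accelerators keep working, only more slowly: the server simply ignores the missing header and returns the complete file, which the scanner then sees end to end.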
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting the
interface(s), click Apply. It is recommended you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message: Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking on the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
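The paragraph above names two properties of the update channel: the appliance proves possession of a pre-shared secret, and the fetch rides over HTTPS with full server certificate verification. The following added example shows what those two properties look like in generic client and server code; it is not SonicWALL code, and the HMAC message layout, header names and replay window are assumptions, since the guide does not describe the real authentication message.

```python
"""Securing a signature-update fetch (added example, not SonicWALL code).

Two pieces: a TLS context that refuses unverifiable or misnamed servers, and
an HMAC proof of a pre-shared secret bound to the request fields and a
timestamp so a captured request cannot be replayed later. Header names, the
message layout and the 300-second skew window are assumptions.
"""
import hashlib
import hmac
import ssl


def make_tls_context(ca_bundle=None):
    """Context for the update fetch: certificate chain and hostname must verify."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # system trust store if None
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    """True when the context will refuse an unverified or misnamed server."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def _auth_message(serial, db_timestamp, issued_at):
    # Assumed layout: everything the server must trust goes under the MAC.
    return f"{serial}|{db_timestamp}|{issued_at}".encode()


def sign_update_request(secret, serial, db_timestamp, issued_at):
    """Client side: headers proving possession of the pre-shared secret (assumed layout)."""
    tag = hmac.new(secret, _auth_message(serial, db_timestamp, issued_at), hashlib.sha256).hexdigest()
    return {
        "X-Appliance-Serial": serial,
        "X-Db-Timestamp": str(db_timestamp),
        "X-Issued-At": str(issued_at),
        "X-Auth": tag,
    }


def verify_update_request(secret, headers, now, max_skew=300):
    """Server side: tag must match and the request must be fresh."""
    try:
        issued_at = int(headers["X-Issued-At"])
        serial = headers["X-Appliance-Serial"]
        db_timestamp = headers["X-Db-Timestamp"]
        tag = headers["X-Auth"]
    except (KeyError, ValueError):
        return False
    if abs(now - issued_at) > max_skew:
        return False  # stale or replayed request
    expected = hmac.new(secret, _auth_message(serial, db_timestamp, issued_at), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    secret = b"constructed-pre-shared-secret"  # placeholder, never a real secret
    headers = sign_update_request(secret, "CONSTRUCTED-SERIAL-0001", 1700000000, 1700000100)
    print("strict TLS context:", context_is_strict(make_tls_context()))
    print("valid request accepted:", verify_update_request(secret, headers, now=1700000100))
    print("replay after an hour rejected:", not verify_update_request(secret, headers, now=1700003700))
```

The two checks are independent: TLS with certificate and hostname verification protects the signatures in transit and tells the appliance it reached the real server, while the shared-secret proof tells the server which licensed appliance is asking.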
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
Traffic     Source Zone type               Destination Zone type
Non-SMTP    Trusted, Wireless, Encrypted   Any
Non-SMTP    Public                         Untrusted
SMTP        Any non-Trusted                Trusted, Wireless, Encrypted, Public
SMTP        Trusted, Wireless, Encrypted   Trusted, Wireless, Encrypted
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic only, for example for a mail server
hosted on the DMZ. Enabling outbound inspection for SMTP scans mail delivered to the internally hosted
SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance before a client can receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Traffic to or from any IP address listed in the exclusion list bypasses virus scanning. The Gateway AV
Exclusion List section provides the ability to define one or more ranges of IP addresses whose traffic is
excluded from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
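To make the zone rules and the exclusion bypass concrete, the following is an added example (not part of the guide and not SonicWALL code) that encodes the four Enable Inbound Inspection rules from "Enabling Inbound Inspection", the default protocol list and Generic TCP Stream option from "Specifying Protocol Filtering", and the Gateway AV Exclusion List as one scan-or-bypass decision for a flow. Assumptions: an excluded address bypasses scanning whether it is the source or the destination, Generic TCP Stream traffic follows the non-SMTP rules, and Outbound SMTP Inspection is not modelled. The zone names, addresses and ranges are constructed.

```python
import ipaddress

# Zone security types from the Zones Overview. The Enable Inbound Inspection
# rules group Trusted, Wireless and Encrypted together.
INTERNAL_ZONES = frozenset({"Trusted", "Wireless", "Encrypted"})
ZONE_TYPES = INTERNAL_ZONES | {"Public", "Untrusted"}
# Inspected by default; anything else needs Generic TCP Stream.
DEFAULT_PROTOCOLS = frozenset({"HTTP", "FTP", "IMAP", "SMTP", "POP3"})


def inbound_inspection_applies(src_zone: str, dst_zone: str, protocol: str) -> bool:
    """The four Enable Inbound Inspection rules, in the order the guide lists them."""
    if src_zone not in ZONE_TYPES or dst_zone not in ZONE_TYPES:
        raise ValueError(f"unknown zone type: {src_zone} -> {dst_zone}")
    if protocol != "SMTP":
        return (src_zone in INTERNAL_ZONES                                   # rule 1
                or (src_zone == "Public" and dst_zone == "Untrusted"))      # rule 2
    return ((src_zone != "Trusted" and dst_zone in INTERNAL_ZONES | {"Public"})  # rule 3
            or (src_zone in INTERNAL_ZONES and dst_zone in INTERNAL_ZONES))      # rule 4


def parse_exclusion_list(entries):
    """Convert (From, To) pairs from the Gateway AV Exclusion List into integer
    ranges. An inverted range is rejected rather than silently matching nothing."""
    ranges = []
    for start, end in entries:
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if lo > hi:
            raise ValueError(f"inverted exclusion range {start}-{end}")
        ranges.append((lo, hi))
    return ranges


def is_excluded(ip: str, ranges) -> bool:
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


def exclusion_coverage(ranges) -> int:
    """How many addresses the list exempts from scanning. Review this number
    against the guide's alert: 0.0.0.0-255.255.255.255 turns GAV off for all traffic."""
    return sum(hi - lo + 1 for lo, hi in ranges)


def gav_decision(src_zone, dst_zone, protocol, src_ip, dst_ip,
                 exclusions=(), generic_tcp_stream=False):
    """Return ('scan' | 'bypass', reason) for one flow.
    Assumptions: an excluded address bypasses scanning whether it is source or
    destination, and Generic TCP Stream traffic follows the non-SMTP rules."""
    if is_excluded(src_ip, exclusions) or is_excluded(dst_ip, exclusions):
        return "bypass", "address on Gateway AV Exclusion List"
    if protocol not in DEFAULT_PROTOCOLS:
        if not generic_tcp_stream:
            return "bypass", f"{protocol} is not inspected unless Generic TCP Stream is enabled"
        protocol = "TCP"
    if not inbound_inspection_applies(src_zone, dst_zone, protocol):
        return "bypass", f"no inbound inspection rule for {protocol} {src_zone} -> {dst_zone}"
    return "scan", f"inbound inspection of {protocol} {src_zone} -> {dst_zone}"
```

Two results are worth noting when reading the rules this way: SMTP from an Untrusted zone to a Public (DMZ) mail server is scanned by the inbound rules, while SMTP leaving a Trusted zone for the Internet is not, which is the case Enable Outbound SMTP Inspection exists for; and a protocol outside the default five is passed through untouched unless Generic TCP Stream is enabled.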
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password-protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection. Because the engine cannot scan the contents of an encrypted
archive, such files can only be allowed or blocked as a class.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfer of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities that compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
prepends a small stub that decompresses the original program in memory and then executes it.
SonicWALL Gateway Anti-Virus currently recognizes the most common packed formats: UPX, FSG,
PKLite32, Petite, and ASPack. Additional formats are dynamically added along with SonicWALL GAV
signature updates.
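The checks below are an added example (not SonicWALL code) of how the first and third restrictions can be recognized from a file's own headers without unpacking it: bit 0 of the general-purpose flag in a ZIP local file header marks an encrypted entry, and packers such as UPX, ASPack and Petite leave characteristic PE section names. The section-name table is an illustrative heuristic and an assumption, not SonicWALL's signature set; FSG and PKLite32, which leave no such names, are not covered, and the VBA macro check is omitted. The sample ZIP and PE files are constructed inline.

```python
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_CENTRAL_SIG = b"PK\x01\x02"
ZIP_FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: entry is encrypted

# Illustrative section-name heuristics (an assumption, not SonicWALL's
# signature set). FSG and PKLite32 leave no characteristic names.
PACKER_SECTIONS = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
    b".petite": "Petite",
}


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk the local file headers of a ZIP stream and report whether any entry
    has the encryption bit set. Only headers are read; entry bodies are never
    inflated, which is what keeps the check cheap."""
    pos = 0
    while True:
        pos = data.find(ZIP_LOCAL_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            return False
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & ZIP_FLAG_ENCRYPTED:
            return True
        pos += 4


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE file, or [] if the data is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size           # section table follows the optional header
    names = []
    for i in range(n_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def packer_name(data: bytes):
    for name in pe_section_names(data):
        if name in PACKER_SECTIONS:
            return PACKER_SECTIONS[name]
    return None


def restrict_transfer_verdict(data: bytes) -> str:
    """'allow' or 'block: <reason>' for the two file classes modelled here."""
    if zip_has_encrypted_entry(data):
        return "block: password-protected ZIP"
    packer = packer_name(data)
    if packer:
        return f"block: packed executable ({packer})"
    return "allow"


# Constructed sample inputs.
def build_zip(name: str, payload: bytes, encrypted: bool = False) -> bytes:
    """zipfile cannot write encrypted archives, so for the encrypted sample the
    flag bit is set by hand in both the local header and the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off in ((ZIP_LOCAL_SIG, 6), (ZIP_CENTRAL_SIG, 8)):
            data[data.find(sig) + flag_off] |= ZIP_FLAG_ENCRYPTED
    return bytes(data)


def build_pe(section_names, opt_size: int = 224) -> bytes:
    """Minimal PE skeleton: DOS header, COFF header, zeroed optional header and
    one 40-byte section header per name. Not loadable, but enough to parse."""
    e_lfanew = 0x80
    dos = (b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names),
                                   0, 0, 0, opt_size, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return dos + coff + bytes(opt_size) + sections
```

Both checks read fixed offsets from the first few hundred bytes of the stream, which is why a restriction of this kind can be enforced early in a transfer rather than after the whole file has arrived.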
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field shows which entries are on the current page and the total number of signatures;
on the first page of a table the entry might read Items 1 to 50 (of 58). Use the navigation buttons to
move between pages of the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - inspection of the data portion (payload) of a packet, not just its headers.
Enables the firewall to look farther into the protocol, examine information at the application layer,
and defend against attacks targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL's unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - benign traffic or a benign file that is wrongly identified as an attack or virus.
• Signature - a pattern written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - inspection that tracks the state of each connection and evaluates every
packet in the context of its session rather than in isolation; the basis of the firewall's connection
cache.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................ 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator's Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other threats. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator's Guide, located on the
SonicWALL Web site, for the complete instructions on configuring SonicWALL Intrusion Prevention
Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
Convention                              Use
Bold                                    Highlights items you can select on the SonicWALL management interface.
Italic                                  Highlights a value to enter into a field. For example, "type 192.168.168.168
                                        in the IP Address field."
Top Level Menu Button > Submenu Item    Indicates a multiple step Management Interface menu choice. For example,
                                        Security Services > Gateway Anti-Virus means select Security Services,
                                        then select Gateway Anti-Virus.
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based
resources are available to help you resolve most technical issues or contact SonicWALL Technical
Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting the remote desktop.
4. The virus is logged and an alert is sent to the administrator.
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client makes a request to download a file from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection
version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
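The per-packet base64 decoding described above can be illustrated with a small streaming decoder. This is an added example, not SonicWALL code and not the DPIv2.0 engine's implementation: it decodes each packet as it arrives and carries at most three leftover base64 symbols to the next packet, so the full message is never buffered. The sample message and the 76-column MIME line wrapping are constructed here.

```python
"""Base64 decoding one packet at a time, without reassembling the stream.

Added example (not SonicWALL code). Shows the reassembly-free idea: decode
every complete 4-symbol group as soon as it is seen, carry at most 3 symbols
between packets, and skip the CRLF line breaks a MIME body contains.
"""
import base64
import string

_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
_VALUE = {c: i for i, c in enumerate(_ALPHABET)}

# Constructed sample attachment body (not from the original page).
SAMPLE = b"Constructed attachment body: the scanner sees this text as it is decoded." * 4


class StreamingBase64Decoder:
    """Feed packets of base64 text in order; get decoded bytes back per packet."""

    def __init__(self):
        self._pending = []    # 0..3 symbol values waiting for a complete group
        self.max_pending = 0  # largest carry-over observed between packets (<= 3)

    def feed(self, chunk: bytes) -> bytes:
        out = bytearray()
        for ch in chunk.decode("ascii", "replace"):
            if ch == "=":
                out += self._flush_partial()  # padding: emit the final 1 or 2 bytes
                continue
            v = _VALUE.get(ch)
            if v is None:
                continue                      # CRLF / whitespace between MIME lines
            self._pending.append(v)
            if len(self._pending) == 4:
                a, b, c, d = self._pending
                out += bytes(((a << 2) | (b >> 4),
                              ((b & 0x0F) << 4) | (c >> 2),
                              ((c & 0x03) << 6) | d))
                self._pending.clear()
            self.max_pending = max(self.max_pending, len(self._pending))
        return bytes(out)

    def _flush_partial(self) -> bytes:
        n = len(self._pending)
        if n == 2:
            a, b = self._pending
            out = bytes(((a << 2) | (b >> 4),))
        elif n == 3:
            a, b, c = self._pending
            out = bytes(((a << 2) | (b >> 4), ((b & 0x0F) << 4) | (c >> 2)))
        else:
            out = b""                         # nothing valid to flush
        self._pending.clear()
        return out


def decode_in_packets(encoded: bytes, packet_size: int):
    """Cut a base64 body at arbitrary packet boundaries and decode it
    incrementally. Returns (decoded_bytes, max_symbols_carried)."""
    dec = StreamingBase64Decoder()
    pieces = [dec.feed(encoded[i:i + packet_size])
              for i in range(0, len(encoded), packet_size)]
    return b"".join(pieces), dec.max_pending


def roundtrip_demo(message: bytes, packet_size: int):
    """Encode `message` with MIME-style 76-column lines (base64.encodebytes
    inserts the line breaks), then decode it packet by packet."""
    encoded = base64.encodebytes(message)
    return decode_in_packets(encoded, packet_size)


if __name__ == "__main__":
    decoded, carried = roundtrip_demo(SAMPLE, 7)
    print("intact:", decoded == SAMPLE, "max symbols carried:", carried)
```

Because packet boundaries fall anywhere, including inside a 4-symbol group or on a line break, the carry-over state is what lets the scanner see decoded bytes in order without holding the message; the same carry-over shape applies to a per-packet inflate state for the ZIP and GZIP cases the text mentions.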
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream-concurrency limits are platform dependent, as follows:

Platform         GAV-Disabled    GAV-Enabled            Concurrent Compressed   GAV Signatures
                 Connections     Connections Cache      File Downloads
                 Cache Size      Size (Concurrent       with GAV
                                 File Downloads)
TZ 150 Series    2,048           2,048                  100                     4,500
TZ 170 Series    6,144           6,144                  100                     4,500
PRO 1260         6,144           6,144                  100                     4,500
PRO 2040         32,768          16,384                 300                     25,000
PRO 3060         131,072         65,536                 1,000                   25,000
PRO 4060         524,288         131,072                1,500                   25,000
PRO 5060         750,000         393,216                3,000                   25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which
removes it from the head of the sender's queue and prevents it from being resent, and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method is
not supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. The FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
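The HTTP and FTP entries above both suppress partial retrieval (HTTP Byte-Range requests and the FTP REST command) so that a file cannot be fetched in sections and reassembled past the scanner. The page does not describe how the appliance rewrites these requests, so the following is an added example (not SonicWALL code) of one plain way a filtering proxy can do it: drop the Range headers from an HTTP request head and answer FTP REST locally instead of forwarding it. The sample request, the 502 reply text and the allow_rest switch (which mirrors the /diag.html override mentioned above) are this example's own choices.

```python
"""Suppressing partial-retrieval requests (HTTP Byte-Range, FTP REST).

Added example, not SonicWALL code. A scanner that inspects per packet still
needs to see a file from its first byte; these two helpers make sure the
origin server is only ever asked for whole files.
"""

_RANGE_HEADERS = (b"range", b"if-range")

# Constructed sample request (not from the original page): a download
# accelerator asking for the first 64 KiB of a file.
SAMPLE_REQUEST = (b"GET /pub/setup.exe HTTP/1.1\r\n"
                  b"Host: files.example\r\n"
                  b"Range: bytes=0-65535\r\n"
                  b"User-Agent: dl-accel/1.0\r\n"
                  b"\r\n")


def strip_http_range(request: bytes) -> bytes:
    """Return the HTTP/1.x request with any Range / If-Range header removed.
    Only the head (up to the first blank line) is touched; a body, if present,
    is passed through unchanged. Obsolete header line folding is not handled."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]]                      # request line stays as-is
    for line in lines[1:]:
        name = line.split(b":", 1)[0].strip().lower()
        if name in _RANGE_HEADERS:
            continue                       # server now sees a whole-file request
        kept.append(line)
    return b"\r\n".join(kept) + sep + body


def had_range_request(request: bytes) -> bool:
    """True if the request carried a byte-range header (useful for logging)."""
    return strip_http_range(request) != request


def ftp_control_filter(command_line: bytes, allow_rest: bool = False):
    """Decide what to do with one client command on the FTP control channel.

    Returns (forward_to_server, reply_to_client). REST is answered locally
    with a permanent-negative reply so the server never starts a transfer
    mid-file, unless allow_rest is set (the equivalent of the page's
    'Enable FTP REST requests with Gateway AV' override)."""
    verb = command_line.strip().split(b" ", 1)[0].upper()
    if verb == b"REST" and not allow_rest:
        return False, b"502 REST not permitted; transfers must start at offset 0\r\n"
    return True, b""


if __name__ == "__main__":
    print(strip_http_range(SAMPLE_REQUEST).decode())
    print(ftp_control_filter(b"REST 4096\r\n"))
```

Stripping the Range header has the visible side effect the page's note describes: a download accelerator that issues several simultaneous ranged requests receives the whole file in each response instead, which is why the text warns that such programs may not work through the appliance.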
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a "friendly name" for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface box and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
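The four inbound-inspection rules listed above can be checked mechanically. The following is an added example, not SonicWALL code and not the page's own table: it encodes the rules as a function over zone security types (Trusted, Public, Wireless, Encrypted and Untrusted, the security types this guide uses) so that any source/destination/protocol combination can be classified, and derives the full coverage table from it.

```python
"""Which flows fall under 'Enable Inbound Inspection'.

Added example (not SonicWALL code). Encodes the four rules from the text:
  1. non-SMTP from Trusted/Wireless/Encrypted to any zone
  2. non-SMTP from Public to Untrusted
  3. SMTP from a non-Trusted zone to Trusted/Wireless/Encrypted/Public
  4. SMTP from Trusted/Wireless/Encrypted to Trusted/Wireless/Encrypted
Zone arguments are security types (e.g. "Trusted"), not zone labels such as
LAN or WAN.
"""

ZONE_TYPES = {"Trusted", "Public", "Wireless", "Encrypted", "Untrusted"}
_INTERNAL = {"Trusted", "Wireless", "Encrypted"}   # the group the rules keep together
_ORDER = ["Trusted", "Wireless", "Encrypted", "Public", "Untrusted"]


def inbound_inspected(src_zone: str, dst_zone: str, protocol: str) -> bool:
    """True if inbound inspection covers `protocol` traffic initiated in
    `src_zone` and destined to `dst_zone`."""
    src, dst = src_zone.capitalize(), dst_zone.capitalize()
    if src not in ZONE_TYPES or dst not in ZONE_TYPES:
        raise ValueError("unknown zone security type: %s -> %s" % (src_zone, dst_zone))
    if protocol.upper() != "SMTP":
        # rules 1 and 2
        return src in _INTERNAL or (src == "Public" and dst == "Untrusted")
    # rule 3
    if src != "Trusted" and dst in _INTERNAL | {"Public"}:
        return True
    # rule 4
    return src in _INTERNAL and dst in _INTERNAL


def coverage_table(protocol: str):
    """All (source, destination) security-type pairs that inbound inspection
    covers for `protocol`, in a fixed order for display or comparison."""
    return [(s, d) for s in _ORDER for d in _ORDER if inbound_inspected(s, d, protocol)]


def render_table(protocol: str) -> str:
    """Plain-text matrix (rows = source type, columns = destination type)."""
    head = "%-10s" % ("%s src\\dst" % protocol.upper()) + "".join("%-11s" % d for d in _ORDER)
    rows = [head]
    for s in _ORDER:
        cells = ["yes" if inbound_inspected(s, d, protocol) else "-" for d in _ORDER]
        rows.append("%-10s" % s + "".join("%-11s" % c for c in cells))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table("HTTP"))
    print()
    print(render_table("SMTP"))
```

Two consequences of the rules are easy to miss in prose and show up directly in the table: an HTTP download from the Internet into the LAN is covered because the Trusted client initiated the connection (rule 1), while an SMTP session from the Internet into a Trusted zone is covered by rule 3 and SMTP leaving a Trusted zone for the Internet is not covered at all, which is what the separate Enable Outbound Inspection option below is for.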
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
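Two of the restrict-transfer attributes above can be recognised from the first bytes of a file: a password-protected ZIP archive (the encryption flag in each ZIP local file header) and a packed executable (here by the section names well-known packers leave in the PE section table). The following is an added example, not SonicWALL code: the checks are generic file-format parsing and say nothing about how the appliance identifies these files. The section-name heuristic covers UPX, ASPack and Petite only; FSG and PKLite32 are not covered, and a packer can rename its sections, so it is an illustration of the idea rather than a complete detector. The VBA-macro check for Office files is omitted because it needs an OLE compound-file parser. All sample files are constructed inline and are not real archives or executables.

```python
"""Checks for two 'restrict transfer' attributes: password-protected ZIP
archives and packed PE executables. Added example, not SonicWALL code."""
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_CENTRAL_SIG = b"PK\x01\x02"
# Section names left by well-known packers (heuristic; UPX, ASPack, Petite only).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}


def zip_is_password_protected(data: bytes) -> bool:
    """Walk the local file headers in wire order (what a streaming scanner sees
    first) and report True if any entry has the 'encrypted' flag (bit 0) set."""
    pos = 0
    while data.startswith(ZIP_LOCAL_SIG, pos) and pos + 30 <= len(data):
        (flags, _method, _time, _date, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from("<HHHHIIIHH", data, pos + 6)
        if flags & 0x0001:
            return True
        if flags & 0x0008:
            # sizes are in a trailing data descriptor; locating it is not attempted here
            break
        pos += 30 + name_len + extra_len + csize
    return False


def pe_section_names(data: bytes):
    """Section names of a PE image, or [] if the input is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return []
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names


def restricted_transfer_reasons(data: bytes):
    """Reasons a file would be held back under the two checks implemented here."""
    reasons = []
    if zip_is_password_protected(data):
        reasons.append("password-protected ZIP")
    if any(n in PACKER_SECTION_NAMES for n in pe_section_names(data)):
        reasons.append("packed executable")
    return reasons


def build_test_zip(encrypted: bool) -> bytes:
    """Constructed sample: a one-file stored ZIP; with encrypted=True the
    'encrypted' flag is set in the local header and the central directory
    (no real encryption is applied, the flag is all the check looks at)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed sample payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        struct.pack_into("<H", data, 6, struct.unpack_from("<H", data, 6)[0] | 1)
        cd = data.find(ZIP_CENTRAL_SIG)
        struct.pack_into("<H", data, cd + 8, struct.unpack_from("<H", data, cd + 8)[0] | 1)
    return bytes(data)


def build_test_pe(section_names) -> bytes:
    """Constructed sample: a minimal, non-executable PE32 skeleton whose only
    purpose is to carry the given section names."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew
    opt = bytes(224)                               # PE32 optional header (zeroed)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\x00") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\x00\x00" + coff + opt + sections


if __name__ == "__main__":
    print(restricted_transfer_reasons(build_test_zip(True)))
    print(restricted_transfer_reasons(build_test_pe(["UPX0", "UPX1", ".rsrc"])))
```

Both checks only need the leading bytes of the stream, which is what makes them workable in a per-packet scanner: the ZIP flag sits at offset 6 of the first local header, and the PE section table follows the headers before any code.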
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance .............. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ........... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide, located on the
SonicWALL Web site, for the complete instructions on configuring SonicWALL Intrusion Prevention
Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention                               Use
Bold                                     Highlights items you can select on the SonicWALL
                                         management interface.
Italic                                   Highlights a value to enter into a field. For example, “type
                                         192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item     Indicates a multiple step Management Interface menu
                                         choice. For example, Security Services > Gateway Anti-
                                         Virus means select Security Services, then select
                                         Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based
resources are available to help you resolve most technical issues or contact SonicWALL Technical
Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting the remote desktop.
4. The virus is logged and an alert is sent to the administrator.
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client makes a request to download a file from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high-performance DPIv2.0 (Deep Packet Inspection
version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
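The two properties the architecture section relies on, base64 decoding without reassembling the encoded mail stream and matching a signature across packet boundaries while holding only a few bytes of state, are easy to get wrong at the boundaries. The following is an added example written for this guide, not SonicWALL's engine or any code from the product: a streaming base64 decoder that carries at most three characters between packets, a matcher that keeps only the last len(signature)-1 decoded bytes, and a constructed MIME body split into uneven packets. The EICAR string is the industry-standard test file and stands in for a virus signature; the packet sizes, message text and helper names are assumptions made for the demo.

```python
import base64

# EICAR standard anti-virus test string, the harmless file every scanner
# detects; it stands in for a virus signature in this constructed example.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


class StreamingBase64Decoder:
    """Decodes base64 one packet at a time. Only the trailing partial 4-char
    group (at most 3 chars) is carried to the next packet, so the encoded
    MIME body is never reassembled; MIME line folding (CR/LF) is dropped."""

    def __init__(self):
        self.carry = b""

    def feed(self, chunk):
        data = self.carry + b"".join(chunk.split())   # strip whitespace/line breaks
        usable = len(data) - len(data) % 4            # whole 4-char groups only
        self.carry = data[usable:]
        return base64.b64decode(data[:usable]) if usable else b""

    def finish(self):
        leftover, self.carry = self.carry, b""
        if len(leftover) < 2:                         # nothing decodable remains
            return b""
        return base64.b64decode(leftover + b"=" * (-len(leftover) % 4))


class StreamingMatcher:
    """Byte-pattern matcher that keeps only the last len(signature)-1 bytes
    between calls, so a signature split across packets is still seen."""

    def __init__(self, signature):
        self.signature = signature
        self.tail = b""
        self.matched = False

    def feed(self, chunk):
        window = self.tail + chunk
        if self.signature in window:
            self.matched = True
        keep = len(self.signature) - 1
        self.tail = window[-keep:] if keep else b""
        return self.matched


def scan_base64_packets(packets, signature=EICAR):
    """Feed packets through decoder and matcher in order.
    Returns (index of the first packet in which the signature was seen, or None;
             the decoded plaintext, accumulated here only so a caller can check it;
             the largest number of bytes held between packets)."""
    decoder, matcher = StreamingBase64Decoder(), StreamingMatcher(signature)
    decoded, hit, max_state = b"", None, 0
    for i, packet in enumerate(packets):
        out = decoder.feed(packet)
        decoded += out
        if matcher.feed(out) and hit is None:
            hit = i
        max_state = max(max_state, len(decoder.carry) + len(matcher.tail))
    out = decoder.finish()
    decoded += out
    if matcher.feed(out) and hit is None:
        hit = len(packets)
    return hit, decoded, max_state


def constructed_mail_body(payload):
    """A constructed base64 MIME body; encodebytes folds at 76 columns like a mailer."""
    plain = b"Dear user, please find the attachment.\r\n" * 3 + payload + b"\r\n-- end --\r\n"
    return base64.encodebytes(plain)


def split_packets(data, sizes):
    """Chop data into packets of the given sizes, cycling through the list."""
    packets, pos, i = [], 0, 0
    while pos < len(data):
        n = sizes[i % len(sizes)]
        packets.append(data[pos:pos + n])
        pos, i = pos + n, i + 1
    return packets


if __name__ == "__main__":
    body = constructed_mail_body(EICAR)
    hit, _, state = scan_base64_packets(split_packets(body, [37, 53, 29]))
    print("signature seen in packet %s; at most %d bytes held between packets, "
          "versus %d bytes for full reassembly" % (hit, state, len(body)))
```

The state held between packets is bounded by 3 + len(signature) - 1 bytes regardless of how large the attachment is, which is what makes the "no file-size limitation" claim hold; a scanner that instead buffered the MIME part would need memory proportional to the attachment.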
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as
follows:

Platform          GAV-Disabled      GAV-Enabled Connections     Concurrent Compressed    GAV
                  Connections       Cache Size (Concurrent      File Downloads with      Signatures
                  Cache Size        File Downloads)             GAV
TZ 150 Series     2,048             2,048                       100                      4,500
TZ 170 Series     6,144             6,144                       100                      4,500
PRO 1260          6,144             6,144                       100                      4,500
PRO 2040          32,768            16,384                      300                      25,000
PRO 3060          131,072           65,536                      1,000                    25,000
PRO 4060          524,288           131,072                     1,500                    25,000
PRO 5060          750,000           393,216                     3,000                    25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all e-mail based protocols (SMTP, POP3, and IMAP), since
that encoding scheme requires no decoding step.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response and the
connection is terminated. Because 552 is a permanent failure, the sending server removes the message
from the head of its send queue instead of retrying it.
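The choice of reply code matters: a sending MTA treats a 4xx reply, or a connection that simply drops with no reply, as transient and keeps the infected message queued for another attempt, whereas a 5xx reply makes it bounce the message and dequeue it. The exchange below is an added example written for this guide, not a transcript from a SonicWALL appliance: a minimal server-side SMTP state machine that scans the DATA body and answers 552, beside the sender's RFC 5321 reaction to each class of reply. The EICAR string stands in for virus content; the host names, reply texts and message lines are constructed, and the verdict is delivered at end-of-DATA for simplicity.

```python
# EICAR test string as text; it stands in for virus content in this constructed example.
EICAR_TEXT = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def smtp_gateway_session(client_lines, signature=EICAR_TEXT):
    """Server side of one SMTP session as a scanning gateway would answer it.
    client_lines are the sender's commands and DATA lines, without CRLF.
    Returns (transcript as a list of (side, line) tuples, rejected flag).
    Reply texts are illustrative assumptions, not SonicWALL's exact wording."""
    transcript = [("S", "220 mail.example.test ESMTP")]
    in_data, body, rejected = False, [], False
    for line in client_lines:
        transcript.append(("C", line))
        if in_data:
            if line == ".":                       # end of DATA: the verdict goes here
                in_data = False
                if signature in "\n".join(body):
                    transcript.append(("S", "552 Message content rejected: virus detected"))
                    transcript.append(("S", "<connection closed by gateway>"))
                    rejected = True
                    break
                transcript.append(("S", "250 OK: queued"))
            else:
                body.append(line[1:] if line.startswith("..") else line)   # RFC 5321 dot-unstuffing
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            transcript.append(("S", "250 mail.example.test"))
        elif verb in ("MAIL", "RCPT"):
            transcript.append(("S", "250 OK"))
        elif verb == "DATA":
            in_data, body = True, []
            transcript.append(("S", "354 End data with <CR><LF>.<CR><LF>"))
        elif verb == "QUIT":
            transcript.append(("S", "221 Bye"))
            break
        else:
            transcript.append(("S", "500 Unrecognized command"))
    return transcript, rejected


def sender_action(final_reply):
    """What an RFC 5321 sending MTA does with the reply to end-of-DATA:
    2xx delivered (dequeue), 5xx permanent failure (bounce and dequeue),
    4xx or no reply at all (e.g. the connection was simply dropped) is
    transient, so the message stays queued and is resent later."""
    if final_reply.startswith("2"):
        return "delivered"
    if final_reply.startswith("5"):
        return "bounce"
    return "retry"


def constructed_session(payload_line):
    """A constructed sender dialogue carrying one body line of interest."""
    return ["EHLO sender.test", "MAIL FROM:<alice@sender.test>",
            "RCPT TO:<bob@example.test>", "DATA",
            "Subject: invoice", "", "Please open the attachment.", payload_line, ".", "QUIT"]


def last_server_reply(transcript):
    """The last numeric reply the sender saw ('' if the line was dropped without one)."""
    replies = [text for side, text in transcript if side == "S" and text[:1].isdigit()]
    return replies[-1] if replies else ""


if __name__ == "__main__":
    for label, line in (("infected", EICAR_TEXT), ("clean", "See you Monday.")):
        transcript, rejected = smtp_gateway_session(constructed_session(line))
        for side, text in transcript:
            print("%s: %s" % (side, text))
        print("%s message -> sender will %s\n" % (label, sender_action(last_server_reply(transcript))))
```

Run it and compare the two transcripts: the infected session ends with the 552 reply and a closed connection, which sender_action maps to a bounce, while a gateway that only reset the connection (an empty final reply) would be answered with a retry and the same virus would arrive again on the next queue run.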
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is not
supported when the HTTP response uses chunked transfer encoding. All HTTP traffic is inspected, not
just TCP port 80. HTTP Byte-Range requests are suppressed to prevent the sectional retrieval and
reassembly of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. The FTP stateful code follows data-port
negotiations, allowing FTP data to be inspected on any TCP port. The FTP 'REST' (restart) request is
suppressed to prevent the sectional retrieval and reassembly of potentially malicious content. The
suppression of the 'REST' request can be overridden from the /diag.html page with the option 'Enable
FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
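Why the HTTP section suppresses Byte-Range requests (and the FTP section suppresses 'REST') is clearest when the evasion is run end to end: a client that fetches a file in two ranges chosen so that each half holds only part of the signature receives two responses that are individually clean, then reassembles the malicious content locally. The following is an added example written for this guide, not SonicWALL's implementation: a toy origin that honours Range with 206 responses, a gateway that optionally strips the Range header before forwarding and scans each response as one stream, and a client that reassembles the pieces. The EICAR string stands in for malicious content; the file, host names and header handling are constructed for the demo, and the FTP 'REST' case is the same idea with an offset on the data connection instead of a header.

```python
import re

# EICAR test string stands in for malicious content in this constructed example.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Constructed file served by the origin; the test string sits in the middle.
DOCUMENT = b"header " * 8 + EICAR + b" trailer " * 8


def parse_headers(raw_request):
    """Header dict (lower-cased names) from a minimal HTTP/1.1 request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def origin_server(raw_request):
    """Origin honours 'Range: bytes=a-b' with 206 Partial Content; otherwise 200 with the whole file."""
    rng = parse_headers(raw_request).get(b"range")
    if rng:
        m = re.fullmatch(rb"bytes=(\d+)-(\d*)", rng)
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else len(DOCUMENT) - 1
        body = DOCUMENT[start:end + 1]
        head = b"HTTP/1.1 206 Partial Content\r\nContent-Range: bytes %d-%d/%d\r\nContent-Length: %d\r\n\r\n" % (
            start, end, len(DOCUMENT), len(body))
        return head + body
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(DOCUMENT) + DOCUMENT


def gateway(raw_request, suppress_byte_ranges):
    """In-path scanner. With suppression on, the Range header is removed before
    forwarding (the guide's 'suppresses the use of HTTP Byte-Range requests'), so
    the origin returns the whole object and the scanner sees it as one stream.
    Returns (response delivered to the client, blocked flag)."""
    if suppress_byte_ranges:
        raw_request = re.sub(rb"(?im)^Range:[^\r\n]*\r\n", b"", raw_request)
    response = origin_server(raw_request)
    body = response.split(b"\r\n\r\n", 1)[1]
    if EICAR in body:                 # stands in for the signature engine's verdict
        return b"", True              # connection terminated, nothing delivered
    return response, False


def client_download(ranges, suppress_byte_ranges):
    """Client fetch: one request per range, reassembled locally the way a download
    accelerator does, or a single plain GET when ranges is None.
    Returns (bytes the client ended up with, number of blocked responses)."""
    if ranges:
        requests = [b"GET /file.bin HTTP/1.1\r\nHost: example.test\r\nRange: bytes=%d-%d\r\n\r\n" % (a, b)
                    for a, b in ranges]
    else:
        requests = [b"GET /file.bin HTTP/1.1\r\nHost: example.test\r\n\r\n"]
    assembled, blocked = b"", 0
    for req in requests:
        response, was_blocked = gateway(req, suppress_byte_ranges)
        if was_blocked:
            blocked += 1
            continue
        assembled += response.split(b"\r\n\r\n", 1)[1]
    return assembled, blocked


def evasion_ranges():
    """Two ranges that each carry only half of the signature (constructed for the demo)."""
    mid = DOCUMENT.index(EICAR) + len(EICAR) // 2
    return [(0, mid - 1), (mid, len(DOCUMENT) - 1)]


if __name__ == "__main__":
    got, blocked = client_download(evasion_ranges(), suppress_byte_ranges=False)
    print("ranges honoured:   blocked=%d, signature reassembled at client=%s" % (blocked, EICAR in got))
    got, blocked = client_download(evasion_ranges(), suppress_byte_ranges=True)
    print("ranges suppressed: blocked=%d, signature reached client=%s" % (blocked, EICAR in got))
```

The second run also shows the side effect the note above warns about: with the header stripped, every ranged request is answered with the full object, so a download accelerator that expected two halves receives the whole file twice. That is the cost of keeping the scanner's view of the stream identical to the client's.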
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL GAV to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance immediately.
Page 16 SonicWALL Gateway Anti-Virus Administrator’s Guide
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mySonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to
apply SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface check box and specify the interface(s) to which you want to apply
anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
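The four rules above, written out as an added example in Python. This is not SonicWALL code or output from the appliance: it assumes the five SonicOS Enhanced zone security types (Trusted, Wireless, Encrypted, Public, Untrusted) and reads the SMTP rule's "non-Trusted" literally as any security type other than Trusted. The inspection_table() helper renders the source-by-destination matrix the guide refers to, and uninspected_pairs() lists the zone pairs that inbound inspection leaves uncovered for a protocol, which is the thing to check before relying on it for a given flow:

```python
"""Added example (not SonicWALL code): the guide's 'Enable Inbound Inspection'
zone rules as a decision function, plus helpers that render the rule matrix
and list the zone pairs a protocol is NOT inspected on.

Assumptions: the five SonicOS Enhanced zone security types below, and the
SMTP rule's 'non-Trusted' read literally as any type other than Trusted."""

SECURITY_TYPES = ("Trusted", "Wireless", "Encrypted", "Public", "Untrusted")
INTERNAL = {"Trusted", "Wireless", "Encrypted"}  # the zones the rules group together


def inbound_inspected(src: str, dst: str, protocol: str) -> bool:
    """True if GAV inbound inspection covers traffic from zone type src to dst."""
    for zone in (src, dst):
        if zone not in SECURITY_TYPES:
            raise ValueError(f"unknown zone security type: {zone!r}")
    if protocol.upper() == "SMTP":
        # SMTP from a non-Trusted zone to a Trusted, Wireless, Encrypted or Public zone
        if src != "Trusted" and (dst in INTERNAL or dst == "Public"):
            return True
        # SMTP from Trusted/Wireless/Encrypted to Trusted/Wireless/Encrypted
        return src in INTERNAL and dst in INTERNAL
    # Non-SMTP from Trusted/Wireless/Encrypted to any zone
    if src in INTERNAL:
        return True
    # Non-SMTP from Public to Untrusted
    return src == "Public" and dst == "Untrusted"


def uninspected_pairs(protocol: str) -> list:
    """(src, dst) zone-type pairs that inbound inspection does not cover for protocol."""
    return [
        (src, dst)
        for src in SECURITY_TYPES
        for dst in SECURITY_TYPES
        if not inbound_inspected(src, dst, protocol)
    ]


def inspection_table(protocol: str) -> str:
    """Render the rules as the source-by-destination matrix the guide describes."""
    cell = 11
    lines = ["src \\ dst".ljust(cell) + "".join(d.ljust(cell) for d in SECURITY_TYPES)]
    for src in SECURITY_TYPES:
        marks = ("yes" if inbound_inspected(src, dst, protocol) else "-" for dst in SECURITY_TYPES)
        lines.append(src.ljust(cell) + "".join(m.ljust(cell) for m in marks))
    return "\n".join(lines)


if __name__ == "__main__":
    for proto in ("HTTP", "SMTP"):
        print(f"Inbound inspection coverage for {proto}:")
        print(inspection_table(proto))
        print("not covered:", uninspected_pairs(proto), "\n")
```

Note that this function covers only the Enable Inbound Inspection rules; the separate Enable Outbound Inspection setting for SMTP, described next, is not modelled here.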
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
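To make concrete what the three restrict transfer settings key on, here is an added Python example (not SonicWALL code, and not how the appliance implements the checks) that inspects raw file bytes for each attribute: the encryption flag bit in a ZIP local file header, a vbaProject.bin part inside an OOXML (docm/xlsm/pptm) package, and UPX/ASPack section names in a PE section table. Its scope is an assumption stated in the code: legacy OLE2 .doc/.xls files are not parsed, and packers other than UPX and ASPack, which need signature matching rather than a section name, are not recognised. All sample files are constructed inline and are not runnable binaries:

```python
"""Added example (not SonicWALL code): structural checks for the three file
attributes the 'Restrict Transfer' options act on, so a defender can see what
such a policy catches.  Scope is deliberately narrow and is an assumption:
ZIP encryption is read from the local-header flag bit, Office macros only from
an OOXML package carrying vbaProject.bin (legacy OLE2 .doc/.xls are not
parsed), and packing only from UPX/ASPack section names in a PE header."""
import io
import struct
import zipfile

# Section names left by two of the packers the guide lists; the others need
# signature matching that this example does not attempt (assumption).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata"}


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any ZIP local file header has general-purpose flag bit 0 (encrypted) set."""
    sig = b"PK\x03\x04"
    pos = data.find(sig)
    while pos != -1 and pos + 30 <= len(data):
        flags, = struct.unpack_from("<H", data, pos + 6)  # flags follow sig(4)+version(2)
        if flags & 0x0001:
            return True
        pos = data.find(sig, pos + 4)
    return False


def office_file_has_vba(data: bytes) -> bool:
    """True for an OOXML package (docm/xlsm/pptm) that contains a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def pe_section_names(data: bytes) -> list:
    """Section names from a PE image's section table, or [] if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or e_lfanew + 24 > len(data):
        return []
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes; the name is its first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00"))
    return names


def pe_is_packed(data: bytes) -> bool:
    return any(name in PACKER_SECTION_NAMES for name in pe_section_names(data))


def restricted_attributes(data: bytes) -> set:
    """Which of the guide's three 'Restrict Transfer' categories the file falls into."""
    found = set()
    if zip_has_encrypted_entry(data):
        found.add("password-protected zip")
    if office_file_has_vba(data):
        found.add("office macros")
    if pe_is_packed(data):
        found.add("packed executable")
    return found


def build_samples() -> dict:
    """Constructed sample files (not real malware, not runnable binaries)."""
    name, body = b"secret.txt", b"\x00" * 16
    # ZIP local header with flag bit 0 set; no central directory is needed for the check.
    encrypted_zip = (b"PK\x03\x04"
                     + struct.pack("<HHHHHIIIHH", 20, 0x0001, 0, 0, 0, 0, len(body), len(body), len(name), 0)
                     + name + body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE stream")
    macro_doc = buf.getvalue()
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)  # 2 sections, no optional header
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in (b"UPX0", b"UPX1"))
    return {"encrypted_zip": encrypted_zip, "macro_doc": macro_doc, "packed_pe": dos + coff + sections}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(f"{label:14} -> {sorted(restricted_attributes(blob)) or 'no restricted attribute'}")
```

The checks are structural, not content-based: they do not decrypt the archive, run the macro or unpack the executable, which is why a policy built on them is cheap to apply at a gateway but, as the guide notes for packers, only recognises the formats it has been taught.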
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature displayed. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL,Inc.
1143 Borregas Avenue
Sunnyvale,CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance ............................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................ 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site: .
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention: Use
Bold: Highlights items you can select on the SonicWALL management interface.
Italic: Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item: Indicates a multiple step Management Interface menu choice. For
example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. Virus is logged and alert is sent to administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received
by the e-mail server.
3. If a virus is found, the threat is prevented.
4. E-mail is returned to sender, virus is logged, and alert is sent to administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection
version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
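The per-packet decoding and matching described in the overview and in the architecture paragraphs above (base64 decoding, gzip inflation and signature matching performed on each chunk as it arrives, with no file-size limit because nothing is reassembled), shown as an added Python example. This is illustrative code written for this page, not SonicWALL's engine: the StreamScanner class, the test signature and the sample payloads are constructed for the example, and the match step is a plain substring search standing in for the appliance's signature database.

```python
import base64
import gzip
import random
import zlib

# Constructed test signature for this example; not a real malware signature.
SIGNATURE = b"X-CONSTRUCTED-TEST-SIGNATURE-X"


class StreamScanner:
    """Scan a base64-encoded, gzip-compressed stream one packet-sized chunk at a time.

    State kept between chunks is bounded regardless of file size: at most three
    base64 characters waiting for a full quartet, zlib's own inflate window, and
    len(signature) - 1 bytes of plaintext for matches that straddle a chunk boundary.
    """

    def __init__(self, signature: bytes) -> None:
        self.sig = signature
        self.b64_pending = b""                                   # partial base64 quartet
        self.inflater = zlib.decompressobj(zlib.MAX_WBITS | 16)  # +16: expect gzip framing
        self.tail = b""                                          # last len(sig)-1 plaintext bytes
        self.matched = False
        self.scanned = 0                                         # plaintext bytes inspected

    def feed(self, chunk: bytes) -> bool:
        """Consume one chunk; return True once the signature has been seen."""
        # MIME wraps base64 with CRLF; drop whitespace before grouping into quartets.
        data = self.b64_pending + chunk.translate(None, b"\r\n\t ")
        usable = len(data) - len(data) % 4
        self.b64_pending = data[usable:]
        compressed = base64.b64decode(data[:usable])
        plain = self.inflater.decompress(compressed)
        self._scan(plain)
        return self.matched

    def _scan(self, plain: bytes) -> None:
        # Prepend the previous tail so a signature split across two chunks still matches.
        window = self.tail + plain
        if self.sig in window:
            self.matched = True
        keep = len(self.sig) - 1
        self.tail = window[-keep:] if keep else b""
        self.scanned += len(plain)

    def finish(self) -> tuple:
        """Return (matched, plaintext bytes scanned, stream ended cleanly)."""
        complete = not self.b64_pending and self.inflater.eof
        return self.matched, self.scanned, complete


def build_mail_body(payload: bytes) -> bytes:
    """Constructed sample input: gzip the payload, then base64-wrap it as a MIME part would."""
    return base64.encodebytes(gzip.compress(payload, mtime=0))


def scan_in_chunks(encoded: bytes, chunk_size: int, signature: bytes = SIGNATURE) -> tuple:
    """Feed the encoded stream to the scanner in fixed-size chunks, like packets arriving."""
    scanner = StreamScanner(signature)
    for i in range(0, len(encoded), chunk_size):
        scanner.feed(encoded[i:i + chunk_size])
    return scanner.finish()


# Constructed sample payloads: pseudo-random noise keeps gzip from shrinking them to nothing.
_RNG = random.Random(7)
_NOISE = bytes(_RNG.getrandbits(8) for _ in range(600))
INFECTED_PAYLOAD = _NOISE[:300] + SIGNATURE + _NOISE[300:]
CLEAN_PAYLOAD = _NOISE

if __name__ == "__main__":
    for name, payload in (("infected", INFECTED_PAYLOAD), ("clean", CLEAN_PAYLOAD)):
        matched, scanned, complete = scan_in_chunks(build_mail_body(payload), 37)
        print(f"{name}: matched={matched} scanned={scanned} complete={complete}")
```

Only a few bytes of state survive between chunks, which is what makes the approach independent of file size. finish() also reports whether the stream ended cleanly, which an inline scanner needs in order to tell a complete clean transfer from a truncated one; a chunk size of 1 exercises the worst-case boundary handling.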
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as follows:

Platform        GAV-Disabled    GAV-Enabled        Concurrent Compressed   GAV
                Connections     Connections        File Downloads          Signatures
                Cache Size      Cache Size         with GAV
                                (Concurrent File
                                Downloads)
TZ 150 Series   2,048           2,048              100                     4,500
TZ 170 Series   6,144           6,144              100                     4,500
PRO 1260        6,144           6,144              100                     4,500
PRO 2040        32,768          16,384             300                     25,000
PRO 3060        131,072         65,536             1,000                   25,000
PRO 4060        524,288         131,072            1,500                   25,000
PRO 5060        750,000         393,216            3,000                   25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is refused with a 552 SMTP response, which removes
it from the head of the sender's queue and thus prevents it from being resent, and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method is
not supported when the HTTP response is chunk encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
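The protocol-specific prevention mechanisms listed above, as an added Python example that is not SonicWALL's code and does not reproduce the appliance's implementation. It models three of the behaviours the guide describes from the gateway's side: stripping HTTP Range headers so a file cannot be fetched in pieces that are each inspected in isolation, answering the FTP REST command locally (with an allow_rest flag standing in for the /diag.html override), and refusing an infected SMTP message with a 552 response before closing the connection. The 552 wording, the FTP 502 reply text and the test signature are constructed for the example; the guide gives the 552 code but not its text.

```python
import re
from typing import Callable, List, Tuple

# Constructed response texts: the guide names the SMTP 552 response but not its wording,
# and the FTP reply to a suppressed REST is an assumption made for this example.
SMTP_REJECT = b"552 Message rejected by gateway anti-virus\r\n"
FTP_REST_DENIED = b"502 REST disabled by gateway anti-virus policy\r\n"
TEST_SIGNATURE = b"X-CONSTRUCTED-TEST-SIGNATURE-X"   # constructed, not a real signature

_RANGE_HEADER = re.compile(rb"^range:", re.IGNORECASE)


def contains_signature(message: bytes, signature: bytes = TEST_SIGNATURE) -> bool:
    """Stand-in for the scanning engine's verdict (substring match, for illustration)."""
    return signature in message


def suppress_http_range(request: bytes) -> bytes:
    """Strip the Range header so the server answers with one complete response stream.

    A client that fetches a file in byte ranges presents the inspector with fragments;
    the malicious pattern would only be reassembled on the client, after inspection.
    The request line, all other headers and any body are passed through unchanged.
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]] + [h for h in lines[1:] if not _RANGE_HEADER.match(h)]
    return b"\r\n".join(kept) + sep + body


def filter_ftp_command(line: bytes, allow_rest: bool = False) -> Tuple[bool, bytes]:
    """Return (forward_to_server, reply_to_client) for one FTP control-channel command.

    REST asks the server to resume a transfer at an offset, the FTP analogue of an HTTP
    byte range; it is answered locally unless the administrator has re-enabled it.
    """
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb == b"REST" and not allow_rest:
        return False, FTP_REST_DENIED
    return True, b""


def smtp_data_phase(message: bytes,
                    is_infected: Callable[[bytes], bool] = contains_signature) -> List[Tuple[str, bytes]]:
    """Model the DATA phase of an SMTP session passing through the gateway.

    Returns the exchange as (speaker, line) pairs. A clean message is accepted by the
    server as usual; an infected one is answered with 552 and the connection is closed,
    so the sending MTA treats the message as failed rather than keeping it queued for retry.
    """
    exchange = [("client", b"DATA\r\n"),
                ("server", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
                ("client", message + b"\r\n.\r\n")]
    if is_infected(message):
        exchange.append(("gateway", SMTP_REJECT))
        exchange.append(("gateway", b"<connection closed>"))
    else:
        exchange.append(("server", b"250 OK: queued\r\n"))
    return exchange


if __name__ == "__main__":
    for speaker, line in smtp_data_phase(b"Subject: test\r\n\r\n" + TEST_SIGNATURE):
        print(f"{speaker:>8}: {line!r}")
    print(suppress_http_range(b"GET /f.zip HTTP/1.1\r\nHost: h\r\nRange: bytes=0-1023\r\n\r\n"))
    print(filter_ftp_command(b"REST 1024\r\n"))
```

The Range and REST filters are the defensive counterpart of the caveat in the HTTP note above: download accelerators that split a file into parallel ranged requests stop working once the header is removed, which is the trade-off an administrator accepts for single-stream inspection.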
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Page 20 SonicWALL Gateway Anti-Virus Administrator’s Guide
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
Traffic     Initiating Zone                  Destination Zone
Non-SMTP    Trusted, Wireless, Encrypted     Any
Non-SMTP    Public                           Untrusted
SMTP        Non-Trusted                      Trusted, Wireless, Encrypted, Public
SMTP        Trusted, Wireless, Encrypted     Trusted, Wireless, Encrypted
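The inbound inspection rules above, encoded as a lookup an administrator can run to see which zone pairs are scanned and, more usefully, which are not. This is an added example and not SonicWALL code; the zone-name to security-type mapping is constructed, and "non-Trusted" in the SMTP rule is read literally as any security type other than Trusted.

```python
"""Which flows does SonicWALL GAV "Enable Inbound Inspection" cover?

Added example, not SonicWALL code: the four inbound inspection rules from
the guide as a lookup table, plus a gap finder. The zone-name to
security-type mapping is constructed; the real one is whatever the
Network > Zones page shows.
"""

# Security types named by the guide; Trusted, Wireless and Encrypted are
# treated alike by the inbound inspection rules.
TRUSTED_LIKE = frozenset({"Trusted", "Wireless", "Encrypted"})
SECURITY_TYPES = TRUSTED_LIKE | {"Public", "Untrusted"}

# Constructed sample mapping of zone names to security types (assumption).
ZONE_TYPES = {
    "LAN": "Trusted",
    "WLAN": "Wireless",
    "VPN": "Encrypted",
    "DMZ": "Public",
    "WAN": "Untrusted",
}

# (label, applies to SMTP?, initiating security types, destination types)
# "non-Trusted" in the third rule is read literally: anything but Trusted.
INBOUND_RULES = (
    ("non-SMTP from Trusted/Wireless/Encrypted to any zone",
     False, TRUSTED_LIKE, SECURITY_TYPES),
    ("non-SMTP from Public to Untrusted",
     False, frozenset({"Public"}), frozenset({"Untrusted"})),
    ("SMTP from non-Trusted to Trusted/Wireless/Encrypted/Public",
     True, SECURITY_TYPES - {"Trusted"}, TRUSTED_LIKE | {"Public"}),
    ("SMTP from Trusted/Wireless/Encrypted to Trusted/Wireless/Encrypted",
     True, TRUSTED_LIKE, TRUSTED_LIKE),
)


def matching_rule(protocol, src_type, dst_type):
    """Return the label of the inbound rule covering this flow, or None.

    src_type is the security type of the zone that initiates the session,
    dst_type that of the zone it connects to.
    """
    for t in (src_type, dst_type):
        if t not in SECURITY_TYPES:
            raise ValueError(f"unknown security type: {t!r}")
    is_smtp = protocol.upper() == "SMTP"
    for label, smtp_rule, srcs, dsts in INBOUND_RULES:
        if smtp_rule == is_smtp and src_type in srcs and dst_type in dsts:
            return label
    return None


def flow_inspected(protocol, src_zone, dst_zone, zone_types=ZONE_TYPES):
    """Same check by zone name, via the zone -> security type mapping."""
    return matching_rule(protocol, zone_types[src_zone], zone_types[dst_zone])


def uncovered_flows(protocol, zone_types=ZONE_TYPES):
    """Zone pairs that inbound inspection does not scan for this protocol.

    For SMTP this shows why the separate Enable Outbound Inspection setting
    exists (e.g. LAN -> DMZ mail server); for other protocols it shows
    sessions initiated from Public or Untrusted zones that are not scanned.
    """
    return sorted(
        (src, dst)
        for src in zone_types
        for dst in zone_types
        if src != dst and flow_inspected(protocol, src, dst, zone_types) is None
    )


if __name__ == "__main__":
    for proto, src, dst in [("HTTP", "LAN", "WAN"), ("HTTP", "WAN", "DMZ"),
                            ("SMTP", "WAN", "DMZ"), ("SMTP", "LAN", "WAN")]:
        print(f"{proto:4} {src:>4} -> {dst:<4}: {flow_inspected(proto, src, dst)}")
    print("SMTP gaps:", uncovered_flows("SMTP"))
```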
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when a HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site:
.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Convention                              Use
Bold                                    Highlights items you can select on the SonicWALL management interface.
Italic                                  Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item    Indicates a multiple step Management Interface menu choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
Page 7
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment, reducing
false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Page 8
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before they infect a remote desktop.
4. The virus is logged and an alert is sent to the administrator.
Page 9
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client requests a file download from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Page 10
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
Page 11
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 engine (Deep Packet Inspection
version 2.0), which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
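The reassembly-free scanning described above is easier to see in a short simulation. The following Python code is an added example written for this edition of the guide; it is not SonicWALL code and does not reproduce the DPI engine. It assumes a constructed test signature (EXAMPLE-GATEWAY-AV-TEST-PATTERN, not a real GAV signature), cuts a base64-encoded mail body into packets at arbitrary points, and decodes and matches per packet while carrying only a few bytes of state between packets, so memory use stays constant no matter how large the attachment is.

```python
import base64
import binascii

# Constructed test signature (not a real SonicWALL GAV signature): the decoded
# byte pattern the scanner looks for inside the mail stream.
SIGNATURE = b"EXAMPLE-GATEWAY-AV-TEST-PATTERN"


class StreamingBase64Scanner:
    """Scan a base64-encoded stream for SIGNATURE one packet at a time.

    Nothing is reassembled. The only state carried between packets is
    (a) up to three base64 characters that did not complete a 4-character
    group, and (b) the last len(SIGNATURE)-1 decoded bytes, which is the
    minimum needed to catch a signature that straddles a packet boundary."""

    def __init__(self, signature: bytes = SIGNATURE):
        self.signature = signature
        self.pending = b""          # base64 chars not yet forming a whole group
        self.tail = b""             # decoded bytes kept for boundary matching
        self.decoded_total = 0
        self.matched = False

    def feed(self, packet: bytes) -> bool:
        """Consume one packet's payload; return True once the signature is seen."""
        # Mail bodies are line-wrapped, so drop CR/LF and other whitespace, then
        # prepend whatever did not fit into a whole group last time.
        data = self.pending + b"".join(packet.split())
        usable = len(data) - len(data) % 4
        chunk, self.pending = data[:usable], data[usable:]
        if not chunk:
            return self.matched
        try:
            plain = base64.b64decode(chunk, validate=True)
        except binascii.Error as exc:
            raise ValueError("invalid base64 in stream") from exc
        self.decoded_total += len(plain)
        window = self.tail + plain
        if self.signature in window:
            self.matched = True
        keep = len(self.signature) - 1      # longest possible partial match
        self.tail = window[-keep:] if keep else b""
        return self.matched


def scan_packets(packets, signature: bytes = SIGNATURE):
    """Feed packets in order; return (True, index of the packet that completed
    the match) or (False, None)."""
    scanner = StreamingBase64Scanner(signature)
    for i, pkt in enumerate(packets):
        if scanner.feed(pkt):
            return True, i
    return False, None


def make_packets(payload: bytes, mtu: int) -> list:
    """Constructed sample input: base64-encode `payload` the way a mail client
    does (76-column lines) and cut the encoded text every `mtu` bytes, so
    packet boundaries fall mid-line, mid-group and mid-signature."""
    wire = base64.encodebytes(payload)
    return [wire[i:i + mtu] for i in range(0, len(wire), mtu)]
```

The point to take from the run is that the packet in which the match completes is not the first one: the signature is split across packets and across base64 groups, and is still found because the scanner keeps exactly the partial-match window it needs and nothing more.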
Page 12
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as
shown in the following table:

Platform        GAV-Disabled       GAV-Enabled          Concurrent Compressed   GAV
                Connection Cache   Connection Cache     File Downloads          Signatures
                Size               Size (Concurrent     with GAV
                                   File Downloads)
TZ 150 Series   2,048              2,048                100                     4,500
TZ 170 Series   6,144              6,144                100                     4,500
PRO 1260        6,144              6,144                100                     4,500
PRO 2040        32,768             16,384               300                     25,000
PRO 3060        131,072            65,536               1,000                   25,000
PRO 4060        524,288            131,072              1,500                   25,000
PRO 5060        750,000            393,216              3,000                   25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and its
resources reallocated to the SPI connection cache (the GAV-Disabled column in the table above). Do
this only on an appliance that will not run SonicWALL GAV or IPS: with the engine disabled, no
anti-virus or intrusion prevention scanning takes place.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. An alert informs you that the SonicWALL security appliance must be rebooted for the
change to take effect.
3. Restart your SonicWALL security appliance.
Page 13
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoded mail is handled natively for all e-mail protocols (SMTP, POP3, and IMAP), since that
encoding requires no decoding before scanning.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which
removes it from the head of the sender's queue and so prevents it from being resent, and the connection
is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is removed from the POP3 server with the POP3
DELE command and the connection is terminated. To continue downloading messages after the
termination, the user must re-initiate the download on the POP3 client in order to retrieve the rest of
the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
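The SMTP and POP3 prevention mechanisms above, shown as a protocol exchange. This is an added example written for this edition of the guide, not SonicWALL's implementation: a gateway relays between a scripted client and a scripted server stand-in, scans the message body line by line as it streams (carrying only a short tail so a pattern split across lines is still caught), and on a hit answers the client's end-of-data marker with 552 itself (SMTP) or issues DELE to the server on the client's behalf and drops the client (POP3). The signature, the server stand-ins and the exact 552 reply text are constructed for the example.

```python
# Constructed test pattern standing in for a GAV signature; not a real one.
SIGNATURE = b"EXAMPLE-GATEWAY-AV-TEST-PATTERN"


def scan_line(tail: bytes, line: bytes, signature: bytes = SIGNATURE):
    """Streaming match over one more line. Returns (hit, new_tail). Only the
    last len(signature)-1 bytes are carried, so a pattern split across two
    lines (or packets) is still found without buffering the message."""
    window = tail + line
    return signature in window, window[-(len(signature) - 1):]


class SmtpServer:
    """Stand-in for the receiving MTA: a message is queued only when its
    end-of-data marker '.' actually reaches the server."""

    def __init__(self):
        self.queued, self.in_data, self.buf = [], False, []

    def handle(self, line: bytes):
        if self.in_data and line != b".":
            self.buf.append(line)
            return None                                  # body lines: no reply
        if self.in_data:
            body, self.buf, self.in_data = b"\n".join(self.buf), [], False
            self.queued.append(body)
            return b"250 OK queued"
        if line.upper().startswith(b"DATA"):
            self.in_data = True
            return b"354 End data with <CR><LF>.<CR><LF>"
        return b"221 Bye" if line.upper().startswith(b"QUIT") else b"250 OK"


def smtp_gateway(client_lines, server: SmtpServer):
    """Relay an SMTP session, scanning the DATA phase as it streams. On a hit
    the gateway stops forwarding body lines, answers the client's '.' with 552
    itself (permanent failure: the sending MTA drops the message from its queue
    instead of retrying) and terminates. The server never sees the '.' and so
    queues nothing. Returns the transcript as (speaker, line) tuples."""
    log, in_data, hit, tail = [], False, False, b""
    for line in client_lines:
        log.append(("client", line))
        if in_data and line != b".":
            found, tail = scan_line(tail, line)
            hit = hit or found
            if hit:
                continue                                 # drop, do not forward
        elif in_data and hit:                            # client sent '.'
            log.append(("gateway", b"552 Message rejected: virus detected"))
            log.append(("gateway", b"<connection terminated>"))
            return log
        reply = server.handle(line)
        if reply is not None:
            log.append(("server", reply))
        if line.upper().startswith(b"DATA"):
            in_data = True
        elif line == b".":
            in_data, hit, tail = False, False, b""
    return log


class Pop3Server:
    """Stand-in POP3 server over a {message_number: body} mailbox."""

    def __init__(self, mailbox: dict):
        self.mailbox = dict(mailbox)

    def handle(self, line: bytes):
        verb, _, arg = line.partition(b" ")
        n = int(arg) if arg.isdigit() else None
        if verb == b"RETR" and n in self.mailbox:
            body = self.mailbox[n]
            return [b"+OK %d octets" % len(body)] + body.split(b"\n") + [b"."]
        if verb == b"DELE" and n in self.mailbox:
            del self.mailbox[n]
            return [b"+OK message deleted"]
        return [b"+OK"] if verb in (b"USER", b"PASS", b"QUIT") else [b"-ERR"]


def pop3_gateway(client_lines, server: Pop3Server):
    """Relay POP3, scanning each RETR response as the server streams it. On a
    hit the gateway sends DELE for that message to the server on the client's
    behalf (so it cannot be fetched again) and terminates the client side; the
    client has to reconnect to fetch its remaining messages."""
    log = []
    for line in client_lines:
        log.append(("client", line))
        verb, _, arg = line.partition(b" ")
        tail = b""
        for reply in server.handle(line):
            if verb == b"RETR":
                found, tail = scan_line(tail, reply)
                if found:
                    log.append(("gateway->server", b"DELE " + arg))
                    log.append(("server", server.handle(b"DELE " + arg)[0]))
                    log.append(("gateway", b"<client connection terminated>"))
                    return log
            log.append(("server", reply))
    return log
```

In the SMTP run the infected message never reaches the server's queue and the client's own QUIT is never relayed; in the POP3 run the infected message disappears from the server mailbox while the clean one stays, which is exactly the client-visible behaviour the notes above on POP3 client compensation are about. The IMAP case differs only in that the gateway terminates the connection without deleting anything, as described above.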
Page 14
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression
method is not supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just
TCP port 80. SonicWALL GAV suppresses HTTP Byte-Range requests to prevent the sectional retrieval and
reassembly of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. The FTP stateful code follows data port
negotiations, allowing FTP data to be inspected on whatever TCP port is in use. SonicWALL GAV
suppresses the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of
potentially malicious content. The suppression of the 'REST' request can be overridden from the
/diag.html page with the option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
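The HTTP and FTP handling above share one idea: a client must not be able to fetch a file in pieces that each look harmless on their own. The following Python code is an added example written for this edition of the guide, not SonicWALL code. It rewrites an HTTP request to drop the Range header, classifies an HTTP response by which decompressor can be applied before scanning (with the deflate-plus-chunked gap noted above), and filters FTP control commands to swallow REST unless the /diag.html override is enabled. Treating If-Range like Range, and the 502 reply sent for a suppressed REST, are assumptions of the example; the guide does not state either.

```python
import re

# Header names whose presence lets a client fetch an object in pieces. The guide
# says GAV suppresses HTTP Byte-Range requests; treating If-Range the same way
# is an assumption made in this example.
SECTIONAL_HEADERS = re.compile(rb"^(range|if-range)\s*:", re.IGNORECASE)


def strip_range_headers(request: bytes):
    """Rewrite an HTTP request so the server must return the whole object.
    Returns (rewritten_request, list_of_removed_header_lines)."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [ln for ln in lines if not SECTIONAL_HEADERS.match(ln)]
    removed = [ln for ln in lines if SECTIONAL_HEADERS.match(ln)]
    return b"\r\n".join(kept) + sep + body, removed


def parse_headers(head: bytes) -> dict:
    """Lower-cased header dict from the header block of a request or response
    (the first line, request line or status line, is skipped)."""
    headers = {}
    for ln in head.split(b"\r\n")[1:]:
        name, _, value = ln.partition(b":")
        if name:
            headers[name.strip().lower()] = value.strip().lower()
    return headers


def response_decoder(response_head: bytes):
    """Which decompressor the gateway can apply to a response before scanning:
    'gzip', 'deflate', 'identity' (nothing to undo), or None when the body
    cannot be decoded on the fly. The gap stated in the guide is deflate
    combined with chunked transfer encoding."""
    h = parse_headers(response_head.partition(b"\r\n\r\n")[0])
    encoding = h.get(b"content-encoding", b"identity")
    chunked = b"chunked" in h.get(b"transfer-encoding", b"")
    if encoding == b"gzip":
        return "gzip"
    if encoding == b"deflate":
        return None if chunked else "deflate"
    if encoding == b"identity":
        return "identity"
    return None                  # unknown encoding: not decodable by this gateway


def ftp_command_filter(command: bytes, allow_rest: bool = False):
    """Gateway decision for one FTP control-channel command from the client.
    Returns (forward_to_server, reply_to_client). REST is swallowed unless the
    administrator enabled the /diag.html override; the reply text used here is
    an assumption, the guide does not document what the appliance sends."""
    verb = command.split(b" ", 1)[0].upper()
    if verb == b"REST" and not allow_rest:
        return False, b"502 REST not permitted by gateway anti-virus policy"
    return True, None
```

What the gateway does with a response it cannot decode (the deflate-plus-chunked case, or an encoding it does not know) is a policy decision the guide does not spell out; the classifier only makes the case visible so that it can be decided deliberately rather than passed through by accident.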
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL GAV to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Page 15
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible from any Internet connection with a Web
browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV on mySonicWALL.com, SonicWALL GAV activation is automatically
enabled on your SonicWALL security appliance within 24 hours, or you can click the Synchronize button
on the Security Services > Summary page to update your SonicWALL security appliance immediately.
Page 16
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Page 17
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Page 18
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Page 19
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus checkbox in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to
apply SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network >
Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interfaces on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting
the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Page 20
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon . The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Page 21
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, SonicWALL GAV inspection stops (traffic is no longer
scanned) and the SonicWALL GAV configuration settings are removed from the SonicWALL security
appliance. These settings are automatically restored to their previously configured state after you
renew your SonicWALL GAV license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message: Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check the Enable
Gateway Anti-Virus on Interface and specify the interface(s) you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Page 22
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
Page 23
(The original guide also presents the Enable Inbound Inspection handling as a table; that table is not
reproduced here.)
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
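The four Enable Inbound Inspection rules above, encoded as a policy function and expanded into the full matrix of zone security types. This is an added example written for this edition of the guide, not SonicWALL code: it takes the zone security types named in the rules (Trusted, Wireless, Encrypted, Public, Untrusted) and interprets "initiating from" as the zone of the session initiator, so for a download the scanned payload actually flows back from the destination to the source. The Enable Outbound Inspection option is not modeled.

```python
from itertools import product

# Zone security types named in the guide's Enable Inbound Inspection rules.
ZONE_TYPES = ("Trusted", "Wireless", "Encrypted", "Public", "Untrusted")
INTERNAL = {"Trusted", "Wireless", "Encrypted"}


def inbound_inspected(protocol: str, src: str, dst: str) -> bool:
    """True when a session of `protocol` initiated from a zone of security type
    `src` toward a zone of type `dst` is covered by Enable Inbound Inspection,
    following the four rules as the guide states them."""
    if protocol.upper() != "SMTP":
        # Non-SMTP: anything started from an internal zone, plus Public -> Untrusted.
        return src in INTERNAL or (src == "Public" and dst == "Untrusted")
    # SMTP: mail arriving from a non-Trusted zone into an internal or Public
    # zone, and mail passing between internal zones.
    if src != "Trusted" and (dst in INTERNAL or dst == "Public"):
        return True
    return src in INTERNAL and dst in INTERNAL


def matrix(protocol: str) -> dict:
    """(src, dst) -> inspected? for every ordered pair of zone security types."""
    return {(s, d): inbound_inspected(protocol, s, d)
            for s, d in product(ZONE_TYPES, repeat=2)}


def uninspected_pairs(protocol: str) -> list:
    """Session directions the inbound rules do not cover, sorted, for checking
    a given topology against the policy."""
    return sorted(pair for pair, on in matrix(protocol).items() if not on)


def render(protocol: str) -> str:
    """Plain-text table: rows are the initiating zone type, columns the destination."""
    width = max(len(z) for z in ZONE_TYPES) + 2
    out = [protocol.ljust(width) + "".join(z.ljust(width) for z in ZONE_TYPES)]
    for s in ZONE_TYPES:
        cells = ("yes" if inbound_inspected(protocol, s, d) else "no" for d in ZONE_TYPES)
        out.append(s.ljust(width) + "".join(c.ljust(width) for c in cells))
    return "\n".join(out)


if __name__ == "__main__":
    print(render("HTTP"))
    print()
    print(render("SMTP"))
```

Two cells are worth checking against your own topology. A non-SMTP session initiated from an Untrusted zone toward a Trusted one (an Internet client uploading to an internal web server) comes out "no", because none of the four rules as stated covers it. SMTP from Trusted to Public (an internal client submitting mail to a server on the DMZ) also comes out "no"; that is the mail server case the Enable Outbound Inspection option described above is for.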
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download
is blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
Page 24
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection: traffic for an excluded
address range is not scanned at all, so keep exclusions as narrow as possible.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
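As an added example (not SonicWALL code) of the password-protected ZIP restriction above, written in the per-packet, reassembly-free style this guide describes: a scanner that is fed packet-sized chunks, reads each ZIP local file header as it passes and flags entries with the encryption bit set, without ever buffering the archive. The header layout comes from the ZIP format specification; the sample archives are constructed inline.

```python
"""Added example, not SonicWALL code: an incremental ZIP local-header scanner.

A small state machine is fed packet-sized chunks, never buffers the archive,
and flags entries whose general-purpose flag bit 0 is set, i.e. the
password-protected (encrypted) entries that "Restrict Transfer of
password-protected Zip files" blocks. Sample archives are constructed below.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"   # local file header signature (ZIP APPNOTE 4.3.7)
LOCAL_HEADER_LEN = 30       # fixed part of the local file header
FLAG_ENCRYPTED = 0x0001     # general purpose flag bit 0: entry is encrypted


class ZipStreamScanner:
    def __init__(self):
        self._pending = b""   # partial header carried to the next packet
        self._skip = 0        # entry payload bytes still to be skipped
        self.entries = []     # (name, flags) for every local header seen
        self.encrypted = []   # names of password-protected entries

    def feed(self, chunk: bytes) -> None:
        """Consume one packet's worth of archive bytes."""
        if self._skip:
            if self._skip >= len(chunk):
                self._skip -= len(chunk)
                return
            chunk = chunk[self._skip:]
            self._skip = 0
        buf = self._pending + chunk
        pos = 0
        while True:
            idx = buf.find(LOCAL_SIG, pos)
            if idx < 0:
                # keep up to 3 trailing bytes so a signature split across
                # packets is still recognised on the next feed()
                self._pending = buf[max(pos, len(buf) - (len(LOCAL_SIG) - 1)):]
                return
            if idx + LOCAL_HEADER_LEN > len(buf):
                self._pending = buf[idx:]      # fixed header split across packets
                return
            flags, = struct.unpack_from("<H", buf, idx + 6)
            comp_size, = struct.unpack_from("<I", buf, idx + 18)
            name_len, extra_len = struct.unpack_from("<HH", buf, idx + 26)
            name_end = idx + LOCAL_HEADER_LEN + name_len
            if name_end > len(buf):
                self._pending = buf[idx:]      # file name split across packets
                return
            name = buf[idx + LOCAL_HEADER_LEN:name_end].decode("utf-8", "replace")
            self.entries.append((name, flags))
            if flags & FLAG_ENCRYPTED:
                self.encrypted.append(name)
            # Skip the payload without storing it. When sizes live in a trailing
            # data descriptor (flag bit 3) comp_size is 0 and we simply keep
            # scanning the payload bytes for the next signature.
            end = name_end + extra_len + comp_size
            if end > len(buf):
                self._skip = end - len(buf)
                self._pending = b""
                return
            pos = end


def make_local_entry(name: str, data: bytes, flags: int = 0) -> bytes:
    """Constructed test data: a STORED (method 0) local header plus payload."""
    raw = name.encode()
    header = struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0,
                         zlib.crc32(data) & 0xFFFFFFFF, len(data), len(data),
                         len(raw), 0)
    return header + raw + data


# Constructed sample: one plain entry and one "encrypted" entry whose payload
# even contains a fake "PK\x03\x04", showing that skipping by size avoids it.
SAMPLE_ARCHIVE = (make_local_entry("readme.txt", b"hello") +
                  make_local_entry("secret.bin", b"PK\x03\x04 not a header",
                                   FLAG_ENCRYPTED))


def make_real_archive() -> bytes:
    """Constructed sample built with the standard zipfile module (deflated)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", "A" * 1000)
        zf.writestr("b/c.bin", bytes(range(256)) * 4)
    return buf.getvalue()


def scan_stream(stream: bytes, packet_size: int):
    """Feed `stream` to the scanner in packet_size pieces; return the entry
    names seen and the subset that is password-protected."""
    scanner = ZipStreamScanner()
    for off in range(0, len(stream), packet_size):
        scanner.feed(stream[off:off + packet_size])
    return [n for n, _ in scanner.entries], list(scanner.encrypted)


if __name__ == "__main__":
    for mtu in (1, 7, 1460):
        print(mtu, scan_stream(SAMPLE_ARCHIVE, mtu))
```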
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a
signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to move through the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05

COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................ 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within cannot be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator's Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance, located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator's Guide, located on the SonicWALL
Web site, for complete instructions on configuring SonicWALL Intrusion Prevention Service 2.0.
Guide Conventions
Conventions used in this guide are as follows:

Convention                              Use
Bold                                    Highlights items you can select on the SonicWALL management interface.
Italic                                  Highlights a value to enter into a field. For example, "type 192.168.168.168
                                        in the IP Address field."
Top Level Menu Button > Submenu Item    Indicates a multiple step Management Interface menu choice. For example,
                                        Security Services > Gateway Anti-Virus means select Security Services,
                                        then select Gateway Anti-Virus.

Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based resources
are available to help you resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktop.
4. Virus is logged and alert is sent to administrator.
Internal Network Protection
1. Internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If virus is found, file is discarded.
4. Virus is logged and alert is sent to administrator.
HTTP File Downloads
1. Client makes a request to download a file from the Web.
2. File is downloaded through the Internet.
3. File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. Virus is logged and alert is sent to administrator.
Server Protection
1. Outside user sends an incoming e-mail.
2. E-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is received by the
e-mail server.
3. If a virus is found, the threat is prevented.
4. E-mail is returned to sender, virus is logged, and alert is sent to administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 (Deep Packet Inspection
version 2.0) engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as follows:

Platform         GAV-Disabled   GAV-Enabled Connections   Concurrent Compressed    GAV
                 Connections    Cache Size (Concurrent    File Downloads           Signatures
                 Cache Size     File Downloads)           with GAV
TZ 150 Series    2,048          2,048                     100                      4,500
TZ 170 Series    6,144          6,144                     100                      4,500
PRO 1260         6,144          6,144                     100                      4,500
PRO 2040         32,768         16,384                    300                      25,000
PRO 3060         131,072        65,536                    1,000                    25,000
PRO 4060         524,288        131,072                   1,500                    25,000
PRO 5060         750,000        393,216                   3,000                    25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and is displayed to the user if either application is
active. Application-level awareness of the protocol that was transporting the violation allows very
specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit content is handled natively for all e-mail protocols (SMTP, POP3, and IMAP), since it needs
no decoding.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The end of the DATA phase is answered with a 552 SMTP response and the
connection is terminated. Because 552 is a permanent failure, the sending MTA removes the message that
contains the virus from the head of its send queue instead of retrying it.
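The SMTP exchange described above, as an added example that is not SonicWALL's own code: a minimal server-side emulation of the gateway's SMTP handling in Python. It takes the client's commands, decodes the message's base64 (and quoted-printable) parts with the standard email package, unpacks gzip and zip layers the way the Capabilities line describes, and answers the DATA terminator with a 552 and a closed connection when a signature matches. The signature table (only the harmless EICAR test string), the recursion bound, the reply texts and the sample messages are all constructed for this example.

```python
import email
import gzip
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed signature table: the EICAR test string is a harmless, standard AV test pattern.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}
MAX_DEPTH = 4  # assumed bound on nested archives, so a zip-in-zip chain cannot recurse forever


def unpack_layers(data, depth=0):
    """Yield data itself and every layer under it: gzip streams and (unencrypted) zip entries."""
    yield data
    if depth >= MAX_DEPTH:
        return
    if data.startswith(b"\x1f\x8b"):  # gzip magic
        try:
            yield from unpack_layers(gzip.decompress(data), depth + 1)
        except (OSError, EOFError):
            pass
    elif data.startswith(b"PK\x03\x04"):  # zip local file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # encrypted entry: content cannot be scanned
                        continue
                    yield from unpack_layers(zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            pass


def scan_message(raw):
    """Return the name of the first matching signature, or None for a clean message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if not payload:
            continue
        for layer in unpack_layers(payload):
            for name, sig in SIGNATURES.items():
                if sig in layer:
                    return name
    return None


class GatewaySmtp:
    """Server-side view of one SMTP transaction as the gateway would answer it."""
    def __init__(self):
        self.in_data, self.lines, self.closed = False, [], False

    def feed(self, line):
        """Take one client line (no CRLF) and return the reply; None while inside DATA."""
        if self.closed:
            raise ConnectionResetError("connection terminated by gateway")
        if self.in_data:
            if line != ".":
                self.lines.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
                return None
            self.in_data = False
            verdict = scan_message("\r\n".join(self.lines).encode())
            if verdict:
                self.closed = True  # 552 is permanent: the sending MTA drops the message, no retry
                return f"552 Message rejected: {verdict}"
            return "250 OK queued"
        cmd = line.split(" ", 1)[0].upper()
        if cmd == "DATA":
            self.in_data, self.lines = True, []
            return "354 End data with <CR><LF>.<CR><LF>"
        if cmd in ("EHLO", "HELO", "MAIL", "RCPT", "QUIT"):
            self.closed = cmd == "QUIT"
            return "221 Bye" if self.closed else "250 OK"
        return "500 Unrecognized command"


def build_message(attachment, filename):
    """Constructed sample mail with one binary attachment (base64-encoded by the email package)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.test", "user@example.test", "report"
    msg.set_content("see attachment")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_string()


def deliver(message_text):
    """Drive one transaction through the gateway; return (reply to the DATA terminator, closed?)."""
    gw = GatewaySmtp()
    for line in ("EHLO client", "MAIL FROM:<sender@example.test>", "RCPT TO:<user@example.test>", "DATA"):
        gw.feed(line)
    for line in message_text.split("\n"):
        gw.feed("." + line if line.startswith(".") else line)  # client-side dot-stuffing
    return gw.feed("."), gw.closed


def zipped(content, name, gzip_first=False):
    """Constructed sample: wrap content in a zip archive, optionally gzip-compressing it first."""
    if gzip_first:
        content, name = gzip.compress(content), name + ".gz"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()
```

`deliver(build_message(zipped(EICAR, "eicar.com", gzip_first=True), "eicar.zip"))` returns the 552 reply with the connection closed: the test string is only reachable after base64 decoding, zip extraction and gzip decompression, which is the layering the Capabilities line promises. A clean attachment gets `250 OK queued` and the connection stays open. Encrypted zip entries are skipped here; the "Restrict Transfer of password-protected Zip files" option later in this guide exists because such entries cannot be scanned at all.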
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is deleted from the POP3 server with a
'DELE' command and the connection is terminated. To continue downloading after the termination, the
user must re-initiate the download on the POP3 client in order to retrieve the rest of the messages from
the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
Page 14 SonicWALL Gateway Anti-Virus Administrator’s Guide
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is not
supported when the HTTP response is chunk-encoded. All HTTP traffic is inspected, not just TCP port
80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly
of potentially malicious content, which would otherwise let a client fetch a file in pieces that the
scanner never sees whole.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
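The two HTTP behaviours above, as an added example in Python that is not SonicWALL's code: stripping Range and If-Range from a client request so a file cannot be fetched in slices the scanner never sees whole (the FTP 'REST' suppression described next closes the same hole), and undoing a response's chunked transfer coding and gzip/deflate content coding before matching. Unlike the appliance as described here, the example handles deflate inside a chunked response too, and it also accepts the raw-DEFLATE variant some servers send under "Content-Encoding: deflate". The request, the responses and the EICAR-only signature are constructed.

```python
import gzip
import zlib

# Constructed signature: the harmless EICAR test string stands in for the signature database.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def strip_range(request):
    """Drop Range/If-Range headers so the server answers with the whole object (200, not 206)."""
    head, sep, body = request.partition(b"\r\n\r\n")
    kept = [h for h in head.split(b"\r\n") if not h.lower().startswith((b"range:", b"if-range:"))]
    return b"\r\n".join(kept) + sep + body


def split_response(raw):
    """Return (status line, {lower-case header name: value}, raw body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def dechunk(body):
    """Reassemble a chunked transfer-coding body (chunk extensions and trailers ignored)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk


def decode_body(headers, body):
    """Undo transfer coding, then content coding, so the scanner sees the bytes the client will."""
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = dechunk(body)
    encoding = headers.get(b"content-encoding", b"identity").lower()
    if encoding == b"gzip":
        return gzip.decompress(body)
    if encoding == b"deflate":
        try:
            return zlib.decompress(body)        # RFC-correct form: zlib-wrapped DEFLATE
        except zlib.error:
            return zlib.decompress(body, -15)   # raw DEFLATE, sent by some servers
    return body


def response_is_malicious(raw):
    """True when a signature matches the fully decoded response body."""
    _, headers, body = split_response(raw)
    return EICAR in decode_body(headers, body)


def make_response(body, content_encoding=None, chunked=False, chunk_size=40):
    """Constructed sample response; compressing and chunking is what a real server would do."""
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: application/octet-stream"]
    if content_encoding:
        lines.append(b"Content-Encoding: " + content_encoding)
    if chunked:
        lines.append(b"Transfer-Encoding: chunked")
        pieces = [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)]
        body = b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"
    else:
        lines.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def compressed(data, encoding):
    """Constructed sample content codings: gzip, zlib-wrapped deflate, or raw deflate."""
    if encoding == b"gzip":
        return gzip.compress(data)
    if encoding == b"deflate":
        return zlib.compress(data)
    compressor = zlib.compressobj(wbits=-15)  # raw DEFLATE without zlib header/trailer
    return compressor.compress(data) + compressor.flush()
```

A response carrying only the first 30 bytes of the test string is clean on its own, which is exactly why a scanner that lets Range requests through can be bypassed: the client asks for `bytes=0-29` and `bytes=30-` in two requests and joins the halves locally. Stripping the header forces a single full response that the scanner decodes and matches as one stream.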
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content, in the same way that HTTP Byte-Range requests are suppressed. The suppression of the 'REST'
request can be overridden from the /diag.html page with the option 'Enable FTP 'REST' requests with
Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL GAV to protect your network against viruses, worms, and other
malicious code.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Page 15
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL security appliance within 24 hours, or you can click the
Synchronize button on the Security Services > Summary page to update your SonicWALL security
appliance immediately.
Page 16 SonicWALL Gateway Anti-Virus Administrator’s Guide
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Page 17
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Page 18 SonicWALL Gateway Anti-Virus Administrator’s Guide
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24-hours or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Page 19
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces you want to apply
SonicWALL GAV protection to. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones you want to apply SonicWALL GAV protection to on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL
security appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After
selecting the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Page 20 SonicWALL Gateway Anti-Virus Administrator’s Guide
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window
is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Page 21
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones
page. Clicking the Add button displays the Add Zone window, which includes the same settings as the
Edit Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, SonicWALL GAV inspection stops and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored to their previously configured state after you renew your
SonicWALL GAV license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) you want anti-virus scanning applied to.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Page 22 SonicWALL Gateway Anti-Virus Administrator’s Guide
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
Page 23
The Enable Inbound Inspection protocol traffic handling represented as a table:
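The four Enable Inbound Inspection rules above as a decision function, together with the source-by-destination matrix, as an added example in Python that is not SonicWALL's own logic. It assumes the five zone security types this guide lists (Trusted, Wireless, Encrypted, Public, Untrusted), reads "non-Trusted" literally as every type other than Trusted, and takes the source as the zone that initiates the connection, which is how the bullets are phrased.

```python
TRUSTED, WIRELESS, ENCRYPTED, PUBLIC, UNTRUSTED = "Trusted", "Wireless", "Encrypted", "Public", "Untrusted"
ZONE_TYPES = (TRUSTED, WIRELESS, ENCRYPTED, PUBLIC, UNTRUSTED)
INTERNAL = {TRUSTED, WIRELESS, ENCRYPTED}  # the three types the rules always group together


def inbound_inspected(protocol, src, dst):
    """Apply the four Enable Inbound Inspection rules; src is the zone that initiates the connection."""
    if protocol.upper() == "SMTP":
        if src != TRUSTED and (dst in INTERNAL or dst == PUBLIC):  # rule 3: from a non-Trusted zone
            return True
        return src in INTERNAL and dst in INTERNAL                   # rule 4: internal to internal
    if src in INTERNAL:                                              # rule 1: to any zone
        return True
    return src == PUBLIC and dst == UNTRUSTED                        # rule 2


def matrix(protocol):
    """Initiating zone type -> destination zone type -> inspected?"""
    return {s: {d: inbound_inspected(protocol, s, d) for d in ZONE_TYPES} for s in ZONE_TYPES}


def render(protocol):
    """Plain-text table: rows are initiating zones, columns are destination zones."""
    rows = [f"{protocol:<10}" + "".join(f"{d:>10}" for d in ZONE_TYPES)]
    for src, cols in matrix(protocol).items():
        rows.append(f"{src:<10}" + "".join(f"{'yes' if v else 'no':>10}" for v in cols.values()))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render("HTTP"), render("SMTP"), sep="\n\n")
```

The matrix makes one consequence of the wording visible: for non-SMTP protocols the rules are keyed on the initiating zone, so an HTTP download by a LAN (Trusted) client is covered because the client opened the connection, while a connection opened from the Untrusted zone to a server in a Public or Trusted zone is not. SMTP is the exception (rule 3), which is why mail arriving at a DMZ mail server from the WAN is scanned.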
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when a HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
Page 24 SonicWALL Gateway Anti-Virus Administrator’s Guide
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password-protected
ZIP files over any enabled protocol. Because the scanner cannot decrypt such archives, their contents
cannot be inspected. This option only functions on protocols (e.g. HTTP, FTP, SMTP) that are enabled
for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfer of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a stub that expands the file in memory and then executes it. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and
ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
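Checks of the kind behind the three restrict-transfer settings, as an added example in Python that is not SonicWALL's code: the ZIP general-purpose flag bit that marks an encrypted entry, the vbaProject.bin part (Office 2007 and later) or the _VBA_PROJECT storage name (Office 97-2003 OLE files) that marks a macro-bearing document, and PE section names left behind by UPX, ASPack and Petite. The packer section-name list and the OLE string search are heuristics assumed for this example, not the appliance's detection, and every sample file is constructed in memory.

```python
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # Office 97-2003 compound file
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")             # storage name in macro-bearing OLE files (heuristic)
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite"}  # assumed list for this example


def zip_entries(data):
    """Central-directory entries of a zip, or None if the data is not a readable zip."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return None


def is_password_protected_zip(data):
    entries = zip_entries(data)
    return bool(entries) and any(e.flag_bits & 0x1 for e in entries)  # flag bit 0 = entry is encrypted


def has_vba_macros(data):
    if data.startswith(OLE_MAGIC):
        return VBA_MARKER in data                              # directory names are stored UTF-16LE
    entries = zip_entries(data)                                # Office 2007+ documents are zips
    return bool(entries) and any(e.filename.endswith("vbaProject.bin") for e in entries)


def pe_section_names(data):
    """Section names from the COFF section table of a PE image ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00" or len(data) < pe + 24:
        return []
    count = struct.unpack_from("<H", data, pe + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]      # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    names = []
    for i in range(count):
        off = table + 40 * i                                   # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00"))
    return names


def is_packed_executable(data):
    return any(name in PACKER_SECTIONS for name in pe_section_names(data))


def restrict_verdict(data):
    """Name of the first restrict-transfer rule the file trips, or None to let it through."""
    if is_password_protected_zip(data):
        return "password-protected zip"
    if has_vba_macros(data):
        return "office file with VBA macros"
    if is_packed_executable(data):
        return "packed executable"
    return None


# --- constructed samples -----------------------------------------------------
def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_zip_encrypted(data):
    """Set the 'encrypted' flag bit in every central-directory header (payload left as is)."""
    out, pos = bytearray(data), 0
    while (pos := out.find(b"PK\x01\x02", pos)) != -1:
        flags = struct.unpack_from("<H", out, pos + 8)[0]
        struct.pack_into("<H", out, pos + 8, flags | 0x1)
        pos += 4
    return bytes(out)


def make_fake_pe(section_names):
    """Minimal MZ/PE skeleton: just enough header for the section table to be located."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    optional = b"\x0b\x01" + b"\x00" * 222                          # PE32 optional header, 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(optional), 0x102)
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + optional + sections
```

Section names are the cheapest packer tell and the easiest to defeat (a packer can be told to rename them), which is why the guide describes the real list as something that grows with signature updates rather than a fixed table; treat `PACKER_SECTIONS` here as the shape of the check, not its coverage.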
Page 25
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page
of a signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the
table.
Page 26 SonicWALL Gateway Anti-Virus Administrator’s Guide
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - benign traffic wrongly identified as an attack or virus.
• Signature - a pattern written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - tracks the state of each connection and checks every packet against that
state; combined with deep packet inspection, the contents of individual packets are examined at all
layers of the OSI model, from network layer to application layer.
Page 27
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works
11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
Page 28 SonicWALL Gateway Anti-Virus Administrator’s Guide
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL,Inc.
1143 Borregas Avenue
Sunnyvale,CA 94089-1306
P/ N 232- 000610- 00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Page 1
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations
by SonicWALL Security Appliance................................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ......................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Page 2 SonicWALL Gateway Anti-Virus Administrator’s Guide
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators who are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not set up, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site.
Guide Conventions
Conventions used in this guide are as follows:
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus
performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus
running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related
resources.
Convention                               Use
Bold                                     Highlights items you can select on the SonicWALL management interface.
Italic                                   Highlights a value to enter into a field. For example, “type 192.168.168.168
                                         in the IP Address field.”
Top Level Menu Button > Submenu Item     Indicates a multiple step Management Interface menu choice. For example,
                                         Security Services > Gateway Anti-Virus means select Security Services,
                                         then select Gateway Anti-Virus.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet. Web-based
resources are available to help you resolve most technical issues or contact SonicWALL Technical
Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit for the latest technical support telephone
numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment and reduce the
number of false policies while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before infecting remote desktops.
4. The virus is logged and an alert is sent to the administrator.
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client makes a request to download a file from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.0 engine (Deep Packet Inspection
version 2.0), which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. The reassembly-free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
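The reassembly-free scanning described above, as an added illustration that is not SonicWALL's code: a Python scanner that decodes a base64-encoded attachment packet by packet and matches a signature even when the match is split across packets, carrying only a few bytes of state between packets so memory does not grow with file size. The signature value, the packet sizes and the sample attachment are all constructed for this example; a real engine would first locate the base64 part inside the MIME structure, which is omitted here.

```python
# Added example (not SonicWALL code): a reassembly-free scanner in the spirit of
# the architecture described above.  It decodes a base64-encoded attachment
# packet by packet and matches a signature across packet boundaries while
# keeping only a few bytes of state, so memory use does not grow with file size.
import base64

# Constructed test signature; stands in for one entry of the GAV signature database.
TEST_SIGNATURE = b"X-CONSTRUCTED-MALWARE-MARKER-0001"


class StreamingBase64Scanner:
    """Per-packet base64 decoder plus cross-packet signature matcher.

    State carried between packets is bounded:
      * at most 3 base64 characters of an incomplete 4-character group
      * the last len(signature) - 1 decoded bytes, so a signature that is
        split between two packets is still matched
    """

    def __init__(self, signature):
        self.signature = signature
        self._b64_carry = b""
        self._tail = b""
        self.bytes_scanned = 0
        self.detected = False

    def state_size(self):
        """Bytes of state held between packets (never grows with the stream)."""
        return len(self._b64_carry) + len(self._tail)

    def _decode_chunk(self, data):
        # Strip the line breaks MIME inserts every 76 characters, prepend the
        # characters left over from the previous packet, and decode only whole
        # 4-character groups; the remainder is carried to the next packet.
        cleaned = self._b64_carry + b"".join(data.split())
        usable = len(cleaned) - (len(cleaned) % 4)
        self._b64_carry = cleaned[usable:]
        if usable == 0:
            return b""
        return base64.b64decode(cleaned[:usable], validate=True)

    def feed(self, packet):
        """Scan one packet's payload; returns True once the signature is seen."""
        if self.detected:
            return True
        decoded = self._decode_chunk(packet)
        self.bytes_scanned += len(decoded)
        window = self._tail + decoded
        if self.signature in window:
            self.detected = True
            return True
        keep = len(self.signature) - 1
        self._tail = window[-keep:] if keep > 0 else b""
        return False


def make_packets(payload, packet_size):
    """Constructed sample traffic: base64-encode the payload with MIME-style
    76-character lines and slice the result into packets of packet_size bytes."""
    encoded = base64.encodebytes(payload)
    return [encoded[i:i + packet_size] for i in range(0, len(encoded), packet_size)]


def scan_stream(payload, packet_size, signature=TEST_SIGNATURE):
    """Feed a payload through the scanner one packet at a time.

    Returns (detected, bytes_scanned_before_verdict, max_state_size)."""
    scanner = StreamingBase64Scanner(signature)
    max_state = 0
    for pkt in make_packets(payload, packet_size):
        hit = scanner.feed(pkt)
        max_state = max(max_state, scanner.state_size())
        if hit:
            return True, scanner.bytes_scanned, max_state
    return False, scanner.bytes_scanned, max_state


if __name__ == "__main__":
    # Constructed attachment with the test signature buried in the middle.
    infected = b"A" * 1000 + TEST_SIGNATURE + b"B" * 1000
    print(scan_stream(infected, 7))        # detected with small, fixed state
    print(scan_stream(b"benign " * 500, 7))
```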
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. Stream concurrency limits are platform dependent, as shown
in the following table:

Platform         GAV-Disabled    GAV-Enabled Connections   Concurrent Compressed   GAV
                 Connections     Cache Size (Concurrent    File Downloads          Signatures
                 Cache Size      File Downloads)           with GAV
TZ 150 Series    2,048           2,048                     100                     4,500
TZ 170 Series    6,144           6,144                     100                     4,500
PRO 1260         6,144           6,144                     100                     4,500
PRO 2040         32,768          16,384                    300                     25,000
PRO 3060         131,072         65,536                    1,000                   25,000
PRO 4060         524,288         131,072                   1,500                   25,000
PRO 5060         750,000         393,216                   3,000                   25,000

Disabling the SonicWALL GAV/IPS Engine
In the unlikely event that SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on
your SonicWALL security appliance, the SonicWALL GAV/IPS engine itself can be disabled, and the
resources can be reallocated to the SPI connection cache.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. This presents an alert informing you that the SonicWALL security appliance must be
rebooted for the change to take effect.
3. Restart your SonicWALL security appliance.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all email based protocols (SMTP, POP3, and IMAP) since no
decoding is required for each encoding scheme.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is rejected with a 552 SMTP response, which
removes it from the head of the sender's queue so that it is not resent, and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. The deflate decompression method is
not supported when the HTTP response is chunk encoded. All HTTP traffic is inspected, not just TCP port
80. SonicWALL GAV suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval
and reassembly of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. SonicWALL GAV suppresses
the use of the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially
malicious content. The suppression of the 'REST' request can be overridden from the /diag.html page with
the option 'Enable FTP 'REST' requests with Gateway AV'.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
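One way to implement the Byte-Range and REST suppression described in the HTTP and FTP sections above, as an added Python example that is not SonicWALL's own code (the page does not say how the appliance does it internally): the HTTP filter strips the Range header so the server returns the whole object and the scanner sees it as one stream, and the FTP filter answers a REST command itself instead of forwarding it, with an allow_rest switch standing in for the /diag.html 'Enable FTP REST requests with Gateway AV' option. The 502 reply text and the sample traffic are this example's assumptions.

```python
# Added example (not SonicWALL code): suppress the two "sectional retrieval"
# mechanisms the page describes, HTTP Byte-Range requests and FTP REST, so a
# client cannot fetch a file in pieces that the gateway scanner never sees as
# one stream.


def suppress_http_byte_range(request):
    """Remove any Range header from a raw HTTP request (bytes).

    Returns (rewritten_request, range_was_removed).  Header names are matched
    case-insensitively; all other headers and the body are left untouched.
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]]          # the request line is never a header
    removed = False
    for line in lines[1:]:
        name, _, _ = line.partition(b":")
        if name.strip().lower() == b"range":
            removed = True     # drop it: the server now sends the whole object
            continue
        kept.append(line)
    return b"\r\n".join(kept) + sep + body, removed


def filter_ftp_command(line, allow_rest=False):
    """Decide whether one FTP control-channel command is forwarded to the server.

    Returns (forward, reply_to_client).  With allow_rest=False (the page's
    default behaviour) a REST command is not forwarded and the gateway answers
    the client itself; the 502 text is this example's assumption, not the
    appliance's actual reply.  allow_rest=True mirrors the /diag.html override.
    """
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb == b"REST" and not allow_rest:
        return False, b"502 REST not permitted while Gateway AV is enabled\r\n"
    return True, b""


# --- constructed sample traffic -------------------------------------------

SAMPLE_HTTP_REQUEST = (
    b"GET /downloads/update.zip HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"User-Agent: download-accelerator/1.0\r\n"
    b"RANGE: bytes=0-65535\r\n"          # a download accelerator asking for a slice
    b"Accept: */*\r\n"
    b"\r\n"
)

SAMPLE_FTP_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.test\r\n",
    b"TYPE I\r\n",
    b"REST 1048576\r\n",                 # resume-from-offset request
    b"RETR update.zip\r\n",
]


def run_ftp_session(commands, allow_rest=False):
    """Return the commands that reach the server and the replies the gateway
    generated on its own for commands it refused to forward."""
    forwarded, gateway_replies = [], []
    for cmd in commands:
        ok, reply = filter_ftp_command(cmd, allow_rest)
        if ok:
            forwarded.append(cmd)
        else:
            gateway_replies.append(reply)
    return forwarded, gateway_replies


if __name__ == "__main__":
    rewritten, removed = suppress_http_byte_range(SAMPLE_HTTP_REQUEST)
    print(removed, rewritten.decode())
    print(run_ftp_session(SAMPLE_FTP_SESSION))
    print(run_ftp_session(SAMPLE_FTP_SESSION, allow_rest=True))
```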
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL IPS to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV on the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible at
from any Internet connection with a Web browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV at , SonicWALL GAV activation is
automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mySonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security appliance in the Friendly Name field. The friendly name allows you to easily identify your SonicWALL content security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within 24 hours, or you can click the Synchronize button on the Security Services > Summary page to immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, the SonicWALL IPS inspection is stopped and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored after renewing your SonicWALL GAV license to the previously
configured state.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
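As an added example (not from the guide), the four inbound-inspection rules above encoded as a function, with a helper that derives the full source-zone by destination-zone table for a protocol. The five security types are the SonicOS zone security types; the policy itself is a literal transcription of the bullet list, not SonicWALL's own code.

```python
from itertools import product

# Zone security types as SonicOS Enhanced names them. The rules below are the
# four "Enable Inbound Inspection" cases from the guide, encoded literally.
TRUSTED, PUBLIC, WIRELESS, ENCRYPTED, UNTRUSTED = (
    "Trusted", "Public", "Wireless", "Encrypted", "Untrusted")
SECURITY_TYPES = (TRUSTED, PUBLIC, WIRELESS, ENCRYPTED, UNTRUSTED)
INTERNAL = {TRUSTED, WIRELESS, ENCRYPTED}   # "Trusted, Wireless, or Encrypted"


def inbound_inspected(src: str, dst: str, protocol: str) -> bool:
    """Does the Enable Inbound Inspection setting cover a flow from src to dst?"""
    if protocol.upper() != "SMTP":
        # Non-SMTP: from an internal zone to any zone, or from Public to Untrusted.
        return src in INTERNAL or (src == PUBLIC and dst == UNTRUSTED)
    # SMTP: from any non-Trusted zone into an internal or Public zone,
    # or between two internal zones.
    return ((src != TRUSTED and dst in INTERNAL | {PUBLIC})
            or (src in INTERNAL and dst in INTERNAL))


def inspection_table(protocol: str) -> dict:
    """Full src x dst matrix for one protocol, keyed (src, dst) -> inspected."""
    return {(s, d): inbound_inspected(s, d, protocol)
            for s, d in product(SECURITY_TYPES, repeat=2)}


def render(protocol: str) -> str:
    """Text rendering of the matrix: rows are source zones, columns destination zones."""
    table = inspection_table(protocol)
    w = max(len(z) for z in SECURITY_TYPES) + 1
    lines = [f"{protocol:<{w}}" + "".join(f"{d:<{w}}" for d in SECURITY_TYPES)]
    for s in SECURITY_TYPES:
        cells = "".join(f"{'yes' if table[(s, d)] else '-':<{w}}" for d in SECURITY_TYPES)
        lines.append(f"{s:<{w}}" + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    # Sample flows (constructed): mail arriving at a DMZ (Public) mail server from the
    # WAN, a LAN client browsing out, a DMZ host reaching the LAN, and LAN-originated
    # SMTP leaving for the WAN (which inbound inspection does not cover).
    for src, dst, proto in [(UNTRUSTED, PUBLIC, "SMTP"), (TRUSTED, UNTRUSTED, "HTTP"),
                            (PUBLIC, TRUSTED, "HTTP"), (TRUSTED, UNTRUSTED, "SMTP")]:
        print(f"{src:>9} -> {dst:<9} {proto:<5} inspected={inbound_inspected(src, dst, proto)}")
    print(render("HTTP"))
    print(render("SMTP"))
```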
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required) box. You must install the client software included on the Resource CD for your SonicWALL security appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings listed under the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, if enabled, prevent files with specific attributes from being
transferred.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applications for these, they are also sometimes used with the intent of
obfuscation, so as to make the executables less detectable by anti-virus applications. The packer
adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway
Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and ASPack; additional formats are dynamically added along with SonicWALL GAV signature updates.
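As an added example (not SonicWALL's code, whose detection logic the guide does not publish), heuristic checks for the three file attributes the restrict transfer settings target: the encryption bit in a ZIP local file header, a VBA project inside an Office document (checked in both the OLE and the OOXML container forms, an assumption that goes beyond the Office 97 case the guide names), and packer section names in a PE section table (the name list is a short, non-exhaustive assumption). The sample files are constructed header skeletons, not real archives or programs.

```python
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_ENCRYPTED_FLAG = 0x0001          # general-purpose flag bit 0: entry is encrypted
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Section names the listed packers are known to write (assumption: non-exhaustive).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite"}


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any local file header in a ZIP stream has the encryption bit set.
    Scans for header signatures instead of trusting size fields, so a truncated
    or streamed archive is still checked."""
    off = data.find(ZIP_LOCAL_SIG)
    while off >= 0 and off + 30 <= len(data):
        flags, = struct.unpack_from("<H", data, off + 6)   # bytes 6-7: general-purpose flags
        if flags & ZIP_ENCRYPTED_FLAG:
            return True
        off = data.find(ZIP_LOCAL_SIG, off + 4)
    return False


def office_has_vba(data: bytes) -> bool:
    """True for a macro-bearing Office document in either container format:
    legacy OLE (a _VBA_PROJECT stream name, stored UTF-16LE in the directory)
    or OOXML (a ZIP holding a vbaProject.bin part)."""
    if data.startswith(OLE_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def pe_section_names(data: bytes) -> list:
    """Section names of a PE image, or [] if the headers do not parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off, = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    nsec, = struct.unpack_from("<H", data, pe_off + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                            # section table follows optional header
    names = []
    for i in range(nsec):
        name = data[table + i * 40: table + i * 40 + 8]
        if len(name) < 8:
            break
        names.append(name.rstrip(b"\0"))
    return names


def pe_looks_packed(data: bytes) -> bool:
    return any(n in PACKER_SECTION_NAMES for n in pe_section_names(data))


def restricted_attributes(data: bytes) -> list:
    """Which Restrict Transfer categories a file body would trip."""
    hits = []
    if zip_has_encrypted_entry(data):
        hits.append("password-protected ZIP")
    if office_has_vba(data):
        hits.append("MS-Office file with VBA macros")
    if pe_looks_packed(data):
        hits.append("packed executable")
    return hits


# --- constructed sample files: headers only, nothing here is a real program or archive ---

def make_zip_entry(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """One ZIP local file header plus a stored payload; flag bit 0 marks it encrypted."""
    flags = ZIP_ENCRYPTED_FLAG if encrypted else 0
    hdr = ZIP_LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, 0,
                                      len(payload), len(payload), len(name), 0)
    return hdr + name + payload


def make_docm(with_macros: bool) -> bytes:
    """Minimal OOXML container, with or without a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def make_pe(section_names) -> bytes:
    """DOS stub + PE signature + COFF header + section table, with no optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + coff + sections


if __name__ == "__main__":
    samples = {"locked.zip": make_zip_entry(b"secret.txt", b"\x9a\x7c\x01", True),
               "plain.zip": make_zip_entry(b"readme.txt", b"hello", False),
               "report.docm": make_docm(True), "report.docx": make_docm(False),
               "tool.exe": make_pe([b"UPX0", b"UPX1", b".rsrc"]),
               "plain.exe": make_pe([b".text", b".data", b".rsrc"])}
    for fname, body in samples.items():
        print(f"{fname:12s} -> {restricted_attributes(body) or ['transfer allowed']}")
```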
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV
signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the
SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in the
Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures
table. The Items field displays the table number of the first signature. If you are displaying the first page of a signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon.
The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate
farther into the protocol to examine information at the application layer and defend against attacks
targeting application vulnerabilities.
• Distributed Enforcement Architecture - SonicWALL’s unified threat management technology that
delivers automated signature updates that provide real-time protection from current and emerging
threats.
• False Positive - a falsely identified attack traffic pattern.
• Signature - code written to detect and prevent viruses, worms, application exploits, and other
malicious code.
• Stateful Packet Inspection - examines the contents of individual packets at all layers of the OSI
model, from network layer to application layer.
Index
A
activating Gateway Anti-Virus
overview 15
free trial version 18
activating Gateway Anti-Virus
activation key 18
C
client alerts
configuring 23
concurrency limitations 12
PRO 1260 12
PRO 2040 12
PRO 3060 12
PRO 4060 12
PRO 5060 12
TZ 150 Series 12
TZ 170 Series 12
creating a mysonicwall.com account 16
D
deploying SonicWALL GAV 14
disabling GAV/IPS engine 12
displaying signatures 25
all signatures 25
signatures beginning with letter 25
signatures beginning with number 25
using search strings 25
E
Edit Zone window 20
enable inbound inspection 22
enable outbound SMTP inspection 23
enabling inbound inspection 22
exclusion list
configuring 24
G
Gateway AV Config View window 23
GAV/IPS
real-time scanning 6
GAV/IPS features
application control 6
deep packet inspection 6
distributed enforcement architecture 6
file based scanning protocol support 6
file decompression technology 6
granular management 7
inter-zone scanning 6
logging and reporting 7
real-time scanning 6
glossary 26
deep packet inspection 26
Distributed Enforcement Architecture 26
false positive 26
signature 26
stateful packet inspection 26
H
how DPIv2.0 works 11
protocol handling 13
HTTP file downloads protection 9
I
internal network protection 9
N
navigating signatures table 25
P
protocol handling
FTP 14
HTTP 14
IM, P2P, proprietary 14
IMAP 13
POP3 13
SMTP 13
R
registering your SonicWALL security appliance 17
remote site protection 8
restrict 24
restrict file transfer
MS-Office files 24
packed executable files 24
password protected ZIP files 24
S
searching signature database 26
server protection 10
setting up GAV protection
applying to interfaces (SonicOS Standard 3.0) 19
applying to zones (SonicOS Enhanced) 20
enabling 19
overview 19
signatures table 25
SonicWALL Gateway Anti-Virus
overview 5
SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service
overview 5
specifying protocol filtering 22
specifying protocols 22
status information
expiration date 21
last checked 21
overview 21
signature database 21
signature database timestamp 21
suppress SMTP messages 24
U
updating signatures 22
© 2005 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
P/N 232-000610-00
Rev E 01/05
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Gateway Anti-Virus
Administrator's Guide
Table of Contents
Preface .................................................................................................. 1
Copyright Notice ..............................................................................1
Trademarks......................................................................................1
Limited Warranty..............................................................................1
About this Guide.................................................................................... 3
Guide Conventions .......................................................................... 3
Icons Used in this Guide............................................................. 3
SonicWALL Technical Support ........................................................ 4
North America Telephone Support ............................................. 4
International Telephone Support ................................................ 4
SonicWALL Gateway Anti-Virus Overview............................................ 5
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features ...... 6
SonicWALL GAV Multi-Layered Approach............................................ 7
Remote Site Protection ....................................................................8
Internal Network Protection.............................................................. 9
HTTP File Downloads ...................................................................... 9
Server Protection ...........................................................................10
SonicWALL GAV Architecture............................................................. 11
Stream Concurrency Limitations by SonicWALL Security Appliance................................. 12
Disabling the SonicWALL GAV/IPS Engine................................... 12
Protocol Handling...........................................................................13
SMTP........................................................................................ 13
POP3 ........................................................................................ 13
IMAP......................................................................................... 13
HTTP ........................................................................................ 14
FTP........................................................................................... 14
IM, P2P and Proprietary Protocols ........................................... 14
Deploying SonicWALL GAV................................................................ 14
Activating SonicWALL GAV ................................................................ 15
Creating a mySonicWALL.com Account ........................................ 16
Registering Your SonicWALL Security Appliance.......................... 17
Activating SonicWALL GAV........................................................... 18
Activating the SonicWALL GAV FREE TRIAL ............................... 18
Setting Up SonicWALL GAV Protection .............................................. 19
Enabling SonicWALL GAV............................................................. 19
Applying SonicWALL GAV Protection on Interfaces...................... 19
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0) ............................................... 20
Viewing SonicWALL GAV Status Information................................ 21
Updating SonicWALL GAV Signatures .......................................... 22
Specifying Protocol Filtering ................................................................22
Enabling Inbound Inspection ..........................................................22
Enabling Outbound SMTP Inspection ............................................23
Configuring Client Alerts and an Exclusion List ...................................23
Configuring Client Alerts.................................................................23
Configuring a SonicWALL GAV Exclusion List...............................24
Restricting File Transfers.....................................................................24
Viewing SonicWALL GAV Signatures..................................................25
Displaying Signatures.....................................................................25
Navigating the Gateway Anti-Virus Signatures Table ....................25
Searching the Gateway Anti-Virus Signature Database.................26
Glossary...............................................................................................26
Index ....................................................................................................27
Preface
Copyright Notice
© 2005 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part,
without the written consent of the manufacturer, except in the normal use of the software to make a backup
copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed
to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under
the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet
Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other
countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape
Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks
of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing
for a period of twelve (12) months, that the product will be free from defects in materials and workmanship
under normal use. This Limited Warranty is not transferable and applies only to the original end user of
the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under
this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the
replacement product may be of equal or greater functionality and may be of either new or like-new quality.
SonicWALL's obligations under this warranty are contingent upon the return of the defective product
according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by
accident, abuse, misuse or misapplication, or has been modified without the written permission of
SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE
MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY
CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY
PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW
LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS
WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply
even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT
SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER,
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE
USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY
OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL Gateway Anti-Virus Administrator’s Guide. This manual provides the
information you need to successfully activate, configure, and administer SonicWALL Gateway Anti-Virus
(SonicWALL GAV) on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher). The audience for this guide is administrators that are familiar with the
features, functions, and operating characteristics of SonicWALL security appliances.
Note: This guide assumes your SonicWALL security appliance is operational with Internet connectivity. If your
SonicWALL security appliance is not setup, refer to the Getting Started Guide for your SonicWALL
security appliance located on the SonicWALL Web site:
.
SonicWALL GAV is part of the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service solution that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate a SonicWALL GAV license, SonicWALL Intrusion Prevention Service is included and activated.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the complete
instructions on configuring SonicWALL Intrusion Prevention Service 2.0, located on the SonicWALL
Web site: .
Guide Conventions
Conventions used in this guide are as follows:
Convention: Use
Bold: Highlights items you can select on the SonicWALL management interface.
Italic: Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Top Level Menu Button > Submenu Item: Indicates a multiple step Management Interface menu choice. For example, Security Services > Gateway Anti-Virus means select Security Services, then select Gateway Anti-Virus.
Icons Used in this Guide
These special messages refer to noteworthy information, and include a symbol for quick identification:
Alert! Important information that cautions about features affecting SonicWALL Gateway Anti-Virus performance, security features, or causing potential problems with your SonicWALL security appliance.
Tip! Useful information about security features and configurations for your SonicWALL Gateway Anti-Virus running on a SonicWALL security appliance.
Note: Important information on a feature that requires callout for special attention or reference to other related resources.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at the SonicWALL
Web site. Web-based resources are available to help you resolve most technical issues or contact
SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - +1800.35.1642
Austria - +43(0)820.400.105
EMEA - +31(0)411.617.810
France - +33(0)1.4933.7414
Germany - +49(0)1805.0800.22
Hong Kong - +1.800.93.0997
India - +8026556828
Italy - +39.02.7541.9803
Japan - +81(0)3.5460.5356
New Zealand - +0800.446489
Singapore - +800.110.1441
Spain - +34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
Note: Please visit the SonicWALL Web site for the latest technical support telephone numbers.
SonicWALL Gateway Anti-Virus Overview
SonicWALL Gateway Anti-Virus (SonicWALL GAV) is part of the SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service solution that provides unified threat management. The integration of gateway
anti-virus and intrusion prevention delivers intelligent, real-time network security protection against
sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance
deep packet inspection architecture, SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
secures the network from the core to the perimeter against a comprehensive array of dynamic threats
including viruses, worms, Trojans, and software vulnerabilities, such as buffer overflows, as well as
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by
using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the
SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects
multiple application protocols, as well as generic TCP streams, and compressed traffic. Because
SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a
single-pass, per-packet basis.
SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching
downloaded or e-mailed files against an extensive and dynamically updated database of threat virus
signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are
created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus
analysts, open source developers and other sources.
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside
the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP,
NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols,
to provide administrators with comprehensive network threat prevention and control. Because files
containing malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that
automatically decompresses and scans files on a per packet basis.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
• Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion
Prevention Service features a configurable, high-performance deep packet inspection architecture
that uses parallel searching algorithms up through the application layer to deliver increased
application layer, Web and e-mail attack prevention. Parallel processing reduces the performance
impact on the firewall and maximizes available memory for exceptional throughput on SonicWALL
integrated security gateways.
• Real-Time Anti-Virus Gateway Scanning - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for
decompressed and compressed files containing viruses, Trojans, worms and other Internet threats
over the corporate network.
• Powerful Intrusion Prevention - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
provides complete protection from a comprehensive array of network-based application layer threats
by scanning packet payloads for worms, Trojans, software vulnerabilities such as buffer overflows,
peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code.
• Ultimate Scalability and Performance - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a per packet scanning engine, making SonicWALL’s solution unique in its ability to
handle unlimited file size and virtually unlimited concurrent downloads, offering ultimate scalability
and performance for today’s networked environment.
• Day Zero Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service ensures
incredibly fast time-to-protection by employing a dynamically-updated database of signatures created
by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts and developers, and
open source databases of known threats.
• Extensive Virus Signature List - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service
utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and
prevent intrusions, viruses, worms, Trojans, application exploits, and malicious applications.
• Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service utilizes a distributed enforcement architecture to deliver automated signature updates,
providing real-time protection from emerging threats and lowering total cost of ownership.
• Inter-zone Protection - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides
application layer attack protection against malicious code and other threats originating from the
Internet or from internal sources. Administrators have the ability to enforce intrusion prevention and
anti-virus scanning not only between each network zone and the Internet, but also between internal
network zones for added security (Requires SonicOS Enhanced).
• Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service includes advanced decompression technology that can automatically decompress and scan
files on a per packet basis to search for viruses, Trojans, worms and malware. Supported
compression formats include: ZIP, Deflate and GZIP.
• File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service delivers protection for high threat viruses and malware by inspecting the most common
protocols used in today’s networked environments, including SMTP, POP3, IMAP, HTTP, FTP,
NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based
protocols. This closes potential backdoors that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Application Control - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides the
ability to prevent instant messaging and peer-to-peer file sharing programs from operating through
the firewall, closing a potential back door that can be used to compromise the network while also
improving employee productivity and conserving Internet bandwidth.
• Simplified Deployment and Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention
Service allows network administrators to create global policies between security zones and group
attacks by priority, simplifying deployment and management across a distributed network.
• Granular Management - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service provides an
intuitive user interface and granular policy tools, allowing network administrators to configure a
custom set of detection or prevention policies for their specific network environment, reducing the
number of false positives while identifying immediate threats.
• Logging and Reporting - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service offers
comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level,
enabling administrators to highlight high priority attacks. Granular reporting based on attack source,
destination and type of intrusion is available through SonicWALL ViewPoint and Global Management
System.
SonicWALL GAV Multi-Layered Approach
SonicWALL GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop,
the network, and at remote sites. SonicWALL GAV enforces anti-virus policies at the gateway to ensure
all users have the latest updates and monitors files as they come into the network.
Remote Site Protection
1. Users send typical e-mail and files between remote sites and the corporate office.
2. SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security
appliance.
3. Viruses are found and blocked before they infect the remote desktop.
4. The virus is logged and an alert is sent to the administrator.
Internal Network Protection
1. An internal user contracts a virus and releases it internally.
2. All files are scanned at the gateway before being received by other network users.
3. If a virus is found, the file is discarded.
4. The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
1. A client requests a file download from the Web.
2. The file is downloaded through the Internet.
3. The file is analyzed by the SonicWALL GAV engine for malicious code and viruses.
4. If a virus is found, the file is discarded.
5. The virus is logged and an alert is sent to the administrator.
Server Protection
1. An outside user sends an incoming e-mail.
2. The e-mail is analyzed by the SonicWALL GAV engine for malicious code and viruses before it is
received by the e-mail server.
3. If a virus is found, the threat is prevented.
4. The e-mail is returned to the sender, the virus is logged, and an alert is sent to the administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high-performance DPIv2.0 (Deep Packet Inspection version 2.0)
engine, which performs all scanning directly on the SonicWALL security appliance.
SonicWALL GAV includes advanced decompression technology that can automatically decompress and
scan files on a per packet basis to search for viruses and malware. The SonicWALL GAV engine can
perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because
SonicWALL's GAV does not have to perform reassembly, there are no file-size limitations imposed by the
scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed
on a single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV
engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without
ever buffering any of the bytes within the stream.
Building on SonicWALL's reassembly-free architecture, GAV has the ability to inspect multiple application
protocols, as well as generic TCP streams, and compressed traffic. SonicWALL GAV protocol inspection
is based on high-performance state machines which are specific to each supported protocol. SonicWALL
GAV delivers protection by inspecting the most common protocols used in today's networked
environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer
applications and dozens of other stream-based protocols. This closes potential backdoors that can be
used to compromise the network while also improving employee productivity and conserving Internet
bandwidth.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations
imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also
performed on a single-pass, per-packet basis. The number of streams that can be scanned concurrently
is platform dependent, as follows:

Platform         GAV-Disabled      GAV-Enabled Connections     Concurrent Compressed     GAV Signatures
                 Connections       Cache Size (Concurrent      File Downloads
                 Cache Size        File Downloads)             with GAV
TZ 150 Series    2,048             2,048                       100                       4,500
TZ 170 Series    6,144             6,144                       100                       4,500
PRO 1260         6,144             6,144                       100                       4,500
PRO 2040         32,768            16,384                      300                       25,000
PRO 3060         131,072           65,536                      1,000                     25,000
PRO 4060         524,288           131,072                     1,500                     25,000
PRO 5060         750,000           393,216                     3,000                     25,000

Disabling the SonicWALL GAV/IPS Engine
If SonicWALL Gateway Anti-Virus/Intrusion Prevention Service is not enabled on your SonicWALL security
appliance, the SonicWALL GAV/IPS engine itself can be disabled and its resources reallocated to the SPI
connection cache, raising the connection limit to the GAV-Disabled figure in the table above.
To disable the SonicWALL GAV/IPS engine:
1. Select the Firewall > Advanced page.
2. Select the Disable Gateway AV and IPS Engine (increases maximum SPI connections)
checkbox. An alert informs you that the SonicWALL security appliance must be rebooted for the
change to take effect.
3. Restart your SonicWALL security appliance.
Note: With the engine disabled, no Gateway Anti-Virus or Intrusion Prevention inspection takes place,
whatever the license state. Clear the checkbox and reboot again before activating either service.
Protocol Handling
SonicWALL GAV functionality supports the following protocols: HTTP, SMTP, IMAP, POP3, FTP and the
scanning of generic TCP streams for viruses.
If malicious traffic is detected, appropriate actions are taken based on the protocol. For generic TCP
streams, the traffic is dropped and the connection is reset. If so configured, an encrypted and hashed
message explaining the action is sent to the user's Global Security Client (requires version 2.0 or higher)
and to the user's 'Security Action Notification Applet', and displayed to the user if either application is
active. Application level awareness of the type of protocol that was transporting the violation allows for
very specific actions to be taken to gracefully handle the rejection of the payload:
Note: 8-bit encoding is handled natively for all e-mail based protocols (SMTP, POP3, and IMAP), since no
decoding is required.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message containing the virus is refused with a 552 SMTP response, which
removes it from the head of the sender's queue and so prevents it from being resent, and the connection is
terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via
'DELE' command and the connection is terminated. Continuation of message downloads following
termination requires the user to re-initiate the download process on their POP3 client in order to download
the rest of the messages from the POP3 server.
Note: POP3 client behavior varies from one client to the next. SonicWALL GAV attempts to determine the type
of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients
may require special GAV settings - these settings have been made available in the /diag.html page.
• Disable Gateway AV POP3 Auto Deletion - When a POP3 client is identified as Outlook Express,
DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve
problems caused by misidentification that are encountered during the deletion of virus-infected
emails.
• Disable Gateway AV POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the
UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL
messages are suppressed, which is allowable because they are optional. This setting can resolve
problems caused by misidentification that are encountered during the message retrieval process.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail
containing the violation. The user must manually mark the mail deleted and purge it from the server.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression is not
supported when the HTTP response uses chunked transfer encoding. All HTTP traffic is inspected, not just
TCP port 80. Suppresses the use of HTTP byte-range requests to prevent the sectional retrieval and
reassembly of potentially malicious content.
Note: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator
programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
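The HTTP entry above amounts to two decisions an inline scanner makes: strip byte-range requests so a client cannot pull a file down in pieces that individually never complete a signature, and inflate gzip or deflate bodies before matching, except deflate on a chunked response. The following is an added example, not SonicWALL code, that applies both to constructed request and response header blocks. The host name and the result labels are assumptions, and since the guide does not say what the appliance does with a response it cannot inflate, the classifier only reports that case.

```python
"""Added example (not SonicWALL code): the request rewrite and the response
classification the HTTP handling section describes, on constructed messages.
"""


def parse_message(block):
    """Split an HTTP message into (start line, [(name, value), ...], body)."""
    head, _, body = block.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def strip_range(request):
    """Remove Range (and the dependent If-Range) from a client request.

    Without them the server must return the whole object in one stream, so a
    client cannot fetch the file in pieces that individually never complete a
    signature.  Returns (rewritten request, number of headers removed).
    """
    start, headers, body = parse_message(request)
    kept = [(n, v) for n, v in headers if n.lower() not in (b"range", b"if-range")]
    head = b"\r\n".join([start] + [n + b": " + v for n, v in kept])
    return head + b"\r\n\r\n" + body, len(headers) - len(kept)


def scan_disposition(response):
    """Report how the scanner can treat a response body.

    gzip and deflate bodies are inflated before matching, except deflate on a
    chunked response, which the guide lists as unsupported (what happens to
    such a response is not stated, so it is only reported here).  A 206 means
    a byte-range request reached the server, i.e. the suppression was bypassed.
    """
    start, headers, _ = parse_message(response)
    h = {n.lower(): v.lower() for n, v in headers}
    parts = start.split(b" ")
    status = parts[1] if len(parts) > 1 else b""
    encodings = {e.strip() for e in h.get(b"content-encoding", b"").split(b",")}
    chunked = b"chunked" in h.get(b"transfer-encoding", b"")
    if status == b"206":
        return "partial-content"
    if b"deflate" in encodings and chunked:
        return "deflate-chunked-unsupported"
    if encodings & {b"gzip", b"deflate"}:
        return "inflate-then-scan"
    return "scan"


if __name__ == "__main__":
    # dl.example.test is a constructed host name, not a real download site.
    req = (b"GET /setup.exe HTTP/1.1\r\nHost: dl.example.test\r\n"
           b"Range: bytes=0-1023\r\nIf-Range: \"abc\"\r\nUser-Agent: dl/1.0\r\n\r\n")
    print(strip_range(req))
    print(scan_disposition(b"HTTP/1.1 200 OK\r\nContent-Encoding: deflate\r\n"
                           b"Transfer-Encoding: chunked\r\n\r\n"))
```

The 206 check is the useful one when evaluating a deployment: if partial-content responses are still reaching clients behind the gateway, byte-range suppression is not in effect on that path and a download can be split around the scanner.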
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port
negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of
the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious
content. The suppression of the 'REST' request can be overridden from the /diag.html page with the
option Enable FTP 'REST' requests with Gateway AV.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
IM, P2P and Proprietary Protocols
Capabilities: zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious
payload.
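The architecture section states that GAV decodes base64, inflates compressed data and matches signatures on a per-packet basis without reassembling the stream, and the SMTP entry above states that an infected message is refused with a 552 response. The following is an added example, not SonicWALL code, that implements that pipeline in miniature and drives it through an SMTP DATA phase delivered in packet-sized pieces. The sample message, the packet sizes and the 552 reply text are constructed or assumed; the EICAR test string stands in for the signature database.

```python
"""Added example (not SonicWALL code): a reassembly-free scan pipeline driven
through an SMTP DATA phase.  Every stage keeps only a bounded carry between
packets, so message size never affects memory use.
"""
import base64
import gzip
import zlib

# The standard EICAR test string stands in for the signature database.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


class StreamMatcher:
    """Substring search over a stream; retains only len(sig)-1 trailing bytes."""

    def __init__(self, signature):
        self.sig = signature
        self.tail = b""
        self.hit = False

    def feed(self, data):
        if not self.hit:
            window = self.tail + data
            self.hit = self.sig in window
            keep = len(self.sig) - 1
            self.tail = window[-keep:] if keep else b""
        return self.hit


class StreamBase64:
    """Decodes base64 per packet; carries at most 3 undecoded characters."""

    def __init__(self):
        self.carry = b""

    def feed(self, data):
        # MIME wraps lines at 76 columns; line breaks are not in the alphabet.
        buf = self.carry + bytes(c for c in data if c not in b" \t\r\n")
        usable = len(buf) - len(buf) % 4
        self.carry = buf[usable:]
        return base64.b64decode(buf[:usable]) if usable else b""


class StreamGunzip:
    """Inflates gzip per packet; state is bounded by the inflate window."""

    def __init__(self):
        self.inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)

    def feed(self, data):
        return self.inflater.decompress(data)


LAYERS = {"base64": StreamBase64, "gzip": StreamGunzip}


def scan_stream(packets, layers):
    """Run packets through the decode layers, in order, into the matcher.

    Returns (infected, packets_consumed).  Stopping at the packet that
    completes a signature is what lets an inline gateway reject the transfer
    before the rest of the file has arrived.
    """
    decoders = [LAYERS[name]() for name in layers]
    matcher = StreamMatcher(EICAR)
    for n, pkt in enumerate(packets, 1):
        for dec in decoders:
            pkt = dec.feed(pkt)
        if matcher.feed(pkt):
            return True, n
    return False, len(packets)


def smtp_data_verdict(packets, layers):
    """Reply an inline SMTP scanner gives at the end of the DATA phase.

    A 552 makes the sending MTA drop the message from the head of its queue
    instead of retrying it.  The reply text is an assumption; the guide
    specifies only the code.
    """
    infected, _ = scan_stream(packets, layers)
    return "552 Message rejected: virus detected" if infected else "250 OK"


# Constructed sample input ---------------------------------------------------

def mime_body(payload, gzip_first=False):
    """Base64 attachment body as an MTA would emit it (76-column lines)."""
    if gzip_first:
        payload = gzip.compress(payload)
    enc = base64.b64encode(payload)
    return b"".join(enc[i:i + 76] + b"\r\n" for i in range(0, len(enc), 76))


def packetize(data, size):
    """Split a byte string into fixed-size 'packets'."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    body = mime_body(b"report.doc header " * 20 + EICAR + b"\x00" * 50000)
    for size in (1, 7, 1460):
        print(size, scan_stream(packetize(body, size), ["base64"]))
    gz = packetize(mime_body(EICAR, gzip_first=True), 13)
    print(smtp_data_verdict(gz, ["base64", "gzip"]))
```

Each stage holds only a bounded carry (at most 3 base64 characters, the inflate window, len(signature)-1 bytes), which is what removes the file-size limit; the returned packet count shows that the verdict is reached well before the 50 KB tail of the constructed attachment has been seen, which is the point at which an inline gateway can terminate the connection.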
Deploying SonicWALL GAV
SonicWALL GAV is designed to provide comprehensive virus protection with minimal configuration. The
following sections provide the key information you need to successfully activate, configure, and administer
SonicWALL GAV on a SonicWALL security appliance running SonicOS Standard 3.0 (or higher) or
SonicOS Enhanced 3.0 (or higher):
• “Activating SonicWALL GAV” on page 15 - provides instructions for activating the SonicWALL GAV
license on your SonicWALL security appliance via the management interface. If you already have
SonicWALL GAV activated on your SonicWALL security appliance, skip this section.
• “Setting Up SonicWALL GAV Protection” on page 19 - provides instructions for essential
configuration of SonicWALL GAV to protect your network against the most dangerous and disruptive
attacks.
Alert! After activating your SonicWALL GAV license, you must enable SonicWALL GAV in the SonicWALL
management interface before anti-virus protection is applied to your network traffic.
• “Configuring Client Alerts and an Exclusion List” on page 23 - provides instructions for configuring
SonicWALL GAV client notification alerts and creating a SonicWALL GAV exclusion list.
• “Restricting File Transfers” on page 24 - provides instructions on preventing files with specific
attributes from being transferred.
Activating SonicWALL GAV
If you do not have SonicWALL GAV installed on your SonicWALL security appliance, the Security
Services > Gateway Anti-Virus page indicates an upgrade is required and includes a link to activate it
from your SonicWALL security appliance management interface.
SonicWALL GAV is part of the unified SonicWALL Gateway Anti-Virus/Intrusion Prevention Service that
provides comprehensive protection against viruses, worms, Trojans, and other vulnerabilities. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is also activated.
To activate a SonicWALL Gateway Anti-Virus/Intrusion Prevention Service on your SonicWALL security
appliance, you need the following:
• SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license. You need to purchase a
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service license from a SonicWALL reseller or
through your mySonicWALL.com account (limited to customers in the USA and Canada).
• mySonicWALL.com account. Creating a mySonicWALL.com account is fast, simple, and FREE.
Simply complete an online registration form from your SonicWALL security appliance management
interface. Your mySonicWALL.com account is also accessible from any Internet connection with a Web
browser.
• Registered SonicWALL security appliance with active Internet connection. Registering your
SonicWALL security appliance is a simple procedure done directly from the management interface.
• SonicOS Standard 3.0 or SonicOS Enhanced 3.0. Your SonicWALL security appliance must be
running SonicOS Standard 3.0 or SonicOS Enhanced 3.0 for SonicWALL Gateway Anti-Virus/
Intrusion Prevention Service.
Tip! If your SonicWALL security appliance is connected to the Internet and registered at
mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL IPS.
Note: Refer to the SonicWALL Intrusion Prevention Service 2.0 Administrator’s Guide for the information you
need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service 2.0
on a SonicWALL security appliance.
If you activated SonicWALL GAV on mySonicWALL.com, SonicWALL GAV activation is automatically
enabled on your SonicWALL security appliance within 24 hours, or you can click the Synchronize button on
the Security Services > Summary page to update your SonicWALL security appliance immediately.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online
registration form in the SonicWALL security appliance management interface.
Note: If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security
Appliance” on page 17.
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link in Your
SonicWALL is not registered. Click here to Register your SonicWALL.
4. In the mySonicWALL.com Login page, click the here link in If you do not have a mySonicWALL
account, please click here to create one.
5. In the MySonicWall Account page, enter in your information in the Account Information, Personal
Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
6. Click Submit after completing the MySonicWALL Account form.
7. When the mySonicWALL.com server has finished processing your account, you will see a page
saying that your account has been created. Click Continue.
Congratulations. Your mySonicWALL.com account is activated.
Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
Note: mySonicWALL.com registration information is not sold or shared with any other company.
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface.
2. If the System > Status page is not displayed in the management interface, click System in the
left-navigation menu, and then click Status.
3. On the System > Status page, in the Security Services section, click the Register link. The
mySonicWALL.com Login page is displayed.
4. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit.
5. The next several pages inform you about the free trials available to you for SonicWALL’s Security
Services:
• Gateway Anti-Virus - Delivers real-time virus protection for your entire network.
• Network Anti Virus - Provides desktop and server anti-virus protection with software running on
each computer.
• Premium Content Filtering Service - Enhances productivity by limiting access to objectionable
Web content.
• Intrusion Prevention Service - Protects your network against worms, Trojans, and application
layer attacks.
Click Continue on each page.
6. At the top of the Product Survey page, enter a “friendly name” for your SonicWALL security
appliance in the Friendly Name field. The friendly name allows you to easily identify your
SonicWALL security appliance in your mySonicWALL.com account.
7. Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit
your needs.
8. Click Submit.
9. When the mySonicWALL.com server has finished processing your registration, a page is displayed
informing you that the SonicWALL security appliance is registered. Click Continue, and the
System > Licenses page is displayed showing you the available services. You can activate the
service from this page or the specific service page under the Security Services left-navigation
menu in the management interface.
Activating SonicWALL GAV
If you do not have a SonicWALL GAV license activated on your SonicWALL security appliance, you must
purchase it from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers
in the USA and Canada).
SonicWALL GAV is part of SonicWALL Gateway Anti-Virus/Intrusion Prevention Service. The Activation
Key you receive is for both SonicWALL GAV and SonicWALL Intrusion Prevention Service. When you
activate SonicWALL Intrusion Prevention Service, SonicWALL GAV is automatically activated.
If you have an Activation Key for SonicWALL Gateway Anti-Virus/Intrusion Prevention Service, perform
these steps to activate the combined services:
1. On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion
Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already registered to your
mySonicWALL.com account, the System > Licenses page appears.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL GAV
subscription is activated on your SonicWALL security appliance.
If you activated the SonicWALL Gateway Anti-Virus/Intrusion Prevention Service subscription on
mySonicWALL.com, the activation is automatically enabled on your SonicWALL security appliance within
24 hours, or you can click the Synchronize button on the Security Services > Summary page to
immediately update your SonicWALL security appliance.
Activating the SonicWALL GAV FREE TRIAL
To try a FREE TRIAL of SonicWALL GAV, perform these steps:
1. Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus page. The
mySonicWALL.com Login page is displayed.
2. Enter your mySonicWALL.com account username and password in the User Name and Password
fields, then click Submit. If your SonicWALL security appliance is already connected to your
mySonicWALL.com account, the System > Licenses page appears after you click the FREE TRIAL
link.
3. Click Try in the FREE TRIAL column in the Manage Services Online table. Your SonicWALL GAV
trial subscription is activated on your SonicWALL security appliance.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL
GAV on your SonicWALL security appliance.
Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings
section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security
appliance is running SonicOS Standard 3.0, you must also specify the interfaces to which you want to apply
SonicWALL GAV protection. If your SonicWALL security appliance is running SonicOS Enhanced 3.0,
you must specify the Zones to which you want to apply SonicWALL GAV protection on the Network > Zones
page.
Applying SonicWALL GAV Protection on Interfaces
If your SonicWALL security appliance is running SonicOS Standard 3.0, you also need to specify the
interface(s) on which you want to enable SonicWALL GAV protection. Depending on the SonicWALL security
appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting the
interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you apply SonicWALL GAV to
Zones on the Network > Zones page.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL
GAV not only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing
LAN traffic.
1. In the SonicWALL security appliance management interface, select Network > Zones or from the
Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the
Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the edit icon for the zone. The Edit Zone
window is displayed.
3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway
Anti-Virus Service, uncheck the box.
4. Click OK.
Note: You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page.
Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit
Zone window.
Viewing SonicWALL GAV Status Information
The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including
the database's timestamp, and the time the SonicWALL signature servers were last checked for the most
current database version. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
The Gateway Anti-Virus Status section displays the following information:
• Signature Database indicates whether the signature database needs to be downloaded or has been
downloaded.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature
database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature
database for updates. The SonicWALL security appliance automatically attempts to synchronize the
database on startup, and once every hour.
• Gateway Anti-Virus Expiration Date indicates the date when the SonicWALL GAV service expires.
If your SonicWALL GAV subscription expires, SonicWALL GAV inspection stops and the
SonicWALL GAV configuration settings are removed from the SonicWALL security appliance. These
settings are automatically restored to their previously configured state after you renew your
SonicWALL GAV license.
If your SonicWALL security appliance is running SonicOS Standard 3.0 and no interfaces are specified in
the Gateway Anti-Virus Global Settings section, the message Warning: No interfaces have Gateway
Anti-Virus enabled is displayed in the Gateway Anti-Virus Status section. You must check Enable
Gateway Anti-Virus on Interface and specify the interface(s) to which you want to apply anti-virus scanning.
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, the Gateway Anti-Virus
Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones
page. Clicking the Network > Zones link displays the Network > Zones page for applying SonicWALL
GAV on Zones.
Note: Refer to “Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)” on page 20 for
instructions on applying SonicWALL GAV protection to zones.
Page 22 SonicWALL Gateway Anti-Virus Administrator’s Guide
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the
SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for
new signature updates. You can also manually update your SonicWALL GAV database at any time by
clicking the Update button located in the Gateway Anti-Virus Status section.
SonicWALL GAV signature updates are secured. The SonicWALL security appliance must first
authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement
Architecture licensing registration. The signature request is transported through HTTPS, along with full
server certificate verification.
Specifying Protocol Filtering
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL
GAV to perform specific actions within the context of the application to gracefully handle the rejection of
the payload.
By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic
TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as
non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.
Note: Refer to “Protocol Handling” on page 13 for detailed descriptions of how SonicWALL GAV handles
protocol traffic.
Enabling Inbound Inspection
Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers
to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public
Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless,
or Encrypted Zone.
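The four Enable Inbound Inspection rules above are easier to audit when expanded into a full source/destination matrix. The following Python is an added example, not SonicWALL code: it encodes the rules exactly as the guide states them (reading "non-Trusted Zone" literally as any security type other than Trusted, which is an assumption) and renders the resulting table for a given protocol.

```python
from itertools import product

# Security types of the pre-defined SonicOS Enhanced zones named in the guide
ZONE_TYPES = ("Trusted", "Wireless", "Encrypted", "Public", "Untrusted")
TRUSTED_LIKE = frozenset({"Trusted", "Wireless", "Encrypted"})


def inbound_inspected(protocol: str, src: str, dst: str) -> bool:
    """Return True when the guide's Enable Inbound Inspection rules cover a flow.

    protocol: application protocol name (only SMTP vs. non-SMTP matters here);
    src/dst: security type of the source and destination zone.
    """
    if protocol.upper() != "SMTP":
        # Rule 1: non-SMTP from Trusted, Wireless or Encrypted to any zone
        if src in TRUSTED_LIKE:
            return True
        # Rule 2: non-SMTP from Public to Untrusted
        return src == "Public" and dst == "Untrusted"
    # Rule 3: SMTP from a non-Trusted zone (assumption: any security type
    # other than Trusted) to Trusted, Wireless, Encrypted or Public
    if src != "Trusted" and (dst in TRUSTED_LIKE or dst == "Public"):
        return True
    # Rule 4: SMTP between Trusted, Wireless and Encrypted zones
    return src in TRUSTED_LIKE and dst in TRUSTED_LIKE


def inspection_table(protocol: str) -> dict:
    """Expand the rules into a full source x destination matrix."""
    return {(s, d): inbound_inspected(protocol, s, d)
            for s, d in product(ZONE_TYPES, ZONE_TYPES)}


def render(protocol: str) -> str:
    """Plain-text matrix: rows are source zone types, columns destinations."""
    table = inspection_table(protocol)
    width = max(len(z) for z in ZONE_TYPES)
    header = f"{protocol:<{width}}  " + "  ".join(f"{d:<{width}}" for d in ZONE_TYPES)
    lines = [header]
    for s in ZONE_TYPES:
        cells = ("yes" if table[(s, d)] else "no" for d in ZONE_TYPES)
        lines.append(f"{s:<{width}}  " + "  ".join(f"{c:<{width}}" for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render("HTTP"))
    print()
    print(render("SMTP"))
```

Comparing the two rendered matrices shows the asymmetry the text describes: mail is inspected on its way into trusted zones, while other protocols are inspected for sessions originating in them.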
The Enable Inbound Inspection protocol traffic handling represented as a table:
Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that
might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the
internally hosted SMTP server for viruses.
Configuring Client Alerts and an Exclusion List
Clicking the Configure Gateway AV Settings button in the Gateway Anti-Virus Global Settings section
displays the Gateway AV Config View window, which allows you to configure client notification alerts and
create a SonicWALL GAV exclusion list.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is
blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required)
box. You must install the client software included on the Resource CD for your SonicWALL security
appliance for the client to receive these notifications from SonicWALL GAV.
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a
virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.
Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV
Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded
from SonicWALL GAV scanning.
Alert! Use caution when specifying exclusions to SonicWALL GAV protection.
To add an IP address range for exclusion, perform these steps:
1. Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
2. Click the Add button. The Add GAV Range Entry window is displayed.
3. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP
address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure
column to change an entry or click the trashcan icon to delete an entry.
4. Click OK to exit the Gateway AV Config View window.
Restricting File Transfers
The restrict transfer settings, reached through the Configure Gateway AV Settings button in the
Gateway Anti-Virus Global Settings section, prevent files with specific attributes from being
transferred when they are enabled.
These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password protected
ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP)
that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the
transfers of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed
executable files. Packers are utilities which compress and sometimes encrypt executables. Although
there are legitimate applica