Trend Micro™ InterScan™ Web Security Virtual Appliance 3
Antivirus and Content Security at the Web Gateway
Administrator's Guide

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes and the latest version of the Getting Started Guide, which are available from Trend Micro's Web site at: http://www.trendmicro.com/download/documentation/

Trend Micro, the Trend Micro t-ball logo, InterScan, TrendLabs, Trend Micro Control Manager, and Trend Micro Damage Cleanup Services are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright © 1998-2008 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated.

Document Part No. IBEM33647/80522
Release Date: July 2008
Protected by U.S. Patent No. 5,951,698

The Administrator's Guide for Trend Micro is intended to provide in-depth information about the main features of the software. You should read through it prior to installing or using the software. For technical support, please refer to the Technical Support and Troubleshooting chapter for information and contact details. Detailed information about how to use specific features within the software is available in the online help file and online Knowledge Base at Trend Micro's Web site.

Trend Micro is always seeking to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro documents, please contact us at [email protected]. Your feedback is always welcome. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp

Contents

Preface
IWSVA Documentation ... xiv
Audience ... xiv
Document Conventions ... xv

Chapter 1: Introducing InterScan Web Security Virtual Appliance
HTTP and FTP Security Risk Overview ... 1-1
Hardware Specifications ... 1-2
Compatible Directory Servers ... 1-3
Integration with ICAP 1.0-compliant Caching Devices ... 1-3
X-Authenticated ICAP Headers Support ... 1-3
What's New ... 1-3
Self-contained Installation ... 1-3
VMware Support ... 1-4
Integration with Cisco WCCP ... 1-4
Network Integration using Transparent Bridge Mode ... 1-4
Command Line Interface ... 1-5
On-box Caching by Squid 3.0 ... 1-5
Threat Resources Drop-down List ... 1-5
Main Features ... 1-5
Support for Multiple InterScan Web Security Virtual Appliance Installations ... 1-6
HTTP Virus Scanning ... 1-6
FTP Scanning ... 1-6
Improved Deferred Scanning for HTTP and FTP Large File Scans ... 1-7
Applets and ActiveX Security ... 1-7
URL Filtering ... 1-7
Direct URL Filter Category Selection ... 1-7
Access Quota Policies ... 1-8
URL Access Control ... 1-8
IP Address, Host Name and LDAP Client Identification ... 1-8
Server and Port Access Control Restrictions ... 1-8
Notifications ... 1-9
PhishTrap ... 1-9
Web Reputation ... 1-9
Anti-phishing and Anti-pharming Based on Web Reputation ... 1-10
IntelliTrap ... 1-10
IntelliTunnel ... 1-11
Easier Collection of System Information for Support Diagnosis ... 1-11
True File-type Blocking Within Compressed Files ... 1-11
Real-time Statistics and Alerts ... 1-11
Configurable Threshold Warning ... 1-12
Reverse Proxy Support ... 1-12
Logs and Reports ... 1-12
Additional Reporting Information ... 1-13

Chapter 2: Updates
Product Maintenance ... 2-2
Renewing Your Maintenance Agreement ... 2-2
About ActiveUpdate ... 2-3
Updating From the IWSVA Console ... 2-3
Proxy Settings for Updates ... 2-3
Updatable Program Components ... 2-4
Virus Pattern File ... 2-5
How it Works ... 2-5
Phish Pattern File ... 2-6
Spyware/Grayware Pattern File ... 2-6
IntelliTrap Pattern and IntelliTrap Exception Pattern Files ... 2-7
Scan Engine ... 2-7
About Scan Engine Updates ... 2-8
Web Reputation Database ... 2-9
Incremental Updates of the Pattern Files and Engines ... 2-9
Component Version Information ... 2-10
Manual Updates ... 2-10
Forced Manual Updates ... 2-11
Scheduled Updates ... 2-11
Maintaining Updates ... 2-12
Verifying a Successful Update ... 2-12
Update Notifications ... 2-12
Rolling Back an Update ... 2-13
Deleting Old Pattern Files ... 2-13
Controlled Virus Pattern Releases ... 2-14

Chapter 3: HTTP Configuration
Enabling the HTTP Traffic Flow ... 3-2
Specifying a Proxy Configuration and Related Settings ... 3-2
Proxy Configurations ... 3-4
No Upstream Proxy (Stand-alone Mode) ... 3-4
Upstream Proxy (Dependent Mode) ... 3-5
Transparent Proxy ... 3-7
Reverse Proxy ... 3-9
Proxy-related Settings ... 3-10
HTTP Listening Port ... 3-10
Anonymous FTP Logon Over HTTP Email Address ... 3-11
Network Configuration and Load Handling ... 3-11
Configuring an IWSVA Server Farm ... 3-12
Configuring Access Control Settings ... 3-13
Identifying Clients and Servers ... 3-13
Client IP ... 3-13
Server IP Approved List ... 3-14
Destination Port Restrictions ... 3-15
HTTPS Ports ... 3-16
Setting Up IWSVA ICAP ... 3-17
Setting up an ICAP 1.0-compliant Cache Server ... 3-17
Configuring Virus-scanning Server Clusters ... 3-23
Deleting a Cluster Configuration or Entry ... 3-24
Flushing Existing Cached Content from the Appliance ... 3-25
Enabling "X-Virus-ID" and "X-Infection-Found" Headers ... 3-25

Chapter 4: Policies and User Identification Method
How Policies Work ... 4-2
Default Global and Guest Policies ... 4-3
About the Guest Policy ... 4-3
Enabling the Guest Port ... 4-3
Deploying Policies ... 4-4
Configuring the User Identification Method ... 4-4
IP Address ... 4-5
Host Name ... 4-5
Client Registration Utility ... 4-7
User/Group Name through Proxy Authorization ... 4-7
LDAP Authentication Method ... 4-7
LDAP Communication Flows ... 4-9
Configuring LDAP Settings ... 4-9
LDAP Query Matching Across Main and Referral Servers ... 4-13
Cross Domain Active Directory Object Queries ... 4-13
Configuring the Scope of a Policy ... 4-14
Configuring Policies Using IP Addresses ... 4-14
Configuring Policies Using Host Names ... 4-15
Configuring Policies Using LDAP ... 4-15
Login Accounts ... 4-16
About Access Rights ... 4-17
Adding a Login Account ... 4-17
Changing a Login Account ... 4-17

Chapter 5: Configuring HTTP Scanning
Enabling HTTP Scanning and Applets and ActiveX Security ... 5-2
HTTP Scanning Performance Considerations ... 5-3
Creating and Modifying HTTP Virus Scanning Policies ... 5-5
Specifying Web Reputation Rules ... 5-6
Anti-phishing and Anti-pharming Detection ... 5-7
Web Reputation Settings ... 5-7
Enabling and Disabling Web Reputation ... 5-7
When a Web Site is Within the Web Reputation Approved List ... 5-8
Specifying the Web Reputation Query Method ... 5-9
Specifying Web Reputation Exceptions ... 5-9
Managing Web Reputation Results ... 5-9
Clearing the URL Cache ... 5-11
HTTP Virus Scanning Rules ... 5-11
Specifying File Types to Block ... 5-11
Specifying File Types to Scan ... 5-12
Priority for HTTP Scan Configuration ... 5-16
Configuring Compressed File Scanning Limits ... 5-16
Handling Large Files ... 5-17
Quarantined File Handling ... 5-21
Spyware and Grayware Scanning Rules ... 5-21
Setting the Scan Action for Viruses ... 5-23
Scan Actions ... 5-23
Scan Events ... 5-24
Adding Notes to Your Policy ... 5-25
IntelliTunnel Security ... 5-25
Protocols Used in Instant Messaging and Authentication Connections ... 5-26
About Instant Messenger Protocol ... 5-26
About Authentication Connections ... 5-26
Editing an IntelliTunnel Policy ... 5-27
Creating a New IntelliTunnel Policy ... 5-27
Java Applet and ActiveX Security ... 5-28
How Applets and ActiveX Security Works ... 5-29
Step 1. Filtering Applets & ActiveX at the Server ... 5-29
Step 2. Instrumenting Applets ... 5-30
Step 3. Optionally Re-signing Instrumented Applets ... 5-31
Step 4. Monitoring Instrumented Applet Behavior ... 5-31
Enabling Applet/ActiveX Security ... 5-32
Adding and Modifying Applet/ActiveX Scanning Policies ... 5-32
Configuring Java Applet Security Rules ... 5-33
Signature Status ... 5-33
Certificate Status ... 5-33
Instrumentation and Re-signing ... 5-34
Applet Instrumentation Settings ... 5-34
Configuring Exceptions ... 5-34
Configuring ActiveX Security Rules ... 5-37
Applet and ActiveX Settings ... 5-38
Java Applet Signature Validation ... 5-38
Adding Certificates for Applet Signature Verification ... 5-39
Certificate Expiration ... 5-39
Untrusted Signature Status ... 5-39
Revocation Status ... 5-39
Applet Re-signing ... 5-40
ActiveX Signature Validation ... 5-40
Managing Digital Certificates for Applet Processing ... 5-41
Client-side Applet Security Notifications ... 5-44

Chapter 6: Access Quotas and URL Access Control
Introduction to Access Quota Policies ... 6-2
Managing Access Quota Policies ... 6-2
Overview of URL Access Control ... 6-4
Specifying URL Access Control ... 6-5
Configuring Trusted URLs ... 6-5
Blocking URLs ... 6-7
Using a Local List ... 6-8
Using a Pattern File (Phish) ... 6-9

Chapter 7: URL Filtering
Introducing URL Filtering ... 7-2
URL Filtering Workflow ... 7-3
Managing URL Filtering Policies ... 7-4
Enabling URL Filtering ... 7-4
Creating a New Policy ... 7-4
Modifying and Deleting Policies ... 7-6
URL Filtering Settings ... 7-6
Requesting URL Reclassification and URL Lookup ... 7-7
Unrated and Unknown URLs ... 7-7
Requesting a Reclassification ... 7-8
URL Filtering Exceptions ... 7-8
Work and Leisure Schedule Settings ... 7-10

Chapter 8: FTP Scanning
Introduction ... 8-2
FTP Settings ... 8-2
Proxy Settings ... 8-2
Passive and Active FTP ... 8-3
Client Requests ... 8-3
FTP Scanning Options ... 8-4
Enabling FTP Traffic and FTP Scanning ... 8-4
Scan Direction ... 8-5
File Blocking ... 8-5
File Scanning ... 8-5
Priority for FTP Scan Configuration ... 8-5
Compressed File Handling ... 8-6
Large File Handling ... 8-6
Encrypting Quarantined Files ... 8-6
Scanning for Spyware/Grayware ... 8-7
Configuring FTP Scanning Settings ... 8-7
Setting Scan Actions on Viruses ... 8-9
FTP Access Control Settings ... 8-10
By Client IP ... 8-10
Via Server IP Approved List ... 8-11
Via Destination Ports ... 8-11

Chapter 9: Command Line Interface Commands

Chapter 10: Reports, Logs, and Notifications
Summary Reports ... 10-2
Real-time Statistics ... 10-2
Virus and Spyware Trend Display ... 10-2
Hard Drive Display ... 10-3
Bandwidth Display ... 10-3
Concurrent Connections Display ... 10-4
CPU Usage Display ... 10-4
Physical Memory Usage Display ... 10-5
Scanning Activity ... 10-5
URL Activity ... 10-6
Spyware Activity ... 10-6
Security Risk Reporting ... 10-7
Introduction to Reports ... 10-7
Types of Reports ... 10-8
Blocking-event Reports ... 10-8
Individual/per User Reports ... 10-8
Traffic Reports ... 10-9
Spyware/Grayware Reports ... 10-9
Cleanup Reports ... 10-9
Report Settings ... 10-10
Report Scope (Users and Groups) ... 10-10