Default Settings and Behaviors

The following are enabled:

• HTTP and FTP virus scanning

• Java Applets and ActiveX security

• URL blocking

• URL filtering

• Application Control

Other global settings

• Guest accounts are disabled

• IWSVA uses IP address as the User ID method

• The Quarantine folder located at /var/iwss/Quarantine

Application Control

• Enabled by default

• Has 24 logic groups of protocols

• Default action is "Allow" for all protocols.

HTTPS Decryption

• HTTPS decryption policy is disabled

HTTP Inspection

• HTTP Scanning is disabled by default

• HTTP Inspection has six default filters

• All filters' default action is "Allow (Scan)"

HTTP virus scanning

• HTTP Scanning is enabled

• No files are blocked

• All files are scanned

• Block compressed files with more than 50,000 files when expanded

• Block compressed files that will be larger than 200 MB when expanded

• Block compressed files with more than 10 layers of compression

• IWSVA handles large files as follows:

• Skip files larger than 10 MB (ignore; do not scan)

• Pre-deliver files larger than 64 KB (start delivering files before scanning is complete)

• Web Reputation is enabled

• Anti-phishing detection is enabled

• Anti-pharming detection is enabled

• Application Control is enabled

• No application is blocked in the global policy.

• The allow and block logs are disabled.

• The block log interval is five minutes.

Virus scanning actions

• Clean virus-infected files

• Delete harmful files that cannot be cleaned, for example worms, and Trojans

• Pass (ignore) password-protected files

• Ignore files containing macros

• Encrypt quarantined files

• Ignore spyware/grayware

Java scanning (Malicious Mobile Code (MMC) module)

• Valid signature, trusted certificate: Pass applet

• Valid signature, flagged certificate: Block applet

• No signature: Open applet and examine code

• Invalid signature: Block applet

• IWSVA validates an applet signature by checking the expiration date of all certificates in the chain

• IWSVA strips certificates that it cannot verify (trust)

• IWSVA allows to connect back to the originating server

• It does not allow an applet to write or read data on a local disk, or to bind to a local port

Additional behaviors:

• Applets cannot create new thread groups

• Applets cannot create unlimited threads (maximum 8)

• Applets cannot create unlimited active windows (maximum 5)

• Applets are left unsigned after instrumentation

ActiveX security rules and settings

• For the .cab file type IWSVA will block flagged and invalid signatures

• For these file types (.exe, .ocx) IWSVA will block invalid signatures

• Check the expiration date of the signing certificate

• Check the revocation status of the certificate

• If unable to check the revocation status, set status to valid

URL filtering policies

• URL filtering is enabled

• If you select the "block w/override" action, the default password is blank. You must enter a password.

• If you select the "time limit" action, the default time limit is 0 minutes.

• Global and guest policies block the following sites (under the company prohibited rule):  

• Known "Dialer" sites,

• Disease vectors

• Known virus accomplice content

• Illegal drug content

• Violence , hate, and racism content

• Adult/matured content

• Nudity, Intimate Apparel/Swimsuit

• Sex Education

• Pornography

• The setting of Safe Search is off for each search engine

URL Access Control

• URL blocking is enabled

FTP scanning

• FTP scanning is enabled (uploads and downloads)

• No file are blocked

• All files are scanned

• Block compressed files with more than 50,000 files when expanded

• Block compressed files that will be larger than 200 MB when expanded

• Block compressed files with more than 10 layers of compression

• IWSVA handles large files as follows:

• Skip files larger than 10 MB (ignore; do not scan)

• Pre-deliver files larger than 64 KB (start delivering files before scanning is complete)

Virus scanning actions

• Clean virus-infected files

• Encrypts quarantined files

• Does not scan spyware/grayware

• Deletes harmful files that cannot be cleaned (such as worms and Trojans)

• Quarantines password-protected files

• Ignores files that contain a macro

Reports and Logs

• Stores report logs to database, purges those older than 30 days

• Includes performance data

• Purges logs older than five days

Updates

• Checks hourly for bot pattern, Smart Scan Agent pattern, Protocol Information Extraction pattern, virus, spyware, and IntelliTrap, IntelliTrap exception updates

• Checks weekly for scan engine, Advanced Threat Scan Engine, and URL filtering engine updates

Notifications

• By default, email notification is enabled for:

• HTTP/HTTPS scanning and blocked file type

• FTP scanning and blocked file type

• Pattern file updates

• URL filtering and scan engine updates

• Notifications are not sent for the following:

• Malicious Java applet and ActiveX events