Configuring vGW Series AntiVirus On-Access Scanning

This topic explains how to configure vGW AntiVirus On-Access scanning using the Scanner Config tab of the AntiVirus module. The On-Access scan protects VMs against malicious content and virus infections that can occur whenever a file is read from or written to disk. If On-Access scanning is configured, vGW AntiVirus intercedes and checks the file against the signature database to ensure that the content does not contain malware or a virus. By blocking an infected file, On-Access scanning protects the network from malicious attacks at the source, before damage is done.

Before you configure a vGW AntiVirus On-Access scan, you must perform prerequisite tasks. These tasks configure other parts of the system that allow vGW AntiVirus to quarantine an entire VM with the Quarantine policy when the VM is compromised by a virus. They also initiate communication with the vGW Endpoint:

When you configure a custom On-Access scan, you can specify types of files and files at certain locations to be scanned, and you can exclude certain types of files and files at certain locations from the scan. You can combine these options, for example, to scan all file types but only in a certain directory or to exclude certain types of files in a certain directory.

Consider the following characteristics when you configure custom On-Access scans:

The vGW Endpoint captures file accesses and forwards them to the vGW Security VM for analysis. The vGW Endpoint driver caches the results of the scan. You cannot control how much of a file is transferred to the vGW Security Design VM. However, the file transfer, which is controlled internally, is efficient, based on its match against the AntiVirus signatures. Only as much of the file as is necessary to determine if it is malicious is forwarded.

Note: Because the scan is performed on the vGW Security VM, it is not necessary to re-configure a VM after an On-Access scan.

To create an On-Access vGW AntiVirus configuration or add a new one:

  1. Select the AntiVirus module Scanner Config page.

    The AV Scanner Configuration table is displayed showing information about existing AV scanner configurations. The table shows the scanner configuration name, the scope of VMs that the scan covers, and the type of scan: On-Access, On-Demand, or both.

  2. Click Add.
  3. Specify a name for the AntiVirus scanner configuration.
  4. (Optional) Give a brief description of the scanner configuration so that it is quickly recognizable.
  5. In the Scope box, identify the VM groups whose VM members are to be scanned.

    For a VM to be protected by vGW AntiVirus, it must belong to a VM group that you include in the scan scope.

    To select the scope, click Select. A pop-up dialog box is displayed that shows all VM groups on the left side. Click the name of a group and move it to the Selected Groups section on the right. Click Apply.

    After a scan is defined, it is added to the list of configurations in the AV Scanner Configuration table.

    Note: If a VM group is a member of more than one scanner configuration, the topmost scan definition that it belongs to is used to protect it. You can manipulate the order of the scanner configurations in the table by selecting the row for the scanner configuration and clicking either Move Up or Move Down.

  6. In the Step 1 Scan Options pane, select the On-Access Scanning check box. By default, both types of scans are selected. In this case, clear the check box for On-Demand Scanning.

    Note: Step 2 in the scanner configuration page is required for On-Demand scans only, so it is not included in this procedure.

  7. In the Step 3 Configure Scanning Engine pane, select the type of scan to perform. Under On-Access file types/extensions scanning selection, select either Typical Scan or Custom Scan. For this example, select the Typical Scan check box.
  8. In the Step 4 Action pane, specify one or more actions to take when the scan detects a virus:
    • Alert when a virus is detected—The Virus Alerts tab displays information on the VMs or files that are infected.
    • Quarantine VM—You can specify that the infected VM is to be included in a quarantine policy group.

      You use the Quarantine page on the Main module to view a list of VMs quarantined as a result of an AntiVirus scan. From the Main module Quarantine page, you can remove a VM from quarantine by selecting the VM and clicking Un-Quarantine VM.

    • Quarantine infected files—You can specify that infected files be quarantined.

      Use the Quarantine Files page on the AntiVirus module to display a list of files that are quarantined and take action.

      The Quarantine Files page lets you delete an infected file, remove it from quarantine, or fetch it to remediate it according to your own process.

    • Suspend the VM—You can suspend the VM entirely.

    See Understanding Quarantined VMs and Files Resulting from a vGW AntiVirus On-Access Scan.

To create a custom scan that allows you to specify the files to be scanned:

  1. In the Step 3 Scan Engine Configuration pane, under the On-Access file types/extensions scanning selection, select the Custom Scan option button.
  2. Select the files to scan.

    Note: The file types and the file locations that you specify in this pane work together to identify the files to scan. For example, if you select Scan All File Types together with Scan Only for locations (to scan only specific locations such as c:\user\share), then all the files at that location are scanned, but only those files.

    1. Select the Scan Archives check box to scan all files archived in various formats.

      Note: For improved performance, do not scan archive files.

    2. Select the types of files to scan. Select one of the following options:
      • Scan All File Types—Scans all types of files, delimited by the selected file location.
      • Scan Only—Scans only specified file types, delimited by the selected file locations. You can delete file types from the provided list to exclude them from the scan.
      • Ignore only—Scans all types of files except the specified types.
    3. Select the locations where the files to scan reside.

      For On-Access scans, when scanning files based on location, vGW Series takes into account the drive letter of the directory. For example, given the file location C:\Program, an On-Access scan scans files only in that directory. It does not scan files in the D:\Program directory, although the directory names are the same, because it acknowledges that the drive letters are different. You must specify the drive when you specify the location of files to scan for custom On-Access scans.

      • Scan All Locations—Scans files in all locations, delimited by the selected types of files to scan.
      • Scan only—Scans files only at the specified location, delimited by the selected types of files to scan.
      • Ignore only—Scans all files except those that reside at the specified locations.
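The selection rules above, together with the topmost-configuration rule for VM groups, can be modelled to check which files a planned configuration would leave unscanned. This is an added Python example, not vGW code. Assumptions: the configuration names and group names are hypothetical, and path matching is taken to be case-insensitive and to include subdirectories, which the page does not state.

```python
from dataclasses import dataclass
from ntpath import normpath, splitdrive, splitext

@dataclass(frozen=True)
class ScanConfig:
    name: str
    scope: frozenset                 # VM groups chosen in the Scope box
    type_mode: str = "all"           # "all" | "only" | "ignore"
    types: frozenset = frozenset()   # lower-case extensions, e.g. {".exe"}
    loc_mode: str = "all"            # "all" | "only" | "ignore"
    locations: tuple = ()            # directories, drive letter required

    def __post_init__(self):
        for loc in self.locations:
            if not splitdrive(loc)[0]:
                raise ValueError(f"location needs a drive letter: {loc!r}")

def _under(path, location):
    # Assumption: matching is case-insensitive and includes subdirectories.
    p, loc = normpath(path).lower(), normpath(location).lower()
    return p == loc or p.startswith(loc.rstrip("\\") + "\\")

def _selected(mode, hit):
    if mode == "all":
        return True
    return hit if mode == "only" else not hit   # "ignore" inverts the match

def effective_config(configs, vm_groups):
    """Topmost configuration (table order) whose scope holds one of the VM's groups."""
    for cfg in configs:
        if cfg.scope & frozenset(vm_groups):
            return cfg
    return None   # VM is in no scanned group, so it is not protected

def is_scanned(cfg, path):
    """File-type and location selections must both select the file."""
    type_hit = splitext(path)[1].lower() in cfg.types
    loc_hit = any(_under(path, loc) for loc in cfg.locations)
    return _selected(cfg.type_mode, type_hit) and _selected(cfg.loc_mode, loc_hit)

# Constructed sample table, listed top to bottom (names are hypothetical).
CONFIGS = [
    ScanConfig("share-only", frozenset({"FileServers"}),
               loc_mode="only", locations=("C:\\user\\share",)),
    ScanConfig("no-logs", frozenset({"FileServers", "Desktops"}),
               type_mode="ignore", types=frozenset({".log"})),
]
```

In this sample, a VM in the FileServers group is governed by share-only because it is topmost, so its files outside C:\user\share are not scanned on access even though the lower no-logs configuration also lists that group.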
