Frequently Asked Questions on Anti-Malware

► What malware detection methods are used during inspection?

Secure Web Gateway uses several malware detection methods during inspection, such as its Gateway Anti-Malware (GAM) engine with virus signatures and proactive behavior analysis methods to control viruses and filter malware. You can configure the Anti-Malware (AM) settings in your web policy with any of the following options for anti-malware filtering based on your license. For details, see Configure the Scanning Engines.

Option	Description	Malware Detection Engine(s)	Malware Detection Method(s)	Supported License(s)
Full Skyhigh Security coverage: The recommended high-performance configuration	Use this Skyhigh-recommended configuration for high performance and comprehensive protection against malware.	Trellix AM, Skyhigh Security GAM	Proactive Behavior Analysis Methods Virus Signatures	Skyhigh Security Secure Web Gateway Secure Web Gateway GAM
Layered coverage: Full Skyhigh Security coverage plus specific Avira engine features — minor performance impact	Use this configuration for a combination of full Skyhigh Security coverage, and Avira engine features that provides additional protection against zero-day threats.	Trellix AM, Skyhigh Security GAM Avira	Proactive Behavior Analysis Methods Virus Signatures Third-party engine functions	Skyhigh Security Secure Web Gateway Secure Web Gateway GAM
Duplicate coverage: Full Skyhigh Security coverage and Avira engine — less performance and more false positives	Use this configuration for redundant protection by using both the Trellix AM engine and the Avira engine.	Trellix AM, Skyhigh Security GAM Avira	Proactive Behavior Analysis Methods Virus signatures Third-party engine functions	Skyhigh Security Secure Web Gateway Secure Web Gateway GAM
Skyhigh Security Anti-Malware without mobile code scanning and emulation	Use this configuration for basic malware protection that uses virus signatures to detect and block known threats.	Trellix AM	Virus Signatures	Skyhigh Security Secure Web Gateway
Avira only: Only uses Avira engine — not recommended	Use this configuration for minimal protection that only uses the Avira engine to scan web objects.	Avira	Third-party engine functions	Avira
Skyhigh Security Advanced Threat Defense only: Send files to an MATD appliance for deep analysis through sandboxing	Use this configuration for a cloud-based sandbox solution that provides deep analysis of files to detect malware that may not be detected by traditional signatures.	Advanced Threat Defense	Sandboxing	Skyhigh Security Advanced Threat Defense
Stop virus scanning right after an engine detected a virus	Use this configuration to disable all engines from scanning web objects after one engine detects a virus or other malware.	N/A	N/A	N/A

► What is the maximum file size that Secure Web Gateway can inspect?

Secure Web Gateway enables you to configure limits such as maximum file sizes, inspection duration, and unpack depth to mitigate potential threats such as Denial-of-Service (DDoS) attacks. Secure Web Gateway evaluates various parameters such as file type, operating system (OS), and hardware constraints to determine the appropriate file handling limits.

► How much disk space is required on the /opt partition for extracting files to temporary space during an unarchive and scan job for all files?

The disk space required on the /opt partition for extracting files to temporary space during an unarchive and scan job for all files is determined based on the size of the unpacked archive.

► What is the typical inspection duration for files?

The average duration to inspect files by Secure Web Gateway can vary based on several factors such as file type, number of CPUs, available memory, and the current workload of SWG.

► How much volume of data is extracted from a file during malware inspection?

The extraction volume is determined by the number of extracted files.

► What are the recommended environmental dimensions to inspect 10,000 files of 50 GB per day? Additionally, should this setup be configured as a forward proxy or an ICAP server for optimal performance?

Our SEs use an online sizing calculator to determine this.

► What are the advanced settings in Secure Web Gateway that address the above-mentioned questions?

Skyhigh Security Secure Web Gateway provides the following configuration settings that address the above-mentioned questions:

Enable Opener Rule Set. The Enable Opener rule set in your web policy allows you to specify the supported file formats that Secure Web Gateway can extract and set the maximum level of nested ZIPs. By default, Secure Web Gateway extracts up to 100 levels of nested ZIPs, with the maximum size of extracted data as 4GB. For details, see File Opening.
Rules to Bypass Enable Opener Rule Set. Determine if there are any rules configured to bypass the Enable Opener rule set in your web policy based on the file size of the extracted data. By default, the Enable Opener rule set is configured to bypass the scanning of files larger than 100 MiB.
Gateway Anti-Malware Configuration. In the Gateway Anti-Malware rule set of your web policy, a default setting allows you to bypass the scanning of files larger than 200 MiB. For details, see Configure Anti-malware Filtering.
Anti-Malware Daemons Configuration. The Global Anti-Malware Settings in Secure Web Gateway allocates 25 AV threads per appliance for scan jobs. These threads operate sequentially, with each thread assigned to scan one archive. Additionally, all extracted files are assigned one AV thread to monitor and detect malware within an archive file.
File Download Size Limit. This setting allows you to limit the maximum file download size per appliance, per session. You can configure the default download size limit of 10 GiB per connection, especially for appliances configured as ICAP servers tasked with scanning significantly large files.