Skip to main content
Skyhigh Security

Sample Routine: Anti_Malware_Rules

The Anti_Malware_Rules routine is for blocking files and other web objects that are malware-infected.

It includes a block rule, but also rules for exempting web objects from anti-malware filtering based on several criteria.

Reviewing this routine in the code view and reading what is explained here about it, should improve your understanding of how an individual routine works.

You can access the code view for this routine from the Web Policy — Anti-Malware page, which belongs to the Threat Protection branch of the policy tree.
 

Initial part

This part of the routine includes the usual ROUTINE term, routine name, processing cycles during which the routine is run, and enabling information.

ROUTINE Anti_Malware_Rules ON (Web.Request, Web.Response, EmbeddedObject) [enabled="true"]


Variable setting

There are seven variables set in this part for use later in the routine.

  • Three of them serve the purpose of enabling or disabling a particular rule of the routine.

Example:

BOOLEAN skipGAMByUrls = TRUE

This variable is evaluated when the rule that allows web objects to skip anti-malware filtering is processed. Processing only continues for the rule if the value of this variable is TRUE.

  • The remaining four variables serve other purposes.

Example:

NUMBER transferSizeLimit = 209715200

This variable is evaluated when the rule that allows web objects to skip anti-malware filtering depending on their size is processed.

These variables can also be set using options on the normal user interface.

IF-THEN statements

This part includes six IF-THEN statements (rules).

  • There is a rule for blocking infected web objects. It is only visible and accessible in the code view.
  • Three rules are for allowing web objects to skip anti-malware filtering based on various criteria, for example, user agents or domains. These rules have corresponding options on the normal user interface.
    ​​​For example, the rule that allows web objects to skip anti-malware filtering based on URLs can also be enabled or disabled using a checkbox on the user interface. It relies on a list of web objects, which you enter in the list on the normal user interface.
  • Two rules serve other purposes. Like the block rule, they are only visible and accessible in the code view.

The order in which these rules follow each other in the code is important.

The block rule is in last position. If anti-malware filtering is skipped for a web object because any of the rules that go before this rule requires this, the filtering process stops. This means the block rule is not processed anymore.

In the following, some of these rules are explained in more detail. The rules are referred to by rule names, which are taken from the comment lines in the code.

  • Block If Virus Was Found — This rule is the key rule in this routine. It blocks files and other web objects if they are found to be infected by viruses and other malware.

It is also one of the most important rules in the web policy that is implemented under MVISION Unified Cloud Edge, as protection against malware is one of the most important reasons for installing this solution.

Regardless of its importance, the structure of this rule is rather simple.

// Block If Virus Was Found
IF MWG.BodyInfected (gam) THEN {
        MWG.Block (Malware_found, "Block If Virus Was Found", "Gateway Anti-Malware")
}

Code items are used here as follows.

  • There is one condition.
IF MWG.BodyInfected (gam)

Is a web object that was received as the body of a request or response infected by malware? If it is, then this condition is met, and the procedure in the THEN clause is executed.

The MWG.BodyInfected function is run to find out whether a web object is infected. It is supported by the Anti-Malware for GAM feature, which runs with a setting that involves the Gateway Anti-Malware (GAM) scanning engine in the filtering process. It is this engine that performs the scanning of the web object.

In the code, the feature setting appears in parentheses next to the function.

MWG.BodyInfected (gam)

The setting is specified shortly here as gam. In the variable setting part of the routine, gam is set as the name of the current setting for the Anti-Malware for GAM feature and identified as the Gateway_AntiMalware setting. This setting or configuration is also accessible over the normal user interface.

MWG.AntimalwareSetting gam = Gateway_AntiMalware

On the Web Policy — Anti-Malware page of the user interface, which is also the page that provides access to this routine, it is indicated when the Anti-Malware for GAM feature is in use and what its current configuration is.

  • If the condition matches, the MWG.Block procedure is executed to block the infected web object. Depending on the setting of the procedure, a block message is also sent to the user who requested access to this web object.
THEN {
MWG.Block (Malware_found, "Block If Virus Was Found", "Gateway Anti-Malware"
}

The procedure has parameters, which specify the following:

  • Block reason: Malware_found
  • Name of the blocking rule: "Block If Virus Was Found"
  • Setting name: "Gateway Anti-Malware"

 

  • Bypass Gateway Anti-Malware for Gateway Anti-Malware Bypass URLs — This rule allows web objects with URLs that are on a bypass list to skip anti-malware filtering.
// Bypass Gateway Anti-Malware for Gateway Anti-Malware Bypass URL
IF skipGAMByUrls AND MWG.Url.SmartMatch (bypassGAMURLs) THEN {
    END
}

Code elements are used here as follows.

  • There are two conditions.
IF skipGAMByUrls AND MWG.Url.SmartMatch (bypassGAMURLs)

The first of them is met if the value of skipGAMByUrls is TRUE. It means this rule, which lets web objects skip anti-malware filtering, is enabled. The variable is set in the variable setting part of the routine. It can also be set using an option of the user interface.

The second condition matches if the MWG.Url.SmartMatch (bypassGAMURLs) function returns that the URL of the web object matches with an entry in the bypassGAMURLs list.

  • If both conditions match, the THEN clause applies. Because this is a bypass rule that lets web objects skip anti-malware filtering, nothing is done here. No procedure is executed, so THEN is followed by END.
     
  • Bypass Based on Size — This rule allows web objects with a size that exceeds a given limit to skip anti-malware filtering. This is done to save time and resources.
// Bypass Based on Size (default 200 MB)
IF skipBigSize AND MWG.CycleName == "Response" AND MWG.BodySize > transferSizeLimit THEN {
    END
}

Code elements are used here as follows.

  • There are three conditions.
IF skipBigSize AND MWG.CycleName == "Response" AND MWG.BodySize >transferSizeLimit

The first of them is met if the value of skipBigSize is TRUE. It means this rule, which lets web objects skip anti-malware filtering if they are too big, is enabled. The variable is set in the variable setting part of the routine. It can also be set using an option of the user interface.

The second condition is met if the MWG.Cycle.Name function returns "Response", which means the routine is currently running in the response cycle of the filtering process.

Large files and other large web objects can be received from web sites in response to requests from users. This is why the routine is run in the response cycle.

The third condition is the key condition of this bypass rule. It is about what the bypassing is based on. It is met if the size of a web object, which the MWG.Body.Size function delivers as its return value, is higher than the value of the transferSizeLimit variable. This variable is set in the variable setting part of the routine or using an option on the user interface.

  • If all three conditions are met, the THEN clause applies. Because the purpose of this rule is to let web objects skip anti-malware filtering, nothing is done here. No procedure is executed, so THEN is followed by END.
  • Was this article helpful?