Internet applications, malware, and URL filtering blocking behavior

Article:HOWTO54160  |  Created: 2011-06-08  |  Updated: 2011-06-08  |  Article URL http://www.symantec.com/docs/HOWTO54160
Article Type: How To



You can configure blocking in the following types of policies:

| Policy type | Description |
|---|---|
| Application control policy | Allow, block, or monitor Internet access for applications with the application control policy settings. See Configuring policies for Internet applications. |
| Malware policy | Block malware, which includes spyware, viruses, worms, Trojan horses, botnets, keyloggers, and so on. See Configuring policies for malware. |
| URL filtering policy | Block, monitor, or allow access to categories of Web sites. To block categories of Web sites, you must have the URL filtering license. See Configuring URL filtering policies for Web sites. See Preinstallation checklist. |
| Blacklist | Block file downloads by file extension using the blacklist. See Blocking or monitoring file transfers using the blacklist. |

Symantec Web Gateway can block file transfers, Internet applications, malware phone home attempts, and Web pages. The method that Symantec Web Gateway uses to block these activities depends on the source, action, and the policy that applies.

Table: Blocking methods describes these blocking methods.

Table: Blocking methods

| Blocking method | Description | Examples |
|---|---|---|
| End user blocking page | For downloads and the URL access that a user initiates in a Web browser. Symantec Web Gateway displays an end user blocking page to block access. The requested action does not occur and the blocking page is displayed instead. | A user's computer is part of a malware policy. The user attempts to download a file using a Web browser. Symantec Web Gateway detects a virus in the file. Symantec Web Gateway displays a blocking page instead of allowing the file download. |
| File corruption | For file uploads in a Web browser and file downloads not in a Web browser. Symantec Web Gateway also enters text into the binary to identify that it blocked the file. The default text is as follows: Malware has been detected by Symantec Web Gateway. | A user's computer is part of a malware policy. The user attempts to download a file using FTP. Symantec Web Gateway detects a virus in the file. The download proceeds. However, Symantec Web Gateway corrupts the contents of the file to disable the virus. |
| Interrupted connection | For malware phone home attempts, application control, and IM file transfers. Symantec Web Gateway interrupts the connection to block access. | A user attempts to use a peer-to-peer file sharing application that is blocked in an application control policy. The peer-to-peer file sharing application does not work for the user. The peer-to-peer file sharing application may display an error. |

If you configure Symantec Web Gateway in the port span/tap network configuration, it cannot provide the same level of blocking as the inline network configuration.

See About Symantec Web Gateway network configurations.

Table: Blocking behavior for policies describes the blocking behavior for each type of policy.

Table: Blocking behavior for policies

| Policy | Application | Application action | Browser patience page | Blocking method | Supported network configurations |
|---|---|---|---|---|---|
| Antivirus scan from malware policy | Web browsers | Download .exe, .zip, .rar, .dll, and .cab files that are over 50,000 bytes | Yes | End user blocking page | Inline, proxy, and inline plus proxy |
| Antivirus scan from malware policy | Web browsers | Download file | No | End user blocking page | Inline, proxy, and inline plus proxy |
| Blacklist block by file extension | Web browsers | Download file | No | Interrupt connection only for port span/tap | Inline, proxy, inline plus proxy, and port span/tap |
| Antivirus scan from malware policy | Web browsers | Upload file | No | Corrupts the file | Inline, proxy, and inline plus proxy |
| Blacklist block by file extension | Web browsers | Upload file | No | Interrupt connection | Inline, proxy, inline plus proxy, and port span/tap |
| Malware or URL filtering | Web browsers | Browse to URL | No | End user blocking page | Inline, proxy, inline plus proxy, and port span/tap |
| Antivirus scan from malware policy | FTP | Upload file or download file | No | Corrupts the file. FTP command line (inline mode only) error message: 226 Spyware Blkd | Inline, proxy, and inline plus proxy |
| Malware | Malware phone home | Any network activity | No | Interrupts connection | Inline, proxy, inline plus proxy, and port span/tap |
| Application control | Applications available for application control | Any network activity | No | Interrupts connection | Inline, proxy, inline plus proxy, and port span/tap. Some limitations for port span/tap as noted in Web GUI |
| Application control | IM applications | Upload file or download file | No | Interrupts connection | Inline and port span/tap. Some limitations for port span/tap as noted in Web GUI |
| Antivirus scan from malware policy | IM applications | Upload file or download file | No | Corrupts the file | Inline, proxy, and inline plus proxy |
| Antivirus scan from malware policy | Applications that access the Internet, such as for software updates | Download file | No | Corrupts the file | Inline, proxy, and inline plus proxy |
| Antivirus scan from malware policy | Unknown Web browser applications | Download file | No | Corrupts the file | Inline, proxy, and inline plus proxy |

See About policies.
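
For triage of "corrupt file" reports that trace back to the file corruption and FTP rows above, the following added example (not Symantec code and not part of the original article) checks a file for the default marker text and an FTP client transcript for the "226 Spyware Blkd" reply. It assumes the marker is stored as plain ASCII bytes and that the transcript uses a "---> RETR name" debug echo; the function names and the sample transcript are constructed for illustration.

```python
# Added example, not Symantec code. Assumes the marker text is written into
# the file as plain ASCII bytes; the article does not state the encoding.
DEFAULT_MARKER = b"Malware has been detected by Symantec Web Gateway."
FTP_BLOCK_REPLY = "226 Spyware Blkd"  # reply text quoted in the article


def find_marker(stream, marker=DEFAULT_MARKER, chunk_size=65536):
    """Return the byte offset of the first marker in a binary stream, or None."""
    if not marker:
        raise ValueError("marker must not be empty")
    keep = len(marker) - 1  # tail carried over so a split marker is still seen
    tail, consumed = b"", 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return None
        window = tail + chunk
        hit = window.find(marker)
        if hit != -1:
            return consumed - len(tail) + hit
        consumed += len(chunk)
        tail = window[-keep:] if keep else b""


def blocked_ftp_transfers(transcript_lines):
    """Return file names whose RETR/STOR ended with the gateway's block reply."""
    blocked, pending = [], None
    for raw in transcript_lines:
        text = raw.strip()
        if text.startswith("---> "):  # debug-style command echo (assumed format)
            text = text[5:]
        verb, _, arg = text.partition(" ")
        if verb.upper() in ("RETR", "STOR") and arg:
            pending = arg
        elif text.startswith(FTP_BLOCK_REPLY):
            if pending:
                blocked.append(pending)
            pending = None
        elif text[:1] in ("2", "4", "5") and text[:3].isdigit():
            pending = None  # any other final reply closes the transfer
    return blocked


# Constructed sample transcript (not captured from a real gateway).
SAMPLE_TRANSCRIPT = [
    "---> RETR report.pdf", "150 Opening BINARY mode data connection",
    "226 Transfer complete",
    "---> RETR setup.exe", "150 Opening BINARY mode data connection",
    "226 Spyware Blkd",
]
```

Open the file under investigation in binary mode and pass it to find_marker; a non-None offset means the file carries the default marker text, which an administrator may have changed from the default.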


Legacy ID: v29516519_v58977240

