HTTP Proxy and Securepoint Antivirus

From Securepoint Wiki





















Configuration of a UTM when using an HTTP proxy and Securepoint Antivirus Pro

Last update: 06.2019


Preamble

Securepoint Antivirus Pro regularly checks an update server for new updates. The updates themselves are then downloaded from update mirrors.

If a Windows client is directly connected to the Internet, this does not pose a problem, since there are usually no rules that restrict web access. In a network environment, workstations usually do not have direct access to the Internet; instead, the data traffic is filtered via port filters and proxies in order to offer malware as little attack surface as possible.

A good firewall configuration is characterized by the fact that each client only gets the access it really needs.

In the following documentation we present three scenarios that allow the Antivirus Pro update via the HTTP proxy of a Securepoint NextGen UTM firewall and its web filter.

Scenario 1: Standard proxy without authentication

Webfilter

In this case, the HTTP proxy is used in transparent mode. In the Webfilter, only the web pages required for communication are released. A new ruleset is added here to release the update servers for Securepoint Antivirus Pro. These are entered under → Applications → Webfilter → Add ruleset as follows:

Name: freely definable rule name

No matching rule found: block

Section Rules (each entry added with + Add URL):
*.ikarus.at/*
*.mailsecurity.at/*

Please note that * is used as a wildcard at this point (not Regex format!).

This rule set must be saved.
For the rule set to take effect, it must be assigned to a profile that contains the corresponding computers.

Virus scanner of the UTM

The virus scanner of the HTTP proxy checks the packets that are routed through the proxy.

In order for the download of updates to work without problems, exceptions in Regex format must be created in the virus scanner.
In the menu → Applications → HTTP-Proxy, tab Virus Scanner, section Webpage-Whitelist, a rule is added with + Regex:

^[^:]*://[^\.]*\.ikarus\.at/
^[^:]*://[^\.]*\.mailsecurity\.at/


Scenario 2: Standard proxy with authentication

To increase security, an Authentication method can be configured on the Securepoint NextGen UTM firewall under → Applications → HTTP-Proxy, tab General, section General:
Basic, NTLM/Kerberos, Radius

Authentication exception

Since the Securepoint antivirus client cannot authenticate itself against the proxy with NTLM, additional authentication exceptions are required.
The called URLs have to be defined again in Regex format:
.*\.ikarus\.at
.*\.mailsecurity\.at
Since the HTTP or HTTPS protocol is not relevant at this point, these expressions are somewhat shorter than those for the virus scanner.

For the Webfilter and the Virus scanner, exceptions are configured as in scenario 1.


Scenario 3: Standard proxy with authentication via NTLM and use of SSL interception

SSL-Interception

If SSL-Interception is used under → Applications → HTTP-Proxy, tab SSL-Interception, to check the encrypted data packets for malware, the servers must also be stored here as Exceptions for SSL-Interception.
The same expressions are used as for the authentication exception.

.*\.ikarus\.at
.*\.mailsecurity\.at

For the Webfilter and the Virus scanner, exceptions are configured in the same way as in scenarios 1 and 2.

Transparent SSL Interception

If Transparent Mode has been activated under → Applications → HTTP-Proxy so that the encrypted data packets are also checked for malware, the IP addresses of the servers must be stored here as exceptions for SSL interception. The entire network of the update servers is released for this purpose.

.*91\.212\.136\..*
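The page lists four exception lists in three different syntaxes (webfilter wildcards, full-URL regexes for the virus scanner, host regexes for authentication and SSL interception, and an IP regex for transparent SSL interception). As an added offline check, not code from the page or from Securepoint, the following Python script runs constructed sample update URLs through all four lists so the entries can be verified before they are entered on the UTM. It assumes that `*` in the webfilter behaves like a shell wildcard (fnmatch), that the webfilter compares host plus path without the scheme, and that the host and IP regexes are evaluated unanchored; the page does not state how the UTM evaluates them, so treat those points as assumptions.

```python
import re
from fnmatch import fnmatchcase

# Exception entries copied from the scenarios on this page.
WEBFILTER_WILDCARDS = ["*.ikarus.at/*", "*.mailsecurity.at/*"]   # wildcard syntax, not regex
VIRUS_SCANNER_REGEX = [r"^[^:]*://[^\.]*\.ikarus\.at/",
                       r"^[^:]*://[^\.]*\.mailsecurity\.at/"]
HOST_REGEX = [r".*\.ikarus\.at", r".*\.mailsecurity\.at"]        # auth and SSL-interception exceptions
TRANSPARENT_IP_REGEX = [r".*91\.212\.136\..*"]


def _strip_scheme(url: str) -> str:
    """Drop 'http://' or 'https://' (assumption: the webfilter compares host + path)."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE)


def webfilter_allows(url: str) -> bool:
    """Webfilter ruleset: '*' matches any run of characters (fnmatch semantics assumed)."""
    return any(fnmatchcase(_strip_scheme(url), pat) for pat in WEBFILTER_WILDCARDS)


def virus_scanner_whitelisted(url: str) -> bool:
    """Virus scanner Webpage-Whitelist entries are regexes matched against the full URL."""
    return any(re.search(pat, url) for pat in VIRUS_SCANNER_REGEX)


def host_exception(host: str) -> bool:
    """Authentication / SSL-interception exception, matched unanchored against the host name."""
    return any(re.search(pat, host) for pat in HOST_REGEX)


def host_exception_anchored(host: str) -> bool:
    """Same patterns with '$' appended: only hosts that really end in the domain match."""
    return any(re.search(pat + r"$", host) for pat in HOST_REGEX)


def transparent_ssl_exception(ip: str) -> bool:
    """Transparent SSL interception exception, matched against the server IP address."""
    return any(re.search(pat, ip) for pat in TRANSPARENT_IP_REGEX)


def evaluate(url: str) -> dict:
    """Run one update URL through the webfilter, virus scanner and host exception lists."""
    host = _strip_scheme(url).split("/", 1)[0]
    return {
        "webfilter": webfilter_allows(url),
        "virus_scanner": virus_scanner_whitelisted(url),
        "auth_ssl_exception": host_exception(host),
    }


if __name__ == "__main__":
    # Constructed sample URLs; paths and host names are not taken from the page.
    for sample in ["http://update.ikarus.at/updates/catalog.xml",
                   "https://mirror.mailsecurity.at/pkg/signatures.bin",
                   "https://eu.mirror.ikarus.at/pkg/signatures.bin",
                   "http://updates.example.org/ikarus.at/"]:
        print(sample, evaluate(sample))
```

Two details the check makes visible: the virus scanner expression `[^\.]*\.ikarus\.at/` accepts exactly one label in front of the domain, so a mirror such as `eu.mirror.ikarus.at` would pass the webfilter wildcard but not the virus scanner whitelist; and the host expressions from scenarios 2 and 3 are written without a terminating `$`, so as plain regexes they also match a host that merely contains `.ikarus.at` somewhere inside. If the UTM does not anchor these internally, appending `$` keeps the exception limited to the intended domains.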