-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
How SonicWall Gateway Anti-Spyware Handles Protocol Inspections and Actions
03/26/2020 
27 People found this article helpful
485,492 Views
Description
SonicOS: How SonicWall Gateway Anti-Spyware Handles Protocol Inspections and Actions?
Resolution
The following describes the protocol handling capabilities of SonicWall Anti-Spyware for the supported protocols:
NOTE: 8-bit encoding is handled natively for all e-mail based protocols (SMTP, POP3, and IMAP) since no decoding is required for each encoding scheme.
HTTP
Capabilities: zip (including archives), gzip and deflate decompression. Deflate decompression method is not supported when HTTP response is Chunk Encoded. All HTTP traffic is inspected, not just TCP port 80. Suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly of potentially malicious content.
NOTE: Suppression of HTTP Byte-Range requests may inhibit the use of certain download accelerator programs that attempt to retrieve files as multiple simultaneous requests.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious payload.
FTP
Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious content, "The suppression of the 'REST' request can be overridden from the /diag.html page with the option 'Enable FTP 'REST' requests with Gateway AV”.
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious payload.
IMAP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The connection is terminated, preventing the user from downloading the mail containing the violation. The user must manually mark the mail deleted and purge it from the server.
SMTP
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the head of the sent queue, thus preventing it from being resent, via 552 SMTP response and the connection is terminated.
POP3
Capabilities: base64 decoding, zip (including archives) and gzip decompression.
Prevention Mechanism: The message which contains the virus is removed from the POP3 server via 'DELE' command and the connection is terminated. Continuation of message downloads following termination requires the user to re-initiate the download process on their POP3 client in order to download the rest of the messages from the POP3 server.
- Disable Anti-Spyware POP3 Auto Deletion - When a POP3 client is identified as Outlook Express, DELE (delete) message sequencing is tailored to Outlook Express' behavior. This setting can resolve problems caused by misidentification that are encountered during the deletion of virus-infected e-mails.
- Disable Anti-Spyware POP3 UIDL Rewriting - Certain Netscape POP3 clients have difficulty with the UIDL (unique ID listing - RFC1939) command. When a POP3 client is recognized as Netscape, UIDL messages are suppressed, which is allowable because they are optional. This setting can resolve problems caused by misidentification that are encountered during the message retrieval process.
POP3 client behavior varies from one client to the next. SonicWall Anti-Spyware attempts to determine the type of POP3 client being used, and to compensate for behavioral differences. In rare cases, some clients may require special Anti-Spyware settings - these settings have been made available in the / diag.html page.
Enabling Inbound Inspection
Within the context of SonicWall Anti-Spyware, the Enable Inbound Inspection protocol traffic handling
refers to the following:
• Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to any Zone.
• Non-SMTP traffic from a Public Zone destined to an Untrusted Zone.
• SMTP traffic initiating from a non-Trusted Zone destined to a Trusted, Wireless, Encrypted, or Public Zone.
• SMTP traffic initiating from a Trusted, Wireless, or Encrypted Zone destined to a Trusted, Wireless, or Encrypted Zone.
The Enable Inbound Inspection protocol traffic handling represented as a table:
Enabling Inspection of Outbound Spyware Communication
The Enable Inspection of Outbound Spyware Communication feature is available for scanning outbound traffic for spyware communication.
Related Articles
- How to Block Google QUIC Protocol on SonicOSX 7.0?
- How to block certain Keywords on SonicOSX 7.0?
- How internal Interfaces can obtain Global IPv6 Addresses using DHCPv6 Prefix Delegation
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO