How to Configure Custom Policies for SonicWall Enforced Client

03/26/2020 12 12729

DESCRIPTION:

SonicWall Enforced Kaspersky Client Anti-Virus and Anti-Spyware provides comprehensive end-point protection for desktops and laptops. The automated anti-virus and anti-spyware deployment keeps administrative overhead to a minimum, while also enforcing policy and making sure that each endpoint is protected before connecting. Kaspersky Client Anti-Virus and Anti-Spyware has the following features:

• Protects Desktops/Laptops from viruses.
• Automatically updates clients
• Enforces virus protection
• Centrally manages reporting
• Central manages policy-enforcement.
• Includes on-demand scanning

This article illustrates how to create Enforced Client AV (ECAV) policies.

RESOLUTION:

The following steps are involved in creating a new ECAV policy:

1. Accessing the Enforced Client Anti-Virus Policy & Reporting Server.

• Login the SonicWall Management GUI.
• Navigate to the Security Services | Client AV Enforcement page.
• Click on the link under the Kaspersky Client AV Status box.

Login using the MySonicWall.com username and password or using the appliance Authentication Code. In the SonicWall EPRS page, click on Policies.

About the Default Policy

The Policies page contains a default policy called Default Policy. The Default Policy is configured to be moderately strict, and is suitable for use with most ECAV clients. It cannot be edited or deleted. All clients and client groups are assigned the default policy. To view the Default Policy settings, navigate to the ECAV | Policies page and click the View icon under Configure in the Default Policy row.

The Edit Policy window opens. The General tab displays the Name and Comment fields for the Default Policy.

On the Kaspersky AV tab, under Agent Version Settings, the Agent Version is set to Stable Release. The Default Policy does not use the Latest Release or any particular release.

Under Scans, four different Scans are configured for the Default Policy:

• OnAccess These scan settings include configuration for the File Monitor, Web Monitor and Mail Monitor. These monitors are used for real time scanning. Scan settings, inclusions, exclusions, and trusted processes are configured.
• Manual These scan settings are used when the client specifically requests a scan, and includes configuration to scan containers within one level of compression, and for a set period of time. Manual scan also scans mail messages and databases, and packed files. Scan settings, exclusions, and critical areas are configured.
• Scheduled File A scheduled file scan for all fixed drives on the client machine that runs a single time at 12:00 midnight after the policy is applied to the client.
• Scheduled Critical Areas A scheduled file scan for critical areas on the client file system that runs once a day at 11:00 PM.

Default OnAccess Scan Settings

Settings Tab

On the Settings tab, the File Scan Settings are shown.

For the Default Policy, the File Scan Settings are set as follows:

• Heuristics Level The Heuristics Level is set to Low. The advanced heuristic code analyzer is on, and the scanning level will be shallow. This setting is appropriate for both on-demand scanning and Real Time monitoring.
• Cleaning Mode Currently, Clean and Delete is the only option for handling detected threats.
• Working Mode The Working Mode is set to Smart. In this mode, file access attempts are intercepted by using a special "smart" algorithm that guarantees a reasonable security level, but does not significantly affect the system performance.
• Scan Within Containers This checkbox is not selected, meaning that no scanning of the contents of container files, such as ZIP or CAB files, is performed. The Max Archive File Size is not used in this mode.
• Timeout The maximum number of seconds that a file will be scanned is set to 3 seconds.

Exclusions Tab

On the Exclusions tab, filters are configured to exclude .txt and .log files from scanning.

Inclusions Tab

On the Inclusions tab, no filters are configured to include certain files or folders when scanning.

Processes Tab

On the Processes tab, no applications are configured as trusted applications with defined behaviors.

Default Manual Scan Settings

Settings Tab

On the Settings tab of the Manual Scan Settings window, the File Scan Settings are shown.

For the Default Policy, the File Scan Settings for Manual Scan are set as follows:

• Heuristics Level The Heuristics Level is set to Medium. The advanced heuristic code analyzer is on, with medium scanning level. For a manual scan that only occurs when requested by the user, the Medium setting is fine and will not impact system performance.
• Cleaning Mode Currently, Clean and Delete is the only option for handling detected threats.
• Scan Within Containers This checkbox is selected to open and scan the contents of container files, such as ZIP or CAB files. The Max Container Scan Depth is set to 1, indicating that only the first level of container will be scanned, and no containers within the container are scanned.
• Timeout The maximum number of seconds that a file will be scanned is set to 300 seconds.
• Scan Mail Messages This checkbox is selected to scan email messages.
• Scan Mail Databases This checkbox is selected to scan email databases.

Exclusions Tab

On the Exclusions tab, no filters are configured to exclude any files from scanning.

Critical Areas Tab

The Critical Areas Settings are the same as the File Scan Settings on the Settings tab, and, in the Default Policy, are configured with the same values.

Default Scheduled File Scan Settings

Settings Tab

On the Settings tab of the Scheduled Scan Settings window for the File scan type, the File Scan Settings are shown.

For the Default Policy, the File Scan Settings for Scheduled File Scan are set as follows:

• Heuristics Level The Heuristics Level is set to Medium. The advanced heuristic code analyzer is on, with medium scanning level. For a manual scan that only occurs when requested by the user, the Medium setting is fine and will not impact system performance.
• Cleaning Mode Currently, Clean and Delete is the only option for handling detected threats.
• Scan Within Containers This checkbox is selected to open and scan the contents of container files, such as ZIP or CAB files. The Max Container Scan Depth is set to 1, indicating that only the first level of container will be scanned, and no containers within the container are scanned.
• Timeout The maximum number of seconds that a file will be scanned is set to 300 seconds.
• Scan Mail Messages This checkbox is selected to scan email messages.
• Scan Mail Databases This checkbox is not selected, so no email databases will be scanned.

Exclusions Tab

On the Exclusions tab, filters are configured to exclude .txt and .log files from scanning.

Inclusions Tab

On the Inclusions tab, a filter for All fixed disks is configured to include all hard drives on the computer for scanning. Because an inclusion filter is specified, only the items defined by the inclusion file filters are scanned and everything else is excluded.

Schedule Tab

On the Schedule tab, a time based schedule is configured for the scan.

This fixed disk scan is configured to run once, at midnight on January 1^st.

Default Scheduled Critical Areas Scan Settings

Critical Areas Tab

On the Critical Areas tab of the Scheduled Scan Settings window for the Critical Areas scan type, the Critical Areas Settings are shown.

For the Default Policy, the Critical Areas Settings are set as follows:

• Heuristics Level The Heuristics Level is set to Medium. The advanced heuristic code analyzer is on, with medium scanning level. For a manual scan that only occurs when requested by the user, the Medium setting is fine and will not impact system performance.
• Cleaning Mode Currently, Clean and Delete is the only option for handling detected threats.
• Scan Within Containers This checkbox is selected to open and scan the contents of container files, such as ZIP or CAB files. The Max Container Scan Depth is set to 1, indicating that only the first level of container will be scanned, and no containers within the container are scanned.
• Boot Sector This checkbox is selected to scan the boot sector of the hard disk.
• System Memory This checkbox is selected to scan system memory.
• Startup Objects This checkbox is selected to scan files that run at system startup. If selected, you can select Qscan.
• Scan Mail Messages This checkbox is selected to scan email messages.
• Scan Mail Databases This checkbox is not selected, so no email databases will be scanned.

Schedule Tab

On the Schedule tab, a time based schedule is configured for the Critical Areas scheduled scan.

This critical areas scan is configured to run Daily, at 11:00 PM.

Adding a New Policy

A new policy can be created by either clicking on Add New Policy or cloning the default policy. To clone, click on the Clone button at the far end of the default policy.

In either method, the Add Policy window will pop-up with General and Kaspersky AV tabs.

General tab

Name: Enter a name for the policy.
Comment: Descriptive information about the policy.

Kaspersky AV tab

Agent Version: Stable Release
OnAccess: Pre-installed scan type to always monitor the system in the background for malware. Cannot be deleted
Manual: Pre-installed scan type to scan files, folders and removable disks when prompted to do so. Cannot be deleted
Add New Scheduled Scan: User created scan type to scan the system at a scheduled time.

2. OnAccess Scan

• Comment: Descriptive information.
• Disable: Disables OnAccess Scan
• Settings
• Exclusions
• Inclusions
• Processes

Settings

Heuristic Level: Off / Low / Medium /High. Default = Medium Cleaning Mode: Clean and Delete. Working Mode: Smart / File Open / File Execute / Both File Read and Write. Default = Smart Scan Within Containers: Contents of ZIP / CAB etc will be opened and scanned. Default = Unchecked. Max Archive File Size: Applicable if above is checked. Default is 8 MB. 0 means no maximum size. Timeout = Default = 3 Seconds. 0 = No timeout.

Exclusions

Select Type:  File / Folder Location: Custom Path Fixed and removable Disks All fixed disks All removable disks OS installed drive Documents and Settings folder Program Files folder Windows directory Windows system directory Extension List: List of extensions that will be matched when searching for files to filter. Do not precede the extension with "." or "*." Wildcards are permitted at the end of an extension such as DOC XL* PPT.

Inclusions

Location: Custom Path Fixed and removable Disks All fixed disks All removable disks OS installed drive Documents and Settings folder Program Files folder Windows directory Windows system directory Extension List: List of extensions that will be matched when searching for files to filter. Do not precede the extension with "." or "*." Wildcards are permitted at the end of an extension such as DOC XL* PPT.

Processes

Process Location: Allow to Open Files: Analyze Behavior: Allow Registry Use: Allow Network Use: SSL Only:

Manual scan

• Comment: Descriptive information.
• Settings
• Exclusions
• Critical Areas

Settings

Heuristic Level: Off / Low / Medium /High. Default = Medium Cleaning Mode: Clean and Delete. Scan Within Containers: Contents of ZIP / CAB etc will be opened and scanned.Default = checked. Max Container Scan Depth: Max level of containers within containers. For example, ZIP inside of a RAR inside of a TAR. Can be set from 1 to 10. 0 = No depth. Default = 1. Timeout = Default = 300 Seconds. 0 = No timeout. Scan Mail Messages:      Scan Mail Databases:

Exclusions

Select Type:  File / Folder Location: Custom Path Fixed and removable Disks All fixed disks All removable disks OS installed drive Documents and Settings folder Program Files folder Windows directory Windows system directory Extension List: List of extensions that will be matched when searching for files to filter. Do not precede the extension with "." or "*." Wildcards are permitted at the end of an extension such as DOC XL* PPT.

Critical Areas

Heuristic Level: Off / Low / Medium /High. Default = Medium Cleaning Mode: Clean and Delete. Scan Within Containers: Contents of ZIP / CAB etc will be opened and scanned.Default = checked. Max Container Scan Depth: Max level of containers within containers. For example, ZIP inside of a RAR inside of a TAR. Can be set from 1 to 10. 0 = No depth. Default = 1. Timeout: Default = 300 Seconds. 0 = No timeout. Scan Mail Messages:      Scan Mail Databases:

Add New Scheduled Scan

Comment: Descriptive information.
Scheduled Scan Type:  File / Critical Areas. Default = File

• Settings
• Exclusions
• Inclusions
• Schedule

Settings

Heuristic Level: Off / Low / Medium /High. Default = Medium Cleaning Mode: Clean and Delete. Scan Within Containers: Contents of ZIP / CAB etc will be opened and scanned.Default = checked. Max Container Scan Depth: Max level of containers within containers. For example, ZIP inside of a RAR inside of a TAR. Can be set from 1 to 10. 0 = No depth. Default = 1. Timeout = Default = 300 Seconds. 0 = No timeout. Scan Mail Messages:      Scan Mail Databases:

Exclusions

Exclusion File Filter Settings Select Type:  File / Folder Location: Custom Path Fixed and removable Disks All fixed disks All removable disks OS installed drive Documents and Settings folder Program Files folder Windows directory Windows system directory Extension List: List of extensions that will be matched when searching for files to filter. Do not precede the extension with "." or "*." Wildcards are permitted at the end of an extension such as DOC XL* PPT.

Inclusions

Select Type:  File / Folder Location: Custom Path Fixed and removable Disks All fixed disks All removable disks OS installed drive Documents and Settings folder Program Files folder Windows directory Windows system directory Extension List: List of extensions that will be matched when searching for files to filter. Do not precede the extension with "." or "*." Wildcards are permitted at the end of an extension such as DOC XL* PPT.