6. Procedure – Enabling virus filtering for uploads

Purpose: 

In case your security policies require it, you can enable virus filtering for files that your users upload to external servers. This is also required when protecting a server to which files can be uploaded from outside. To achieve this, you have to modify the HttpVirusProxy created in Procedure 5, Enabling virus filtering in HTTP. Complete the following steps.

Note

If enabled in ZCV, then trickling is performed in this case as well, but this time towards the server in order to avoid server-side timeouts.

The HTTP proxy will pass not only the data, but the HTTP headers as well to the stacking provider, so it can use them for the MIME decapsulation. The virus-filtering modules are able to decode MIME-encoded content.

Steps: 

  1. Select Zorp > Proxies, then select the HttpVirusProxy proxy class.

    Figure 13. Selecting a proxy class

  2. Add the self.request_stack attribute to the Changed config attributes panel.

  3. Select this new attribute, then click Edit > New.

  4. Enter the * (asterisk) character, then click OK.

  5. Click on the text in the Type field, then select type_http_stk_mime. (When uploading files via HTTP, the files have to be sent MIME-encoded, while this is not required for downloading. MIME encoding is important only when uploading multiple files. The headers are needed for the MIME decapsulation.)

  6. Click Edit, then select the second row of the appearing panel (the one having zorp_stack in its Type field). Click Edit.

    Figure 14. Selecting when to stack

  7. Configure the proxy to send the incoming data to ZCV.

    1. Select Stacking type > Stacking provider.

    2. In the Provider field, select the stacking provider policy (for example, zcv) created in Procedure 4, Making ZCV available for Zorp services.

    3. In the Rulegroup field, select the rulegroup (for example, http) created in Procedure 4, Making ZCV available for Zorp services.

    4. Click OK.

    Python: Modify the HttpProxy class which stacks ZCV to inspect the uploaded data.

    self.request_stack["*"]=(HTTP_STK_MIME, (Z_STACK_PROVIDER, "ZCV", "http"))

  8. Optional Step: Note that with the configuration set in the previous steps, every HTTP response and request is scanned for viruses, if it contains data. (For example, according to the RFC, HEAD responses and GET requests do not have data parts.) To filter only the POST requests, complete the following steps.

    1. On the Proxies tab, select HttpVirusProxy, then select self.request_stack, and click Edit.

    2. Select the * key, then click Edit key. Type POST, then click OK.

      Python:

      self.request_stack["POST"]=(HTTP_STK_MIME, (Z_STACK_PROVIDER, "ZCV", "http"))

  9. Optional Step: It is even possible to specify different proxy classes for the different request/response types. To accomplish this, you will need to add two values to the self.response_stack attribute. The first one will specify which virus filtering proxy to use for POST responses, the second one for GET responses. That way it is possible to use different scanpaths or different virus-filtering modules for the different response types. For example, you can examine the downloaded data with a rulegroup that uses the clamav and nod32 engines, but use only one module to examine the uploaded data. To accomplish this, complete the following steps.

    1. Navigate to the Content vectoring ZMC module, and create a new scanpath and a new rulegroup that will be used to examine HTTP GET requests (for example, name this rulegroup http_get).

    2. Navigate to the Zorp ZMC module, select Proxies > HttpVirusProxy > self.response_stack, then click Edit.

    3. Select the POST key, then click Edit. Select the row containing zorp_stack, then click Edit.

    4. Select the rulegroup you want to use to filter POST requests (for example, http).

      Python:

      self.request_stack["POST"]=(HTTP_STK_MIME, (Z_STACK_PROVIDER, "ZCV", "http"))

    5. Add a new key to the self.response_stack attribute. Enter GET as the key value.

    6. Click on the text in the Type field, then select type_http_stk_data. Select the rulegroup you want to use to filter GET requests (for example, http_get).

      Python:

      self.response_stack["GET"]=(HTTP_STK_DATA, (Z_STACK_PROVIDER, "ZCV", "http_get"))
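
Step 5 selects type_http_stk_mime because the stacked scanner needs the request headers to locate the MIME boundary of an upload. The following is an added example, not part of the original procedure or of Zorp or ZCV: it uses Python's standard email parser as a stand-in for the decapsulation, and the boundary, file names and file contents are constructed sample data.

```python
import base64
from email import message_from_bytes

# Constructed sample: a two-file multipart/form-data upload (not captured traffic).
BOUNDARY = "constructed-boundary-42"
HEADERS = {"Content-Type": f"multipart/form-data; boundary={BOUNDARY}"}
FILE_A = b"quarterly numbers"
FILE_B = b"\x00\x01binary-sample\xff"
BODY = b"\r\n".join([
    b"--" + BOUNDARY.encode(),
    b'Content-Disposition: form-data; name="f1"; filename="report.txt"',
    b"Content-Type: text/plain",
    b"",
    FILE_A,
    b"--" + BOUNDARY.encode(),
    b'Content-Disposition: form-data; name="f2"; filename="tool.bin"',
    b"Content-Type: application/octet-stream",
    b"Content-Transfer-Encoding: base64",
    b"",
    base64.b64encode(FILE_B),
    b"--" + BOUNDARY.encode() + b"--",
    b"",
])


def decapsulate(body, headers=None):
    """Return [(filename, payload_bytes)] as a MIME-aware scanner would see them.

    Without the HTTP headers the boundary is unknown, so the whole body
    comes back as a single undecoded blob with no file name.
    """
    head = b"".join(f"{k}: {v}\r\n".encode("ascii")
                    for k, v in (headers or {}).items())
    msg = message_from_bytes(head + b"\r\n" + body)
    if not msg.is_multipart():
        return [(None, msg.get_payload(decode=True))]
    # Leaf parts only; get_payload(decode=True) undoes base64/quoted-printable.
    return [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.walk() if not p.is_multipart()]


if __name__ == "__main__":
    print("headers + data:", decapsulate(BODY, HEADERS))
    print("data only     :", decapsulate(BODY))
```

With the headers, each uploaded file is handed over separately and decoded; with the data alone, the second file is only present in its encoded form inside one opaque body.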