3. Procedure – Configuring ZCV

Purpose: 

To filter HTTP traffic for viruses in Zorp, ZCV has to be configured first. The following configuration uses mostly default options, but enables trickling (disabled by default) and sets a size limit for the objects to be inspected, that is, an action for files that are considered too large to be scanned for viruses. Complete the following steps.

All of these settings, including the default options, can also be set without ZMC by editing the configuration files of ZCV directly. The exact configuration is shown at the end of this tutorial.

Steps: 

  1. If you have not already done so, add the Content Vectoring component to the host that will be used for content vectoring. For details, see Procedure 3.2.1.3.1, Adding new configuration components to host, in the Zorp Professional 7 Administrator Guide.

  2. Create a new module instance of a virus-filtering module.


    Figure 1. Creating a new module instance

    1. Select Content vectoring > Modules > New file module instance.

    2. Enter a name for the instance.

    3. Select the virus-filtering module (for example, clamav) you want to use to scan the traffic in the Module field.

    4. Click OK.

  3. Configure a new scanpath.


    Figure 2. Creating a new scanpath

    1. Select Configuration > New scanpath, and enter a name for the new scanpath (for example, http).

    2. Select the Bypass scanning large files option.

    3. Set the Oversize action option to Accept. Note that with this setting, objects larger than the threshold reach the client without being scanned for viruses.

    4. Optional Step: Adjust the Oversize threshold option.

      The size of the largest object to scan is specified in bytes in the Oversize threshold parameter (the default value is 10485760, that is, 10 MB). It might be useful to set it to a lower value: staying with the bandwidth example above, downloading a 10 MB file takes ~5 minutes. From a security point of view, however, there is only a slight difference between filtering files up to 10 MB, 5 MB or 2 MB. The vast majority of viruses spread in files under 1 MB. Naturally, a higher threshold lets less data pass without scanning, but viruses and other malicious content are typically only 50-200 KB. If the size limit is 2 MB, large files are trickled for only ~1 minute, so the user has to wait much less. Set Oversize threshold to either 2097152 (2 MB) or 5242880 (5 MB).

  4. Select the General tab > Add file module, select the module created in Step 2 (for example, clamav), then click Select.

  5. Select the Trickle > Percent option to enable trickling, then click OK.

  6. Select Configuration > New rulegroup, and enter a name for the new rulegroup (for example, http).


    Figure 3. Creating a new rulegroup

  7. Select the scanpath created in Step 3 in the Target scanpath field.

  8. Select the Global tab, and configure how ZCV accepts connections from Zorp.

    • If Zorp and ZCV are running on the same host, select the Local option.

    • Otherwise, specify the IP address that ZCV should bind to (an address reachable from the Zorp host).


    Figure 4. Configuring Zorp-ZCV communication
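The following script is an added example and is not part of the tutorial or of the ZCV product; it models the sizing trade-off behind the Oversize threshold chosen in Step 3. The link rate it assumes is derived from the tutorial's own statement that a 10 MB download takes about 5 minutes (an assumption, the actual bandwidth example is given earlier in the tutorial). Given an acceptable user wait time it returns the largest of the candidate thresholds (2 MB, 5 MB, 10 MB) whose full download, and therefore trickling period, fits within that wait.

```python
# Added example, not code from the Zorp/ZCV tutorial or product.
# Models the Oversize threshold trade-off from Step 3: with trickling enabled,
# a scanned object is released to the client only after the whole object has
# been downloaded and scanned, so the threshold bounds the user's wait time.

CANDIDATE_THRESHOLDS = {
    "2MB": 2097152,
    "5MB": 5242880,
    "10MB": 10485760,   # ZCV default Oversize threshold
}

# Assumption: link rate implied by the tutorial's "10 MB takes ~5 minutes".
TUTORIAL_LINK_BPS = CANDIDATE_THRESHOLDS["10MB"] / 300.0


def download_seconds(size_bytes, link_bps=TUTORIAL_LINK_BPS):
    """Seconds a client waits for an object of size_bytes at link_bps bytes/s."""
    if link_bps <= 0:
        raise ValueError("link rate must be positive")
    if size_bytes < 0:
        raise ValueError("object size must not be negative")
    return size_bytes / link_bps


def choose_threshold(max_wait_seconds, link_bps=TUTORIAL_LINK_BPS,
                     candidates=CANDIDATE_THRESHOLDS):
    """Largest candidate threshold whose full download fits in max_wait_seconds.

    Returns a (label, bytes) tuple, or None when even the smallest candidate
    exceeds the acceptable wait; in that case a lower custom value is needed.
    Objects above the chosen threshold are handled by the Oversize action
    (Accept in the tutorial), i.e. they are passed on unscanned.
    """
    fitting = [(label, size) for label, size in candidates.items()
               if download_seconds(size, link_bps) <= max_wait_seconds]
    if not fitting:
        return None
    return max(fitting, key=lambda item: item[1])


def wait_table(link_bps=TUTORIAL_LINK_BPS, candidates=CANDIDATE_THRESHOLDS):
    """Per-threshold wait time in seconds, for comparing the candidates."""
    return {label: round(download_seconds(size, link_bps))
            for label, size in candidates.items()}


if __name__ == "__main__":
    for label, secs in wait_table().items():
        print(f"{label:>5}: user waits ~{secs} s before the object is released")
    print("threshold for a 90 s wait budget:", choose_threshold(90))
    print("threshold for a 30 s wait budget:", choose_threshold(30))
```

On the tutorial's link rate the table reproduces the numbers in Step 3 (10 MB ≈ 300 s, 2 MB ≈ 60 s); on a faster link the 10 MB default may be perfectly acceptable, which is why the threshold should be chosen per deployment rather than copied.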