Email scanning, 4 email scanning – Kerio Tech KERIO WINROUTE FIREWALL 6 User Manual

Page 176


Chapter 13

Antivirus control


If the object does not match any rule, it will be scanned automatically. If only selected object types are to be scanned, a rule disabling scanning of any URL or MIME type must be added to the end of the list (the Skip all other files rule is predefined for this purpose).

13.4 Email scanning

Scanning settings for the SMTP and POP3 protocols are defined on this tab. If scanning is enabled for at least one of these protocols, all attachments of transmitted messages are scanned.

Individual attachments of transmitted messages are saved in a temporary directory on the local disk. When downloaded completely, the files are scanned for viruses. If no virus is found, the attachment is added to the message again. If a virus is detected, the attachment is replaced by a notice reporting the virus that was found.
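The attachment handling described above, sketched as an added Python example (not Kerio's code). `scan_file`, its marker signature and the sample message are constructed stand-ins for a real antivirus engine and real mail.

```python
import os
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Stand-in for a real antivirus engine (assumption): flags a constructed marker.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

def scan_file(path):
    """Return a detection name if the file matches the marker, else None."""
    with open(path, "rb") as fh:
        return "Test.Constructed" if TEST_SIGNATURE in fh.read() else None

def scan_message(raw, scanner=scan_file):
    """Scan each attachment; return (rewritten bytes, [(filename, detection)])."""
    msg = message_from_bytes(raw, policy=policy.default)
    detections = []
    for part in msg.walk():
        if part.is_multipart() or not part.is_attachment():
            continue  # containers and the message body are left untouched
        name = part.get_filename() or "unnamed"
        # Save the complete decoded attachment to a temporary file, then scan it.
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(part.get_payload(decode=True) or b"")
        try:
            verdict = scanner(tmp.name)
        finally:
            os.unlink(tmp.name)
        if verdict:
            detections.append((name, verdict))
            # Replace only this attachment with a notice; the message still flows.
            part.set_content(f"Attachment {name!r} was removed: {verdict} found.\n")
    return msg.as_bytes(), detections

def build_sample():
    """Constructed sample message with one clean and one flagged attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.net"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attachments.\n")
    msg.add_attachment(b"plain data", maintype="application",
                       subtype="octet-stream", filename="notes.bin")
    msg.add_attachment(b"xx" + TEST_SIGNATURE, maintype="application",
                       subtype="octet-stream", filename="invoice.bin")
    return msg.as_bytes()

if __name__ == "__main__":
    rewritten, found = scan_message(build_sample())
    print(found)
    print(rewritten.decode())
```

The headers, body and clean attachment pass through unchanged, which is why the mail client and server see a normal, complete transfer even when an attachment was flagged.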

Note: Warning messages can also be sent to specified email addresses (e.g. to network administrators) when a virus is detected. For details, refer to chapter 19.4.

Warning

1. Antivirus control within WinRoute can only detect and block infected attachments. Attached files cannot be healed by this control!

2. Within antivirus scanning, it is possible to remove only infected attachments; entire email messages cannot be dropped. This is because the firewall cannot handle email messages the way mail servers do. It only handles network traffic passing through. In most cases, removal of an entire message would lead to a failure in communication with the server, and the client might attempt to send/download the message once again. Thus, one infected message might block sending/reception of any other (legitimate) mail.

3. In the case of the SMTP protocol, only incoming traffic is checked (i.e. traffic from the Internet to the local network, meaning incoming email at the local SMTP server). Checks of outgoing SMTP traffic (i.e. from the local network to the Internet) might cause problems with temporarily undeliverable email (for example in cases where the destination SMTP server uses so-called greylisting).

To also check outgoing traffic (e.g. when local clients connect to an SMTP server outside the local network), define a corresponding traffic rule using the SMTP protocol inspector. For details, see chapter 13.2.

Advanced parameters and actions that will be taken when a virus is detected can be set in the Email scanning tab.

In the Specify an action which will be taken with attachments... section, the following actions can be set for messages considered by the antivirus as infected:

Move message to quarantine: untrustworthy messages will be moved to a special directory on the WinRoute host. The WinRoute administrator can try to heal infected files and later send them to their original addressees.
