Secure Computing SSL Scanner User Manual

USER’S GUIDE

Webwasher

SSL Scanner

Version 6.5

www.securecomputing.com

Part Number: 86-0946643-A
All Rights Reserved, Published and Printed in Germany

©2007 Secure Computing Corporation. This document may not, in whole or in part, be copied, photocopied,

reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent
in writing from Secure Computing Corporation. Every effort has been made to ensure the accuracy of this
manual. However, Secure Computing Corporation makes no warranties with respect to this documentation
and disclaims any implied warranties of merchantability and fitness for a particular purpose. Secure Comput­ing Corporation shall not be liable for any error or for incidental or consequential damages in connection with
the furnishing, performance, or use of this manual or the examples herein. The information in this document
is subject to change without notice. Webwasher, MethodMix, AV PreScan, Live Reporting, Content Reporter,
ContentReporter, Real-Time Classifier are all trademarks or registered trademarks of Secure Computing Cor­porationin Germany and/or other countries. Microsoft, Windows NT,Windows 2000 are registered trademarks
of Microsoft Corporation in the United States and/or other countries . McAfee is a business unit of Network
Associates, Inc. CheckPoint, OPSEC, and FireWall-1 are trademarks or registered trademarks of CheckPoint
Software Technologies Ltd. or its affiliates. Sun and Solaris are trademarks or registered trademarks of Sun
Microsystems, Inc. in the United States and other countries. Squidis copyrighted by the University of Califor­nia, S an Diego. Squid uses some code developed by others. Squid is Free Software, licensed under the terms
of the GNU General Public License. The Mozilla SpiderMonkey and NSPR libraries distributed with Webwasher
are built from the original Mozilla source code, without modifications (MPL section 1.9). The source code is
available under the terms of the Mozilla Public License, Version 1.1. NetCache is a registered trademark of
Network Appliances, Inc. in the United States and other countries. Linux is a registered trademark of Linus
Torvalds. Other product names mentioned in this guide may be trademarks o r registered trademarks of their
respective companies and are the sole property of their respective manufacturers.

Secure Computing Corporation
Webwasher – A Secure Computing Brand

Vattmannstrasse 3, 33100 Paderborn, Germany
Phone: +49 (0) 5251 50054-0
Fax: +49 (0) 5251 50054-11

info@webwasher.com
www.webwasher.com
www.securecomputing.com

European Hotline

Phone: +49 (0) 5251 50054-460

US Hotline

Phone: +1 800 700 8328, +1 651 628 1500

Contents

Chapter 1 Introduction ....................................................................................... 1– 1

1.1 About This Guide

1.2 What Else Will You Find in T his Introduction?

1.3 Using Webwasher

1.3.1 First Level Tabs

1.3.2 Configuring a Sample Setting

1.3.3 General Features of the Web Interface

1.4 Other Documents

1.4.1 Documentation on Main Products

1.4.2 Documentation on Special Products

1.5 The Webwasher Web Gateway Security Products

........................................................................... 1– 2

...................................... 1– 2

.......................................................................... 1– 3

............................................................................. 1– 4

........................................................... 1– 5

............................................... 1– 7

.......................................................................... 1–11

...................................................... 1–12

.................................................. 1–13

................................ 1–14

Chapter 2 Home

2.1 Overview

2.2 Dashboard

2.2.1 Executive Summary

2.2.2 Traffic Volume

2.2.3 System

2.3 Overview (Feature)

2.3.1 Overview (Feature)

2.4 Support

2.4.1 Support

2.5 TrustedSource

2.5.1 TrustedSource

2.5.2 Malware Feedback Black List

2.5.3 Feedback

2.6 Manuals

2.6.1 Documentation on Main Products

2.6.2 Documentation on Special Products

2.6.3 Additional Documentation

2.7 Preferences

2.7.1 Preferences

2.8 License

2.8.1 Information

2.8.2 Notification

.................................................................................................. 2– 1

..................................................................................... 2– 2

................................................................................... 2– 2

....................................................................... 2– 8

............................................................................... 2–11

........................................................................................ 2–13

........................................................................ 2–18

........................................................................ 2–19

....................................................................................... 2–23

....................................................................................... 2–23

.............................................................................. 2–24

.............................................................................. 2–25

..................................................................................... 2–33

....................................................................................... 2–34

.................................................................................. 2–40

.................................................................................. 2–40

........................................................................................ 2–44

................................................................................... 2–45

................................................................................... 2–48

........................................................... 2–30

...................................................... 2–35

.................................................. 2–37

................................................................ 2–39

Chapter 3 Common

3.1 Overview

3.2 Quick Snapshot

3.2.1 Quick Snapshot

3.3 Media Type Filters

3.3.1 Actions

3.3.2 Media Type Black List

3.3.3 Media Type White List

........................................................................................ 3– 9

............................................................................................. 3– 1

..................................................................................... 3– 2

............................................................................. 3– 3

............................................................................. 3– 4

......................................................................... 3– 8

..................................................................... 3–13

.................................................................... 3–16

i

User’s Guide

3.4 Document Inspector....................................................................... 3–19

3.4.1 Document Inspector

3.5 Archive Handler

3.5.1 Archive Handler

3.6 Generic Header Filter

3.6.1 Generic Header Filter

3.7 Generic Body Filter

3.7.1 Generic Body Filter

3.8 Advertising Filters

3.8.1 Settings

3.8.2 Link Filter List

3.8.3 Dimension Filter List

3.9 Privacy Filters

3.9.1 Settings

3.9.2 Cookie Filter List

3.10 Text Categorization

3.10.1 Settings

3.10.2 Categorization List

3.11 HTTP Method Filter List

3.11.1 HTTP Method Filter List

3.12 FTP Command Filter List

3.12.1 FTP Command Filter List

3.13 Welcome Page

3.13.1 Welcome Page

3.14 White List

3.14.1 White List

3.15 User Defined Categories

3.15.1 User Defined Categories

3.16 Media Type Catalog

3.16.1 Media Type Catalog

....................................................................... 3–20

............................................................................. 3–26

............................................................................. 3–27

..................................................................... 3–29

..................................................................... 3–30

........................................................................ 3–32

........................................................................ 3–33

.......................................................................... 3–35

....................................................................................... 3–36

............................................................................... 3–44

....................................................................... 3–47

............................................................................... 3–50

....................................................................................... 3–51

............................................................................ 3–56

........................................................................ 3–58

....................................................................................... 3–59

......................................................................... 3–61

.................................................................. 3–64

.................................................................. 3–65

................................................................. 3–68

................................................................. 3–69

.............................................................................. 3–73

.............................................................................. 3–74

..................................................................................... 3–78

..................................................................................... 3–79

................................................................. 3–83

................................................................. 3–83

....................................................................... 3–85

....................................................................... 3–86

Chapter 4 SSL Scanner

4.1 Overview

4.2 Quick Snapshot

4.2.1 Quick Snapshot

4.3 Certificate Verification

4.3.1 Certificate Verification

4.4 Scan Encrypted Traffic

4.4.1 Scan Encrypted Traffic

4.5 Certificate List

4.5.1 Certificate List

4.6 Trusted Certificate Authorities

4.6.1 Trusted Certificate Authorities

4.7 Global Certificate List

4.7.1 Global Certificate List

4.8 Global Trusted Certificate Authorities

4.8.1 Global Trusted Certificate Authorities

4.9 Incident Manager

4.9.1 Incident Manager

....................................................................................... 4– 1

..................................................................................... 4– 2

............................................................................. 4– 2

............................................................................. 4– 4

..................................................................... 4– 5

..................................................................... 4– 6

.................................................................... 4– 8

.................................................................... 4– 9

............................................................................... 4–13

............................................................................... 4–14

..................................................................... 4–22

..................................................................... 4–22

........................................................................... 4–28

........................................................................... 4–29

........................................................... 4–17

........................................................... 4–18

................................................. 4–26

................................................. 4–26

ii

Introduction

Welcome to the User’s Guide Webwasher® SSL Scanner. It provides you
with the information needed to configure and use the Webwasher SSL Scan­ner,which is one of the Web Gateway Security products developed by Secure
Computing.

The Webwasher SSL Scanner enables you to extend your existing Web usage
and security policies to the HTTPS protocol and to prevent certificate misuse.

SSL-encrypted content, including viruses, spyware, MP3s, pornography, and
confidential company files, is beyond the reach of any Anti-Virus scanner and
content filter.

The SSL Scanner allows you to manage this encrypted content in the same
way as HTTP content and thus to prevent policy evasion, while it is also scan­ning Web traffic for all kinds of threats to your network.

Chapter 1

1–1

Introduction

1.1
About This Guide

The following overview lists the chapters of this guide and explains briefly what
they are about:

User’s Guide – Webwasher SSL Scanner

Introduction Provides introductory information.
Home Describes basic features that are common to the SSL Scanner and

Common Describes filtering features that are common to the SSL Scanner

SSL Scanner Describes the filtering features that are specific to the SSL Scanner.

other Webwasher Web Gateway Security products.

and other Webwasher Web Gateway Security products.

1.2
What Else Will You Fin

In addition to the overview that was given in the previous section, this intro­duction also:

• Explains how to h
washer, see 1

• Informs you about the other documents that are provided for users of Web­washer, see 1

• Provides a list of the Webwasher Web Gateway Security products and
gives a brief description for each of them, see 1

andle the Web interface that is provided for using Web-

.3.

.4.

d in This Introduction?

.

1.3
Using Webwasher

A user-friendly, task-oriented Web interface has been designed for handling
the Webwasher features. It looks like this:

Introduction

The following sections provide some information to mak
interface. These sections:

• List the first level tabs of this interface and explain their meanings, see

1

.3.1.

• Describe a sample procedure showing how a setting is configured for a
Webwasher feature, see 1

• Explain more about the general features of this

.3.2.

e you familiar with this

interface, see 1

.3.3.

1–3

Introduction

1.3.1
First Level Tabs

The Web interface displays a number of tabs and sections for configuring the
Webwasher features. On the topmost level, there are these ten tabs:

• Home, Common, URL Filter, Anti Malware, Anti Spam, SSL Scanner, User
Management, Reporting, Proxies, and Configuration

Their meaning is as follows:

Home, Common – These tabs are for configuring basic and filtering features

that are used not only by the SSL Scanner,but also by other Webwasher Web
Gateway Security products.

Among these features are system alerts, licensing features, media type filters,
etc.

SSL Scanner – This is the top level tab for configuring the features that are

specific to the SSL Scanner.
The tabs mentioned in the following are not described in this document:

URL Filter, Anti Malware, Anti Spam – These are tabs for configuring the

features of other Webwasher Web Gateway Security products.
Note that the Anti Malware tab is used for both the Webwasher Anti-Virus

and the Webwasher Anti-Malware product.
For a description of these tabs, see the corresponding User’s Guides.

User Management, Reporting, Proxies, Configuration – These are tabs

for configuring features that adapt Webwasher to the
running in.

For their description, see the System Configuration Guide.

system environment it is

1–4

1.3.2
Configuring a Sample Setting

This section explains how to configure a sample setting of a Webwasher fea­ture. The feature chosen here for explanation is the Animation Filter.

In order to avoid the download of bandwidth-consuming animated images, this
filter detects and modifies or removes them.

For this sample setting, just suppose you want to enable the filter and let it
removeany suchimages from the filtered objects. Youalsowant thesesettings
to be part of your default filtering policy.

The following overview shows the main steps you need to complete in order to
configure the feature in this way:

Configuring the Animation Filte r – Overview

Step 1 Navigate to the section.

Introduction

2 Configure settings.
3 Make settings effective.

In more detail, these steps include the following activities:

1. Navigate to the section
a. Select the Common tab:

b. In the navigatio
located under Policy:

nareaontheleft,selectAdvertising Filters,whichis

1–5

Introduction

defaultis selected in the line below Policy, whichmeans that the settings

you are going to configure now will be valid under your default filtering
policy. So, leave this selection as it is.

Otherwise,you couldselect adifferent filtering policy,usingthe drop-down
list provided here.

c. EnableAdvertising Filters. To do this, mark the checkbox next to the
inscription.

You need to do this because all features that are placed under this main
feature (like the Animation Filter) will only work if it is enabled.

d. From the tabs provided for configuring the Advertising Filters op­tions, select the Settings tab:

The Animation Filter section is located on this tab:

2. Configure settings
a. Enable the feature. To do this, mark the checkbox next to the sec

heading.
b. Check the radio button labeled Remove all animated images.

Note: To get help information on these settings, click on

mark in the top right corner of the section.
The section should now look like this:

the question

tion

1–6

3. Make settings effective
Click on the Apply Changes button:

This completes the sample configuration.

1.3.3
General Features of the Web Interface

This section explains more about the features that are provided in the Web
interface for solving general tasks, e. g. applying changes to the Webwasher
settings or searching for a term on the tabs of the interface.

The following features are explained here:

• Apply Changes

Introduction

• Click History

• Information Update

• Logout

• Main Feature Enabling

• Search

• Session Length

• System Information

Apply Changes

After modifying the settings in one or more of the sections on a tab, you need to
click on the Apply Changes button to make effective what you have modified.

The Apply Changes button is located in the top right corner of the Web inter­face area:

When modifying settings that belong only to a particular filtering policy,you can
make the modified settings apply to all policies nevertheless.

An arrow is displayed next to the Apply Changes button on each tab where
policy-dependent settings can be configured:

1–7

Introduction

Clicking on this arrow will display a button, which you can use to apply changes
to all policies.

After clicking on this button, your modifications will be valid for settings of all
policies.

When you are attempting to leave a tab after modifying its settings, but without
clicking on Apply Changes , an alert is displayed to remind you to save your
changes:

Answerthe alert by clicking Yes or No according to what you intendto do about
your changes. This will take you to the tab you invoked before the alert was
displayed.

Clicking on Cancel will make the alert disappear, so you can continue your
configuration activities on the current tab.

Click History

The tabs you visited while configuring settings are recorded on t
corner of the Web interface area. They are recorded together with the paths
leading to them.

The current tab and path are always visible in the displa

Clicking on the arrow to the right of the path display will show the “click history”,
i. e. a list of the tabs you visited prior to this one:

y field, e. g.:

he top left

1–8

Clicking on any of the entries displayed in the list will take you to the corre­sponding tab.

Introduction

The click history is only recorded for the current session, i. e. until you log out.
After logging in for a new session, the recording of tabs and paths will start all
over again.

Information Update

Some parts of the information that is provided on the tabs of the Web interface
willchange from time to time. In these cases, theinformation display is updated
automatically every three seconds by Webwasher.

So, e. g. you might have performed a manual update of the anti-virus engines.
This means that the information provided in the Current Status and Log File

Content sections on the corresponding AV Engine tab will begin to change

continuously over a certain period of time until the update is completed.
These sections are then updated automatically every three seconds to reflect

the status of the update process.

Logout

To logout from a Webwasher session, click on the logout link, which is located
in middle position at the top of the Web interface area.

After logging out, the login page is displayed, where you can login again and
start a new session.

Main Feature Enabling

There are Webwasher settings that cannot only be modified if a corresponding
main feature is disabled. So, e. g. if you want to modify the settings of the

Phishing Filter sectionontheSettings tab under Anti-Spam > Message
Filters, you need to make sure the Message Filter feature itself is also en-

abled.
If you attempt to modify settings while the corresponding main feature is not

enabled, an alert is displayed to make you aware of this situation:

1–9

Introduction

Search

A Search input field and button are located in the top right corner of the Web
interface area.

Using these, you can start keyword queries of the entire Web interface by en­tering a search term in the input field and clicking on the Search button:

The search output will be presented in a separate window, which displays a
list of the tabs the search term was found on and the paths leading to them:

Clicking on any of the entries displayed in the list will take you to the corre­sponding tab.

Note: In order to be able to use the search function, make sure JavaScript is

enabled.

Session Length

When working with the Web interface, you need to mind the session length.
This interval can be configured in the Session Options section of the Ses-

sions tab under Configuration > Web Interfaces.

1–10

Introduction

After modifying the interval specified there, click on Apply Changes to make
the modification effective.

When a session has timed out, the following notification is displayed:

Click OK to acknowledge the notification. After clicking o n a tab or button of
the Web interface, the login window opens, where you can login again and
start a new session.

System Information

At the top of the Web interface area, system information is provided on the
current Webwasher session. This information includes:

• Version and build of the Webwasher software

• Name of the system Webwasher is running on

• Name of the user logged in for the current session, e. g. Admin

• Role assigned to this user, e. g. Super Administrator

• Permissions granted to this user, e. g. read/write

1.4
Other Documents

This guide belongs to a series of documents provided for users of the
Webwasher Web Gateway Security products. The following sections give an
overview of them.

The Webwasher user documentation can be viewed after navigating to the

Manuals tab of the Web interface.

Itcan also be viewed onthe WebwasherExtranet and inthe SecureComputing
Resource Center.

1–11

Introduction

The following is provided in this section for the Webwasher Web Gateway Se­curity products:

• An overview of the documents on the main products, see 1

• An overview of the documents on products for special tasks and environ­ments, see 1

.4.2

1.4.1
Documentation on Main Products

This section introduces the user documentation on the main Webwasher Web
Gateway Security products.

Document Group Document Name What about?

General Documents Deployment Planning Guide Is Webwasher suited to my environ-

Installation Guide How to install Webwasher?
Quick Configuration Guide First steps to get Webwasher

System Configuration Guide Features for configuring Webwasher

.4.1

ment?

running.

within the system environment.

Advanced Configuration
Guide

Upgrade Guide What should I know when upgrading

Product Documents User’s Guide U RL Filter Features for configuring URL filtering

User’s Guide Anti-Virus Features for configuring anti-virus

User’s Guide Anti-Malware Features for configuring

User’s Guide Anti-Spam Features for configuring anti-spam

User’s Guide SSL Scanner

– this document

Reference Docu­ment

Reference Guide Items concerning more than product,

More sophisticated configuration
tasks.

to a new Webwasher release?

policies.

filtering policies.

anti-malware filtering policies.

filtering policies.
Features for configuring

SSL-encrypted traffic filtering
policies.

e. g. features for customizing actions
or log files.

1–12

1.4.2
Documentation on Special Products

This section introduces the user documentation on the Webwasher Web Gate­way Security products for special tasks and environments.

Document Group Document Name What about?

Introduction

Content Reporter
Documents

Instant Message
Filter Documents

Special Environment
Documents

Content Reporter Installation
and Configuration Guide

Content Reporter User’s
Guide for Reporting

Instant Message Filter
Installation and Configuration
Guide

User’s Guide Instant
Message Filter

Setting Up Webwasher on
Microsoft ISA Server

Setting Up Webwasher with
Blue Coat

Setting Up NetCache with
ICAP

Installing and configuring the
Webwasher Content Reporter, which
is done separately from the main
products.

Creating reports.

Installing and configuring the
Webwasher Instant Message Filter,
which is done separately from the
main products.

Description of features.

Setting up Webwasher or a
product running with it in a special
environment.

See above.

See above.

Appliances
Documents

NTML Agent Set-up Guide Setting up an additional Webwasher

product to enable authentication
using the NTLM method on platforms
other than Windows.

HSM Agent Set-up Guide Setting up an additional Webwasher

product to enable use of a HSM
(High Security Module) device.

Appliances Installation and
Configuration Guide

Appliances Upgrade Guide What should I know when upgrading

Installing and configuring the
Webwasher appliances.

to a new release of the Webwasher
appliances?

1–13

Introduction

1.5
The Webwasher Web Gateway Security Products

The Webwasher Web Gateway Security products provide an optimal solution
for all your needs in the field of Web gateway security.

They are unique in that they offer best-of-breed security solutions for individual
threats and at the same time a fully integrated architecture that affords in-depth
security and cost/time savings through inter-operability.

A brief description of these products is given in the following.

Webwasher®
URL Filter

Webwasher®
Anti-Virus

Webwasher®
Anti-Malware

Webwasher®
Anti-Spam

Helps you boost productivity by reducing non-business related
surfing to a minimum, thus curbing your IT costs. Suppresses
offensive sites and prevents downloads of inappropriate files, thus
minimizing risks of legal liabilities.

Combines the strength of multiple anti-virus eng ines concurrently
scanning all Web and e-mail traffic. The Proactive Scanning
filtering technology additionally detects and blocks unknown
malicious code, not relying on time-delayed virus pattern updates.
This combination provides in-depth security against a multitude of
threats while offering unmatched performance through use of the
Anti-Virus PreScan technology.

Offers in-depth security against all kinds of malicious code , such
as aggressive viruses, potentially unwanted programs, spyware,
day-zero attacks and blended threats not covered by traditional
anti-virus and firewall solutions. The highly efficient anti-malware
engine is used in combination with the Proactive Scanning fil te r ing
technology.

Offers complete protection of the central Internet gateway. The
highly accurate spam detection filters stem the flood of unwanted
spam mail before it reaches the user’s desktop. Your systems
will not be impaired, the availability of valuable internal mail
infrastructures, such as group servers, is thus maintained.

1–14

Webwasher®
SSL Scanner

–this
product

Helps you protect your network against attacks via the HTTPS
protocol and prevents the disclosure of confidential corporate data,
as well as infringements of Internet us age policies, thus ensuring
that no one is illicitly sharing sensitive corporate materials.

See next page

Introduction

These two products have their own user interfaces, which are described in the
corresponding documents:

Webwasher®
Content
Reporter

Webwasher®
Instant
MessageFilter

Features a library of rich, customizable reports base d on built-in
cache, streaming media, e-mail activity, Internet access and
content filtering queries, all supported by unmatched convenience
and performance features.

Detects, reports and selectively blocks the unauthorized use
of high-risk and evasive P2P and IM f rom enterprise networks
and scans network traffic for characteristics that match the
corresponding protocol signatures.

1–15

Home

The features that are described in this chapter are accessible over the Home
tab of the Web interface:

These are basic features that are common to the SSL Scanner and other Web­washer products, e. g. system alerts, contacting the support, licensing fea­tures, etc.

Theupcoming sectionsdescribe howto handlethese features. The description
begins with an overview.

Chapter 2

2–1

Home

2.1
Overview

The following overview shows the sections that are in this chapter:

User’s Guide – Webwasher SSL Scanner

Introduction

Home Overview –thissection

Dashboard, see 2.2
Overview (Feature), see 2.3

Support, see 2.4
TrustedSource, see 2.5
Manuals, see 2.6
Preferences, see 2.7

Common
SSL Scanner

2.2
Dashboard

The dashboard is invoked b

Home:

After invoking the dashboard, the number and quality of system alerts is dis­played on the left side of the interface area:

License, see 2.8

y clicking on the corresponding button under

2–2

Clicking on each of the alert lines takes you to the Overview tab, where the
meaning of the alerts is explained and what to do about them, see also 2

.3.1.

The dashboard provides the following tabs:

They are described in the upcoming sections:

Home

• Executive Summary, see 2

• Traffic Volume, see 2.2.2

• System, see 2.2.3

Before this is done, however, the following subsection provides some general
information on the dashboard.

Handling the Dashboard

The dashboard allows you to view summary information on a number of Web­washer and system parameters at a glance. This information is in most cases
displayed with regard to a particular time interval, e. g. the number of URLs
that were filtered by Webwasher over the last three hours.

If percentages were calculated for a group of related parameter values, they
are shown by means of a pie chart on the left side of the corresponding tab
section:

.2.1

By hovering over the sections of the pie chart wit
display the individual percentages:

h the mouse cursor, you can

2–3

Home

On the right side of a section, parameter values are shown as they developed
in time, using either a line or a stacked mode, see also further below:

Moreinformation aboutthe valuesthat aremeasured anddisplayed is provided
in the upcoming sections.

The following activities can be performed for most of the dashboard values:

• Selecting categories
You can select the categories you want to have values displayed for with

regard to a particular parameter. To do this, just mark or clear the check­boxes next to the categories:

In the above example, only the values (numbers in th
were “good”, i. e. passed all filtering, are selected for display, together
with those that were blocked by the URL Filter,but omitting those that were
blocked by an anti-virus engine or by Proactive

After selecting or deselecting a category, it is immediately displayed or re­moved from display.

is case) of URLs that

Scanning.

2–4

Home

Note that the color of a category in the selection list is also used when the
category is displayed in proportion to other categories by means of a pie
chart.

Furthermore, this color is used to represent the category in stacked or line
mode:

There is a limit to the display of some parameters. There may be values in
more than six categories for these parameters, but only six categories and
their values are shown at the same time.

By default, these are the categories with the top six values. You can, how­ever, select other categories for display, using the drop-down lists, which
are provided with the categories, but not mor

If you have made your own selection of categories, a click on the button
labeled Select top 6 average values will again display the six top value
categories.

e than six:

2–5

Home

Since only the categories are shown that yielded the top six values or the
categories you selected on your own, values that may have occurred in
other categories are ignored here.

To get a representation of the total amount of values, you need to select

Others as a category:

The values for five selected categories will then be shown, together with

Others, which means that actually all categories and their values are cov-

ered.

• Selecting a time interval
You can select the time interval you want to view values for.
Use the Show last drop-down list provided in the corresponding t

tion to do this:

The time scale and values displayed for the categories are immediately
adapted according to the selected time interval.

ab sec-

2–6

Home

• Selecting stacked or line mode
You can have parameter values displayed in stacked or line mode:
— In line mode, lines aredisplayed torepresent the development of values

within a given time interval:

— In stacked mode, filled-out areas are displayed to represent the de-

velopment of values within a given time interval, but with value areas
“stacked” one on top of the other.

This means that you are always shown sums of values in this mode:

For this reason, the value scale changes when switching from line to
stackedmode since ittakes more of a scale to display values in stacked
than in line mode.

To select either stacked orline mode, check the corresponding radio button
in a tab section:

The mode of display is immediately adapted according to what you se­lected.

2–7

Home

2.2.1
Executive Summary

The Executive Summary tab looks like this:

2–8

There are three sections on this tab:

• URL Executive Summary

• Mail Executive Summary

• Number of Feedbacks Sent

They are described in the following.

Home

URL Executive Summary

The URL Executive Summary section displays the number of URLs that
wereprocessed by the Webwasher filters within a given time intervaland either
passed without restrictions or were blocked by one of these filters.

Values are shown for the following action categories:

• Good
This category is for URLs that passed the Webwasher filters without any

restrictions.

• Blocked by AV Engine
Thiscategory is forURLs that were blocked byone of theanti-virus engines

implemented within Webwasher.

• Blocked by Proactive
This category is for URLs that were blocked due to the configuration of the

Webwasher Proactive Scanning Filter.

• Blocked by URL Filter
This category is for URLs that were blocked due to the configuration of the

Webwasher URL Filter.

Mail Executive Summary

The Mail Executive Summary section displays the number of e-mails that
were processed by the Webwasher filters within a given time interval.

The section is only displayed, however, if Webwasher is configured as an
e-mail gateway. The corresponding option is enabled under Proxies, see also
the System Configuration Guide Webwasher Web Gateway Security.

Values are shown for the following e-mail categories:

• Malware
This category is for e-mails that were found to contain malware.

• Spam level high
This category is for e-mails that were classified as high-level spam.

• Spam level medium
This category is for e-mails that were classified as medium-level spam.

2–9

Home

• Spam level low
This category is for e-mails that were classified as low-level spam.

Number of Feedbacks Sent

The Number of Feedbacks Sent section displays the number of feedbacks
that were sent to Webwasher by customers within a given time interval.

Customers can send these feedbacksusing the link provided in the URL Filter

Database Feedback sectionontheFeedback tab under Home > Trust-
edSource.

Values are shown for the following feedback categories:

• Malware
This category is for feedbacks submitting samples of malware.

• False Positives
This category is for feedbacks concerning e-mails that were incorrectly

marked as spam by Webwasher.

• False Negatives
This category is for feedbacks concerning spam e-mails that were not

marked by Webwasher as such.

• URLs
This category is for feedbacks concerning URLs.

2–10

2.2.2
Traffic Volume

The Traffic Volume tab looks like this:

Home

There are two sections on this tab:

• Traffic Volume per Policy

• Traffic Volume per Protocol

They are described in the following.

Traffic Volume per Policy

The Traffic Volume per Policy section displa
see also the Prefix List at the end of this subsection) for the various policies
that have been configured under Webwasher. These may be the default poli­cies, but also policies that you have set u
displayed as they occurred within a given time interval.

Note that not more than six volumes for different policies are shown at the
same time. For more information abo
subsection labeled H

Values for the following policies are shown by default:

andling the Dashboard at the beginning of 2.2.

ut how to have volumes shown, see the

ys the traffic volume (in bytes,

p yourself. Volumes for policies are

• AVonly

• default

2–11

Home

• Emergency

Prefix List

The list below shows the prefixes that are used for multiples of bytes, with byte
valuescalculated inbinary mode, tomeasure anddisplay,e. g. trafficvolumes.

Italso shows the use ofthese prefixes with regard tomultiples of 10to measure
and display other values, e. g. numbers of hits.

Prefix List

Symbol Name ByteSymbol Byte Unit Binary Value Decimal Value

– – B Byte 2
K Kilo KB Kilobyte 2

M Mega MB Megabyte 2

G Giga GB Gigabyte 2

T Tera TB Terabyte 2
P Peta PB Petabyte 2
E Exa EB Exabyte 2

Z Zetta ZB Zettabyte 2
Y Yotta YB Yottabyte 2

0

10

20

30

40

50

60

70

80

10
10
10
10
10

10
10
10
10

0

3

6

9

12

15

18

21

24

Traffic Volume per Protocol

The Traffic Volume per Protocol section displays the traffic volume (in
bytes) that occurred on the connections used by Webwasher under the dif­ferent protocols within a given time interval.

Values are shown for the following protocols:

• HTTP

• HTTPS

• FTP

• Mail

2–12

2.2.3
System

Home

The System tab is shown here in two parts because of its size. The upper
part of the tab looks like this:

2–13

Home

The lower part looks like this:

There are seven sections on this tab:

• Update Status

• Open Ports

• CPU Utilization

• Memory Usage

• Swap Utilization

• Filesystem Utilization

• Network Utilization

They are described in the following.

2–14

Home

Update Status

TheUpdate Status section displays the status of several Webwasher filtering
features, e. g. SmartFilter, Secure A nti Malware, etc., which can be updated
to ensure that the latest filtering rules, methods, signatures, etc. are used by
Webwasher.

The following information is displayed for each feature:

• Feature
Name of the feature

• Version
Version of the feature

• Last Update
Time when the feature was last updated

Open Ports

The Open Ports (Webwasher Listener) section displays the various ports
that are currently open, with Webwasher listening for requests sent over these
ports.

The following information is displayed for each port:

• Interface

IP address of site communicating with Webwasher over the port

• Port

Port number

• Protocol

The protocol under which communication is going on over the port

• Service

The service Webwasher delivers over the port, e. g. acting as HTTP proxy

• Status

The status Webwasher has with regard to the port, e. g. listening

2–15

Home

CPU Utilization

The CPU Utilization (All CPUs) section shows to what extent the CPUs of
the system Webwasher is running on have been used. within a given time
interval.

Values are shown for the following categories of CPU utilization:

• System

The percentage of the CPU utilization caused by the system

• Idle

The percentage of idle time

• Webwasher

The percentage of the CPU utilization caused by Webwasher

Memory Utilization

The Memory Utilization (Physical Memory) section displays the percent­ages and absolute values (in bytes) of free and used physical memory of the
system Webwasher is running on within a given time interval.

Values are shown for the following categories of memory utilization:

• Free
Amount of physical memory that was free

• Used
Amount of physical memory that was used

Swap Utilization

The Swap Utilization (Virtual Memory) section displays the percentages
and absolute values (in bytes) of free and used swap memory of the system
Webwasher is running on within a given time interval.

2–16

Values are shown for the following categories of swap utilization:

• Free
Amount of swap memory that was free

Home

• Used
Amount of swap memory that was used

Filesystem Utilization (Used Capacity)

The Filesystem (Used Capacity) section displays the percentages of used
memory on the file systems where the various Webwasher folders reside.
Memory values are shown as they occurred within a given time interval.

They are shown for the following folders:

• Webwasher temp Folder

• Webwasher log Folder

• Webwasher mail Folder

• Webwasher conf Folder

• Webwasher info Folder

Network Utilization

The Network Utilization (All Interfaces) section displays the percentages
and absolute values (in bytes) of network utilization for requests that were re­ceived or sent by Webwasher over all its interfaces within a given time interval.

Values are shown for the following request categories:

• Received

Requests received over the network

• Sent

Requests sent over the network

2–17

Home

2.3
Overview (Feature)

The O verview options are invoked by clicking on the corresponding button
under Home:

The options are arranged under the following tab:

They are described in the upcoming section:

•

2.3.1
Overview (Feature)

The Overview tab looks like this:

Home

There are four sections on this tab:

• System Alerts

• System Summary

• One-Click Lockdown

• Version Information

They are described in the following.

2–19

Home

System Alerts

The System Alerts section looks like this:

This section displays alerts to make you aware of any problems concerning the
system status. The function underlying these alerts is also known as “Security
Configurator”.

To the left of each alert text, a field in red, orange, or yellow color indi
relative importance of the alert.

To the right of each alert text, a link is displayed. Click on this link to navigate
to a tab where you can configure the relevant settings as a mea
the problem that caused the alert.

So, e. g., the warning There has been no Anti Virus update check for at

least 3 days is followed by a link labeled Check Update Mana

Clicking on that link will take you to the AV Engine tab, where an update of
the kind requested by the alert can be performed.

An alert is repeated on tab or tabs dealing with the
So,e.g.thewarningThere has been no Anti Virus update check for at

least 3 days, is repeated on the General Settings tab, which is provided for

configuring the general settings of virus

scanning.

topic in question.

cates the

sure against

ger.

2–20

System Summary

The System Summary section looks like this:

This section displays information on the system status.

Home

Information is provided on the user who is currently logged in and on the anti
virus engines that are installed showing also their current versions.

Furthermore, the last updates of the databases containing th
URLs, viruses and spam are displayed, as well as the version of the certificate
revocation list.

Clicking on the links that are provided here, e. g. on the Pro

Database link, will take you to the corresponding Update Manager tabs,

where you can configure and manually perform updates of the databases.

One-Click Lockdown

The One-Click Lockdown section looks like this:

e rules for filtering

active Scanning

Using this section, you can enable an emergency mode to apply a single strict
policy overruling all other polic

This might be useful in a situation when, e. g. a new virus emerges. You may
then want to replace all policies that were configured for different users and
user groups by one single poli

ies.

cy, which is rather strict and binding for all.

2–21

Home

To enable the emergency mode:

• Click on the Activate emergency mode button.

This button is a toggle switch. After enabling the emergency mode, the inscrip­tion on it will read Back to normal mode.

To disable the emergency mode:

• Click on the Back to normal mode button.

When the emergency mode is enabled, there is also an alert in the System

Alerts section of this tab to remind you it is enabled:

Itis recommended to turn the emergency modeoff when itis no longerneeded.
To select the policy that will be used under the emergency mode, go to the

Mapping Process section on the Web Mapping tab under User Manage­ment > Policy Management.

The default policy to be applied under the emergency mode is a policy named

Emergency. You may also retain this policy and its settings or modify them

according to your requirements.

Version Information

The Version Information section looks like this:

2–22

This section displays information on the product v ersion and also some related
information, such as the current software build or the operating system Web­washer is running on.

To see if there is a newer version of the software available, click on the Check

for New Versions button.

2.4
Support

The Support options are invoked by clicking on the corresponding button un­der Home:

The options are arranged under the following tab:

They are described in the upcoming section:

Home

2.4.1
Support

• Support, see 2

The Support tab looks like this:

.4.1

There is one section on this tab:

• Assistance

It is described in the following.

2–23

Home

Assistance

TheAssistance section provides a link to contact the Secure Computing tech­nical support team.

A click on this link takes you to the Welcome Page of this team.
Please read the information on this page and complete the activities described

there in order to get the support you require.

2.5
TrustedSource

TheTrustedSource options are invoked by clicking onthe corresponding but­ton under Home:

The options are arranged under the following tabs:

They are described in the upcoming section:

• TrustedSource, see 2

• Malware Feedback Black List, see 2.5.2

• Feedback, see 2.5.3

.5.1

2–24

2.5.1
TrustedSource

The TrustedSource tab l ooks like this:

Home

There are four sections on this tab:

• Spam False Positives Feedback Queue

• Spam False Negatives Feedback Queue

• Malware Feedback Queue

• URL Feedback

They are described in the following.

Spam False Positives Feedback Queue

The Spam False Positives Feedback Queue section looks like this:

Using this section, you can configure the sending of feedback i n order to im­prove the spam filter.

2–25

Home

E-mails that were released from a queue after receiving a digest e-mail will be
copied to the false positives queue and sent from there to Secure Computing.

This feature is not enabled by default. If you would like to help improve the
spam filter, please mark the checkbox next to the section heading.

After specifying this setting and other settings in this section, click on Apply

Changes to make these settings effective.

Use the following items to configure the false positives feedback:

• SMTP queue to use
From this drop-down list, select an e-mail queue. After being released

from another queue, e-mails will be copied to this queue and later be sent
to Secure Computing.

The queue should be used for no other purpose than that of collecting false
positives since it will be cleared after e-mails have been sent off.

To see the e-mails that are in this queue, click on the See Content of

Queue link next to the drop-down list.

• Send interval in . . . minutes
In the input field provided here, enter a time interval (in minutes) to specify

the time that is to elapse between sending e-mails.
The default interval is 240 minutes. Entering 0 here means that no e-mails

will be sent automatically.
E-mails can be sent manually, however, using the Queue Management

page, which is launched after clicking on the See Content of Queue link
next to the drop-down list.

On this page, click on the button labeled Send All to SecureLabs now
to send the e-mails.

• E-mail address
In this input field, enter an e-mail address. All e-mails received by Web-

washercontaining this address will bemoved to the queue specifiedabove.

2–26

The default address is FalseNegativesFeedback@WillBeCaughtBy-

Webwasher.com.

Home

Spam False Negatives Feedback Queue

The Spam False Negatives Feedback Queue section looks like this:

Using this section, you can configure the sending of feedback i n order to im­prove the spam filter.

You can send e-mails that have erroneously not been classified as spam to an
address that is configured in this section. After e-mails with this address have
been received in the inbound queue of your Webwasher instance, they will be
moved from there to the false negatives queue and later be sent to Secure
Computing.

This feature is not enabled by default. If you would like to help improve the
spam filter, please mark the checkbox next to the section heading.

After specifying this setting and other settings of this section, click on Apply

Changes to make these settings effective.

Use the following items to configure the false negatives feedback:

• SMTP queue to use
From this drop-down list, select an e-mail queue. After being received

in the inbound queue, an e-mail with the address specified further below
will be moved to this queue as false negative and later be sent to Secure
Computing.

The queue should be used for no other purpose than that of collecting false
negatives since it will be cleared after e-mails have been sent off.

To see the e-mails that are in this queue, click on the See Content of

Queue link next to the drop-down list.

• Send interval in . . . minutes
In the input field provided here, enter a time interval (in minutes) to specify

the time that is to elapse between sending e-mails.
The default interval is 240 minutes. Entering 0 here means that no e-mails

will be sent automatically.

2–27

Home

E-mails can be sent manually, however, using the Queue Management
page, which is launched after clicking on the See Content of Queue link
next to the drop-down list.

On this page, click on the button labeled Send All to SecureLabs now to
send the e-mails.

• E-mail address
In this input field, enter an e-mail address. All e-mails received by Web-

washercontaining this address will bemoved to the queue specifiedabove.
The default address is FalseNegativesFeedback@WillBeCaughtBy-

Webwasher.com.

Malware Feedback Queue

The Malware Feedback Queue section looks like this:

Using this s ection, you can configure the sending of feedback i
prove the malware filter.

An e-mail that was classified as spam and contains an attachment where no
virus was found, will be copied to the malware queue an
cure Computing. Small downloads will also be copied to this queue if at least
one of the Anti Virus engines or the Proactive Scanning filter detected a virus,
but not all engines came to the same result.

This feature is not enabled by default. If you would like to help improve the
malware filter, please mark the checkbox next to the section heading.

After specifying this setting and other set

Changes to make these settings effective.

Use the following items to configure the malware feedback:

• SMTP queue to use
From this drop-down list, select an e-mail queue. E-mails and small down-

loads matching the criteria explained above will be moved to this queue as
malware and later be sent to Secure Co

tings in this section, click on Apply

mputing.

d later be sent to Se-

n order to im-

2–28

Home

The queue should be used for no other purpose than that of collecting
malware since it will be cleared after e-mails and downloads have been
sent off.

To see the e-mails that are in this queue, click on the See Content of

Queue link next to the drop-down list.

• Send interval in . . . minutes
In the input field provided here, enter a time interval (in minutes) to specify

the time that is to elapse between sending e-mails.
The default interval is 240 minutes. Entering 0 here means that no e-mails

will be sent automatically.
E-mails can be sent manually, however, using the Queue Management

page, which is launched after clicking on the See Content of Queue link
next to the drop-down list.

On this page, click on the button labeled Send All to SecureLabs now
to send the e-mails.

URL Feedback

The URL Feedback section looks like this:

Using this section, you can configure the sending of feedback i n order to im­prove the URL Filter.

URLs that have not yet been included and categorized in URL Filter Database,
can be submitted to the URL Filter Database feedback service, using the link
provided on the Feedback tab under Home > TrustedSource.

The time interval for sending feedback is configured here.
This feature is not enabled by default. If you would like to help improve the

URL filter, please mark the checkbox next to the section heading.
After specifying this setting and the setting for the send interval, click on Apply

Changes to make these settings effective.

2–29

Home

2.5.2

Use the following item to configure the URL feedback:

• Send interval in . . . minutes
In the input field provided here, enter a time interval (in minutes) to specify

the time that is to elapse between sending e-mails.
The default interval is 240 minutes. Entering 0 here means that no e-mails

will be sent automatically.
E-mails can be sent manually, however, using the Queue Management

page, which is launched after clicking on the See Content of Queue link
next to the drop-down list.

On this page, click on the button labeled Send All to SecureLabs now
to send the e-mails.

Malware Feedback Black List

The Malware Feedback Black List tab looks like this:

2–30

There is one section on this tab:

• Malware Feedback Media Type Black List

It is described in the following.

Home

Malware Feedback Media Type Black List

The Malware Feedback Media Type Black List section looks like this:

Using this section, you can add a media type to the Media Type Black List for
malware feedback. Objects belonging to the media types on this list
entered in the malware feedback queue.

To add a media type to the black list, use the area labeled:

• Select media type from catalog
Select the media type you want to have blacklisted from the drop-down list

provided here, e. g. application/ace.
Furthermore, use the following items when adding a

— Description

Input in this field is optional. You may enter a description of the media
type here.

— Add to Malware Feedback Media Type Black List

After selecting a media type, click on this button to add it to the list.
The Feedback Media Type Black List is display
To display only a particular number of list entries at a time, type this number

in the input field labeled Number of entries per page and enter it using the

Enter key of your keyboard.

ed at the bottom of this section.

media type:

will not be

If the number of entries is higher than this number, the remaining entries are
shown on successive pages. A page indicator is then displayed, where you
can select a particular page by cli

cking on the appropriate arrow symbols.

2–31

Home

To sort the list in ascending or descending order, click on the symbol next to
the Media Type or Description column heading.

To edit an entry, type the appropriate text in the input field of the Description
column and enable or disable the following options:

• Ignore in media type filter
If this option is enabled the media type in question will be ignored when the

Media Type Filter is applied to Web and e-mail downloads.

• Ignore ignore in web upload filter
If this option is enabled the media type in question will be ignored when the

Web Upload Filter is applied to outbound user-originating files via HTTP,
HTTPS and FTP.

Then click on Apply Changes to make these settings effective. You can edit
more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter
Typeafilter expression in the input field of the Media Type or Description

column or in both and enter this using the Enter key of your keyboard. The
list will then display only entries matching the filter.

• Delete Selected
Select the entry you wish to delete by marking the Select checkbox next

to it and click on this button. You can delete more than one entry in one go.
To delete all entries, mark the Select all checkbox and click on this button.

2–32

2.5.3
Feedback

The Feedback tab looks like this:

Home

There are two sections on this tab:

• Feedback E-Mail Address

• URL Filter Database Feedback

They are described in the following.

Feedback E-Mail Address

The Feedback E-Mail Add ress section looks like this:

Using this section, you can send feedback concerning the Webwasher prod­ucts to Secure Computing.

To send your feedback, click on the features@securecomputing.com link
provided in this section.

This will open an e-mail message sheet, which you can fill in and send off.

2–33

Home

URL Filter Database Feedback

The URL Filter Database Feedback section looks like this:

Using this section, you can submit uncategorized or incorrectly categorized
URLs to Secure Computing.

To do this, click on the URL Filter Database feedback link provided in this
section.

This will launch the login page for accessing the Webwasher Extranet. After
successfullylogging in there, a Welcome Pageis displayed. On thispage, click
on the option labeled Feedback system for URL Filter categorization.

Then follow the instructions given on the URL Filter Feedback page.

2.6
Manuals

The Manuals options are invoked by clicking on the corresponding button un­der Home:

The options are arranged under the following tabs:

They are described in the upcoming sections:

• DocumentationonMainProducts,see 2

• Documentation on Special Products, see 2.6.2

• Additional Documentation, see 2.6.3

.6.1

2–34

2.6.1
Documentation on Main Products

The DocumentationonMainProductstab looks like this:

Home

There are three sections on this tab:

• General Documents

• Product Documents

• Reference Document

They are described in the following.

General Documents

The General Documents section looks like thi

s:

This section allows you to view user documentation on planning, installing and
configuring Webwasher in general.

2–35

Home

To view any of the documents listed here, click on the PDF link in the same
line. This will open a .pdf format version of the document.

Product Documents

The Product Documents section looks like this:

This section allows you to view user documentation on individual Webwasher
products.

To view any of the documents listed here, click on the PDF link in the same
line. This will open a .pdf format version of the document.

Reference Document

The Reference Document section looks like this:

This section allows you to view the Webwasher Reference Guide.
To view it, click on the PDF link in the same line. This will open a .pdf format

version of the document.

2–36

2.6.2
Documentation on Special Products

The Documentation on Special Products tab looks like this:

Home

There are four sections on this tab:

• Content Reporter Documents

• Instant Message Filter Documents

• Special Environment Documents

• Appliance Documents

They are described in the following.

Content Reporter Documents

The Content Reporter Documents section looks like this:

This section allows you to view user documentation on the Webwasher report­ing tool.

To view any of the documents listed here, click on the PDF link in the same
line. This will open a .pdf format version of the document.

2–37

Home

Instant Message Filter Documents

The Instant Message Filter Documents section looks like this:

This section allows you to view user documentation on the Webwasher instant
message filtering tool.

To view any of the documents listed here, click on the PDF link in the same
line. This will open a .pdf format version of the document.

Special Environment Documents

The Special Environment Documents section looks like this:

This section allows you to view user documentation on setting up Webwasher
or products running with it in a special environment.

To view any of the documents listed here, click on the PDF link in the same
line. This will open a .pdf format version of the document.

Appliance Documents

The Appliance Documents section looks like this:

This section allows you to view user
ance.

documentation on the Webwasher appli-

.

2–38

To view any of the documents listed here, click on the PDF link in the same
line. This will open a .pdf format version of the document.

2.6.3
Additional Documentation

The Additional Documentation tab looks like this:

Home

There is one section on this tab:

• Release Notes

It is described in the following.

Release Notes

The Release Notes section looks like this:

This section allows you to view release notes and other documents containing
the latest information on the Webwasher products.

To view any of the documents listed here, click on the TXT link in the same
line. This will open a .txt format version of the document.

2–39

Home

2.7
Preferences

The Preferences options are invoked by clicking on the corresponding button
under Home:

The options are arranged under the following tab:

They are described in the upcoming section:

• Preferences, see 2

2.7.1
Preferences

The Preferences tab looks like this:

.7.1

2–40

There are three sections on this tab:

• Change Password

• View Options

• Access Permissions

Home

They are described in the following.

Change Password

The Change Password section looks like this:

Using this section, you can change the password you are using for access to
Webwasher.

After specifying the appropriate input here, click on Apply Changes to make
the new password effective.

Use the following input fields to change your password:

• Current Password
Enter your current Webwasher password here.

• Password
Enter the new password here.

• Retype password
Enter the new password here a second time to confirm it.

View Options

The View Options section looks like this:

Using this section, you can configure what you would like the Web interface to
display or not.

2–41

Home

If you are only interested in viewing and configuring settings for Web traffic,
you can hide the e-mail related settings and vice versa.

Furthermore, you can configure the change warner dialog and the configura­tion hash to be displayed or not.

After specifying the appropriate settings, click on Apply Changes to make
them effective.

Use the following checkboxes to configure view options:

• View web related settings
Make sure this checkbox is marked if you want to view the Web related

settings.

• View web mail related settings
Make sure this checkbox is marked if you want to view the e-mail related

settings.

• Show change warner dialog
Make sure this checkbox is marked if you want the change warner dialog to

appearwhenever you are attempting to leave a tab without saving changed
settings.

• Show configuration hash
Mark this checkbox to have the configuration hash displayed at the top of

the Web interface area.

Access Permissions

The Access Permissions section looks like this:

2–42

Using this section, you can configure permissions to control access to Web­washer. While you are logged in as administrator, other administrators, i. e.
other users in administrator roles, might also try to log in.

You can allow their simultaneous access, restrict it to read-only or even deny
it completely.

Home

To what extent you are allowed to configure access permissions for other ad­ministrators, depends on your seniority level. This is measured by a value
between 0 and 100. You can only configure permissions for administrators
with seniority levels lower than your own.

On the other hand, you may find your right to access Webwasher restricted or
denied when trying to log in because an administrator with an equal or higher
seniority level is currently logged in and has configured the corresponding set­tings.

So, if your seniority level is e. g. 80 and you have configured read-only access
for other administrators while you are logged in, this will apply to all adminis­trators with a seniority level of 80 or below.

If an administrator with a level of e. g. 60 logs in, a window will open providing
access in read-only mode. At the same time, the number of sessions is dis­played that are currently active, as well as the number of sessions where the
seniority level is equal to or higher than that of the administrator who is trying
to log in.

Furthermore, the number of sessions is displayed where this administrator is
allowedto modify access permissions. Inthis case, there are no such sessions
because someone with an equal or higher seniority level, i. e. you, has already
configured the corresponding settings in a particular way.

This administrator now has the choice of logging in with read-only access or
not.

On the other hand, if an administrator with a seniority level of e. g. 100 logs in,
this administrator is entitled to modify what you configured since your senior­ity level is only 80. This modification will also apply to sessions where other
administrators are already logged in.

The seniority level is configured on the Role Definition tab under User Man-

agement > Administrators.ClickontheEdit Role Permissions button

there to open a window, where you can configure a value for the seniority level.
After specifying the appropriate settings here, click on Apply Changes to

make them effective.
Use the following radio buttons to configure access permissions:

• Allow simultaneous access
Make sure this radio button is checked if you want to allow simultaneous

access. Furthermore, specify what kind of simultaneous access should be
allowed:

— Allow read/write access

Make sure this radio button is checked if you want to allow read/write
access.

2–43

Home

2.8
License

The License options are invoked by clicking on the corresponding button un­der Home:

The options are arranged under the following tabs:

— Allow read only access

Check this radio button to allow read only access.

• Deny simultaneous access
Check this radio button to deny simultaneous access.

They are described in the upcoming sections:

• Information, see 2

• Notification, see 2.8.2

.8.1

2–44

2.8.1
Information

The Information tablookslikethis:

Home

There are four sections on this tab:

• License Information

• Webwasher End User License Agreement

• Import License

• Licensed Products

They are described in the following.

2–45

Home

License Information

The License Information section looks like this:

This section displays information regarding the license of the Webwasher soft­ware.

Information is provided on the company that purchased the license, the time
interval during w hich the license is valid and other licensing issues.

Webwasher End User License Agreement

The Webwasher End User License Agreement section looks like this:

This section allows you to view the most recent version of the Webwasher end
user license agreement.

To view the agreement, click on the link that is provided here.

Import License

The Import License section looks like this:

2–46

Using this section, you can import

a license for the Webwasher software.

Home

To import a license, proceed as follows:

1. Click on the Browse button provided here and browse for the license file
you want to import.

Before you can import it, you will have to accept the end user license
agreement. To read it, click on the end user licencse agreement link
provided here.

2. If you accept the agreement, mark the checkbox labeled Ihaveread...

This will turn the button saying You have to accept the EULA first into
one saying Activate License.

3. Click on this button to import the license.

Licensed Products

The Licensed Products section looks like this:

This section displays the Webwasher products and provides information as to
whether they are c overed by your license.

For an overview of these products, see 1.5.

2–47

Home

2.8.2
Notification

The Notification tab looks like this:

There are two sections on this tab:

• System Notifications

• Too Many Clients

They are described in the following.

System Notifications

The System Notifications section looks like this:

2–48

Using this section, you can configure e-mail notifications on license issues.
These will be sent to the e-mail address of the recipient you specify here.

Home

After specifying the appropriate information, click on Apply Changes to make
your settings effective.

Use the following items to configure the system notifications:

• Send notification upon license expiry
Make sure the checkbox provided here is marked if you want to use this

option, and enter the recipient of the notificationin theRecipient input field.

• Send notification if number of licensed clients will soon be ex-

ceeded

Make sure the checkbox provided here is marked if you want to use this
option.

The recipient of this notification will be the one entered in the Recipient
input field above.

To configure the settings for the server used to process the notifications, click
on the button labeled Edit Notification Mail Server.

This will open a window where you can specify the appropriate settings:

After specifying the settings, click OK to make them effective.
Furthermore, there is a button labeled Send Test Messages in this section.

Click on this button to test your settings.

Too Many Clients

The Too Many Clients section looks like this:

2–49

Home

Using this section, you can configure messages to be written to the system log
if connections were refused due to heavy work load or license exhaustion.

After specifying the appropriate settings, click on Apply Changes to make
them effective.

Use the following items to configure log messages:

• Enable message to be written to system log
Mark this checkbox if you want log messages to be written to the system

log.
— Message text

In this input field, enter the message text. The default text is:

%d (generated %t by %o)

You can use the variable log file parameters appearing in the default
text to set up your own message text. Furthermore, you can use an
event name and a severity parameter.

The following table l ists these parameters and their meanings:

%e Short name of the event that caused the log file message to be written
%d Description of the event
%s Severity of the event
%t Local time and timezone of the host tha t generated the log file message
%o FQDN name of the host

2–50

Common

The features that are described in this chapter are accessible over the Com-

mon tab of the Web interface:

These are filtering features that are common to the SSL Scanner and other
Webwasher products, e. g. media type filters, the document inspector, the
white list, etc.

Theupcoming sectionsdescribe howto handlethese features. The description
begins with an overview.

Chapter 3

3–1

Common

3.1
Overview

The following overview shows the sections that are in this chapter:

User’s Guide – Webwasher SSL Scanner

Introduction
Home

Common Overview –thissection

Quick Snapshot, see 3.2

Policy Settings MediaTypeFilters,see3.3

Document Inspector, see 3.4
Archive Handler, see 3.5
Generic Header Filter, see 3.6

SSL Scanner

Settings

GenericBodyFilter,see3.7
Advertising Filters, see 3.8
Privacy Filters, see 3.9
Text Categorization, see 3.10
HTTP Method Filter List, see 3.11
FTP Command Filter List, see 3.12
Welcome Page, see 3.13
White List, see 3.14

User-Defined Categories, see 3.15Policy-Independent
Media Type Catalog, see 3

.16

3–2

3.2
Quick Snapshot

The Quick Snapshot for the common filtering functions is invoked by clicking
on the corresponding button under Common:

The following tab is then provided:

It is described in the upcoming section:

Common

• Quick Snapshot, see 3

.2.1

3–3

Common

3.2.1
Quick Snapshot

The Quick Snapshot tab looks like this:

3–4

There are four sections on this tab:

• Frequent Media Types by Hits

• Frequent Media Types by Volume

• Media Types by Hits

• Media Types by Volume

Common

They are described in the following.
Before this is done, however, the following subsection provides some general

information on the quick snapshot features.

Handling the Quick Snapshot

The quick snapshot features on this tab allow you to view summary information
about several media type filtering parameters at a glance. For two of them,
information is displayed with regard to a particular time interval, e. g. the
number of media that were processed by the Media Type Filter over the last
three hours, categorized and grouped according to the media type.

Percentages are calculated for the individual categories, which are shown by
means of a pie chart on the left side of the corresponding tab section.

On the right side of a section, parameter values are shown as they developed
in time, using either a stacked or a line mode.

The pie chart and the representation in stacked or line mode are handled in
the same way as on the Webwasher dashboard.

You can:

• Select and deselect categories for display by marking and clearing the cor­responding checkboxes:

• Select a time interval for display, using the Show last

• Select stacked or linemode for displayby checking the corresponding radio
button:

For a more detailed description of these activities, see the subsection labeled

andling the Dashboard in 2.2

H

drop-down list:

3–5

Common

There is, however,a property of the quick snapshot features that is not present
on the dashboard tabs. It is described in the following:

• Resetting top value lists
Forthe Media Types by Hits and Media Types by Volume parameters,

top value lists are displayed, usingthe length of bars to indicate the number
of hits or the amount of bytes for various media types:

You can choose to view the top 10, 25, etc., using a drop-down list:

The top value lists can be reset with a reset button:

After clicking on this button, all values in a list are set to zero, so the mea­surement of values can start all over again.

A timestamp is also displayed, indicating date and time of the last reset.

Frequent Media Types by Hits

The Frequent Media Types by Hits section displays the media types, e. g.

text/html, text/plain, image/jpeg, etc. that were most often processed by

the Media Type Filter within a given time interval.

Frequent Media Types by Volume

The Frequent Media Types by Volume section displays the media types,
e. g. text/html, text/plain, image/jpeg, etc. that were processed by the
Media Type Filter and consumed the greatest bandwidth volume (in bytes).

3–6

Common

Media Types by Hits

The Media Types by Hits section displays a list of the top media types, i.
e. the media types that were most often processsed by the Media Type Filter,
showing the number of hits for each of them. Hit numbers are accumulated
until the section is reset.

The following information is displayed for each media type:

• Media type
Name of the media type, e. g. text/html, text/plain, image/jpeg,etc.

• Hits
Number of times that this media type was processed by the Media Type

Filter.

Media Types by Volume

The Media Types by Hits section displays a list of the top media types that
were processed by the Media TypeFilter, according to the bandwidth (in bytes)
consumedby each ofthem. Volumesareaccumulated untilthe sectionisreset.

The following information is displayed for each media type:

• Media type
Name of the media type, e. g. text/html, text/plain, image/jpeg,etc.

• Bytes transferred
Number of bytes transferred for the media type.

3–7

Common

3.3
MediaTypeFilters

The Media Type Filters options are invoked by clicking on the corresponding
button under Common:

If you want to enable any of these options, make s ure the checkbox on this
button is also marked. The checkbox is marked by default.

After modifying the setting of this checkbox, click on Apply Changes to make
the modification effective.

These are policy-dependent options, i. e. they are configured for a particular
policy. When you are configuring these options, you need to specify this policy.

To do this, select a policy from the drop-down list labeled Policy, which is lo­cated above the Media Type Filters button:

The options are arranged under the following tabs:

They are described in the upcoming sections:

• Actions, see 3

• Media Type Black List, see 3.3.2

• Media Type White List, see 3.3.3

.3.1

3–8

3.3.1
Actions

Common

The Actions tablookslikethis:

There are two sections on this tab:

• Media Type Filter

• Web Upload Filter

They are described in the following.

3–9

Common

Media Type Filter

The Media Type Filter section looks like this:

Using this section, you can configure actions, e. g. Block, Block, log and

notify, Allow, etc., for the Media Type Filter.

This filter manages the flow of incoming media types for HTTP and FTP down­loads, as well as for SMTP.

A media (content) type is a general category of data content, such as an ap­plication, audio content, a text message, an image, a video stream, etc. The
media type tells the application that receives the data what kind of application
is needed to process the content, e. g. Real Audio is to play the audio content
for a user. Each of these media types also have subtypes, e. g. t
type has four subtypes: plain, rich text, enriched, and tab-separated values.

The actions that you configure here will be executed according to the result
achieved by the Media Type Filter for a filtered object.

You can also configure different actions for Web and e-mail traffic.
After specifying the appropriate settings here, click on Apply Changes to

make them effective.
Usethe drop-down lists providedhere to configure actions in the following way:

• Default action for unlisted media types
Should this filter find a media type that is not

Type White List or Black List, this is what will happen to it.

• Entry found in Media Type Black List

currently listed in the Media

he text media

3–10

The actions configured here will be execu
intheMediaTypeBlackList.

• Entry found in Media Type White List
The actions configured here will bee

in the Media Type White List.

xecuted for media types that are found

ted for media types that are found

Common

• Non-rectifiable media types with magic bytes mismatch
The actions configured here will be executed when content types do not

match their magic byte sequence.
So, e. g., a JPEG image namedas a GIF file wouldbe affected by a filtering

action, even though each of these media types are acceptable.

• Response without Content-Type header
The actions configured here will be executed when media type information

is contained in a response header..

Web Upload Filter

The WebUploadFiltersection looks like this:

Using this section, you can configure actions, e. g.

notify, Allow, etc., for the Web Upload Filter.

This filter protects corporate privacy and sensitive data by filtering what em­ployees send out, e. g. FTP uploads or file att
HTTP-based Web mail services, such as Hotmail or GMX.

Youcan limit the size that uploads may have or even forbid uploads of all H TTP
and FTP files.

The actions that you configure here will be executed according to the result
achieved by the Media Type Filter for a filtered object.

You can also configure different acti
After specifying the appropriate settings here, click on Apply Changes to

make them effective.

ons for Web and e-mail traffic.

achments sent through common

Block, Block, log and

3–11

Common

Furthermore, you need to enable an option on the REQMOD Settings tab to
use this filter. To do this, click on the REQMOD Settings link provided at the
bottom of this section. The option in question is labeled Apply configured

filters on uploaded and posted data.

Use the drop-down lists provided here to configure actions for the Web Upload
Filter:

• Maximal size of uploa ded parameter . . . kb
In the input field provided here, enter a value to limit the size limit (in KB)

of uploads.

• Forbid uploads of all files (HTTP)
Mark this checkbox, to forbid uploads of all HTTP files.

• Forbid uploads of all files (FTP)
Mark this checkbox, to forbid uploads of all FTP files.

• Default action for unlisted media types
Should this filter find a media type that is not currently listed in the Media

Type White List or Black List, this is what will happen to it.

• Entry found in Media Type Black List
The actions configured here will beexecuted for media types that are found

intheMediaTypeBlackList.

• Entry found in Media Type White List
The actions configured here will beexecuted for media types that are found

in the Media Type White List.

• Content not validated by magic bytes
The actions configured here will be executed when content types do not

match their magic byte sequence.
So, e. g., a JPEG image namedas a GIF file wouldbe affected by a filtering

action, even though each of these media types are acceptable.

3–12

3.3.2
Media Type Black List

The Media Type Black List tablookslikethis:

Common

There is one section on this tab:

• Media Type Black List

It is described in the following.

3–13

Common

Media Type Black List

The Media Type Black List section looks like this:

Using this section, you can add a media type to the Media Type Black List.
Objects belonging to the media types on this list will be blocked.

To add a media type to the black list, use the area labeled:

• Service Name
In this input field, enter the service name.
Select the media type you want to have blacklisted from the drop-down list

provided here, e. g. application/ace.
Furthermore, use the following items when adding a media type:

— Description

Input in this field is optional. You may enter a description of the media
type here.

— Ignore in Media Type Filter

Ifthis option is enabled, the media type inquestion will be ignoredwhen
the Media Type Filter is applied to Web and e-mail downloads.

— Ignore in Web Upload Filter

3–14

Ifthis option is enabled, the media type inquestion will be ignoredwhen
the Web Upload Filter is applied to outbound user-originating files via
HTTP, HTTPS and FTP.

Common

— Add to Media Type Black List

After selecting a media type, click on this button to add it to the list.
This addition will be valid only under the policy you are currently con-

figuring.
To add a media type to the black list for all policies, mark the checkbox

labeled Add to all policies before clicking on the button.
The Media Type Black List is displayed at the bottom of this section.
To display only a particular number of list entries at a time, type this number

in the input field labeled Number of entries per page and enter it using the

Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are
shown on successive pages. A page indicator is then displayed, where you
can select a particular page by clicking on the appropriate arrow symbols.

To sort the list in ascending or descending order, click on the symbol next to
the Media Type or Description column heading.

To edit an entry, type the appropriate text in the input field of the Description
column and enable or disable the Ignore in media type filter and Ignore

in media type filter options.

Then click on Apply Changes to make these settings effective. You can edit
more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter
Typeafilter expression in the input field of the Media Type or Description

column or in both and enter this using the Enter key of your keyboard. The
list will then display only entries matching the filter.

• Delete Selected
Select the entry you wish to delete by marking the Select checkbox next

to it and click on this button. You can delete more than one entry in one go.
To delete all entries, mark the Select all checkbox and click on this button.

3–15

Common

3.3.3
Media Type White List

The Media Type White List tab looks like this:

There is one section on this tab:

• Media Type White List

It is described in the following.

3–16

Media Type White List

The Media Type White List section looks like this:

Common

Using this section, you can add a media type to the Media Type White List.
Objects belonging to the media types on this list will be allowed.

To add a media type to the white list, use the area labeled:

• Select media type from catalog
Select the media type you want to include in the white list f

down list provided here, e. g. application/ace.
Furthermore, use the following items when adding a media type:

— Description

Input in this field is optional. You may enter a description of the media
type here.

— Ignore in Media Type Filter

Ifthis option is enabled, the media type inquestion will be ignoredwhen
the Media Type Filter is applied to Web and e-mail downloads.

— Ignore in Web Upload Filter

Ifthis option is enabled, the media type inquestion will be ignoredwhen
the Web Upload Filter is applied to outbound user-originating files via
HTTP, HTTPS and FTP.

rom the drop-

3–17

Common

— Add to Media Type White List

After selecting a media type, click on this button to add it to the list.
This addition will be valid only under the policy you are currently con-

figuring.
To add a media type to the white list for all policies, mark the checkbox

labeled Add to all policies before clicking on the button.
The Media Type White List is displayed at the bottom of this section.
To display only a particular number of list entries at a time, type this number

in the input field labeled Number of entries per page and enter it using the

Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are
shown on successive pages. A page indicator is then displayed, where you
can select a particular page by clicking on the appropriate arrow symbols.

To sort the list in ascending or descending order, click on the symbol next to
the Media Type or Description column heading.

To edit an entry, type the appropriate text in the input field of the Description
column and enable or disable the Ignore in media type filter and Ignore

in media type filter options.

Then click on Apply Changes to make these settings effective. You can edit
more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter
Typeafilter expression in the input field of the Media Type or Description

column or in both and enter this using the Enter key of your keyboard. The
list will then display only entries matching the filter.

• Delete Selected
Select the entry you wish to delete by marking the Select checkbox next

to it and click on this button. You can delete more than one entry in one go.

3–18

To delete all entries, mark the Select all checkbox and click on this button.

3.4
Document Inspector

TheDocument Inspector options are invoked by clicking on the correspond­ing button under Common:

If you want to enable any of these options, make s ure the checkbox on this
button is also marked. The checkbox is marked by default.

After modifying the setting of this checkbox, click on Apply Changes to make
the modification effective.

These are policy-dependent options, i. e. they are configured for a particular
policy. When you are configuring these options, you need to specify this policy.

To do this, select a policy from the drop-down list labeled Policy, which is lo­cated above the Media Type Filters button:

Common

The options are arranged under the following tab:

They are described in the upcoming section:

• Document Inspector, see 3

.4.1

3–19

Common

3.4.1
Document Inspector

The Document Inspector tab looks like this:

There are five sections on this tab:

• Document Download Filter

• Document Upload Filter

• Document Mail Filter

• Document Types

• General Options

They are described in the following.

3–20

Common

Document Download Filter

The Document Download Filter section looks like this:

Using this section, you can configure actions for inbound office documents that
may enter your corporate network from the Web and are potentially malicious.

The document formats that can be filtered include Microsoft Word 97-2003, Mi­crosoft Excel 95-2003, Microsoft PowerPoint 95-2003 and all known versions
of Adobe Portable D ocument Format (PDF).

Furthermore, they include the following open document formats: Generic XML,
Microsoft OpenXML, Oasis Open Document Format, and the Simple Object
Access Protocol (SOAP), which is an XML-based communications protocol for
applications.

These documents may contain “active” content. Word, Excel, PowerPoint and
Microsoft Open XML support ActiveX controls and macros, while PDF and the
Oasis Open Document Format support embedded JavaScript.

This active content may be hostile rather than friendly, so for full protection
against files that are embedded into Microsoft Office, PDF or open format doc­uments, you should use the filter provided by the Document Inspector to in­spect these documents and block malicious content from entering your corpo­rate network.

In addition to this filter, you can apply text categorization to these documents.
Ifyou wantto usethis filter,makesure thecheckbox nextto thesection heading

is marked. The checkbox is marked by default.
After specifying the appropriate settings, click on Apply Changes to make

them effective.
Use the following items to configure actions for office documents:

• Encrypted document found
From the drop-down list provided here, select an action, e. g. Block or

Allow. This action will be taken if the filter detects an inbound office docu-

ment that is potentially malicious.

• Apply Text Categorization
Mark the checkbox provided here, to apply text categorization actions to

inbound office documents.

3–21

Common

To view ormodify the actions that arecurrently configured forthese actions,
click on the Text Categorization link in the checkbox inscription.

This will take you to the Text Categorization tab, where you have access
to the corresponding settings.

Document Upload Filter

The Document Upload Filter section looks like this:

Using this section, you can configure actions for outbound user-originating of­fice documents that are potentially malicious.

The document formats that can be filtered include Microsoft Word 97-2003, Mi­crosoft Excel 95-2003, Microsoft PowerPoint 95-2003 and all known versions
of Adobe Portable D ocument Format (PDF).

Furthermore, they include the following open document formats: Generic XML,
Microsoft OpenXML, Oasis Open Document Format, and the Simple Object
Access Protocol (SOAP), which is an XML-based communications protocol for
applications.

These documents may contain “active” content. Word, Excel, PowerPoint and
Microsoft Open XML support ActiveX controls and macros, while PDF and the
Oasis Open Document Format support embedded JavaScript.

This active content may be hostile rather than friendly, so for full protection
against files that are embedded in Microsoft Office, PDF or open format docu­ments, you should use the filter provided by the Document Inspector to inspect
thesedocuments and blockmalicious contentfrom entering yourcorporate net­work.

Ifyou wantto usethis filter,makesure thecheckbox nextto thesection heading
is marked. The checkbox is marked by default.

After specifying the appropriate settings, click on Apply Changes to make
them effective.

Use the following drop-down list to configure actions for office documents:

3–22

• Encrypted document found
Select an action here, e. g. Block or Allow. This action will be taken if the

filter detects an inbound office document that is potentially malicious.

Common

Document Mail Filter

The Document Mail Filter section looks like this:

Using this section, you can configure actions for office documents that are
attached to e-mails, e. g. a .pdf format document.

The document formats that can be filtered include Microsoft Word 97-2003, Mi­crosoft Excel 95-2003, Microsoft PowerPoint 95-2003 and all known versions
of Adobe Portable D ocument Format (PDF).

Furthermore, they include the following open document formats: Generic XML,
Microsoft OpenXML, Oasis Open Document Format, and the Simple Object
Access Protocol (SOAP), which is an XML-based communications protocol for
applications.

These documents may contain “active” content. Word, Excel, PowerPoint and
Microsoft Open XML support ActiveX controls and macros, while PDF and the
Oasis Open Document Format support embedded JavaScript.

This active content may be hostile rather than friendly, so for full protection
against files that are embedded in Microsoft Office, PDF or open f
ments, you should use the filter provided by the Document Inspector to inspect
thesedocuments and blockmalicious contentfrom entering yourcorporate net­work.

Ifyou wantto usethis filter,makesure thecheckbox nextto thesection heading
is marked. The checkbox is marked by default.

After specifying the appropriate settings, click on
them effective.

Use the following items to configure actions for office documents:

• Encrypted document found
From the drop-down list provided here, select an action, e. g. Drop, Drop

and Quarantine or Allow.

Apply Changes to make

ormat docu-

This action will be taken if the filter det
an e-mail that is potentially malicious.

ects an office document attached to

3–23

Common

Document Types

The Document Types section looks like this:

Using this section, you can configure which of the filters that are accessible
over the other sections of this tab should be applied to which document for­mats.

The document formats that can be filtered include Microsoft Word 97-2003, Mi­crosoft Excel 95-2003, Microsoft PowerPoint 95-2003 and all known versions
of Adobe Portable D ocument Format (PDF).

Furthermore, they include the following open document formats: Generic XM
Microsoft OpenXML, Oasis Open Document Format, and the Simple Object
Access Protocol (SOAP), which is an XML-based communications protocol for
applications.

These documents may contain “active” content. Word, Excel, PowerPoint and
Microsoft Open XML support ActiveX controls and macros, while PDF and the
Oasis Open Document Format support embedded JavaScript.

This active content may be hostile rather than friendly, so for full protection
against files that are embedded in Microsoft Office, PDF or open format docu­ments, you should use the filter provided by the Doc
thesedocuments and blockmalicious contentfrom entering yourcorporate net­work.

By default, all filters are configured to ap
After modifying these settings, click on Apply Changes to make the modifi-

cation effective.
Note that in order to use the filters for doc

Oasis Open Document Format, you need to enable the Archive Handler, see

3

.5.

ply to all formats.

uments in Microsoft Open XML or

ument Inspector to inspect

L,

3–24

Common

Use the following checkboxes to modify the assignment of filters to document
formats:

• Download Filter
Mark or clear the checkboxes in this line to have the download filter apply

to the corresponding document formats.

• Upload Filter
Mark or clear the checkboxes in this line to have the upload filter apply to

the corresponding document formats.

• Mail Filter
Mark or clear the checkboxes in this line to have the mail filter apply to the

corresponding document formats.

General Options

The General Options section looks like this:

Using this section, you can configure filtering conditi
documents that will apply to all the filters made accessible over the other sec­tions of this tab.

You can configure different actions for documen
After specifying the appropriate settings, click on Apply Changes to make

them effective.
Use the following items to configure filtering

• Word 95 document format not readable

conditions and actions:

ons and actions for office

ts in Web and e-mail traffic.

From the drop-down lists provided here, select actions for documents in
Web and e-mail traffic, e. g. Block or Allow

These are required because this format is not supported by the Document
Inspector,which means the documents in question are unreadable for this
filter.

.

3–25

Common

• Structured Storage document, like Visio or MSI, not readable
From the drop-down lists provided here, select actions for documents in

Web and e-mail traffic, e. g. Block or Allow.
These actions will be executed if a structured storage document is unread-

able.

• Office document not readable
From the drop-down lists provided here, select actions for documents in

Web and e-mail traffic, e. g. Block or Allow.
These actions will be executed for any type of office documents that are

unreadable, perhaps due to encryption.

• Library not loadable or failed
From the drop-down lists provided here, select actions for documents in

Web and e-mail traffic, e. g. Block or Allow.
These actions will be executed if the Document Inspector library could not

be loaded.

3.5
Archive Handler

The Archive Handler options are invoked by clicking on the corresponding
button under Common:

If you want to enable any of these options, make s ure the checkbox on this
button is also marked. The checkbox is marked by default.

After modifying the setting of this checkbox, click on
the modification effective.

These are policy-dependent options, i. e. they are configured for a particular
policy. When you are configuring these options, you

Apply Changes to make

need to specify this policy.

3–26

To do this, select a policy from the drop-down list labeled Policy, which is lo­cated above the Media Type Filters button:

The options are arranged under the following tab:

They are described in the upcoming section:

Common

• Archive Handler, see 3

3.5.1
Archive Handler

The Archive Handler tab looks like this:

.5.1

There are two sections on this tab:

• Archive Handling

• Archive Handling Options

They are described in the following.

3–27

Common

Archive Handling

The Archive Handling section looks like this:

Using this section, you can configure blocking and other actions for encrypted,
corrupted, multi-part archives, archives containing mail bombs (an archive is
a mail bomb if its content size exceeds the limit set by the user), and archiv
exceeding the maximum recursion level, i. e. how deep archives are nested
within each other.

es

The size and recursion level limits are configured in the Archive Handl

Options section, which is also provided on this tab.

If a virus is contained within an archive that is compressed, the virus cannot
be detected and prevented from downloading.

The Archive Handler decompresses the members of an archive one-by-one,
andpasses them on to thevirus scanner. Whenthe archivemember containing
the virus is decompressed, virus scanner detects t
be blocked.

You can configure different actions for archives in Web and e-mail traffic.
After selecting these actions from the drop-down

Apply Changes to make your settings effective.

Archive Handling Options

The Archive Handling Options section looks like this:

he virus, so the archive can

lists provided here, click on

ing

3–28

Using this section, you can configure limits for archive sizes and recursion
levels.

After specifying the appropriate settings click on Apply Changes to make
them effective.

Use the following input fields to configure limits for archives:

• Maximum size of unpacked archive
Enter the maximum size (in MB) here that should be allowed for an archive.

• Maximum recursion level
Enter the maximum number of recursion levels here that should be allowed

for an archive.

3.6
Generic Header Filter

Common

TheGeneric Header Filter options areinvoked by clickingon thecorrespond­ing button under Common:

If you want to enable any of these options, mark the checkbox that is on this
button.

Then click on Apply Changes to make this setting effective.
These are policy-dependent options, i. e. they are configured for a particular

policy. When you are configuring these options, you need to specify this policy.
To do this, select a policy from the drop-down list labeled Poli

cated above the Media Type Filters button:

The options are arranged under the following tab:

cy, which is lo-

They are described in the upcoming section:

• Generic Header Filter, see 3

.6.1

3–29

Common

3.6.1
Generic Header Filter

The Generic Header Filter tab looks like this:

There is one section on this tab:

• Header Filter List

It is described in the following.

3–30