Creating an Anti-Virus profile

To create an Anti-Virus profile:

  1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.
  2. Select the Objects tab, then select Security profiles → Anti-Virus.
  3. In the upper part of the workspace, click the Create button.

    This opens the Anti-Virus profile creation window. By default, the General tab is selected.

  4. In the Name field, enter a name for the new profile.

    The name of the profile must be unique among all profiles. The maximum length is 128 characters.

  5. If necessary, in the Description field, enter an arbitrary description of the profile.

    The maximum length is 256 characters.

  6. If necessary, enable security event logging using the Logging toggle switch.

    If logging is enabled, then when an attempt is made to visit a malicious web resource, an event is logged in the Anti-Virus security event log in the SIEM system. If logging is disabled, no events are generated or saved.

  7. Under Protocols & actions, for each protocol, select the action to be performed when malicious objects are detected in TCP traffic or when an attempt is made to gain access to a URL from the list of compromised URLs:
    • Allow to allow access to the web resource.
    • Show blocking page to block access to the web resource and display a text explaining the error and recommending further actions (for example, suggesting contacting the system administrator).

      This action is available only for the HTTP protocol.

    • Block to block access to the web resource. No explanatory message is displayed.
    • Reset both to block access to the web resource and send TCP RST to the client side and to the server side for TCP sessions. No informational message is displayed.

    The listed protocols also include their encrypted versions. To scan encrypted traffic, enable encrypted connection scanning.

  8. On the File Anti-Virus tab, configure the scanning of objects detected on pages visited by the user:
    • If you want to scan objects detected in traffic using not only the local database, but also the cloud service, set the Look up objects in KSN toggle switch to On.
    • If you want to prevent partial downloading of files via HTTP, set the Block partial file downloads toggle switch to On.

      Files downloaded in parts across multiple sessions may bypass scanning by Anti-Virus profiles. If partial downloading is blocked, Kaspersky NGFW blocks HTTP Range requests, so a file can be transferred, and therefore scanned, only in its entirety. This reduces the risk that malware goes undetected.

    • If you want to scan objects detected in traffic based on their hash values, enable the Stream Anti-Virus toggle switch.

      Stream Anti-Virus looks up the hash of the object in the lists of cloud services only if this hash is not found in the local databases.

    • If you want to scan objects detected in traffic for malware, enable the Object Anti-Virus toggle switch.

      When enabling Object Anti-Virus, you can manage its settings:

      • If you want to send files being scanned to Kaspersky Anti Targeted Attack Platform (hereinafter referred to as KATA) for scanning, set the Send objects to KATA toggle switch to On.

        For this setting to work, you need to configure the integration of Kaspersky NGFW with KATA.

        A previously unknown file detected for the first time may be skipped by Kaspersky NGFW without waiting for analysis by KATA. If the analysis finds this file to be malicious, it is blocked when it is observed again. This is done to prevent delays in traffic processing because analyzing new objects can take a significant time.

      • In the Maximum file size to scan (MB) field, specify the maximum size of files that must be processed by Object Anti-Virus. Files larger than the specified size are ignored. Possible values: from 1 to 100; the default value is 10.
      • If you want to send files to DLP systems for scanning over ICAP, set the Send objects to ICAP toggle switch to On.
  9. On the URL reputation checker tab, configure the matching of traffic against the list of compromised URLs:
    • If you want to scan traffic using not only the local database, but also address lists from the cloud service, set the Look up objects in KSN toggle switch to On.
    • If you want addresses to be additionally checked for membership in the advertising URL or IP address category, set the URL adware toggle switch to On.
    • If you want addresses to be additionally checked for membership in the category of URLs not otherwise categorized, set the Other URL toggle switch to On.
  10. If necessary, on the URL exclusions tab, add URLs, URL masks or IP addresses that you want to exclude from Anti-Virus scanning when using this profile:
    • If you want to add a new address to the list of exclusions, click the Create button and in the field that appears, enter a value for the URL, mask, or IP address.

      The new item is added to the table.

    • If you want to delete a previously created exclusion, select the exclusion in the table and click the Delete button.
    • If you want an event to be recorded in the security event log when this profile is applied and an address from the list of exclusions is accessed, set the Logging toggle switch to On.
  11. Click the Create button to save the new Anti-Virus profile.

    The created profile is added to the list of Anti-Virus profiles.

  12. Apply the OSMP policy changes by clicking the Commit and push button.
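The following is an added example, not Kaspersky NGFW code, that models the decisions described in steps 7 and 8 so the interaction between the settings is easy to check: Range requests are refused when partial downloads are blocked, Stream Anti-Virus consults the cloud list only after a local hash miss and only when KSN lookup is on, Object Anti-Virus ignores files above the configured size limit, and a detection is mapped onto the per-protocol action chosen in step 7. The hash databases, content signature, sample files, verdict names and the protocol labels (`http`, `ftp`) are constructed or assumed for the demonstration.

```python
"""Minimal model of the File Anti-Virus decisions described in steps 7 and 8.

Added example, not Kaspersky NGFW code. Databases, signatures and sample
files are constructed for the demonstration; verdict names are assumed.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class FileAvProfile:
    """Mirrors the toggles on the File Anti-Virus tab (attribute names assumed)."""
    block_partial_downloads: bool = False   # block HTTP Range requests
    look_up_in_ksn: bool = False            # consult cloud lists after a local miss
    stream_av: bool = False                 # hash-based lookup
    object_av: bool = False                 # content scan
    max_file_size_mb: int = 10              # documented range 1..100, default 10

    def __post_init__(self) -> None:
        if not 1 <= self.max_file_size_mb <= 100:
            raise ValueError("Maximum file size to scan must be between 1 and 100 MB")


# Constructed sample data: hashes of two constructed "known bad" files and one
# constructed content signature. None of these are real indicators.
KNOWN_BAD_LOCAL = b"constructed sample known to the local database"
KNOWN_BAD_CLOUD = b"constructed sample known only to the cloud service"
LOCAL_HASH_DB = {hashlib.sha256(KNOWN_BAD_LOCAL).hexdigest()}
CLOUD_HASH_DB = {hashlib.sha256(KNOWN_BAD_CLOUD).hexdigest()}
CONTENT_SIGNATURES = [b"CONSTRUCTED-MALWARE-MARKER"]


def request_decision(profile: FileAvProfile, headers: dict) -> str:
    """Decide whether an HTTP request may proceed: 'allow' or 'block'.

    With partial downloads blocked, any Range request is refused so that a
    file can only be transferred (and therefore scanned) as a whole.
    """
    if profile.block_partial_downloads and any(k.lower() == "range" for k in headers):
        return "block"
    return "allow"


def file_verdict(profile: FileAvProfile, body: bytes) -> str:
    """Classify a downloaded object: 'detected', 'clean' or 'not_scanned'.

    Stream Anti-Virus checks the hash locally first and only then, if KSN
    lookup is enabled, in the cloud list. Object Anti-Virus scans content
    but ignores files above the configured size limit.
    """
    scanned = False
    if profile.stream_av:
        scanned = True
        digest = hashlib.sha256(body).hexdigest()
        if digest in LOCAL_HASH_DB:
            return "detected"
        if profile.look_up_in_ksn and digest in CLOUD_HASH_DB:
            return "detected"
    if profile.object_av:
        if len(body) <= profile.max_file_size_mb * 1024 * 1024:
            scanned = True
            if any(sig in body for sig in CONTENT_SIGNATURES):
                return "detected"
        # larger files fall through: Object Anti-Virus ignores them
    return "clean" if scanned else "not_scanned"


def apply_action(protocol_actions: dict, protocol: str, verdict: str) -> str:
    """Map a verdict onto the per-protocol action chosen under Protocols & actions.

    Actions are 'allow', 'show_blocking_page', 'block' or 'reset_both';
    'show_blocking_page' is only available for HTTP, so selecting it for
    another protocol is treated as a configuration error.
    """
    if verdict != "detected":
        return "allow"
    action = protocol_actions[protocol]
    if action == "show_blocking_page" and protocol != "http":
        raise ValueError("Show blocking page is available only for HTTP")
    return action


if __name__ == "__main__":
    profile = FileAvProfile(block_partial_downloads=True, stream_av=True,
                            look_up_in_ksn=True, object_av=True)
    print(request_decision(profile, {"Range": "bytes=0-1023"}))
    print(file_verdict(profile, KNOWN_BAD_CLOUD))
    print(apply_action({"http": "show_blocking_page"}, "http", "detected"))
```

Note that a large file with Stream Anti-Virus on and Object Anti-Virus on comes back as `clean` rather than `not_scanned`: its hash was still checked, only the content scan was skipped. That is the case the size limit in step 8 describes, and it is worth remembering when choosing the limit.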