Filtering files in network traffic

Kaspersky NGFW allows filtering files contained in network traffic or transmitted from websites to block certain files even before sending them for scanning by the Anti-Virus security engine. Kaspersky NGFW supports file filtering in HTTP, HTTPS (after SSL decryption), and FTP traffic.

File filtering in network traffic is based on the following parameters:

You can configure file filtering using the following commands from the security antivirus family of commands on the command line:

For a description of command families and a link to the complete list of Kaspersky NGFW configuration commands, see the Managing Kaspersky NGFW using the command line document.

On the command line, you can enable file filtering by MIME type only, by file name only, or by both. You can create security rules to filter files (up to 10,000 for each filtering method) based on case-insensitive regular expressions in ECMAScript 3 format. One of the following actions is applied to a file detected in network traffic or transmitted from a website: allow the file (allow), which lets it through to the next check or to scanning, or block the file (block). By default, the allow action is set for both filtering methods; you can change the default action for each method if necessary.

Security rules for file filtering are applied before the file is sent to be scanned by the Anti-Virus security engine only if the following conditions are met:

The algorithm for filtering files in network traffic involves the following steps:

  1. Looking for a matching security rule for filtering by file name (if enabled):
    • If such a rule is found, the action from the rule is applied.
    • If no such rule is found or the file name cannot be determined, the default action for this filtering method is applied.

    If the action is block, the file is blocked. If the allow action was applied, the file is sent for the next scan (by MIME type, if enabled, or to the Anti-Virus).

  2. Looking for a matching security rule for filtering by file MIME type (if enabled):
    • If such a rule is found, the action from the rule is applied.
    • If no such rule is found or the MIME type cannot be determined, the default action for this filtering method is applied.

    If the action is block, the file is blocked. If the allow action was applied, the file is sent to Anti-Virus for scanning.

For each filtering method, Kaspersky NGFW looks for a match among enabled rules only and checks them in order of priority. The search stops at the first matching rule. As soon as the block action is applied to a file, all checks stop, the file is blocked and it is not sent for scanning to the Anti-Virus security engine. If, after all checks, only the allow action has been applied to the file, the file is sent for scanning by the Anti-Virus security engine.
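The two-stage decision described above (file name first, then MIME type; enabled rules only, priority order, first match wins, default action when nothing matches or the value cannot be determined, and a block ending all further checks), written out as an added Python model. This is illustrative code, not Kaspersky NGFW's implementation: the rule set and priority numbering are constructed, and Python's `re` with `IGNORECASE` stands in for the product's case-insensitive ECMAScript 3 regular expressions.

```python
import re
from dataclasses import dataclass
from typing import Optional

ALLOW, BLOCK = "allow", "block"

@dataclass
class Rule:
    priority: int          # assumed: lower value is checked first
    pattern: str           # case-insensitive regex over the file name or MIME type
    action: str            # ALLOW or BLOCK
    enabled: bool = True   # disabled rules are never consulted

@dataclass
class FilterMethod:
    enabled: bool
    rules: list
    default_action: str = ALLOW   # the documented default for both methods

    def decide(self, value: Optional[str]) -> str:
        if not self.enabled:
            return ALLOW          # method off: nothing to check, continue to next stage
        if value is None:
            return self.default_action   # name/type cannot be determined
        # Enabled rules only, in priority order; the search stops at the first match.
        for rule in sorted((r for r in self.rules if r.enabled), key=lambda r: r.priority):
            if re.search(rule.pattern, value, re.IGNORECASE):
                return rule.action
        return self.default_action

def filter_file(by_name: FilterMethod, by_mime: FilterMethod,
                file_name: Optional[str], mime_type: Optional[str]) -> tuple:
    """Stage 1 is the file name, stage 2 the MIME type; a block ends all checks."""
    if by_name.decide(file_name) == BLOCK:
        return (BLOCK, "file name")
    if by_mime.decide(mime_type) == BLOCK:
        return (BLOCK, "mime type")
    return (ALLOW, "anti-virus scan")   # only allow verdicts: send to the engine

def demo_policy() -> tuple:
    """Constructed sample rules, not taken from any product configuration."""
    by_name = FilterMethod(True, [
        Rule(5, r"\.exe$", ALLOW, enabled=False),   # disabled: must be skipped
        Rule(10, r"\.(exe|scr)$", BLOCK),
        Rule(20, r"^report\.docx$", ALLOW),
    ])
    by_mime = FilterMethod(True, [Rule(10, r"^application/x-msdownload$", BLOCK)])
    return by_name, by_mime
```

Note that a disabled rule with a higher priority than a blocking rule is skipped entirely, so it cannot shadow the block; only enabled rules take part in the search.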

If event logging is enabled for the Anti-Virus security engine, information about files blocked by file filtering is recorded in the Stream and Object Anti-Virus log.
