F-Secure Anti-Virus for Firewalls 6.20
Windows version

Administrator's Guide

PALO ALTO NETWORKS Exhibit 1019 Page 1

1. Introduction

1.1 About this Guide
Chapter 1. Introduction – gives general information about F-Secure Content Scanner Server and F-Secure Anti-Virus Mail Server and Gateway products.
Chapter 2. Deployment – describes how to set up your network environment before you can install F-Secure Anti-Virus for Firewalls.
Chapter 3. Installing F-Secure Anti-Virus for Firewalls on Windows – describes how to install and set up F-Secure Anti-Virus for Firewalls.
NOTE: F-Secure Anti-Virus for Firewalls is part of the F-Secure Anti-Virus Mail Server and Gateway product line, which has a common backend – F-Secure Content Scanner Server. Therefore some chapters mention F-Secure Content Scanner Server, although this manual is the Administrator’s Guide for F-Secure Anti-Virus for Firewalls.
Chapter 4. Administering F-Secure Anti-Virus for Firewalls in Centralized Administration Mode – describes how to administer F-Secure Content Scanner Server and F-Secure Anti-Virus for Firewalls. The chapter explains all the settings and statistics of the program.
Chapter 5. Administering F-Secure Anti-Virus for Firewalls in Stand-alone Mode – describes how to administer F-Secure Content Scanner Server and F-Secure Anti-Virus for Firewalls using the local user interface.
Chapter 6. Configuring Firewalls – describes how to set Firewalls to work with F-Secure Anti-Virus for Firewalls. This chapter includes sample settings for several firewalls.
Chapter 7. Updating Virus Databases – gives instructions on how to update the virus definition database.
Chapter 8. Troubleshooting – solves some common problems.
Appendix A. Warning Messages – lists variables that can be included in virus warning messages.
Appendix B. Alerts – lists all error messages and appropriate actions to be taken.
See the F-Secure Policy Manager Administrator’s Guide for detailed information about installing and using the F-Secure Policy Manager components:
• F-Secure Policy Manager Console, the tool for administering F-Secure Anti-Virus for Firewalls.
• F-Secure Policy Manager Server, which enables communication between F-Secure Policy Manager Console and the managed systems.

1.2 Overview
Malicious code, such as computer viruses, is one of the main threats for companies today. In the past, these spread mainly via disks and the most common viruses were those that infected disk boot sectors. When users began to use office applications – such as Microsoft Office – with macro capabilities to write documents and distribute them via mail and groupware servers, macro viruses started spreading rapidly.
Nowadays the virus problem has another new dimension: e-mail. Modern viruses can even use e-mail to spread themselves without any user intervention and that is why e-mail worm outbreaks, like Klez and BadTrans, have caused a lot of damage around the world.
F-Secure Anti-Virus Mail Server and Gateway products are designed to protect your company's mail, groupware, database or document servers. The protection can be implemented on the firewall level to screen all incoming and outgoing e-mail (SMTP), web surfing (HTTP) or file transfer (FTP) traffic. It can also be implemented on the mail server level so that it protects not only inbound and outbound traffic but also internal mail traffic and public sources, such as public folders on Microsoft Exchange server.
Providing the protection already on the gateway level has plenty of advantages. The protection is easy and fast to set up and install compared to rolling out anti-virus protection on hundreds or thousands of workstations. The protection is also totally invisible to the end users, thus ensuring that the system cannot be bypassed, and it is easy to maintain. Of course, protecting the gateway level alone is not enough to provide a complete anti-virus solution; file server and workstation level protection is also needed.

1.3 How F-Secure Anti-Virus for Firewalls Works
F-Secure Anti-Virus for Firewalls is designed to detect and disinfect viruses and other malicious code from data transmissions through all CVP compliant firewalls. The scanning is done in real time as the data is transmitted through the firewall.
F-Secure Anti-Virus for Firewalls is based on agent and server technology. However, F-Secure Anti-Virus for Firewalls does not employ a separate F-Secure Anti-Virus Agent. The firewall itself acts as the CVP agent and sends data streams passing through it for inspection, and F-Secure Anti-Virus for Firewalls acts as a CVP server. The data traffic that needs to be scanned can be redirected to the product from the rule base of the firewall itself.
If the data transmitted by the CVP agent contains malicious code, F-Secure Anti-Virus for Firewalls can be configured to disinfect or drop the content. If the data is disinfected, it is sent back to the firewall, which sends it to the original recipient. Any malicious code found during the scan process can be placed in the quarantine, where it can be further examined. For example, an infected attachment in an e-mail message can be removed and replaced with a disinfected attachment.
F-Secure Anti-Virus for Firewalls has extensive alerting functions: information, warning, and security alerts can be sent to the local log file, Windows NT application event log, F-Secure Policy Manager Console or to the administrator's e-mail address via SMTP. The administrator can also specify the recipient inside the company network to be notified about an infection found in the data content.
F-Secure Anti-Virus for Firewalls can be installed on a dedicated Windows NT, Windows 2000 or Linux server. No additional software has to be installed on the firewall itself, so the firewall can be on any platform.

1.4 Features and Capabilities
F-Secure Anti-Virus for Firewalls uses three top quality scanning engines to ensure the highest possible detection rate and disinfection capability. The daily F-Secure Anti-Virus signature database updates provide F-Secure Mail Server and Gateway products with the protection capability that is always up-to-date.
F-Secure Anti-Virus scanning engines consistently rank at the top when compared to competing products. Our team of dedicated virus researchers is on call 24 hours a day responding to new and emerging threats. In fact, F-Secure is one of the only companies to release tested virus definition updates on a daily basis to make sure our customers receive the highest quality service and protection every day.
F-Secure Policy Manager provides a scalable way to manage the security of multiple applications on multiple operating systems, from one central location. The power of the F-Secure Policy Manager lies in the distributed management architecture, which provides massive scalability for a widely distributed, mobile workforce.
The F-Secure Policy Manager is comprised of two components: the F-Secure Policy Manager Console and F-Secure Policy Manager Server. They provide the upper layers on the management architecture and are seamlessly integrated with the F-Secure Management Agents that handle all management functions on local hosts.
In standalone mode, F-Secure Anti-Virus for Firewalls is managed with the local user interface. In centrally managed mode, F-Secure Anti-Virus for Firewalls is managed with F-Secure Policy Manager Console.
F-Secure Policy Manager Console has a graphical user interface that provides a centralized view of the domains and hosts in your network and lets you configure the security policies for all the F-Secure components. F-Secure Policy Manager Console receives status information from F-Secure Content Scanner Server.
F-Secure Policy Manager Server is the server side component that handles communication between F-Secure Anti-Virus for Firewalls and F-Secure Policy Manager console. It exchanges security policies, software updates, status information, statistics, alerts, and other information between F-Secure Policy Manager console and all managed systems. The three-tier architecture used by F-Secure Policy Manager makes it possible to collect and consolidate status information, alerts, and reports. Moreover, it allows the administrator to view the information from any workstation in the network.

Key Features
F-Secure Anti-Virus for Firewalls provides the following features and capabilities.

Superior Protection
• High level of protection with low maintenance costs.
• Multiple scan engines: F-PROT, AVP and Orion.
• Unparalleled malicious code detection and disinfection.
• Heuristic scanning also detects unknown Windows and macro viruses.
• Recursive scanning of ARJ, BZ2, CAB, GZ, JAR, LZH, RAR and ZIP archive files.
• Automatic daily virus signature database updates.
• Suspicious and unsafe attachments can be stripped away from e-mails.
• Password protected archives can be treated as unsafe.
• Checking for malformed headers and suspicious content.

Performance and Reliability
• Recent Transaction Results Cache allows for faster processing of frequently accessed Web pages and mails sent to mailing lists.
• Self recovery. The product is capable of automatically restarting a crashed component or scanning engine.

Transparency and Scalability
• Viruses are intercepted before they can enter the network and spread out on workstations.
• Real-time scanning of FTP, HTTP and SMTP data traffic.
• Total transparency to end-users. Users cannot bypass the system, which means that messages and documents cannot be exchanged without scanning.

Policy Based Management
• Controlling and monitoring the behavior of the products remotely.
• Monitoring statistics provided by the products.
• Starting predefined operations remotely.

1.5 F-Secure Anti-Virus for Mail Server and Gateway Products
The F-Secure Anti-Virus product line consists of workstation, file server, mail server and gateway products. Mail server and gateway products, also known as Content Scanner products, are based on agent and server technology. This means that the products work with F-Secure Content Scanner Server, which is a common backend for all F-Secure Content Scanner products.
• F-Secure Anti-Virus for Firewalls, Windows version provides unsurpassed detection and disinfection for Internet-borne viruses and malicious code passing through CVP-compliant firewalls. By automatically scanning HTTP, FTP and SMTP for malicious code as the data comes through the firewall from the Internet, F-Secure Anti-Virus for Firewalls stops viruses before they can compromise corporate security. A separate agent program is not necessary, as the firewall itself can be configured to connect directly to F-Secure Content Scanner Server.
• F-Secure Anti-Virus for Firewalls, Linux version provides unsurpassed detection and disinfection for Internet-borne viruses and malicious code passing through CVP-compliant firewalls.
• F-Secure Anti-Virus for Microsoft Exchange is a comprehensive solution that protects your Microsoft Exchange users from malicious code contained within files they receive in mail messages and documents they open from shared databases. Malicious code is also stopped in outbound messages and in notes being posted on public folders. The product operates transparently and scans files in Exchange Server Information Store in real-time. Manual scanning of user mailboxes and public folders is also supported.
• F-Secure Anti-Virus for Internet Mail is in principle an SMTP proxy that protects your site against virus attack by monitoring incoming and outgoing SMTP traffic. Malicious code is automatically detected and eliminated in the e-mail and attachments. The product can be configured to work with any SMTP or groupware gateway.
• F-Secure Anti-Virus for MIMEsweeper provides a powerful anti-virus scanning solution that tightly integrates with Content Technologies' MAILsweeper product. F-Secure provides top-class anti-virus software with fast and simple integration to MAILsweeper, giving the corporation the powerful combination of complete content security.

4. Administering F-Secure Anti-Virus for Firewalls in Centralized Administration Mode

4.1 Using F-Secure Policy Manager Console
F-Secure Policy Manager Console is used to create policies for F-Secure Anti-Virus for Firewalls installations that are running on selected hosts or groups of hosts. Policies are created by assigning values to variables shown on the Policy tab of the Properties pane in F-Secure Policy Manager console. To assign a value, select a variable – marked by the leaf icon – in the Properties pane (the middle pane) and enter the value in the Editor pane (the right pane).
After a policy is created, it must be distributed to hosts by choosing Distribute from the File menu.
TIP: For testing purposes you may also want to change the polling intervals. To do that, select the domain in F-Secure Policy Manager console and set the Incoming Packages Polling Interval and Outgoing Packages Update Interval variables to 30-45 seconds. The variables are located under each of the two trees in the F-Secure Management Agent/Settings/Communications branch. Note that since the default polling interval is 10 minutes, it might take up to 10 minutes for the new setting to take effect.
Alternatively, you can use the Poll the server now button in F-Secure Management Agent.
After changing the settings and distributing the policy, you have to wait for F-Secure Content Scanner Server to poll the policy or restart the program in order to activate new settings. See the section Starting and Stopping F-Secure Anti-Virus for Firewalls, on page 66 for instructions.
The Status tab of the Properties pane shows statistics and the settings that were configured during the installation of F-Secure Anti-Virus for Firewalls. Statistics are updated periodically and can be reset by choosing Reset Statistics on the Policy tab of the Properties pane.
For a better view, you can enlarge a pane by dragging its borders.
Modify settings by assigning new values to the basic leaf node variables (marked by the leaf icons) shown in the Policy tab of the Properties pane. Initially, every variable has a default value, which is displayed in gray. Some settings may require the use of the Final check box in order to be configured properly.
Select the variable from the Properties pane and enter the new value in the Editor pane to change it. You can either type the new value or select it from a list box. If you enter an invalid value, it will be displayed in red in the Properties pane. Click the Clear button to revert to the default value or the Undo button to cancel the most recent change that has not been distributed.
For detailed information on installing and using F-Secure Policy Manager console, see the F-Secure Policy Manager Administrator’s Guide.

4.2 Settings
To view or to modify scanning options and settings for content providers, click the Policy tab in the Properties pane and then expand the Settings branch under F-Secure Content Scanner Server. Use the variables under the F-Secure Anti-Virus for Firewalls/Settings branch to modify scanning options for different data transfer protocols.
NOTE: You can also modify the settings from the XML tabs in F-Secure Policy Manager Console. For more information about using F-Secure Policy Manager Console, consult the F-Secure Policy Manager manual.

F-Secure Content Scanner Server Settings
Use the variables under the F-Secure Content Scanner Server / Settings / branch to define the settings for content providers and to change general content scanning options.

Language
Specify the language used in reports, alerts and warning messages and in quarantine information. Currently the only supported language is English (ENG).

Content Providers
Specify how F-Secure Content Scanner Server should communicate with the content provider. For more information, see “Content Providers” on page 33.

Processors
Specify the starting method of different processor types, whether they are started automatically or manually. The default startup option is automatic. The manual startup is not recommended and should be used only for troubleshooting.

Scanning
Specify the scanning engines to be used when F-Secure Content Scanner Server scans files for viruses, and the files that should be scanned. For more information, see “Scanning” on page 37.

Virus Definition Database Updates
Specify how you want to keep the virus definition databases up-to-date. For more information, see “Virus Definition Database Update” on page 39.

Quarantine
Specify the location and the minimum size of the Quarantine directory. For more information, see “Quarantine” on page 40.

Advanced
Specify the location and the minimum size of the Working directory. For more information, see “Advanced” on page 42.

Content Providers

Generic CVP Provider
Specify these content provider settings if you use a CVP-compliant firewall other than Check Point FireWall-1. For more information, see “Generic CVP Provider” on page 34.

FNP/SCIP Provider
The FNP Provider settings are not relevant for F-Secure Anti-Virus for Firewalls, thus changing them has no effect on the product.

OPSEC CVP Provider
Specify these content provider settings if your firewall is Check Point FireWall-1. For more information, see “OPSEC CVP Provider” on page 35.

Generic CVP Provider

Port
Specify the TCP port used by the generic CVP protocol. The port number must be the same here and in the firewall, so if the port number is changed, the same change must be made in the CVP settings in the firewall. If you cannot change the port number of the firewall, the default port should be used. The default port number is 18181.
If both the generic CVP provider and the OPSEC CVP provider are installed on the same computer, make sure that they use different port numbers.

Service IP Address
Specify the service listen address if the server has multiple network interface cards or IP addresses. Specify the listen address according to intended client.

Allow Connections
Define whether the service will accept connections only from the configured CVP agents or from everyone. The accepted agents can be specified with the Configured Agents setting. By default, connections are accepted from everyone.

Configured Agents
Lists agents that are allowed to connect to the server when the Allow Connections setting is Configured Agents. This setting can be used to restrict connections to the CVP service and to avoid possible denial of service attacks.
Enter valid agent IP addresses and separate each address by a space or a comma.

Max Connections
Set the maximum number of simultaneous connections the content provider can have.

Max Connections per host
Set the maximum number of simultaneous connections to allow to the content provider from a single host.

OPSEC CVP Provider

Port
Specify the TCP port used by the OPSEC CVP protocol. The port number must be the same here and in the firewall, so if the port number is changed, the same change must be made in the CVP settings in the firewall. If you cannot change the port number of the firewall, the default port should be used. The default port number is 18181.
If both the generic CVP provider and the OPSEC CVP provider are installed on the same computer, make sure that they use different port numbers.

Service IP Address
Specify the service listen address if the server has multiple network interface cards or IP addresses. Specify the listen address according to intended client.

Allow Connections
Define whether the service will accept connections only from the configured CVP agents or from everyone. The accepted agents can be specified with the Configured Agents setting. By default, connections are accepted from everyone.

Configured Agents
Lists agents that are allowed to connect to the server when the Allow Connections setting is Configured Agents. This setting can be used to restrict connections to the CVP service and to avoid possible denial of service attacks.
Enter valid agent IP addresses and separate each address by a space or a comma.

Authenticated Connections
Define whether the authenticated connection method is used between F-Secure Content Scanner Server and the firewall. The firewall must be configured to use authenticated connections before this setting can be changed. For more information, see “Defining the CVP-Authenticated Connections for Check Point FireWall-1” on page 94.

Data Trickling
F-Secure Content Scanner Server can be set to start sending the original content back to the firewall, even if the scan is not yet finished. You can prevent timeouts on HTTP and FTP data transfers by enabling data trickling and properly configuring the trickle interval and packet size.
The firewall must be configured accordingly before this setting can be changed. For more information, see “Data Trickling” on page 92. By default, data trickling is disabled.
NOTE: If you enable data trickling and an infection is discovered after a part of the file has been sent already, the part that was sent cannot be automatically deleted. You should use data trickling with caution.

Trickle Interval
Specify the time that F-Secure Content Scanner Server waits before it sends the next TCP packet of the original content to the firewall. When the content has been completely checked and found safe, it is sent to the firewall immediately. The default interval is 5 minutes.

Trickle Packet Size
Specify the number of bytes of the original content that F-Secure Content Scanner Server sends to the firewall before it has finished scanning. When the content has been completely checked and found safe, it is sent to the firewall immediately. A value of zero (0) means that no bytes are sent to the firewall until the whole content has been processed. The default packet size is 1.

Scanning
Select the scanning engines to be used and the files that should be excluded from the Scan Engines table.

Scan Engines
Scan engines can be enabled or disabled. If you want to disable the scanning just for certain files, enter the appropriate file extensions in the Excluded extensions field and separate each extension with a space. The Excluded extensions field supports * and ? wildcards.

Scan Inside Archives
Specify whether files inside compressed archive files should be scanned for viruses, if they are not excluded from scanning.
NOTE: Scanning inside archives takes time. Disabling scanning inside archives improves performance, but it also means that the network users need to use up-to-date virus protection on their workstations.

Max Levels in Nested Archives
If Scan Inside Archives is enabled, F-Secure Content Scanner Server can scan files inside archives that may exist inside of other archives. Furthermore, these nested archives can contain other archives.
Specify the number of levels F-Secure Content Scanner Server goes through before the action selected in Suspect Max Nested Archives takes place. The default setting is 3.
NOTE: Increasing the value increases the load on the system and thus decreases the overall system performance. This means that the system becomes more vulnerable to denial of service attacks.

Suspect Max Nested Archives
If the number of nested archives exceeds the value specified in the Max Levels in Nested Archives, the file is stopped if Treat as Unsafe is selected. If Treat as Safe is selected, the archive file is sent to the user.

Suspect Password Protected Archives
Compressed archive files can be protected with passwords. These archives can be opened only with a valid password, so F-Secure Content Scanner Server cannot scan their content. Password protected archives can be stopped by selecting Treat as Unsafe. If Treat as Safe is selected, password protected archives are delivered to the recipient.

Scan Extensions Inside Archives
Enter all the extensions you want to scan inside archives.

Max Scan Timeout
Specify the maximum time that one scanning task can last. The Max Scan Timeout is 10 minutes by default.
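
How Max Levels in Nested Archives, Suspect Max Nested Archives and Suspect Password Protected Archives interact can be seen in a small model. This is an added example, not F-Secure code: it handles ZIP only, `leaf_is_infected` is a stand-in for the scan engines, and every function name, policy string and sample archive is constructed for illustration.

```python
import io
import zipfile

MARKER = b"CONSTRUCTED-TEST-MARKER"  # harmless stand-in for a signature hit


def leaf_is_infected(data: bytes) -> bool:
    """Stand-in for the real scan engines (assumption of this example)."""
    return MARKER in data


def scan(data, max_levels=3, over_limit="unsafe", password="unsafe"):
    """Model of the three archive settings; returns verdict + unscanned items.

    max_levels -> Max Levels in Nested Archives (guide default: 3)
    over_limit -> Suspect Max Nested Archives: "unsafe" or "safe"
    password   -> Suspect Password Protected Archives: "unsafe" or "safe"
    """
    unscanned = []  # content delivered without inspection under Treat as Safe

    def walk(blob, level, path):
        if not zipfile.is_zipfile(io.BytesIO(blob)):
            return "infected" if leaf_is_infected(blob) else "clean"
        if level > max_levels:
            if over_limit == "unsafe":
                return "blocked"
            unscanned.append(path + " (nesting limit)")
            return "clean"
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                member = f"{path}/{info.filename}"
                if info.flag_bits & 0x1:  # ZIP general-purpose bit 0: encrypted
                    if password == "unsafe":
                        return "blocked"
                    unscanned.append(member + " (password protected)")
                    continue
                verdict = walk(zf.read(info), level + 1, member)
                if verdict != "clean":
                    return verdict
        return "clean"

    return {"verdict": walk(data, 1, "<root>"), "unscanned": unscanned}


# --- constructed sample input -------------------------------------------
def make_zip(name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def nest(payload, levels):
    """Wrap payload in `levels` layers of ZIP archives."""
    for i in range(levels):
        payload = make_zip(f"level{i}.bin", payload)
    return payload


def mark_encrypted(zip_bytes):
    """Set the encrypted flag on the first central-directory entry."""
    raw = bytearray(zip_bytes)
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)


if __name__ == "__main__":
    print(scan(nest(MARKER, 3)))                     # within limit: found
    print(scan(nest(MARKER, 4)))                     # Treat as Unsafe: stopped
    print(scan(nest(MARKER, 4), over_limit="safe"))  # Treat as Safe: delivered
    print(scan(mark_encrypted(make_zip("a.doc", b"secret")), password="safe"))
```

With Treat as Safe, the marker hidden one level past the limit reaches the recipient with a clean verdict, which is the trade-off the two Suspect settings control.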

Virus Definition Database Update

Poll Automatically
Specify whether F-Secure Content Scanner Server should automatically connect to F-Secure Policy Manager Server or Communication Directory to download the latest virus definition database updates.
The polling interval can be changed from F-Secure Management Agent / Settings / Communications / Protocols / <X> / Incoming Packages Polling Interval, where <X> is either HTTP (F-Secure Policy Manager Server) or File Sharing (Communication Directory), based on the selected communication method.

Notify When Databases Become Old
Specify whether F-Secure Content Scanner Server should notify the administrator if virus definition databases have not been updated recently.

Notify When Databases Older Than
Specify how old (in days) virus definition databases can be before F-Secure Content Scanner Server sends the notification to the administrator.

Quarantine

Quarantine Directory
Specify the location of Quarantine directory.
Blocked, infected and suspicious files are placed in the Quarantine directory. F-Secure Content Scanner Server creates three subfolders under the Quarantine directory.
uncert - Contains blocked and unknown files.
infect - Contains infected files.
suspect - Contains suspicious files.

Quarantined files are named using the following formula:
FSAVS<YYYY><MM><DD><CNT>.[<EXT>]

Where:
YYYY - The current year.
MM - The current month.
DD - The current day.
CNT - Counter.
EXT - The original file extension.

For example, if an infected doc-file is put into quarantine, it can have a filename: FSAVS20010223000001A.[DOC].

NOTE: During the setup, access rights are adjusted so that only the operating system and the local administrator can access files in Quarantine Directory. If you make changes to the Quarantine directory settings, make sure that the new directory has the same rights.

Delete Files Older Than
Set the number of days after which a quarantined file is deleted from the quarantine directory.

Quarantine Size Threshold
Set the minimum safe value of the Quarantine directory. If the amount of free space in the Quarantine directory is lower than the specified value, F-Secure Content Scanner Server sends an alert to the administrator.

Quarantine Mass Worms
Specify whether F-Secure Content Scanner Server should quarantine files infected with mass-mailer worms such as Klez or Badtrans.
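
The naming formula, the three subfolders and the Delete Files Older Than setting are enough to audit a quarantine listing. This is an added example, not part of the guide: the counter pattern is inferred from the single sample filename given with the formula, and the function names, listing and dates are constructed.

```python
import re
from datetime import date

SUBFOLDERS = ("infect", "suspect", "uncert")  # subfolders named in the guide

# FSAVS<YYYY><MM><DD><CNT>.[<EXT>] ; CNT assumed alphanumeric (e.g. 000001A)
NAME_RE = re.compile(r"^FSAVS(\d{4})(\d{2})(\d{2})([0-9A-Za-z]+)\.\[([^\]]*)\]$")


def parse_quarantine_name(name):
    """Split a quarantine filename into date, counter and original extension.

    Returns None when the name does not follow the formula or the embedded
    date is not a real calendar date.
    """
    m = NAME_RE.match(name)
    if not m:
        return None
    year, month, day, counter, ext = m.groups()
    try:
        stored = date(int(year), int(month), int(day))
    except ValueError:
        return None
    return {"date": stored, "counter": counter, "ext": ext}


def triage(listing, today, delete_older_than_days):
    """Summarise a quarantine listing given as '<subfolder>/<filename>' paths.

    expired    -> files past the Delete Files Older Than limit still present
    unexpected -> entries outside the three subfolders or not matching the
                  formula, which should not exist in a directory only the
                  operating system and local administrator can access
    """
    report = {"by_folder": {f: 0 for f in SUBFOLDERS},
              "expired": [], "unexpected": []}
    for rel in listing:
        folder, _, name = rel.replace("\\", "/").rpartition("/")
        info = parse_quarantine_name(name)
        if folder not in SUBFOLDERS or info is None:
            report["unexpected"].append(rel)
            continue
        report["by_folder"][folder] += 1
        if (today - info["date"]).days > delete_older_than_days:
            report["expired"].append(rel)
    return report


# Constructed listing; only the first filename is the guide's own example.
SAMPLE_LISTING = [
    "infect/FSAVS20010223000001A.[DOC]",
    "suspect/FSAVS20010310000002A.[EXE]",
    "uncert/FSAVS20010312000003A.[ZIP]",
    "infect/readme.txt",                   # does not follow the formula
    "infect/FSAVS20011340000004A.[DOC]",   # month 13: not a valid date
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING, today=date(2001, 3, 15),
                 delete_older_than_days=14))
```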

Advanced

Working Directory
Specify where temporary files are stored. The Working directory should be on a local hard disk for the best performance. Make sure that there is enough free disk space for temporary files.
NOTE: During the setup, access rights are adjusted so that only the operating system and the local administrator can access files in the Working directory. If you make changes to Working Directory settings, make sure that the new directory has the same rights.

Working Directory Clean Interval
Specify the time after which the inactive temporary files in the Working directory are deleted. The default clean interval is 15 minutes.

Free Space Threshold
Specify when F-Secure Content Scanner Server should send a low disk space alert to the administrator. The default setting is 100 megabytes.

4.3 F-Secure Anti-Virus for Firewalls Settings
Use the variables under the F-Secure Anti-Virus for Firewalls / Settings / branch to modify scanning options for different data transfer protocols.
If you have several hosts running F-Secure Anti-Virus for Firewalls, you should configure and distribute settings to these hosts separately.

Common
Set common options for all firewalls protected by F-Secure Anti-Virus for Firewalls. For more information, see “Common” on page 44.

Agents
Specify the customized settings for each specific firewall. If there are no custom settings for a particular agent, F-Secure Anti-Virus for Firewalls uses the Common settings.
If F-Secure Anti-Virus for Firewalls is configured to scan content from multiple firewalls, you can set customized options for each firewall in the Agents table.
To add a new customized setting, click Add in the Editor pane. The default values for each HTTP, FTP, and SMTP variable will appear in a row. Double-click on the first cell in the row and type the IP address of the firewall.
To edit the value of a variable, double-click on the setting in the row and enter the new value. Another way to edit a value is to click on the value and then click Edit. For information on HTTP, FTP, SMTP and Advanced variables, see “Common” on page 44.
To remove customized settings for one firewall, select the row, and click Clear Row. Click Yes when prompted for confirmation. To delete all customized settings, click Clear All.
Alternatively, to edit customized settings, select the Agent in the Settings/Agents/ branch. All variables will be shown in a branch. To edit a variable, select it in the Properties pane and enter the value in the Editor pane.

Logging
Specify whether you want to keep a log of all mails passing through the F-Secure Anti-Virus for Firewalls. For more information, see “Logging” on page 55.

Advanced
Specify the cache size and the maximum number of concurrent transactions. For more information, see “Advanced” on page 56.

Common

HTTP
Define the scanning settings that should be used with HTTP transactions. For more information, see “HTTP” on page 45.

FTP
Define the scanning settings that should be used with FTP transactions. For more information, see “FTP” on page 48.

SMTP
Define the scanning settings that should be used with SMTP transactions. For more information, see “SMTP” on page 50.

HTTP

HTTP Scanning
Define the scanning of HTTP transactions.
All Files with Included Extensions - Scans only files with extensions specified in Included Extensions setting.
All Files except Excluded Extensions - Scans all files except those with extensions specified in Excluded Extensions setting.
All Files - Scans all files f
