Transition Antivirus Profiles Safely to Best Practices
Table of Contents
Expand all | Collapse all
-
- What Is a Best Practice Internet Gateway Security Policy?
- Why Do I Need a Best Practice Internet Gateway Security Policy?
- How Do I Deploy a Best Practice Internet Gateway Security Policy?
- Create User Groups for Access to Allowed Applications
- Decrypt Traffic for Full Visibility and Threat Inspection
-
- Transition Vulnerability Protection Profiles Safely to Best Practices
- Transition Anti-Spyware Profiles Safely to Best Practices
- Transition Antivirus Profiles Safely to Best Practices
- Transition WildFire Profiles Safely to Best Practices
- Transition URL Filtering Profiles Safely to Best Practices
- Transition File Blocking Profiles Safely to Best Practices
- Create Best Practice Security Profiles for the Internet Gateway
- Monitor and Fine-Tune the Policy Rulebase
- Remove the Temporary Rules
- Maintain the Rulebase
Transition Antivirus Profiles Safely to Best Practices
Apply Antivirus profiles to allow rules to protect against
viruses and malware without risking application availability.
The following guidance helps determine whether to start with block or alert actions
when you clone the default Antivirus profile and modify it to define the
initial profiles and begin the transition to best practice profiles.
Antivirus requires an Advanced Threat Prevention or active legacy Threat Prevention
subscription.
To identify and prevent threats,
the firewall must have visibility into application traffic. Decrypt as much traffic
as local regulations, business considerations, privacy considerations,
and technical ability allow. If you don’t decrypt traffic, the firewall
can’t analyze encrypted headers and payload information.
In
addition, follow Threats Content Update best
practices to ensure that your Security profile signatures are up
to date.
-
Business-critical applications—Set the initial action to alert to ensure application availability. However, in some situations you can block Antivirus signatures from the start. For example, when you’re already protecting similar applications with an Antivirus profile and you’re confident the profile meets your business and security needs, you can use a similar profile to protect similar applications because you already understand what you’re blocking.The alert action enables you to analyze Threat logs (MonitorLogsThreat) and create exceptions when necessary before moving to a block action. Alerting and monitoring before moving to blocking gives you confidence that:
-
The profile won’t block business-critical applications when you deploy it.
-
You create necessary exceptions as you transition to the blocking state to maintain application availability.
Keep the length of time you maintain the initial alert action to a minimum to reduce the chance of a security incident. Transition to the best practice state as soon as you’re comfortable you’ve identified any exceptions you need to make and configure the profile accordingly. -
- Critical and high severity signatures—It’s safe to deploy best practices Antivirus profiles to block malicious traffic for applications that aren’t critical to your business right away because false positive rates are rare, so unnecessary blocking rarely occurs.
- If you treat internal applications differently than external applications, you might need an Antivirus profile for internet-facing traffic and another Antivirus profile for internal traffic.
-
Enable real-time signature lookup globally on the device and in the Antivirus profile to hold files until the firewall receives the latest real-time antivirus signature from the cloud:
-
Enable globally—DeviceSetupContent-IDContent-ID SettingsRealtime Signature Lookup, enable Hold for WildFire Real Time Signature Look Up, and set the Action On Real Time Signature Timeout to Reset Both. You must enable real-time signature lookup globally to enable in Antivirus profiles.
-
Enable in Antivirus profile—ObjectsSecurity ProfilesAntivirus and enable Hold for WildFire Real Time Signature Look Up.
Holding files to ensure that WildFire gets the latest antivirus signatures protects you from zero-day malware and outdated antivirus signatures that you might be exposed to if you forward files without holding them for the latest signatures. -
- WildFire Action settings in the Antivirus profile might impact traffic if the traffic generates a WildFire signature that results in a reset or drop action.
When you have the initial profiles in place, monitor the Threat logs for enough time to gain
confidence that you understand whether any business-critical applications cause alerts
or blocks. Also monitor the WildFire Submissions logs (MonitorLogsWildFire Submissions) for enough time to gain confidence that you understand whether any
business-critical applications cause alerts or blocks due to the Antivirus profile
WildFire Action. Create exceptions (open a support ticket if necessary) in each profile
as needed to remediate any confirmed false positives before you implement full
best-practice Antivirus profiles. The speed of your transition to best practices
profiles depends on your business, applications, and comfort level—be aware that some
applications are only used weekly, monthly, quarterly, or yearly for audits, periodic
events and meetings, etc.