Transition Antivirus Profiles Safely to Best Practices

Apply Antivirus profiles to allow rules to protect against viruses and malware without risking application availability.
Use the following guidance to help determine whether to start with block or alert actions as you define the initial Antivirus profiles and begin the transition to best practice profiles.
Antivirus requires a Threat Prevention subscription.
  • It’s safe to deploy the best practice Antivirus profiles right away for applications that aren’t critical to your business, because false positives are rare.
  • For business-critical applications, it’s usually best to set the initial action to alert to ensure application availability. However, in some situations you can block Antivirus signatures from the start. For example, when you’re already protecting similar applications with an Antivirus profile and you’re confident that profile meets your business and security needs, you can apply a similar profile to the new applications from the start.
    The alert action enables you to analyze Threat logs (Monitor > Logs > Threat) and create exceptions when necessary before moving to a block action. Alerting and monitoring before moving to blocking gives you confidence that the profile won’t block business-critical applications when you deploy the initial profile, and that you’ll maintain application availability by creating the necessary exceptions as you transition to the best practice blocking state. Keep the length of time you maintain the initial alert action to a minimum to reduce the chance of a security breach. Transition to the best practice state as soon as you’re comfortable that you’ve identified any exceptions you need to make, and configure the profile accordingly.
  • WildFire Action settings in the Antivirus profile may impact traffic if the traffic generates a WildFire signature that results in a reset or drop action.
When you have the initial profiles in place, monitor the Threat logs for enough time to gain confidence that you understand whether any business-critical applications cause alerts or blocks. Also monitor the WildFire Submissions logs (Monitor > Logs > WildFire Submissions) for enough time to gain confidence that you understand whether any business-critical applications cause alerts or blocks due to the Antivirus profile WildFire Action. Create exceptions (open a support ticket if necessary) in each profile as needed to remediate any confirmed false positives before you implement full best-practice Antivirus profiles for the internet gateway or for the data center.