Transition Antivirus Profiles Safely to Best Practices
Apply Antivirus profiles to allow rules to protect against viruses and malware without risking application availability.

Use the following guidance to help determine whether to start with block or alert actions as you define the initial Antivirus profiles and begin the transition to best practice profiles. Antivirus requires a Threat Prevention subscription.
It’s safe to deploy the best practice Antivirus profiles right away for applications that aren’t critical to your business because false positives are rare. For business-critical applications, it’s usually best to set the initial action to alert to ensure application availability. However, in some situations you can block Antivirus signatures from the start. For example, when you’re already protecting similar applications with an Antivirus profile and you’re confident the profile meets your business and security needs, you can use a similar profile to protect similar applications.
The alert action enables you to analyze Threat logs and create exceptions when necessary before moving to a block action. Alerting and monitoring before moving to blocking gives you confidence that the profile won’t block business-critical applications when you deploy the initial profile, and that you’ll maintain application availability by creating the necessary exceptions as you transition to the best practice blocking state. Keep the length of time you maintain the initial alert action to a minimum to reduce the chance of a security breach. Transition to the best practice state as soon as you’re comfortable you’ve identified any exceptions you need to make and have configured the profile accordingly.
WildFire Action settings in the Antivirus profile may impact traffic if the traffic generates a WildFire signature that results in a reset or drop action.
When you have the initial profiles in place, monitor the Threat logs for enough time to gain confidence that you understand whether any business-critical applications cause alerts or blocks. Also monitor the WildFire Submissions logs for enough time to gain confidence that you understand whether any business-critical applications cause alerts or blocks due to the Antivirus profile WildFire Action. Create exceptions (open a support ticket if necessary) in each profile as needed to remediate any confirmed false positives before you implement full best practice Antivirus profiles for the internet gateway or for the data center.