Anti-malware scanning overview

Anti-malware scanning is resource-intensive, so it is practical mainly in branch-office settings, where the physical setup is kept as simple as possible with little equipment onsite.

Anti-malware scanning is needed when there is Internet connectivity at the site (instead of VPN connectivity to a central site where traffic can be scanned centrally).

The scanner inspects IPv4 traffic. The supported protocols are HTTP, HTTPS, IMAP, POP3, and SMTP. When the scanner detects an infected file, it strips the file out of the traffic. If an email attachment is stripped, a message is added to the email notifying the recipient.

In branch-office-type environments without skilled administrators, a centrally managed anti-malware scanning solution on the same hardware as Forcepoint NGFW makes maintenance easier than having separate equipment.

Limitations

Firewall, IPS, and Layer 2 Firewall clusters can be used for anti-malware scanning, but some restrictions apply. Because the data being inspected is not synchronized between the nodes, connections that are undergoing anti-malware scanning at the time of a failover are dropped, and the applications must reopen them.

Scanning directly on the Forcepoint NGFW is not practical in high-traffic environments. The amount of data gathered for scanning is large, since files must be inspected as a whole to block all infected content. Storing and scanning files significantly increases the demand for resources as the volume of traffic grows. Redirecting traffic to a proxy service for external inspection is a more economical and flexible solution.