Anti-malware scanning overview

Anti-malware scanning is a resource-intensive activity and is practical mainly in branch-office-type settings, where the physical setup is as simple as possible with little equipment onsite.

Anti-malware scanning on the NGFW is needed when the site has its own direct Internet connection, rather than VPN connectivity to a central site where traffic can be scanned centrally.

The scanner can inspect IPv4 traffic. The supported protocols in anti-malware inspection are FTP, HTTP, HTTPS, IMAP, POP3, and SMTP. If the scanner detects infected files, it strips them out. If an email attachment is filtered out, a message is added to the email notifying the recipient.
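As an added example that is not Forcepoint's code, the following Python models the attachment handling described above: a constructed stand-in scanner examines each attachment as a whole, and any attachment it flags is replaced by a notice to the recipient. The signature marker, addresses and filenames are constructed for the example.

```python
# Added example, not Forcepoint's code. Models the documented behaviour:
# an infected attachment is stripped and a notice is added to the email.
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed marker standing in for a real detection signature.
TEST_MARKER = b"CONSTRUCTED-TEST-SIGNATURE"


def scan_blob(data: bytes) -> bool:
    """Constructed scanner: the whole decoded payload is examined,
    mirroring the point that files must be inspected as a whole."""
    return TEST_MARKER in data


def strip_infected_attachments(raw: str):
    """Return (rewritten message, list of removed attachment names).
    Only top-level parts are examined; nested multiparts are left as-is."""
    msg = message_from_string(raw)
    removed = []
    if not msg.is_multipart():
        return raw, removed
    new_parts = []
    for part in msg.get_payload():
        filename = part.get_filename()
        if filename and scan_blob(part.get_payload(decode=True) or b""):
            removed.append(filename)
            # Replace the attachment with a plain-text notice to the recipient.
            new_parts.append(MIMEText(
                f"Attachment '{filename}' was removed by anti-malware scanning.\n"))
        else:
            new_parts.append(part)
    msg.set_payload(new_parts)
    return msg.as_string(), removed


def build_sample() -> str:
    """Constructed message with one clean and one flagged attachment."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Report"
    msg.attach(MIMEText("Please see attached.\n"))
    clean = MIMEApplication(b"quarterly figures", Name="report.txt")
    clean.add_header("Content-Disposition", "attachment", filename="report.txt")
    msg.attach(clean)
    bad = MIMEApplication(b"header " + TEST_MARKER + b" trailer", Name="invoice.exe")
    bad.add_header("Content-Disposition", "attachment", filename="invoice.exe")
    msg.attach(bad)
    return msg.as_string()
```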

In branch-office-type environments without skilled administrators, a centrally managed anti-malware scanning solution on the same hardware as Forcepoint NGFW makes maintenance easier than having separate equipment.

Limitations

Firewall, IPS, and Layer 2 Firewall clusters can be used for anti-malware scanning, with one restriction: the data being inspected is not synchronized between the nodes, so connections that are undergoing anti-malware scanning at the time of a failover are dropped and the applications must reopen them.

Scanning directly on the Forcepoint NGFW is not practical in high-traffic environments. The amount of data gathered for scanning is large, since files must be inspected as a whole to block all infected content. Storing and scanning files significantly increases the demand for resources as the volume of traffic grows. Redirecting traffic to a proxy service for external inspection is a more economical and flexible solution.