Service Integration - Antivirus

The use of antivirus products on both desktop and server computers tends to be an important part of a corporate information security policy. Since a MOVEit DMZ server is typically placed in a network segment that is exposed to the Internet, the use of a well-maintained antivirus product on the server is generally recommended. However, there are a few points to keep in mind when setting up an antivirus product on a server running MOVEit DMZ. This section is intended to provide MOVEit DMZ operators with information and recommended configurations regarding the use of antivirus products on a MOVEit DMZ server.

Note: See Feature Focus - Content Scanning.

Uses and Limitations of Antivirus

Since MOVEit DMZ is a secure file transfer and storage system, there are two main reasons why an operator would want to run antivirus on the host server:

1. Protect the server itself from viruses that could reduce performance, compromise security, or even disable the system entirely.
2. Inspect the files being transferred through the system to ensure virus-infected files are not allowed into or out of the internal network.

Protecting the host server from virus infection is certainly important in making sure that the system runs reliably, and we recommend the installation and use of a suitable antivirus program to do so. Inspecting the files being stored on and transferred through the MOVEit DMZ application, however, is not possible due to the security model of the application.

Antivirus and the MOVEit Security Model

One of MOVEit DMZ's hallmark features is that it encrypts files before writing them out to disk. As a result, the unencrypted file data is never available on disk, and therefore never available to disk-checking antivirus programs. For maximum security, most files are not even stored in memory in their entirety, but are instead read and written in smaller chunks. This makes most files unavailable to memory-checking antivirus programs as well.

In addition to the fact that an antivirus program should never be able to identify an actual virus in a MOVEit-DMZ-encrypted file, the nature of file encryption makes false positives a possibility as well. It is possible that the process of encrypting a file can generate inside that file a sequence of bytes that antivirus programs may read as a virus signature. Therefore, it is recommended that antivirus programs be configured to ignore the MOVEit DMZ encrypted file store entirely.

In order to verify that files transferred through a MOVEit DMZ server are virus-free, the best place to install antivirus software is on an internal MOVEit Central or other platform where the complete, unencrypted files are placed for further processing. In fact, virus detection, quarantining, and/or cleaning actions performed by most realtime antivirus packages will be logged in MOVEit Central's transaction log.

Recommendations

When installing and configuring an antivirus program on a MOVEit DMZ server, there are a few points which should be kept in mind:

• Most MOVEit DMZ servers are placed in an isolated network segment, often called a DMZ (DeMilitarized Zone). Such servers tend to be independent from the rest of the network, and are usually not added as members of a Domain or Active Directory tree. For the same reasons, centrally-managed antivirus programs tend to have a harder time accessing and maintaining installed instances on DMZ servers. Therefore, antivirus programs are usually installed in independent or stand-alone mode on DMZ servers, and thus will require independent configuration, virus updating, and event checking.
• To avoid possible false positive virus matches, and to prevent an antivirus program from quarantining or even deleting files from the MOVEit DMZ store, the antivirus program should be configured to ignore the DMZ store location. Encrypted files are stored in the Files subdirectory of the MOVEit DMZ non-web directory (typically D:\MOVEitDMZ). Therefore, for a typical installation, the antivirus program should be configured to ignore D:\MOVEitDMZ\Files.
• It is also a good idea to configure the antivirus program to ignore MOVEit DMZ's database files, since they could possibly contain binary data that might be interpreted as a virus signature (several fields in the database are stored encrypted). If your database is MySQL, data files are typically stored in the Data subdirectory of the MySQL installation directory (typically D:\MySQL). Therefore, for a typical installation, the antivirus program should be configured to ignore D:\MySQL\Data. If your database is Microsoft SQL Server, the files are typically stored in a directory like: C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data.