Service Integration - Anti-virus

The use of anti-virus products on both desktop and server computers tends to be an important part of a corporate information security policy. Because a MOVEit Transfer server is typically placed in a network segment that is exposed to the Internet, the use of a well-maintained anti-virus product on the server is generally recommended. However, there are a few points to keep in mind when setting up an anti-virus product on a server running MOVEit Transfer. This section provides MOVEit Transfer operators with information and recommended configurations regarding the use of anti-virus products on a MOVEit Transfer server.

Note: See Feature Focus - Content Scanning - Anti-virus.

Uses and Limitations of Anti-virus

Because MOVEit Transfer is a secure file transfer and storage system, there are two main reasons why an operator would want to run anti-virus on the host server:

1. Protect the server itself from viruses that could reduce performance, compromise security, or even disable the system entirely.
2. Inspect the files being transferred through the system to ensure virus-infected files are not allowed into or out of the internal network.

Protecting the host server from virus infection is certainly important in making sure that the system runs reliably, and we recommend the installation and use of a suitable anti-virus program to do so. Inspecting the files being stored on and transferred through the MOVEit Transfer application, however, is not possible due to the security model of the application.

Anti-virus and the MOVEit Security Model

MOVEit Transfer encrypts files before writing them to disk. As a result, the unencrypted file data is never available on disk, and therefore never available to disk-checking anti-virus programs. For maximum security, most files are not stored in memory in their entirety, but are instead read and written in smaller chunks. This makes most files unavailable to memory-checking anti-virus programs as well.

In addition to the fact that an anti-virus program should never be able to identify an actual virus in a file that is encrypted by MOVEit Transfer, the nature of file encryption makes false positives a possibility as well. It is possible that the process of encrypting a file can generate inside that file a sequence of bytes that anti-virus programs may read as a virus signature. Therefore, it is recommended that anti-virus programs be configured to ignore the MOVEit Transfer encrypted file store entirely.

In order to verify that files transferred through a MOVEit Transfer server are virus-free, the best place to install anti-virus software is on an internal MOVEit Automation or other platform where the complete, unencrypted files are placed for further processing. In fact, virus detection, quarantining, and/or cleaning actions performed by most real-time anti-virus packages will be logged in the MOVEit Automation transaction log.

Recommendations

When installing and configuring an anti-virus program on a MOVEit Transfer server, there are a few points which should be kept in mind:

• Most MOVEit Transfer servers are placed in an isolated network segment, often called a DMZ (DeMilitarized Zone). Such servers tend to be independent from the rest of the network, and are usually not added as members of a Domain or Active Directory tree. For the same reasons, centrally-managed anti-virus programs tend to have a harder time accessing and maintaining installed instances on MOVEit Transfer servers. Therefore, anti-virus programs are usually installed in independent or stand-alone mode on MOVEit Transfer servers, and thus will require independent configuration, virus updating, and event checking.
• To avoid possible false positive virus matches, and to prevent an anti-virus program from quarantining or even deleting files from the MOVEit Transfer store, the anti-virus program should be configured to ignore the MOVEit Transfer store location. Encrypted files are stored in the Files subdirectory of the MOVEit Transfer non-web directory (typically D:\MOVEitDMZ). Therefore, for a typical installation, the anti-virus program should be configured to ignore D:\MOVEitDMZ\Files.
• It is also a good idea to configure the anti-virus program to ignore the MOVEit Transfer database files, since they could possibly contain binary data that might be interpreted as a virus signature (several fields in the database are stored encrypted). If your database is MySQL, data files are typically stored in the Data subdirectory of the MySQL installation directory (typically D:\MySQL). Therefore, for a typical installation, the anti-virus program should be configured to ignore D:\MySQL\Data. If your database is Microsoft SQL Server, the files are typically stored in a directory like: C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data.