During normal operation, the ProxyAV CPU spikes to 100% utilization
The ProxyAV's AlertLogFile.log shows scans of Microsoft patches being downloaded from Windows Update, of SWF Flash files, or of other application updates.
1. The ProxyAV appliance can take a very long time to scan Windows Update files. We therefore recommend not scanning this traffic through the ProxyAV appliance.
With the following CPL, the ProxySG appliance will not forward Windows Update traffic to the ProxyAV:
; Windows Update hosts whose responses the ProxySG should not hand to the ProxyAV.
; Each line is an independent trigger (the condition is true if any line matches).
; NOTE(review): url.domain= is understood to be a domain-suffix match, so
; subdomains of these hosts are exempted as well -- confirm on your SGOS version.
; Everything matched here reaches the client without AV scanning, so keep the
; list to Microsoft-operated update hosts and review it periodically.
define condition WindowsUpdate
url.domain=update.microsoft.com
url.domain=windowsupdate.microsoft.com
url.domain=download.windowsupdate.com
url.domain=download.microsoft.com
end
; Turn the response-side ICAP (AV) service off for the transactions matched above.
condition=WindowsUpdate response.icap_service(no)
2. Install and configure the ProxyAV best-practice policy to achieve maximum performance.
- To achieve the best performance on the ProxyAV, enable Heuristics (ProxyAV Management Console > Antivirus > Scanning Behaviour)
- On the ProxySG, configure policy to skip the MIME content types image, audio, application, x-director video, and PDF multipart by installing the following best-practice CPL policy in the local policy file (not in a VPM CPL layer):
; -------------ICAP Best Practices----------------------------------------------
;;; The actual ICAP respmod rule should already be defined, these actions will
;;; reset it back to (no) upon an attempt to scan a streaming object or an object
;;; that shouldn't be scanned
; Discard a partially cached object when the client abandons the download.
; NOTE(review): that is the documented meaning of delete_on_abandonment -- confirm
; it is wanted here, as it is unrelated to the ICAP exemptions below.
delete_on_abandonment(yes)
; Skip response-side ICAP for plain-HTTP transactions that match NOICAP (defined
; further down). Only url.scheme=http is tested, so intercepted HTTPS transactions
; are not exempted by this rule.
url.scheme=http condition=NOICAP response.icap_service(no)
; No patience page when the User-Agent request header matches "ProxyAV" --
; presumably the appliance's own requests; confirm against the deployment.
request.header.User-Agent="ProxyAV" patience_page(no)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; This condition will match if the content length is greater than
;; 99,999,999 bytes, or no content length is provided. Both of
;; these are signs that this may tie up a thread on the AV for too long.
;; Each line is a separate trigger (the condition is true if either fires);
;; =! negates a header regex test, and ^[0-9]{1,8}$ is "1 to 8 decimal digits".
;; NOTE(review): how the first test behaves for a present vs. absent header, and
;; whether a negated test fires at all when the header is missing, is SGOS-version
;; specific -- confirm that the pair matches exactly the two cases described
;; above, since anything it matches can skip AV scanning via NOICAP.
define condition NO_or_LARGE_CONTENT_LENGTH
response.header.Content-Length=!""
response.header.Content-Length=!"^[0-9]{1,8}$"
end condition NO_or_LARGE_CONTENT_LENGTH
;; Here are some common infinite stream media types, these will
;; also block some threads on the AV.
;; Each line is an independent trigger (OR). The Content-Type value is supplied
;; by the origin server.
;; NOTE(review): CPL header tests are regular-expression matches and these
;; patterns are unanchored, so "video/" matches anywhere in the header value and
;; the "." in "vnd.rn" matches any character -- anchor or escape if a tighter
;; match is wanted.
define condition MEDIA_MIME_TYPES
response.header.Content-Type="video/"
response.header.Content-Type="application/streamingmedia"
response.header.Content-Type="application/x-streamingmedia"
response.header.Content-Type="application/vnd.rn"
response.header.Content-Type="application/ogg"
response.header.Content-Type="application/x-ogg"
response.header.Content-Type="audio/"
response.header.Content-Type="multipart/x-mixed-replace"
end condition MEDIA_MIME_TYPES
;; None of these exist right now
;; (the condition currently has no active triggers, so it never matches).
define condition Misbehaving_Modern_UserAgents
; Add modern user-agents known to misbehave to this condition
; and remove the comment character (semicolon) before Rule 3 above.
; NOTE(review): no commented-out "Rule 3" appears in this listing; the reference
; is probably to the upstream best-practices file -- confirm before relying on it.
; NOTE(review): replace the empty pattern below with a specific User-Agent
; pattern before un-commenting it. An empty regex would likely match any
; User-Agent value, and the conditions built on this one feed NOICAP, so a blanket
; match would exempt far more traffic from AV scanning than intended.
; request.header.User-Agent=""
end condition Misbehaving_Modern_UserAgents
; Both tests share one line, so both must hold (AND): a streaming/media
; Content-Type AND a missing or oversized Content-Length.
define condition VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH
condition=NO_or_LARGE_CONTENT_LENGTH condition=MEDIA_MIME_TYPES
end condition VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH
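; A misbehaving modern client AND a missing or oversized Content-Length.
; Both tests are kept on ONE line so they are ANDed, mirroring
; VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH above. Separate lines inside a
; define condition are ORed, which would make this condition true for every
; NO_or_LARGE_CONTENT_LENGTH response regardless of User-Agent and, through
; NOICAP, exempt all of them from AV scanning.
define condition UserAgents_with_NO_or_LARGE_CONTENT_LENGTH
condition=NO_or_LARGE_CONTENT_LENGTH condition=Misbehaving_Modern_UserAgents
end condition UserAgents_with_NO_or_LARGE_CONTENT_LENGTH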
; Legacy media/streaming clients, each line matched as a regex against the
; User-Agent request header (unanchored substring; case handling per SGOS regex
; rules -- confirm). Within this listing the condition is only used together
; with an HTTP/0.9 response, in HTTPv0.9_UserAgents below.
define condition Misbehaving_Old_UserAgents
request.header.User-Agent="Winamp"
request.header.User-Agent="NSPlayer"
request.header.User-Agent="RMA"
request.header.User-Agent="ultravox"
request.header.User-Agent="itunes"
request.header.User-Agent="forest"
request.header.User-Agent="Scottrader"
request.header.User-Agent="SVN"
end condition Misbehaving_Old_UserAgents
; One line, so ANDed: an HTTP/0.9 response AND one of the legacy User-Agents
; listed in Misbehaving_Old_UserAgents.
define condition HTTPv0.9_UserAgents
http.response.version=0.9 condition=Misbehaving_Old_UserAgents
end condition HTTPv0.9_UserAgents
; Everything that should bypass response-side ICAP; applied by the
; "url.scheme=http condition=NOICAP response.icap_service(no)" rule above.
; Each line is an independent trigger (OR). Every input tested here --
; Content-Type, Content-Length, HTTP version, User-Agent and domain -- is
; supplied by the client or the origin server, and any response matched is
; delivered unscanned, so keep this list as narrow as possible and review it.
define condition NOICAP
condition=VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH
condition=HTTPv0.9_UserAgents
condition=UserAgents_with_NO_or_LARGE_CONTENT_LENGTH
; Yahoos stock ticker problem -15sep06
url.domain=//streamerapi.finance.yahoo.com
url.domain=//stream.aol.com
url.domain=//finance.google.com
; Other streaming media exceptions
; NOTE(review): url.domain is understood to be a suffix match, so these exempt
; every host under youtube.com and pandora.com, not only the streaming
; endpoints -- confirm the intended scope.
url.domain=//youtube.com
url.domain=//pandora.com
end condition NOICAP
; -------------End ICAP Best Practices-------------------------
The most up-to-date ProxyAV best-practices policy can be found here, in section 9, Configuration Best Practices.