v4.38 / Memory Warning / AV Cloud Query Bypass ???


All Replies

  • WMelonMan
    WMelonMan Posts: 10
    OK, I'll have a look sometime later then. Thanks!
  • USG_User
    USG_User Posts: 369  Master Member
    edited June 2020
    Hi WMelonMan,

    "ZyWALL USG series supports Express Mode with advanced Cloud Query technology which has 30 billion of file ID in Zyxel security cloud’s database and constantly adapts new malware data every minute via Threat Intelligence Machine Learning. This innovative design improves the anti-malware detection efficiency, enables it to verify the file ID within seconds to get the most optimal threat detection, so that the ZyWALL USG series can gain higher throughput performance."

    I will give it a try now ...

    edit: Now I've tried to activate the Express Mode in AV. Unfortunately this offers additional Advanced Settings where particular file extensions can be chosen. But will only these file extensions be scanned by the AV engine, or are they excluded from scanning, or what does it mean? No description available. :/
  • WMelonMan
    WMelonMan Posts: 10
    USG_User said:
    [...] Express Mode in AV. [...] offers additional Advanced Settings where particular file extensions can be chosen. But will only these file extensions be scanned by the AV engine, or are they excluded from scanning, or what does it mean? No description available. :/
    That made me scratch my head, too. Zyxel to the rescue, please!
    And thanks @USG_User for sharing this little feature description.
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @WMelonMan &@USG_User
    The description of express mode and stream mode
    Express Mode
    In this mode you can define which types of files are scanned using the File Type For Scan fields. The Zyxel Device then scans files by sending each file’s hash value to a cloud database using cloud query. This is the fastest scan mode.

    Stream Mode
    In this mode the Zyxel Device scans all files for viruses using anti-malware signatures to detect known virus patterns, and Threat Intelligence Machine Learning. Threat Intelligence Machine Learning is a master cloud database containing malware patterns learned from all Zyxel Devices. This is the deepest scan mode.

    The advanced feature of express mode is cloud query.
    File Type For Scan
    The file types that will be checked are listed in the Applied File Types field. If you don't want a file type to be checked, click this file type and then click the left arrow button (Available File Types).
  • WMelonMan
    WMelonMan Posts: 10
    @Zyxel_Charlie: Thank you.
  • USG_User
    USG_User Posts: 369  Master Member
    ...
    The advanced feature of express mode is cloud query.

    File Type For Scan
    The file types that will be checked are listed in the Applied File Types field. If you don't want a file type to be checked, click this file type and then click the left arrow button (Available File Types).
    Does it mean that I have to decide between fast or deep scan? But which should I take? I would prefer a fast AND deep scan.

    Further, what happens when activating the Express mode but without choosing any file types from the "Applied files table" (because this setting is "hidden" in advanced settings)? Will nothing be scanned in that case?

    Finally, I'm not sure which file types make sense to choose and which do not. I don't know what files will be downloaded by colleagues or what kind of attachments will be received in future.
    From your experience in collecting virus signatures, have you got any recommendations for the "Applied file table"?

  • USG_User
    USG_User Posts: 369  Master Member
    Thanks Charlie, for test purposes I've now changed our settings to Express Mode with some file extension allocations. We'll see whether the very frequently appearing alerts about A/V bypass will be gone.
  • USG_User
    USG_User Posts: 369  Master Member
    Short update: Even with changed A/V settings (switch from stream mode to express mode) at least one memory warning still appears every day where the A/V cloud query is bypassed for about 5 minutes.
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @USG_User
    This is Zyxel's memory protection design, and both Stream and Express mode will consume memory. Each ZyWALL USG model has a limited amount of memory to be shared by all features. If all of that memory is in use, system operations can be affected in unexpected ways.
    Therefore, we have adjusted the threshold in the latest firmware to avoid this behavior occurring. Please check your private messages.
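The following is an added illustration, not Zyxel's code and not part of any post in this thread. It models the two behaviours the thread describes: Express Mode's hash-based cloud query restricted to the "Applied File Types" list (Charlie's description above) and the memory-protection condition under which the cloud query is bypassed (USG_User's daily warning). The "cloud database" is a constructed set of SHA-256 digests, the file names are made up, and the assumption that an empty Applied File Types list means no file is queried is exactly the open question in the thread, so it is a modelling choice here, not confirmed product behaviour. The point for a defender is that both "skipped" and "bypassed" verdicts are coverage gaps that should be counted, not silently treated as clean.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(content: bytes) -> str:
    """File ID as used for the cloud query in this model: a SHA-256 digest."""
    return hashlib.sha256(content).hexdigest()


# Constructed sample malware content and a constructed "cloud" database of
# known-bad file IDs. Nothing here is real Zyxel data.
SAMPLE_MALWARE = b"constructed-malicious-sample-for-demo"
CLOUD_DB = {sha256_hex(SAMPLE_MALWARE)}


def file_extension(filename: str) -> str:
    """Lower-cased extension without the dot, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


@dataclass
class ExpressModeModel:
    """Toy model of Express Mode: query the cloud by file hash, but only for
    file types present in the Applied File Types list."""
    applied_file_types: set[str]          # the "Applied File Types" field
    cloud_db: set[str] = field(default_factory=lambda: set(CLOUD_DB))
    memory_low: bool = False              # memory-protection condition (assumed model)
    events: list[str] = field(default_factory=list)

    def scan(self, filename: str, content: bytes) -> str:
        """Return one of: 'malware', 'clean', 'skipped', 'bypassed'."""
        if self.memory_low:
            # Assumption: under memory pressure the cloud query is bypassed
            # entirely, which is what the thread's warnings report.
            self.events.append(f"{filename}: AV cloud query bypassed (memory protection)")
            return "bypassed"
        ext = file_extension(filename)
        if ext not in self.applied_file_types:
            # Assumption for this model: types not in the applied list are not queried.
            self.events.append(f"{filename}: type '{ext}' not in Applied File Types")
            return "skipped"
        verdict = "malware" if sha256_hex(content) in self.cloud_db else "clean"
        self.events.append(f"{filename}: cloud query -> {verdict}")
        return verdict


def scan_batch(model: ExpressModeModel, files: dict[str, bytes]) -> dict[str, str]:
    """Scan a batch of {filename: content} and return {filename: verdict}."""
    return {name: model.scan(name, data) for name, data in files.items()}


def coverage_gaps(results: dict[str, str]) -> list[str]:
    """Files that reached the network without a cloud verdict, sorted by name.
    These are the ones a defender should be counting, not only 'malware'."""
    return sorted(n for n, v in results.items() if v in ("skipped", "bypassed"))


# Constructed sample traffic: one known-bad executable, one clean PDF and a
# document type that is not in the applied list.
SAMPLE_FILES = {
    "invoice.exe": SAMPLE_MALWARE,
    "report.pdf": b"%PDF-1.4 harmless constructed content",
    "notes.docx": b"PK constructed docx bytes",
}

if __name__ == "__main__":
    normal = ExpressModeModel(applied_file_types={"exe", "pdf"})
    print(scan_batch(normal, SAMPLE_FILES))
    print("gaps:", coverage_gaps(scan_batch(normal, SAMPLE_FILES)))

    # Express Mode enabled but nothing selected in the advanced settings.
    empty = ExpressModeModel(applied_file_types=set())
    print("gaps with empty list:", coverage_gaps(scan_batch(empty, SAMPLE_FILES)))

    # The daily memory warning: every file in the window goes through unqueried.
    starved = ExpressModeModel(applied_file_types={"exe", "pdf"}, memory_low=True)
    print("gaps under memory protection:", coverage_gaps(scan_batch(starved, SAMPLE_FILES)))
```

Run as a script it prints the verdict per file for the three configurations. The `coverage_gaps` list is the useful output: with a populated applied list only `notes.docx` is a gap, with an empty list (under this model's assumption) every file is, and during a memory-protection window every file is bypassed regardless of the list, which is why changing scan mode did not make the daily warning disappear in the thread.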
