[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Sheflug] Antivirus measures

To: <shef-lug [at] xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Sheflug] Antivirus measures
From: "Chris Johnson" <chris [at] xxxxxxxxxxxxx>
Date: Fri, 21 May 2004 14:07:59 +0100
Delivered-to: shef-lug [at] list.sheflug.org.uk
Importance: Normal
List-help: <mailto:shef-lug-request [at] list.sheflug.org.uk?subject=help>
List-id: Sheflug <shef-lug.list.sheflug.org.uk>
List-post: <mailto:shef-lug [at] list.sheflug.org.uk>
List-subscribe: <http://community.uklinux.net/mailman/listinfo/shef-lug>,<mailto:shef-lug-request [at] list.sheflug.org.uk?subject=subscribe>
List-unsubscribe: <http://community.uklinux.net/mailman/listinfo/shef-lug>,<mailto:shef-lug-request [at] list.sheflug.org.uk?subject=unsubscribe>
Reply-to: shef-lug [at] xxxxxxxxxxxxxxxxxxx
Sender: shef-lug-admin [at] xxxxxxxxxxxxxxxxxxx

> One assumes that because the http and ftp content is only passing
> through the IPCop firewall on a packet by packet basis, AV scanning
> would be difficult to impossible to implement. You'd have to have
> something that was capable of checking at the packet level rather than
> the file level. If it were looking for dodgy content in http, 
> if you're
> running squid on the IPCop box, the AV solution would be capable of
> detecting any virii in the cached content, but by then, it's 
> already on
> the client. In other words, you'd be better off with s/w on 
> the clients.
> DansGuardian is checking URLs so is working at a different level.
> 
> It's a different kettle of fish with mail. Because your mail server
> stores messages for later retrieval, it gets all the content before
> passing it on elsewhere therefore it's able to scan the file properly.
> 
> Of course, I could be wrong (it wouldn't be the first time :-)
> 
> -- 
> David Morris
> 
> ___________________________________________________________________
 David
There is the issue of downloading it all first which will inevitably
introduce some delay.  The method seems to be to cache the file fully in
squid then virus check it before releasing it to the client.  As this might
lead to timeouts the developer seems to have implemented a trickle feed to
the cleint PC where a small amount of data from the downloaded file is
released to the client every minute to prevent timeout whilst the rest is
still being downloaded.  Not sure how this would cope with 700MB CD images
(especially in 64MB RAM!) 

And dans guardian does check URLS from its black lists but, and this is an
important but as this is where it differs from squid guard which IIRC ONLY
checks urls, DG also checks actual content based on weighted word and
phrases and regular expressions.

We do have AV software on the clients but no matter which we choose there
will always be some virus that gets through.  As we can only run one AV
package on each client PC having an extra level of extra checking on the
"proxy" should minimise the virus risk to beyond that worth worrying about.

Is anyone else running AV on a 'proxy' server?

Chris 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.688 / Virus Database: 449 - Release Date: 18/05/2004

<<attachment: winmail.dat>>

References:
- RE: [Sheflug] Antivirus measures
  - From: Morris, David (Allvac, UK)

Prev by Date: RE: [Sheflug] Antivirus measures
Next by Date: RE: [Sheflug] Antivirus measures
Previous by thread: RE: [Sheflug] Antivirus measures
Next by thread: RE: [Sheflug] Antivirus measures
Index(es):
- Date
- Thread