RE: [squid-users] What Virus Scanning software runs "nicely" with Squid?

From: Dr. Michael Weller <[email protected]>
Date: Thu, 24 Oct 2002 18:17:57 +0200 (MESZ)

On 24 Oct 2002, Michael Hayder wrote:

> > You can download a 30 day evaluation and test it out that is what we
> > did, and the pricing is not that expensive if you consider the downside.
>
> I see only a solaris and NT Version you told me linux ... is this
> correct. I could not find the correct version.
> Can u send me a product link please please .... I know its much work.
> Plz

Huh? Are you real? Try:

http://www.trendmicro.com/en/products/gateway/isvw/evaluate/trial.htm

On the first 'multiple choice button menu', select Interscan VirusWall for
Linux. Sorry, I can't give a direct download link, since you have to fill
out a 'registration form' on above link first.

Other than that I can second the good experience with this product on
Linux in several installations.

They usually list it for RedHat distribs only, but I used it on several
distribs. Only some tweaking of startup/installations scripts might be
required, on ancient distribs you might even need to have cp,mv,sort in
/usr/bin not /bin and similar trivialities.

Recent VirusWall installation scripts have options for several
distributions, but they don't necessarily work even for those
distributions they have been made for.

Well.. I know this doesn't sound very promising, but apart from that it
works really nicely.

Note that the evaluation copy will cease to work after 30 days and
silently! (ok, you get a few warnings by mail if you are lucky). You can
continue to surf and email but there is no more protection. You also need
to reinstall with the bought license key. It doesn't suffice to add it to
the config of the evaluation instalation. (but you can reinstall the
evaluation copy just with that key. You don't have to use the, usually
older, version they ship you on a CD.)

I never got to work the 'outbound email virus' protection though. I guess,
if it works at all, it will only work for email send from the 'proxy host
itself by /usr/lib/sendmail'. It doesn't work if you just use VirusWall as
an SMTP relay though (because all mail (even the outbound one) is relayed
back to your main SMTP server). Also the anti-relay protection of
VirusWall does not cover all SMTP-envelope attacks. You should only
understand it as an extension of the anti-relay protection of your SMTP
server.

Good luck,
Michael.

P.S.

> > Do you use this stuff in a production environment ???
Yep.

> > Any lost of performance ???

Well.. probably. You can't get security/virus protection for free. I can't
give you exact figures, but it's certainly ok for production. You just
need some CPU-power for scanning (which also unpacks compressed downloads)
and big temporary file space for Viruswall since it keeps temporary
file copies while downloading.

I recommend 1-1 trickle setting (1024 bytes trickle for 1K download) in
advanced http setup for your Joe Blow Users though, which means you get
'nearly' the actual download speed. Otherwise (default settings) Viruswall
first scans the file (and you get VERY slow download in your browser), but
once done you get the whole file at once (so the overall download time is
the same, but Joe Blow User has hit reload, phoned and yelled at you a
million of times inbetween). Of course, the downside is, in case of an
infected file, you get a large portion of it (but aborted, hence truncated
and hence typically unusable) on the client.

Sorry for this only 'mildly' squid related msg in this list, but you asked
for it. To get it back to squid:

Some Viruswall for Linux / IE browser combinations have problems with
https: connections. Since 'https:' officially cannot be scanned for
virusses anyway (which I BTW doubt as a mathematician if you sacrifice the
authenticity check in the browser and us the proxy as a 'man in the
middle'), I recommend to use squid in front of VirusWall to:

a) apply a 'white list' of definitely needed and well trusted 'https:'
   sites for a small set of users (start with empty list and add by
   request of users (they won't dare to ask you for their private
   web banking and xxx https sites).

b) instruct squid to bypass Viruswall for the allowed https: connections.

Without such a 'https' policy, I would discourage use of Viruswall, at
least as YOUR SOLE bastion agains virusses:

It seems to simple to me for a malevolent person to redirect your
companies surfers to an https: site which uploads virus/trojan code to
their machines. The 'you enter/leave a secure connection' warning is
ignored by your typical surfer and they esp. don't realize it means you
get neither squid-cached nor virus scanned web content.
Received on Thu Oct 24 2002 - 10:18:03 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:54 MST