RE: [squid-users] What Virus Scanning software runs "nicely" with Squid?

From: Michael Hayder <[email protected]>
Date: 26 Oct 2002 21:45:04 +0200

On Thu, 2002-10-24 at 18:17, Dr. Michael Weller wrote:
> On 24 Oct 2002, Michael Hayder wrote:
>
> > > You can download a 30 day evaluation and test it out that is what we
> > > did, and the pricing is not that expensive if you consider the downside.
> >
> > I see only a solaris and NT Version you told me linux ... is this
> > correct. I could not find the correct version.
> > Can u send me a product link please please .... I know its much work.
> > Plz
>
> Huh? Are you real? Try:
>
> http://www.trendmicro.com/en/products/gateway/isvw/evaluate/trial.htm

Thx a lot .... I am real. I guess I walk blind thru the world :->

>
> On the first 'multiple choice button menu', select Interscan VirusWall for
> Linux. Sorry, I can't give a direct download link, since you have to fill
> out a 'registration form' on above link first.
>
> Other than that I can second the good experience with this product on
> Linux in several installations.
>
> They usually list it for RedHat distribs only, but I used it on several
> distribs. Only some tweaking of startup/installations scripts might be
> required, on ancient distribs you might even need to have cp,mv,sort in
> /usr/bin not /bin and similar trivialities.
>
> Recent VirusWall installation scripts have options for several
> distributions, but they don't necessarily work even for those
> distributions they have been made for.
>
> Well.. I know this doesn't sound very promising, but apart from that it
> works really nicely.
>
> Note that the evaluation copy will cease to work after 30 days and
> silently! (ok, you get a few warnings by mail if you are lucky). You can
> continue to surf and email but there is no more protection. You also need
> to reinstall with the bought license key. It doesn't suffice to add it to
> the config of the evaluation installation. (but you can reinstall the
> evaluation copy just with that key. You don't have to use the, usually
> older, version they ship you on a CD.)
>
> I never got to work the 'outbound email virus' protection though. I guess,
> if it works at all, it will only work for email sent from the 'proxy host
> itself by /usr/lib/sendmail'. It doesn't work if you just use VirusWall as
> an SMTP relay though (because all mail (even the outbound one) is relayed
> back to your main SMTP server). Also the anti-relay protection of
> VirusWall does not cover all SMTP-envelope attacks. You should only
> understand it as an extension of the anti-relay protection of your SMTP
> server.

Thx also. I just want to use only the http features, and for me it is totally
clear that ssl could not be scanned. That is not necessary.

Off Topic:
Thanx for your help .... but smtp could be scanned with f-prot
in my house .... and a special script for qmail.
If you want to know more just contact me.

>
> Good luck,
> Michael.
>
> P.S.
>
> > > Do you use this stuff in a production environment ???
> Yep.
>
> > > Any loss of performance ???
>
> Well.. probably. You can't get security/virus protection for free. I can't
> give you exact figures, but it's certainly ok for production. You just
> need some CPU-power for scanning (which also unpacks compressed downloads)
> and big temporary file space for Viruswall since it keeps temporary
> file copies while downloading.
>
> I recommend 1-1 trickle setting (1024 bytes trickle for 1K download) in
> advanced http setup for your Joe Blow Users though, which means you get
> 'nearly' the actual download speed. Otherwise (default settings) Viruswall
> first scans the file (and you get VERY slow download in your browser), but
> once done you get the whole file at once (so the overall download time is
> the same, but Joe Blow User has hit reload, phoned and yelled at you a
> million times in between). Of course, the downside is, in case of an
> infected file, you get a large portion of it (but aborted, hence truncated
> and hence typically unusable) on the client.
>
> Sorry for this only 'mildly' squid related msg in this list, but you asked
> for it. To get it back to squid:
>
> Some Viruswall for Linux / IE browser combinations have problems with
> https: connections. Since 'https:' officially cannot be scanned for
> viruses anyway (which I BTW doubt as a mathematician if you sacrifice the
> authenticity check in the browser and use the proxy as a 'man in the
> middle'), I recommend to use squid in front of VirusWall to:
>
> a) apply a 'white list' of definitely needed and well trusted 'https:'
> sites for a small set of users (start with empty list and add by
> request of users (they won't dare to ask you for their private
> web banking and xxx https sites)).
>
> b) instruct squid to bypass Viruswall for the allowed https: connections.

All traffic thru ssl is forbidden... in my config (some sites are allowed
only)

>
> Without such a 'https' policy, I would discourage use of Viruswall, at
> least as YOUR SOLE bastion against viruses:

Clear.

>
> It seems too simple to me for a malevolent person to redirect your
> company's surfers to an https: site which uploads virus/trojan code to
> their machines. The 'you enter/leave a secure connection' warning is
> ignored by your typical surfer and they esp. don't realize it means you
> get neither squid-cached nor virus scanned web content.
>
>

Thanx for Your help again .... I was looking many hours for that stupid
progi ... and I could not find it.
Greets
mic
Received on Sat Oct 26 2002 - 13:45:11 MDT
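
The https policy described in points a) and b) of the quoted message, written out as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread; the VirusWall address and port, the client addresses, the whitelist file path and the ACL names are all assumptions.

```conf
# Added example: squid in front of VirusWall, with an https whitelist.
# All addresses, ports, paths and ACL names below are assumed values.

# VirusWall's HTTP proxy is the only parent (assumed to listen on
# 127.0.0.1:8080); ICP is disabled since it is not a cache.
cache_peer 127.0.0.1 parent 8080 0 no-query default

# "all" is the catch-all ACL defined in the stock squid.conf.
acl lan          src 192.168.0.0/24
acl https_users  src 192.168.0.10 192.168.0.11
acl CONNECT      method CONNECT
acl SSL_ports    port 443

# One domain per line. Start with an empty file and add entries only
# when a user asks for a site, as the message suggests.
acl https_whitelist dstdomain "/etc/squid/https_whitelist.txt"

# (a) Tunnels only to port 443, only to whitelisted sites, and only
#     for the small set of users who need them.
http_access deny  CONNECT !SSL_ports
http_access allow CONNECT https_users https_whitelist
http_access deny  CONNECT

# Plain http for the LAN; this traffic is scanned by the parent.
http_access allow lan
http_access deny  all

# (b) Whitelisted https tunnels go straight to the origin server and
#     bypass VirusWall. always_direct is evaluated before never_direct,
#     so every other request is forced through the scanning parent.
always_direct allow CONNECT https_whitelist
never_direct  allow all
```

With `never_direct allow all` in place, squid returns an error instead of fetching unscanned content when VirusWall is down, so an outage of the scanner does not turn into a silent bypass.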

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:55 MST