Internet Related/Filtering/Firewall Thread, Gateway antivirus in Technical
16th February 2010, 10:25 AM #1
Hello my educationally minded friends!
I'm looking for a bit of feedback, if you don't mind.
Gateway antivirus - particularly AV of incoming web traffic. Interested to know your thoughts in general, preferably here, in-thread, but if you have specific in-depth thinkings, I would love to hear them by PM, email or phone.
Is it worth having?
Does your current vendor provide it?
What does/should it cost?
What are the issues you find?
What do you think of these "new generation" behavioural AV engines?
Also on the menu: AV for outgoing HTTP. AV for SMTP. AV for IM. AV for FTP. Any ramblings on those subjects also deemed extremely valuable.
Last edited by tom_newton; 16th February 2010 at 10:32 AM.
16th February 2010, 12:22 PM #2
I've run ClamAV on my "smoothy then endian" box for 4-5 years now, just doing HTTP AVing. It's great for what it is, but you've got to balance performance against the added security it provides. Viruses don't tend to be embedded in websites so much any more, or not the ones I visit. They tend more to be trojans, and as such can get past the AV due to the large file size of the host app - striking a balance between silly processing time on large files against just passing the file unchecked.
Last edited by j17sparky; 16th February 2010 at 12:26 PM.
16th February 2010, 12:24 PM #3
I think ours is done by our LEA (Atomwide), but I am not sure. It's def not done here; we just have a proxy that forwards on to their proxy.
16th February 2010, 12:28 PM #4
We do it using our SonicWall Firewall. I am trying to get it onto Smoothwall Express but not much luck.
16th February 2010, 12:40 PM #5
Viruses are less of a problem these days. It's websites containing Spyware, Malware and Rootkits which are more problematic, but you're just as well to block these sites altogether.
I believe scanning all incoming traffic with AV Software will inevitably slow down browsing as can web filtering. Workstations should be running AV software anyway as that can catch viruses through the internet and removable media, such as USB sticks.
16th February 2010, 12:40 PM #6
Another vote for Sonicwall here (4000 UTM) can't fault it as it does catch some rubbish.
16th February 2010, 12:43 PM #7
I have it enabled on SW because I like defense in depth. However, the frequency of false positives for "broken executable" detections needs reducing (yeah, a ClamAV problem). We recently had an issue where an automated update process pulled about 600GB of traffic over a weekend because SW was flagging a 2MB patch as broken when it was perfectly fine and the app kept retrying. Nagios started paging me mid-weekend because the weirdness threshold was tripped.
I'd also like much better detection of fake av - it's slipping through SW and hitting desktop av a bit too often for my liking.
Last edited by pete; 16th February 2010 at 02:52 PM.
16th February 2010, 12:48 PM #8
This is my point exactly. Malware or fake AV as you phrase it is a lot more of a nuisance. Even Edugeek themselves were experiencing problems recently through one of their ad campaigns (it appears).
I'd also like much better detection of fake av
We're professionals, we can tell the differences between real and fake, but the not so experienced user can very easily be fooled they're infected.
16th February 2010, 12:59 PM #9
Just had a look on our SWG-708 and it says 'Web anti-virus engine' : Stopped. I don't think it's ever been enabled. That wasn't a decision we made so it's either not included in this version or it's turned off by default.
16th February 2010, 03:46 PM #10
@pete, @Michael - would you consider a worthy addition to your security arsenal gateway AV which detected more malware, fakeav etc. and did not pick up "broken executable" - what I am saying really, is, if SmoothWall offered a top quality AV/AM engine on HTTP traffic - would that be considered beneficial?
16th February 2010, 04:16 PM #11
Yes I'd say that would be more beneficial.
if SmoothWall offered a top quality AV/AM engine on HTTP traffic - would that be considered beneficial?
17th February 2010, 11:40 AM #12
Thanks to those who have replied/voted so far. Very interesting. Personally, I think gateway AV/anti-malware is an important component - so I will be using your feedback to directly influence development. Would welcome any particular tales of AV woe/entertainment still.
17th February 2010, 12:05 PM #13
Originally Posted by tom_newton
(my message is too short)
18th February 2010, 01:31 PM #14
Turns out FTP AV looks relatively doable.
Any of you folks tried the FTP proxy? (I know Zerohour has) and of those, who would like to see AV added?
19th February 2010, 10:45 AM #15
We are using UTM-1000 (firewall only) + 2 x NG08 (content filter) and do not run ClamAV on our Smoothwall systems. The reason for this is performance, as we can have 1000 users browsing the internet at any given time.