Gateway antivirus

[tom_newton]

Hello my educationally minded friends!

I'm looking for a bit of feedback, if you don't mind.

Gateway antivirus - particularly AV of incoming web traffic. Interested to know your thoughts in general, preferably here, in-thread, but if you have specific in-depth thinkings, I would love to hear them by PM, email or phone.

Is it worth having?
Does your current vendor provide it?
What does/should it cost?
What are the issues you find?
What do you think of these "new generation" behavioural AV engines?

Also on the menu: AV for outgoing HTTP. AV for SMTP. AV for IM. AV for FTP. Any ramblings on those subjects also deemed extremely valuable

[j17sparky]

Ive ran clamAV on my "smoothy then endian" box for 4-5 years now, just doing http AVing. Its great for what it is but you've got to balence performance against the added security it provides. Viruses dont tend to be embedded in websites so much no more, or not the ones i visit. They tend more to be trogens, and as such can get past the AV due to the large file size on the host app - striking a balence between silly processing time on large files against just passing the file unchecked.

[glennda]

i think ours is done by our lea(atomwide), but i am not sure, its def not done here we just have a proxy that forwards onto there proxy

[FN-GM]

We do it using our Sonciwall Firewall. I am trying to get it onto Smoothwall Express but not much luck.

Z

[Michael]

Viruses are less of a problem these days. It's websites containing Spyware, Malware and Rootkits which are more problematic, but you're just as well to block these sites altogether.

I believe scanning all incoming traffic with AV Software will inevitably slow down browsing as can web filtering. Workstations should be running AV software anyway as that can catch viruses through the internet and removable media, such as USB sticks.

[ICTNUT]

Another vote for Sonicwall here (4000 UTM) can't fault it as it does catch some rubbish.

[pete]

I have it enabled on SW because I like defense in depth. However, the frequency of false positives for "broken executable" detections needs reducing (yeah, a clamav problem). We recently had an issue where an automated update process pulled about 600GB of traffic over a weekend because SW was flagging a 2MB patch as broken when it was perfectly fine and the app kept retrying. Nagios started paging me mid-weekend because the wierdness threshold was tripped.

I'd also like much better detection of fake av - it's slipping through SW and hitting desktop av a bit too often for my liking.

[Michael]

I'd also like much better detection of fake av

This is my point exactly. Malware or fake AV as you phrase it is a lot more of a nuisance. Even Edugeek themselves were experiencing problems recently through one of their ad campaigns (it appears).
We're professionals, we can tell the differences between real and fake, but the not so experienced user can very easily be fooled they're infected.

[cookie_monster]

Just had a look on our SWG-708 and it says 'Web anti-virus engine' : Stopped. I don't think it's ever been enabled. That wasn't a decision we made so it's either not included in this version or it's turned off by default.

[tom_newton]

@pete, @Michael - would you consider a worthy addition to your security arsenal gateway AV which detected more malware, fakeav etc. and did not pick up "broken executable" - what I am saying really, is, if SmoothWall offered a top quality AV/AM engine on HTTP traffic - would that be considered beneficial?

[Michael]

if SmoothWall offered a top quality AV/AM engine on HTTP traffic - would that be considered beneficial?

Yes I'd say that would be more beneficial.

[tom_newton]

Thanks to those who have replied/voted so far. Very interesting. Personally, I think gateway av/anti-malware is an important component - so I will be using your feedback to directly influence development. Would welcome any particular tales of AV woe/entertainment still

[pete]

, if SmoothWall offered a top quality AV/AM engine on HTTP traffic - would that be considered beneficial?

Yes.

(my message is too short)

[tom_newton]

Turns out FTP AV looks relatively doable
Any of you folks tried the FTP proxy? (I know Zerohour has) and of those, who would like to see AV added?

[ezzauk]

We are using UTM-1000 (firewall only) + 2 x NG08 (content filter) and do not run the clamAV on our smoothwall systems. The reason for this is performance as we can have a 1000 users browsing the internet at any given time.

Eric