List:       firewalls-gc
Subject:    re: Virus Scanner
From:       harley () icrf ! icnet ! uk
Date:       1997-07-26 14:30:40

> What happens is; the user clicks on his link and gets an hour 
> glass and then nothing more happens until
> the scanner is completely finished scanning, which with larger 
> files can take some time
> and most users disconnect (or even worse try again) before they get 
> the menu to save.
> 
The advantage of virus checking at the firewall or viruswall is 
administrative: you aren't totally reliant on the users' keeping
their desktops properly protected. There are two large disadvantages,
though: one is that this approach leaves several other entry points
uncovered, so it has to be supplementary, rather than your only defence.
The other is that effective filtering for viruses entails a lot of 
processing. If your hardware/network isn't beefy enough to cope with
the overhead, the latency problem is likely to outweigh the advantage.

> When I talk to Checkpoint's reseller in Germany I get the feeling 
> that we are the only
> ones who consider internet viruses to be a problem. 

Not the only ones. But there's a question of definitions, here.
Leaving aside the question of the Internet Virus, which most 
people prefer to call a worm, there's some question as to what
constitutes an internet virus. When most vendors talk about this,
they seem to mean viruses which are transmissible over networks
rather than Internet-specific viruses. This largely excludes PC 
boot-sector viruses (which can be transmitted over networks as
part of a disk image, but can't -infect- over networks in a formal
sense -- obviously, it doesn't mean such a disk image can't be a
transmission vector). It -can- include multipartite PC viruses
and file infectors (irrespective of platform). File infectors can
obviously include viruses which infect executables as well as macro
viruses, which in a sense infect data files. In fact, many vendors
seem to use macro virus and internet virus interchangeably, but
the problem with infectable program files hasn't gone away: it's
just proportionally smaller.

> My question is; has anyone else 
> made any attempts to check for internet viruses and if so how do you do it?
> 
Lots of people. Scanning at the firewall, scanning with a separate 
viruswall, scanning servers inside the firewall, on-demand scanning
at the desktop, realtime/on-access scanning at the desktop. [There
are some fairly esoteric generic strategies which I'm going to 
pass on right now.] Realtime scanning with a Windows VxD or something
equivalent is the most effective in terms of the range of entry-points 
protected, but it's harder to administer, because you have to keep
every desktop scanner updated, instead of just updating server-hosted
scanners.

> How serious a problem are viruses in internet?

Over-hyped, but serious enough. Macro viruses are well into four figures,
now, and can be transmitted over networks or the Internet in a number of 
ways. Infected programs and Word files aren't that often found on ftp or
web servers, but it certainly happens. Just about anything can be e-mailed
as an attachment, and frequently is: file viruses, macro viruses, trojans, 
cheese sandwiches........ You'd be ill-advised to ignore the problem.

-- 
David Harley                  |              alt.comp.virus FAQ
D.Harley@icrf.icnet.uk        |           & Anti-Virus Web Page
Support & Security Analyst    |    Folk London On-Line gig-list
Imperial Cancer Research Fund | http://webworlds.co.uk/dharley/
