List:       firewalls-gc
Subject:    Re: Re: Virus Scanner
From:       Jerry Huyghe <jerry () eliashim ! com>
Date:       1997-07-28 8:50:31
One of my favorite subjects too, see below:

Basil Mccrea Wrote:

>Check Point's FW-1 Ver3.0 includes CVP (Content Vectoring Protocol) which
>allows it to communicate with a virus scanner which also supports CVP. We have
>been trying to use such a virus scanner.
Which one are you using? 

>It works and is fine for email or maybe even command line based ftp but in a
>browser environment we have problems. What happens is: the user clicks on his
>link and gets an hour glass and then nothing more happens until the scanner is
>completely finished scanning, which with larger files can take some time and
>most users disconnect.

This problem can be fixed in 2 ways: 1) a more powerful CVP server (the
anti-virus CVP machine should always be independent from the firewall
machine, and should have at least 64 MB RAM and Pentium 200+ processor for
good performance). In this setup, the user sees NO noticeable difference.

>
>When I talk to Checkpoint's reseller in Germany I get the feeling that we are
>the only ones who consider internet viruses to be a problem.

Maybe your reseller should try to become more informed on viruses. The
latest NCSA report showed that 80% of virus infections result from
internet-borne viruses. As people concentrate on floppies, they are
ignoring the largest point of entry for viruses: the firewall. Think about
it... where are your virus infections coming from?

pferguso@cisco.com wrote:

>The former is commonly done by people sending attachments,
>generally with an infected (macro virus) Microsoft document
>to an unwitting recipient, who subsequently opens the document
>and infects their PC.
Right, and some of these are known to then send documents by email to third
parties without the user's knowledge, format the hard drive, etc. Macro
viruses are not the most destructive to data files, but are the most
destructive to data security and business.

>Of course, more insidious viruses could
>be used to infect attachments which yielded binary executables,
>but empirical evidence bears out that the former case is far
>more pervasive than the latter.

Right, because the rate of document sharing is far higher than that of
binary executable sharing. Good thing, or the Internet would be bogged down
by 5MB email attachments.

>I would suggest that this is an inappropriate combining
>of functions.

I disagree. If the firewall's purpose is to protect a network from
malicious outsiders, and to control internal activity, then virus checking
is very appropriate. Viruses are the single costliest threat to data
security. Viruses are a very easy way for a malicious outsider to cause
damage to your network, and even retrieve information from it undetected.

Someone could very easily write a macro virus that looks for all excel
spreadsheets on your drive, zips them, and emails them without your
knowledge to an outside address. All they would have to do is send it to a
CFO or Marketing director, and the consequences would be horrific.

>
>I am of the school of thought that virus detection should be
>an application which resides on the workstation, not on the
>firewall. 

Of course! Checking for viruses at the firewall is by no means a
replacement for desktop and server virus protection. It is merely a way to
close a security hole. Checking for viruses at the firewall and not the
desktop is just as ridiculous as checking for viruses at the desktop and
not the firewall.

>There are a couple of reasons for this:
>
> o Virus checking at a firewall choke point introduces an
>   unacceptable amount of performance degradation into
>   the data forwarding path.

If you are talking about an anti-virus gateway through which all traffic
must pass, such as McAfee WebShield, you are absolutely right. 

With FW-1 and CVP-compliant virus programs, however, only infectable files
pass through the virus scanning machine. Most traffic (html code, graphics,
data files) never passes through the virus scanner and remains completely
unaffected.

This is the reason it is important to specify file extensions for scanning
in the FW-1 rule base. If you don't, then all files will go through the
scanner, an unnecessary delay for most files.

>   - Too many new, or modified, viruses are introduced
>     every day/week/month. By the time you have implemented
>     a particular virus detection mechanism, it is already
>     obsolete.
Partially right, but this is a bit like saying that since there is no cure
for Ebola, you might as well not vaccinate your children from most other
diseases.

Also, modern virus scanners include heuristic capabilities and polymorphic
detection engines that help combat this threat. 


>   - Simply too may encoding/compression/encryption/pick one
>     schemes for a virus detection mechanism to be compatible
>     with.
Yes, but the vast majority are UUencoded, MIME-encoded, and/or ZIPped. When
was the last time you got a BinHex-encoded Word document compressed with
lha as an attachment?

Any comments?

Best Regards,

Jerry Huyghe
Product Manager

eSafe Technologies 			http://www.esafe.com
A division of EliaShim Inc        	http://www.eliashim.com
----------------Intelligent Computer Security-----------------
1 SW 129th Ave, Suite 105  		Phone : 800.477.5177 Ext 18
Pembroke Pines, FL  33027  		Fax   : 954.450.9612	
==============================================================
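The two points Jerry makes above (vector only infectable extensions to the scanner, and expect the common wrappers to be MIME/base64, uuencode or ZIP) can be shown as one small routing decision. The block below is an added illustration written for this archive page; it is not FW-1, CVP or eSafe code. The extension list, the sample file names and the sample payloads are all constructed here, and the "fail closed" rule for undecodable input is a design choice of this example, not something the thread states.

```python
"""Extension-based routing of transferred objects to a content scanner.

Constructed example: unwrap the common transfer encodings (base64/MIME,
uuencode, ZIP), then decide whether the object should be vectored to the
scanner based on its extension (or, for archives, its members' extensions).
Anything the gateway cannot decode is sent to the scanner rather than passed.
"""
import base64
import binascii
import io
import zipfile
from typing import Dict, List

# Constructed policy: only these "infectable" types are vectored to the scanner.
SCAN_EXTENSIONS = (".exe", ".com", ".dll", ".doc", ".dot", ".xls", ".ppt", ".zip")


def needs_scan(filename: str) -> bool:
    """True if the file name's extension is in the scan list (case-insensitive)."""
    name = filename.lower().rsplit("/", 1)[-1]
    return name.endswith(SCAN_EXTENSIONS)


def uudecode(payload: bytes) -> bytes:
    """Decode a classic uuencoded body ('begin ... end'), one line at a time."""
    lines = payload.splitlines()
    if not lines or not lines[0].startswith(b"begin "):
        raise ValueError("missing uuencode 'begin' line")
    out = bytearray()
    for line in lines[1:]:
        if line.strip() == b"end":
            return bytes(out)
        out += binascii.a2b_uu(line)  # the zero-length '`' line decodes to b''
    raise ValueError("missing uuencode 'end' line")


def unwrap(encoding: str, payload: bytes) -> bytes:
    """Undo the transfer encoding; unknown encodings raise so the caller fails closed."""
    if encoding == "base64":
        # MIME bodies are line-wrapped; strip whitespace, then reject anything else odd.
        return base64.b64decode(b"".join(payload.split()), validate=True)
    if encoding == "uuencode":
        return uudecode(payload)
    if encoding == "7bit":
        return payload
    raise ValueError(f"unsupported encoding: {encoding}")


def route(filename: str, encoding: str, payload: bytes) -> Dict[str, object]:
    """Decide whether the object must be vectored to the scanner.

    Returns the decision, a reason string, and the ZIP member names examined
    (empty for non-archives). binascii.Error is a ValueError subclass, so one
    except clause covers bad base64 and bad uuencode lines."""
    try:
        data = unwrap(encoding, payload)
    except ValueError as exc:
        return {"scan": True, "reason": f"undecodable ({exc})", "members": []}

    members: List[str] = []
    if data[:2] == b"PK":  # ZIP magic: list members without extracting them
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return {"scan": True, "reason": "corrupt archive", "members": []}
        if any(needs_scan(m) for m in members):
            return {"scan": True, "reason": "archive contains infectable member",
                    "members": members}

    if needs_scan(filename):
        return {"scan": True, "reason": "extension in scan list", "members": members}
    return {"scan": False, "reason": "not an infectable type", "members": members}


# ---- Constructed sample traffic (not real captures) -------------------------
SAMPLE_HTML_B64 = base64.b64encode(b"<html><body>hello</body></html>")
SAMPLE_DOC_UU = (b"begin 644 budget.doc\n"
                 + binascii.b2a_uu(b"\xd0\xcf\x11\xe0fake-ole-header")
                 + b"`\nend\n")


def _make_zip(names: List[str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed content")
    return buf.getvalue()


# Outer name gives nothing away; the member list does.
SAMPLE_ZIP_WITH_XLS = base64.b64encode(_make_zip(["readme.txt", "q3/forecast.XLS"]))


def demo() -> Dict[str, bool]:
    """Run the constructed samples through the router; returns name -> scan decision."""
    cases = {
        "index.html": ("base64", SAMPLE_HTML_B64),
        "budget.doc": ("uuencode", SAMPLE_DOC_UU),
        "archive.bin": ("base64", SAMPLE_ZIP_WITH_XLS),
        "notes.txt": ("binhex", b"(This:is-not-handled)"),  # unsupported -> scan
    }
    return {name: bool(route(name, enc, body)["scan"]) for name, (enc, body) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:12s} -> {'SCAN' if decision else 'pass through'}")
```

The HTML page is the case Jerry describes as never touching the scanner; the Word document and the archive with a spreadsheet inside are vectored; the BinHex case shows the defensive default for an encoding the gateway does not understand.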
