
List:       firewalls-gc
Subject:    RE: Re: Virus Scanner
From:       Jerry Huyghe <jerry () eliashim ! com>
Date:       1997-07-28 17:29:20

At 04:44 PM 7/28/97 -0400, Russ wrote:
>>firewall should NEVER replace desktop protection. It is just much safer and
>>more efficient to clean a virus at the point of entry than to wait until it
>>has infected 50 workstations (as in an infected attachment emailed to 50
>>people)
>
>I don't see how it's safer, assuming you are using desktop virus
>scanning.

Because most anti-virus products have no safeguard against users disabling
or reconfiguring their desktop anti-virus.

>Efficiency is only gained if there are a statistically significant
>number of Internet originating messages containing attachments of
>possible virus-bearing file types that are destined for more than one
>internal recipient. 

Even in the admittedly much more common 1-1 situation, the delay of a
fraction of a second doesn't matter. One of our customers has a 2000 user
LAN where he tested ViruSafe FireWall with FW-1. With virus protection, it
took only 2 seconds *more* to process 400 incoming messages. Personally, I
would rather take the extra 2 seconds and potentially save myself 2 minutes
in support calls when users get a virus.

>(do your products somehow know when a file type has been scanned at the
>Firewall so the desktop scanning doesn't need to be performed again, or
>will a desktop scanner just treat it like any other new file and scan it
>again anyway?)
No, but good point! This is the kind of input that helps us create superior
products, I have forwarded this suggestion to our developers.
	
>Sorry to burst this bubble, but if a Firewall company cannot come up
>with new ways to leverage their customers into buying new products, then
>their IPO is going to be very short lived.

Yes, but the good companies give the customers what they want, and many of
your counterparts want more virus protection.

>
>Yeah, I'll take a white paper.

I'll send it to you separately.

>>There are no legal issues..
>
>What? None? Me thinks you haven't thought out who all might be using
>Firewalls. 

Yea, but methinks that there are more legal issues in redirecting email
going to certain addresses, scanning for undesirable content, and spying on
employees' web activities. I don't see how denying access to a
virus-infected file until it is cleaned would cause legal trouble. We have
been in the AV business for 11 years, and have not heard of anything
remotely similar.

>
>>The software cleans it and sends it into the network to its appropriate
>>location (as long as it passes the other firewall rules.)
>
>And if this cleaning destroys the contents? or the contents can't be
>cleaned?

There are options for non-cleanable files, such as quarantine or remove
attachment.



>
>The problem is the time it might take to disinfect, or notify someone
>that a particular file is infected beyond recovery. If I do it at the
>desktop, the person waiting for the information knows right away of the
>problem. How your product works is not known to me, so I was asking what
>happens when an attachment cannot be processed?

In FW-1, and I would venture to say in all other firewalls, that which is
not specifically permitted is automatically rejected. If the file fails to
be scanned, it is rejected. If it is not cleanable, it can be saved into a
quarantine directory, removed, or whatever you like. There is no reason to
alert an administrator in real-time when a virus is found at the firewall.
It does not require assistance.

>Definitely. Connectivity is one thing, content can be an entirely
>different thing altogether. I may have a central authority for
>connectivity, but allow (or demand) departments dictate their own
>policies for content. Again, this is where the attachment, that's been
>deemed to be infected, cannot be cleaned. If that attachment goes to
>anyone other than the original recipient, it's possible that content is
>being disclosed which should not be disclosed.

Then set it to reject infected attachments (delete them). Then the user
gets a warning that "the attachment was infected by a virus and was
removed". You can also allow it in, and have a log of where the virus came
from (which I wouldn't recommend). The other option is to quarantine it and
scan it manually. If you shouldn't be reading content, then don't read it,
just scan the file with a virus scanner and see what you can do. 


Best Regards,

Jerry Huyghe
Product Manager

eSafe Technologies 			http://www.esafe.com
A division of EliaShim Inc        	http://www.eliashim.com
----------------Intelligent Computer Security-----------------
1 SW 129th Ave, Suite 105  		Phone : 800.477.5177 Ext 18
Pembroke Pines, FL  33027  		Fax   : 954.450.9612	
==============================================================
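
The disposition rules described in the message above (a file that cannot be scanned is rejected; an attachment that cannot be cleaned is removed with a notice or quarantined), as an added example that is not part of the original post or of any product it mentions. The scanner stand-in, the marker bytes, the addresses and all function names are hypothetical, and the sketch covers only the not-cleanable case.

```python
from email.message import EmailMessage

NOTICE = "the attachment was infected by a virus and was removed"
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed, not a real virus signature

class ScanError(Exception):
    """Raised when the scanner cannot process a file."""

def toy_scan(data: bytes) -> bool:
    """Hypothetical scanner stand-in: True means infected and not cleanable."""
    if data.startswith(b"CORRUPT"):
        raise ScanError("file could not be scanned")
    return MARKER in data

def filter_message(msg, scan=toy_scan, on_infected="remove"):
    """Return (verdict, quarantined); verdict is 'deliver' or 'reject'."""
    quarantined = {}
    for part in list(msg.iter_attachments()):
        data = part.get_payload(decode=True)
        if data is None:            # nested/multipart attachment we cannot read
            return "reject", quarantined
        try:
            infected = scan(data)
        except Exception:           # fail closed: unscannable means rejected
            return "reject", quarantined
        if infected:
            if on_infected == "quarantine":
                quarantined[part.get_filename() or "unnamed"] = data
            part.set_content(NOTICE)  # replaces the attachment body and headers
    return "deliver", quarantined

def leaf_payloads(msg):
    """Decoded bytes of every non-multipart part, for inspection."""
    return [p.get_payload(decode=True) for p in msg.walk() if not p.is_multipart()]

def sample_message(attachment: bytes) -> EmailMessage:
    """Constructed test message with one binary attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.com", "report"
    msg.set_content("See attached.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="report.doc")
    return msg

if __name__ == "__main__":
    m = sample_message(b"header " + MARKER)
    print(filter_message(m), leaf_payloads(m))
```

Both the scanner exception and an unreadable attachment lead to `reject`, so a parsing failure never turns into delivery of an unscanned file.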
