Welcome, Guest. Please login or register.
Did you miss your activation email?
Saturday 30 November 2024, 12:21:34 pm

Login with username, password and session length

CLICK HERE for the The official Endian Roadmap and Issue tracker
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  EFW SMTP, HTTP, SIP, FTP Proxy Support
| | |-+  HTTP Virus Scan
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: HTTP Virus Scan  (Read 24196 times)
inteq
Full Member
***
Offline Offline

Posts: 12


« on: Thursday 18 February 2010, 05:24:24 am »

Hello

I have a weird problem.
Latest Endian installed and working like a dream except:
Testing for EICAR virus file with Firefox gives me no warning and lets me download the file
Testing for EICAR virus file with Internet Explorer gives me the warning and forbids me from downloading the file
This from the same machine, without any proxy setup in either browser.
The proxy on Endian is set as transparent.

Any clue why this is happening?
Logged
ajohn
Jr. Member
*
Offline Offline

Posts: 4


« Reply #1 on: Sunday 28 February 2010, 07:57:42 am »

Hello

I have efw2.3

Mine problem is if i open eicar file from http with any browser then i have the message that this is virus.
But if i try to open eicar file from https then i can download the file and take the virus!!!!

The proxy is in transparent mode.

Is there a setting to fix that?

---For your problem inteq maybe you choose by mistake https from firefox and http from explorer?

Thanks
John
Logged
Steve
Sr. Member
****
Offline Offline

Posts: 108



WWW
« Reply #2 on: Sunday 28 February 2010, 10:21:41 am »

There is nothing to fix.
By it's nature, https is a secure connection and should not be intercepted between the source and the destination.
Therefore, there is no way for an anti-virus program (located between the source and the destination) to detect the existence of a virus signature within the data stream.
To do this would break the SSL/TLS protocol which provides the encryption and secure identification .

The only way to find out if a virus is present during an https connection is to install a virus scanner on the client machine that is receiving the data stream.

If you use the eicar test site, the standard (http) protocol viruses should be detected by the firewall and the secure (https) protocol viruses should be detected by your antivirus software you have installed on your workstation.

ps.
Remember to flush your cache (and temporary internet files) when you are using these tests. Stale cache will give you strange results.
Logged

                          
ajohn
Jr. Member
*
Offline Offline

Posts: 4


« Reply #3 on: Monday 15 March 2010, 08:17:41 am »

Hi
and thanks Steve.

So we have problem.
Is there a way to protect computers behind endian from viruses on https conections?
I mean without virus scanning software on the clients, something similar to http behavior of endian.

Thanks
John
Logged
magu
Full Member
***
Offline Offline

Posts: 10


« Reply #4 on: Tuesday 23 March 2010, 06:04:31 pm »

There is no such way to do so. HTTPS connections CANNOT be intercepted by design. To do so would be a security breach.

Use anti-virus software on the clients.
Logged
gyp_the_cat
Full Member
***
Offline Offline

Posts: 81



WWW
« Reply #5 on: Tuesday 30 March 2010, 09:22:44 pm »

I always thought that was the case too, and for most uses I agree, HTTPS/SSL is secure end point to end point thats the beauty of it.

However, was at a conference the other month with these guys:

http://www.ironport.com/products/web_security_appliances.html

And they were saying they can decrypt and scan HTTPS traffic just like normal HTTP traffic, does make you think a bit.  Hmmm.
Logged
whoiam55
Full Member
***
Offline Offline

Posts: 71



WWW
« Reply #6 on: Tuesday 30 March 2010, 10:12:51 pm »

The whole idea behind HTTPS is that it resists man-in-the-middle attacks. Putting a proxy between the session endpoints is the same as a man-in-the-middle attack just done for a different reason, so you are trying to use two opposing technologies.
Logged

सत्यमेव जयते!
Steve
Sr. Member
****
Offline Offline

Posts: 108



WWW
« Reply #7 on: Tuesday 30 March 2010, 10:13:52 pm »

I remember reading a few years ago that Cisco, HP, IBM and a few others IT manufacturers have devices that can do this because they are bound by US regulations that they must provide surveillance abilities and back door access 'in the name of national security'. In that respect it would be possible for these devices to transparently intercept HTTPS connections.
Actually, as I remember it's not a condition per se, it only applies to equipment that is to be used by the US DOD and other US Federal departments in special situations.
The issue was quiet controversial because manufacturers were promoting their products as extremely secure to the general public while being asked by the US government to create pinholes. So technically, it can be done.

That said, one wonders if any HTTPS connections are truly secure and private as these devices could theoretically be located at your ISP or anywhere along the data path.
Logged

                          
gyp_the_cat
Full Member
***
Offline Offline

Posts: 81



WWW
« Reply #8 on: Wednesday 31 March 2010, 02:57:43 am »

Completely off the original top sorry inteq Sad

@Steve, I think things like ISO27001 and the like only consider SSL to be an opportunist cipher as opposed to a secure one.  Again as whoiam suggested it's a prevention of man in the middle attacks and packet sniffing I suppose.  I would dare guess that 90% of SSL traffic isn't secured in a secure form on the server anyway (SMTP TLS anyone?).  I guess we'll have to trust our ISPs with our encrypted traffic from now on  Grin

But sorry Inteq, I don't believe that this is functionality that Endian provides (as yet/if ever?).  The HTTPS traffic doesn't appear to be treated in the same way as HTTP traffic Sad
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.156 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com