HTTP Virus Scan

[Guest]

[inteq]

Hello

I have a weird problem.
Latest Endian installed and working like a dream except:
Testing for EICAR virus file with Firefox gives me no warning and lets me download the file
Testing for EICAR virus file with Internet Explorer gives me the warning and forbids me from downloading the file
This from the same machine, without any proxy setup in either browser.
The proxy on Endian is set as transparent.

Any clue why this is happening?

[ajohn]

Hello

I have efw2.3

Mine problem is if i open eicar file from http with any browser then i have the message that this is virus.
But if i try to open eicar file from https then i can download the file and take the virus!!!!

The proxy is in transparent mode.

Is there a setting to fix that?

---For your problem inteq maybe you choose by mistake https from firefox and http from explorer?

Thanks
John

[Steve]

There is nothing to fix.
By it's nature, https is a secure connection and should not be intercepted between the source and the destination.
Therefore, there is no way for an anti-virus program (located between the source and the destination) to detect the existence of a virus signature within the data stream.
To do this would break the SSL/TLS protocol which provides the encryption and secure identification .

The only way to find out if a virus is present during an https connection is to install a virus scanner on the client machine that is receiving the data stream.

If you use the eicar test site, the standard (http) protocol viruses should be detected by the firewall and the secure (https) protocol viruses should be detected by your antivirus software you have installed on your workstation.

ps.
Remember to flush your cache (and temporary internet files) when you are using these tests. Stale cache will give you strange results.

[ajohn]

Hi
and thanks Steve.

So we have problem.
Is there a way to protect computers behind endian from viruses on https conections?
I mean without virus scanning software on the clients, something similar to http behavior of endian.

Thanks
John

[magu]

There is no such way to do so. HTTPS connections CANNOT be intercepted by design. To do so would be a security breach.

Use anti-virus software on the clients.

[gyp_the_cat]

I always thought that was the case too, and for most uses I agree, HTTPS/SSL is secure end point to end point thats the beauty of it.

However, was at a conference the other month with these guys:

http://www.ironport.com/products/web_security_appliances.html

And they were saying they can decrypt and scan HTTPS traffic just like normal HTTP traffic, does make you think a bit.  Hmmm.

[whoiam55]

The whole idea behind HTTPS is that it resists man-in-the-middle attacks. Putting a proxy between the session endpoints is the same as a man-in-the-middle attack just done for a different reason, so you are trying to use two opposing technologies.

[Steve]

I remember reading a few years ago that Cisco, HP, IBM and a few others IT manufacturers have devices that can do this because they are bound by US regulations that they must provide surveillance abilities and back door access 'in the name of national security'. In that respect it would be possible for these devices to transparently intercept HTTPS connections.
Actually, as I remember it's not a condition per se, it only applies to equipment that is to be used by the US DOD and other US Federal departments in special situations.
The issue was quiet controversial because manufacturers were promoting their products as extremely secure to the general public while being asked by the US government to create pinholes. So technically, it can be done.

That said, one wonders if any HTTPS connections are truly secure and private as these devices could theoretically be located at your ISP or anywhere along the data path.

[gyp_the_cat]

Completely off the original top sorry inteq

@Steve, I think things like ISO27001 and the like only consider SSL to be an opportunist cipher as opposed to a secure one.  Again as whoiam suggested it's a prevention of man in the middle attacks and packet sniffing I suppose.  I would dare guess that 90% of SSL traffic isn't secured in a secure form on the server anyway (SMTP TLS anyone?).  I guess we'll have to trust our ISPs with our encrypted traffic from now on 

But sorry Inteq, I don't believe that this is functionality that Endian provides (as yet/if ever?).  The HTTPS traffic doesn't appear to be treated in the same way as HTTP traffic