how can a firewall box handle virus?

Posted by peter on November 12, 2007, 4:17 pm
Some new firewall boxes advertise DPI and virus protection (e.g. SonicWall
TZ180). Sounds attractive. But how does it work?

Let's say I'm downloading a POP3 email. Does the firewall store the entire
email and attachment, scan it for viruses, then forward it on if it's clean?
And if the attachment has a virus, can it strip out the attachment only and
forward the rest of the email? This sounds too good to be true. And wouldn't
this require a hard drive for the firewall?

Similar question for how it handles spyware, trojans, etc.



Posted by Gerald Vogt on November 12, 2007, 6:04 pm
> Some new firewall boxes advertise DPI and virus protection (e.g. SonicWall
> TZ180). Sounds attractive. But how does it work?
>
> Let's say I'm downloading a POP3 email. Does the firewall store the entire
> email and attachment, scan it for viruses, then forward it on if it's clean?

No. It just inspects it while it is downloading just like any other
antivirus software does. They start at the beginning and end at the
end. You only need a small buffer for that.

But it also does not work miracles. It does not forward anything "if
it's clean". It only recognizes for what it has signatures. It won't
recognize the newest malware until the signatures have it. It won't
recognize very rare malware. It will also recognize things which are
not bad. It will also recognize malware which is actually not
dangerous on your computer because your computer is not vulnerable.

So basically, it may find a few things but it is still and always you
who has to decide what's clean or not.

Gerald
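The small-buffer, inline inspection Gerald describes, as an added example that is not part of the original thread: a scanner that matches byte patterns while a download streams past, carrying over only len(longest pattern) - 1 bytes between chunks so a pattern split across a chunk boundary is still seen, with a naive per-chunk scan beside it to show what the carry-over buys. The patterns are constructed for the example (one is a prefix of the harmless EICAR test string), not real antivirus signatures.

```python
from typing import Iterable, Iterator, List, Tuple

# Constructed patterns for the example, not real AV signatures. The first is a
# prefix of the harmless EICAR test string; the second is an invented byte run.
SIGNATURES = {
    "eicar-test-prefix": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR",
    "demo-pattern": b"\xde\xad\xbe\xef\x00\x01",
}

def scan_stream(chunks: Iterable[bytes], signatures=SIGNATURES) -> Tuple[List[str], int]:
    """Scan a byte stream chunk by chunk; return (matched names, bytes seen).

    Only len(longest pattern) - 1 bytes are carried from one chunk to the next,
    which is enough for a pattern that straddles a chunk boundary to be seen.
    """
    keep = max(len(p) for p in signatures.values()) - 1
    carry, found, total = b"", [], 0
    for chunk in chunks:
        total += len(chunk)
        window = carry + chunk
        for name, pattern in signatures.items():
            if name not in found and pattern in window:
                found.append(name)
        carry = window[-keep:] if keep else b""
    return found, total

def naive_scan(chunks: Iterable[bytes], signatures=SIGNATURES) -> List[str]:
    """Per-chunk scan with no carry-over: misses a pattern split across chunks."""
    found: List[str] = []
    for chunk in chunks:
        for name, pattern in signatures.items():
            if name not in found and pattern in chunk:
                found.append(name)
    return found

def constructed_download(chunk_size: int = 16) -> Iterator[bytes]:
    """Constructed POP3-style payload, delivered in chunks of chunk_size bytes.

    The test pattern starts at offset 18, so with 16-byte chunks it spans three.
    """
    body = b"Subject: hello\r\n\r\n" + SIGNATURES["eicar-test-prefix"] + b"\r\nbye\r\n"
    for i in range(0, len(body), chunk_size):
        yield body[i:i + chunk_size]

if __name__ == "__main__":
    print("with carry-over:", scan_stream(constructed_download()))
    print("naive per-chunk:", naive_scan(constructed_download()))
```

The same 58-byte payload is found by the carry-over scanner at any chunk size, while the naive scan only finds it once a single chunk holds the whole pattern.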


Posted by Juergen Nieveler on November 13, 2007, 3:49 am

> That's why you use your own email server and then block attachments by
> mime type - and then you block anything that could be malicious by file
> type (mime type).

While this sorts out 99% of the crap, there are enough worms out there
that send themselves as ZIP (encrypted, even...).

Virus scanners on mailservers usually try to unpack the archive files
and remove those files from the content that still look dangerous. But
even that is growing more and more difficult - the latest bugs in
Acrobat mean that every PDF could be a problem :-(

Juergen Nieveler
--
A man is only a man, but a good bicycle is a ride.

Posted by Leythos on November 13, 2007, 7:23 am
juergen.nieveler.nospam@arcor.de says...
>
> > That's why you use your own email server and then block attachments by
> > mime type - and then you block anything that could be malicious by file
> > type (mime type).
>
> While this sorts out 99% of the crap, there are enough worms out there
> that send themselves as ZIP (encrypted, even...).
>
> Virus scanners on mailservers usually try to unpack the archive files
> and remove those files from the content that still look dangerous. But
> even that is growing more and more difficult - the latest bugs in
> Acrobat mean that every PDF could be a problem :-(

Yep, we actually block Zip files except from a specific user account
that only admins can reach. In addition to blocking at the firewall
based on mime type we also use SMTP aware scanners that scan before the
email/attachment reaches the mail server itself. Nothing is perfect,
but we've never had a compromised client in more than 20 years.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
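The attachment policy that Juergen and Leythos describe (block by MIME type and file type, look inside ZIP archives, treat entries the scanner cannot open as suspect), as an added example that is not any poster's code. The blocked MIME types, extensions and nesting limit are constructed policy values for the example; a real gateway would keep its own lists and would pass the unpacked contents on to a scanner.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Constructed policy values for the example; a real gateway keeps its own lists.
BLOCKED_MIME = {"application/x-msdownload", "application/x-msdos-program"}
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js"}
MAX_NESTING = 3  # refuse archives nested deeper than this

def _ext(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def _check_zip(data: bytes, depth: int, findings: list) -> None:
    """Look inside a ZIP attachment; recurse into nested ZIPs up to MAX_NESTING."""
    if depth > MAX_NESTING:
        findings.append("zip nested too deep: blocked")
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append("corrupt zip: blocked")
        return
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # encrypted entry: a scanner cannot see inside it
            findings.append(f"encrypted entry {info.filename}: blocked")
        elif _ext(info.filename) in BLOCKED_EXT:
            findings.append(f"blocked type inside zip: {info.filename}")
        elif _ext(info.filename) == ".zip":
            _check_zip(zf.read(info), depth + 1, findings)

def check_message(raw: bytes) -> list:
    """Return policy findings for a raw RFC 822 message; an empty list means it passes."""
    msg = email.message_from_bytes(raw, policy=default)
    findings: list = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if ctype in BLOCKED_MIME or _ext(name) in BLOCKED_EXT:
            findings.append(f"blocked attachment: {name or ctype}")
        elif ctype == "application/zip" or _ext(name) == ".zip":
            _check_zip(part.get_payload(decode=True), 1, findings)
    return findings

def constructed_message(with_exe: bool = True) -> bytes:
    """Constructed sample message carrying one ZIP attachment (optionally holding an .exe)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"hello")
        if with_exe:
            zf.writestr("invoice.exe", b"not really a program")
    msg = EmailMessage()
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```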

Posted by mak on November 13, 2007, 9:14 am
Juergen Nieveler wrote:
> But
> even that is growing more and more difficult - the latest bugs in
> Acrobat mean that every PDF could be a problem :-(
>

Yeah, I have been seeing these spam mails with PDF attachments. What's the
bug/exploit?

any hints appreciated

M


