Proxy-side antivirus scanning: difference between revisions

From wiki.drweb.com

Revision as of 18:12, 10 June 2006

Proxy-side antivirus scanning of HTTP-traffic

There are three ways to filter out infected files carried over HTTP:

  • server-side: the files are removed or cured on the server when an administrator (or a cron task) runs a local scan, OR access is blocked when an infected file is requested;
  • proxy-side: access to the infected file is blocked as it passes through an HTTP proxy;
  • client-side: access to the file is blocked when the file arrives on the client's computer and the local antivirus finds it infected.

Server-side filtering is not discussed here.

Client-side scanning is useful for private customers and very small networks, since it requires installing the antivirus software and updating the virus database separately on every desktop computer. Even in a small network the administrator may want to minimize HTTP traffic, and it is convenient to use an HTTP proxy, which can cache requests for the same URL from different clients and block URLs that carry undesirable content.

An HTTP proxy is a common solution for small offices/home offices (SOHO), where the LAN is connected to the Internet via a gateway, since the gateway is the bottleneck through which all HTTP traffic enters the LAN. When one client requests an infected file from the Internet, the file is put into the cache and may be served to other clients even after it has been removed or replaced on the origin server. So if the HTTP proxy cannot filter out infected files, the administrator has to install antivirus on every workstation to prevent a local epidemic.

Internet Content Adaptation Protocol (ICAP, http://www.i-cap.org) is designed to filter HTTP traffic based on its content, and one of its applications is antivirus scanning of the web content requested by users. When a client requests a URL, the HTTP proxy first asks the ICAP daemon whether the fetched object may be saved to the cache (and then sent to the requesting client). If the antivirus/ICAP daemon rejects the file, it is not saved to the cache and the client gets a page saying that the requested URL is blocked because it contains infected object(s). With this scheme there is no need to install antivirus on every workstation, because HTTP traffic passes through a single bottleneck.
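The exchange described above, as an added example that is not code from the wiki page or from any Dr.Web product: a stub ICAP daemon handling a RESPMOD request from the proxy. It decodes the encapsulated HTTP response body, checks it against a constructed signature list, and answers 204 (serve and cache the object unchanged) or 200 with a substituted 403 block page. The hostnames, the signature string and the X-Virus-Name header are assumptions made for the example.

```python
import re

# Constructed test signature standing in for a real virus database.
SIGNATURES = {b"CONSTRUCTED-TEST-SIGNATURE": "Test.Signature"}
BLOCK_PAGE = (b"<html><body><h1>Access blocked</h1><p>The requested URL "
              b"contains infected object(s).</p></body></html>")

def _unchunk(data: bytes) -> bytes:
    """Decode a chunked HTTP body (ICAP carries encapsulated bodies chunked)."""
    out, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)
        if size == 0:
            return out
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2          # skip chunk data and trailing CRLF

def _chunk(data: bytes) -> bytes:
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(data), data)

def scan(body: bytes):
    """Return the matched signature name, or None if the body is clean."""
    return next((n for s, n in SIGNATURES.items() if s in body), None)

def build_respmod(http_body: bytes) -> bytes:
    """Construct the RESPMOD request a proxy sends for one fetched object."""
    req_hdr = b"GET /file.exe HTTP/1.1\r\nHost: origin.example\r\n\r\n"
    res_hdr = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    icap = (b"RESPMOD icap://av.example/respmod ICAP/1.0\r\nHost: av.example\r\n"
            b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d\r\n\r\n"
            % (len(req_hdr), len(req_hdr) + len(res_hdr)))
    return icap + req_hdr + res_hdr + _chunk(http_body)

def handle_respmod(icap_request: bytes) -> bytes:
    """Daemon side: 204 lets the proxy cache and serve the object unchanged;
    200 replaces it with a 403 block page so no client ever receives it."""
    head, _, enc_section = icap_request.partition(b"\r\n\r\n")
    enc = re.search(rb"Encapsulated:[ \t]*([^\r\n]+)", head).group(1)
    offsets = dict(p.strip().split(b"=") for p in enc.split(b","))
    verdict = scan(_unchunk(enc_section[int(offsets[b"res-body"]):]))
    if verdict is None:
        return b"ICAP/1.0 204 No Content\r\n\r\n"
    http = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
            b"X-Virus-Name: " + verdict.encode() + b"\r\n\r\n")
    return (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n"
            % len(http)) + http + _chunk(BLOCK_PAGE)
```

Because the verdict is given before the object reaches the cache, every later client requesting the same URL receives the block page rather than a cached copy of the infected file.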

So the major advantages of an ICAP daemon for HTTP traffic scanning are:

  • only one antivirus is needed;
  • virus databases are updated in one place only;
  • once a URL is found to be infected, a substitute page with an antivirus alert is delivered to every client requesting that URL, so no virus enters the local area network;
  • all infected objects are stored in one quarantine, so the system administrator does not need to visit each separate quarantine on the clients' desktops.