Proxy-side antivirus scanning
Proxy-side antivirus scanning of HTTP-traffic
There are three ways to filter out infected files transferred over HTTP:
- server-side: files are removed or cured on the server when the administrator (or a cron task) starts a local scan, OR access is blocked when a request to serve an infected file arrives;
- proxy-side: access to an infected file is blocked when it passes through the HTTP proxy;
- client-side: access to the file is blocked when it arrives at the client and the local antivirus finds it infected.
Here we will not discuss server-side filtering.
Client-side scanning is practical for private customers and very small networks, since it requires installing antivirus software and updating the virus database separately on every desktop. When the customer is even a small network whose administrator wants to minimize HTTP traffic, it is convenient to use an HTTP proxy, which can cache requests for the same URL from different clients and block URLs that contain undesirable content.
An HTTP proxy is a common solution for small offices/home offices (SOHO), where the LAN is connected to the Internet via a gateway, since the gateway is the bottleneck through which all HTTP traffic enters the LAN. When one client requests an infected file from the Internet, it is put into the cache and can be served to other clients even after it has been removed or replaced on the origin server. So if the HTTP proxy cannot filter out infected files, the administrator needs an antivirus installed on every workstation to prevent local epidemics.
The Internet Content Adaptation Protocol (ICAP) is designed to filter HTTP traffic based on its content, and one of its applications is antivirus scanning of web content requested by users. When a client requests a URL, the HTTP proxy first asks the ICAP daemon whether the fetched object may be saved to the cache (and then sent to the requesting client). If the antivirus/ICAP daemon rejects the file, it is not saved to the cache and the client receives a page saying that the requested URL is blocked because it contains infected object(s). This scheme means there is no need to install an antivirus on every workstation, since there is only one bottleneck for HTTP traffic.
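The exchange described above, as an added example that is not part of the original page or of any particular ICAP daemon: the proxy wraps the origin server's HTTP response in an ICAP RESPMOD request, the scanning side answers 204 (unchanged, safe to cache) or 200 with a replacement block page, and the proxy decides what to cache and forward. The scanner is simulated in-process; the marker string and the service URL are constructed assumptions standing in for a real antivirus signature and a real ICAP endpoint.

```python
INFECTED_MARKER = b"X-CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in for an AV signature hit
SERVICE = b"icap://scanner.example/avscan"         # assumption: hypothetical ICAP service URL

def _encapsulate(res_hdr: bytes, body: bytes) -> bytes:
    """Lay out an HTTP response as ICAP 'Encapsulated' sections: headers, then a chunked body."""
    enc = b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(res_hdr)
    return enc + res_hdr + b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"

def build_respmod(res_hdr: bytes, body: bytes) -> bytes:
    """Proxy side: wrap the origin server's HTTP response in an ICAP RESPMOD request."""
    return b"RESPMOD " + SERVICE + b" ICAP/1.0\r\nHost: scanner.example\r\n" + _encapsulate(res_hdr, body)

def split_encapsulated(msg: bytes):
    """Split an ICAP message into (icap_start_line, http_headers, http_body)."""
    icap_head, _, payload = msg.partition(b"\r\n\r\n")
    start_line = icap_head.split(b"\r\n", 1)[0]
    if b"null-body" in icap_head:                  # 204: nothing encapsulated
        return start_line, b"", b""
    res_hdr, _, chunked = payload.partition(b"\r\n\r\n")
    size_line, _, rest = chunked.partition(b"\r\n")  # single chunk is enough for this example
    return start_line, res_hdr + b"\r\n\r\n", rest[:int(size_line, 16)]

def scan_respmod(req: bytes) -> bytes:
    """Daemon side: 204 (unmodified) when clean, else 200 carrying a replacement block page."""
    _, _, body = split_encapsulated(req)
    if INFECTED_MARKER not in body:
        return b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"
    page = b"<html><body>Access blocked: infected object detected</body></html>"
    res_hdr = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
               b"Content-Length: %d\r\n\r\n" % len(page))
    return b"ICAP/1.0 200 OK\r\n" + _encapsulate(res_hdr, page)

def proxy_fetch(res_hdr: bytes, body: bytes):
    """Proxy decision: returns (cacheable, http_response_sent_to_client)."""
    reply = scan_respmod(build_respmod(res_hdr, body))
    start_line, new_hdr, new_body = split_encapsulated(reply)
    if start_line.startswith(b"ICAP/1.0 204"):
        return True, res_hdr + body           # clean: cache and forward unchanged
    return False, new_hdr + new_body          # infected: do not cache, serve the block page
```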
So an ICAP daemon scanning HTTP traffic has these major advantages:
- you need only one antivirus;
- you need to update virus databases in one place only;
- once a URL is found to be infected, a substitute page with the antivirus alert is delivered to all clients requesting that URL; no virus appears in the local area network;
- all infected objects can be stored in one quarantine, so the system administrator doesn't need to visit every separate quarantine on the clients' desktops.