Proxy-side antivirus scanning
Proxy-side antivirus scanning of HTTP-traffic
There are three ways to filter out infected files carried by HTTP protocol:
- server-side: the files are removed or cured on the server when an administrator (or cron task) starts local scanning, OR the access is blocked when there is a request to serve the infected file;
- proxy-side: the access to the infected file is being blocked when it is going through a HTTP-proxy;
- client-side: the access to the file is being blocked when the file arrives to the client's computer and the antivirus decides that it infected.
Here we will not discuss the server-side filtering.
The client-side scanning is useful for private customers and very tiny networks, since it requires installation of the antivirus software and update of the virus database separately for every desktop computer. Even when the customer is small network the administrator could want to minimize the HTTP-traffic. Besides, it is enough convenient to use the HTTP-proxy, which may cache requests to the same URL from the different clients and block some URLs if they contain undesirable content.
The HTTP-proxy is a common solution for a small offices/home offices (SOHO), where the LAN is connected to the Internet via a gateway, since the gateway is the bottle-neck of HTTP-traffic going to the LAN. When one client is requesting infected file from the Internet the file would be put to the cache and might be sent to the other clients even it will be removed or replaced on the source server. So when the HTTP-proxy cannot filter out the infected files, the administrator have to install the antivirus on every workstation to prevent a local epidemic.
Internet Content Adaptation Protocol (ICAP) is aimed to filter HTTP-traffic based on its content, and one of its applications is antivirus scanning of the web content requested by users. When the client requests a URL, HTTP-proxy first asks ICAP-daemon, whether this URL can be saved to the cache (and further sent to the requesting client). If antivirus/ICAP-daemon rejects the file, it is not saved to the cache and the client gets a page saying, that requested URL is blocked due to infected object(s) in it. This scheme implies that there is no need to install antivirus on every workstation, as only one bottle-neck for HTTP-traffic exists.
So these major advantages of ICAP-daemon for HTTP-traffic scanning exist:
- you need only one antivirus;
- you need to update virus databases in one and only place;
- once the URL is found to be infected, substitute page with antivirus alert will be transferred to all clients requesting that URL; no virus appears in the local area network;
- use malware scan
- all infected objects can be stored in one quarantine, so system administrator doesn't need to frequent every distinct quarantine on clients' desktops.