Re: Aladdin response regarding eSafe

From: Aleksandar Milivojevic (amilivojevic_at_pbl.ca)
Date: 07/30/04

Next message: CoKi: "Citadel/UX Remote DoS Vulnerability"

Previous message: Mandrake Linux Security Team: "MDKSA-2004:077 - Updated wv packages fix vulnerability"
In reply to: 3APA3A: "Re: Aladdin response regarding eSafe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 30 Jul 2004 09:06:57 -0500
To: bugtraq@securityfocus.com

3APA3A wrote:
> I know this problem it not eSafe specific. In fact, I don't know
> antiviral engine capable to catch signature in the stream of data
> immediately after signature is arrived in the stream. All antiviral
> engines I tested (KAV, ClamAV and others) are file-oriented. It makes it
> impossible to code good antiviral protection for proxy server with this
> engines.

Hm. What about option of sending one byte of data to the client every
minute (with configurable limit that not more than xx% of file can be
transffered before scanning, just in case you stummble accross site that
is actually that slow ;-) ), instead of just feeding him up to 80% of
the file in advance of file being scanned? For those that prefer a bit
more security over interactivity. This would prevent client from timing
out, 99.99% (number from the back of my head) of files would take less
than a minute to download (and therefore would be scanned even before
first byte is transferred to the client). For normal HTML pages, client
wouldn't see any significant latency (nothing he couldn't live with,
anyhow), because those are small and AV proxy should be able to fetch
them in second or two. The problem would be very large files over slow
links (CD images, for example), but than when downloading something that
large, nobody expects interactivity (and if you know there's AV
somewhere in between, you just learn to live with progress bar that
stays at 0%, and than jumps to 100%). Or you just implement status page
on AV proxy where client could check actual status of his downloads...

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

Next message: CoKi: "Citadel/UX Remote DoS Vulnerability"

Previous message: Mandrake Linux Security Team: "MDKSA-2004:077 - Updated wv packages fix vulnerability"
In reply to: 3APA3A: "Re: Aladdin response regarding eSafe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]