Eric Scopinho wrote:

> But if I do that, some side effects could happen like:
>
> - I'll need free space to store the file.
> - The infected packets may get in while I store the next packets to scan.
> - I have to download the whole file before sending it to the end-user.


How else could you catch a virus whose signature happens to cross packet boundaries?

I assume you are talking about snort-inline plus the ClamAV preprocessor? As such you should be asking them. To be honest this isn't a problem the ClamAV people can help you with - it's not their fault your viruses don't arrive in nice 1500 byte chunks ;-)

However, I think you'll be out of luck. The only "network virus scanners" I know of are big beasts - because they effectively have to inline translate packets back to specific protocols (such as SMB/CIFS), pull the data content out, then run real AV over the fully formed files (or at least some largish data window). How they do that inline and manage to drop the session (i.e. killing the virus download) is a bit beyond me - I guess they rely on a RSET on the last packet being enough to cause the entire transfer to fail?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
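The boundary-straddling case from the reply above, as an added example that is not part of the original thread and is not code from ClamAV or snort-inline. It contrasts three approaches on a constructed TCP stream: per-packet scanning (misses a signature split across two segments), full reassembly before scanning (finds it, but needs the whole stream buffered, as the quoted mail worries), and a streaming matcher that keeps only a len(signature)-1 byte carry-over, so it finds the straddling match without storing the file, while still revealing that the first segment has already been forwarded by the time the hit is known. The signature, payload and segment layout are all constructed for the illustration; nothing here is a real malware pattern.

```python
"""Added example (not from the original mail thread, ClamAV or snort-inline):
why a signature that crosses a packet boundary is missed by per-packet
scanning, and what reassembly versus a streaming carry-over buys you."""

from dataclasses import dataclass

# Constructed, NOT a real malware signature. 29 bytes long.
SIGNATURE = b"CROSS-BOUNDARY-TEST-SIGNATURE"

# Constructed payload: a fake 50-byte header, the signature, 40 bytes of trailer.
# The signature therefore occupies stream offsets [50, 79).
PAYLOAD = b"MZ" + b"\x90" * 48 + SIGNATURE + b"\x00" * 40


@dataclass
class Segment:
    seq: int      # relative TCP sequence number of the first byte
    data: bytes


def split_into_segments(payload: bytes, mss: int) -> list:
    """Chop a byte string into consecutive segments of at most `mss` bytes,
    the way a sender with that MSS would put it on the wire."""
    return [Segment(off, payload[off:off + mss]) for off in range(0, len(payload), mss)]


def scan_per_packet(segments: list, sig: bytes) -> bool:
    """Naive inline scanner: every segment is inspected on its own."""
    return any(sig in s.data for s in segments)


class StreamReassembler:
    """Minimal one-direction TCP reassembly: appends in-order data and
    parks out-of-order segments until the gap in front of them is filled."""

    def __init__(self) -> None:
        self.next_seq = 0
        self.pending = {}          # seq -> data, waiting for earlier bytes
        self.buffer = bytearray()

    def add(self, seg: Segment) -> None:
        self.pending[seg.seq] = seg.data
        while self.next_seq in self.pending:
            data = self.pending.pop(self.next_seq)
            self.buffer += data
            self.next_seq += len(data)

    def data(self) -> bytes:
        return bytes(self.buffer)


def scan_reassembled(segments: list, sig: bytes) -> bool:
    """Reassemble the whole stream (any arrival order), then scan once.
    This is the 'store the whole file first' approach."""
    r = StreamReassembler()
    for s in segments:
        r.add(s)
    return sig in r.data()


class StreamingMatcher:
    """Scan in-order data as it arrives, keeping only the last len(sig)-1
    bytes of the previous chunk. A match that straddles a chunk boundary is
    still found, without buffering the file. feed() returns the stream
    offset just past the match on a hit, or None."""

    def __init__(self, sig: bytes) -> None:
        self.sig = sig
        self.carry = b""
        self.offset = 0            # bytes consumed so far

    def feed(self, chunk: bytes):
        window = self.carry + chunk
        idx = window.find(self.sig)
        hit = None
        if idx != -1:
            # window starts at stream offset (self.offset - len(self.carry))
            hit = self.offset - len(self.carry) + idx + len(self.sig)
        keep = len(self.sig) - 1   # carry can never hold a full signature, so no double hits
        self.carry = window[-keep:] if keep else b""
        self.offset += len(chunk)
        return hit


def demo(mss: int = 64) -> dict:
    """Run all three scanners over the constructed stream with the given MSS."""
    segs = split_into_segments(PAYLOAD, mss)
    m = StreamingMatcher(SIGNATURE)
    hits = [m.feed(s.data) for s in segs]
    first_hit_index = next((i for i, h in enumerate(hits) if h is not None), None)
    # Bytes an inline device had already passed on before the streaming
    # matcher could say anything: every segment before the one that hit.
    already_forwarded = sum(len(s.data) for s in segs[:first_hit_index]) if first_hit_index is not None else None
    return {
        "per_packet": scan_per_packet(segs, SIGNATURE),
        "reassembled": scan_reassembled(list(reversed(segs)), SIGNATURE),  # out-of-order arrival
        "streaming_hit_end_offset": hits[first_hit_index] if first_hit_index is not None else None,
        "bytes_forwarded_before_hit": already_forwarded,
    }


if __name__ == "__main__":
    print(demo())
```

With an MSS of 64 the signature is split 14/15 bytes across the two segments, so the per-packet scan reports nothing, while both reassembly and the streaming matcher find it. The streaming matcher only needs a 28-byte carry-over rather than the whole file, which answers the free-space concern for fixed byte patterns (it does not for signatures that need the decoded file, e.g. inside a compressed archive). But its verdict arrives after the first 64-byte segment is already gone, which is exactly the "infected packets may get in" problem: an inline device can only refuse the remainder and reset the session, not unsend what it forwarded.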

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
