Up and Running
Inoculate Your Network: AVStripper—continued

[Figure: AVStripper dashboard]

The AVStripper's home page serves as the unit's "dashboard" (right). Ethernet and TCP connection counters let you see whether traffic is flowing through the unit as intended. Stats also show the number of files (payloads) scanned, along with a running virus hit count for each protocol.

To verify antivirus protection, Ositis suggests visiting EICAR to download a few pseudo-viruses that are posted there. These harmless test files are recognized by antivirus scanners as viruses, even though they are not true live viruses. Any antivirus scanner worth its salt will pass the EICAR test. AVStripper found all four test viruses, replacing "infected" HTTP responses with text indicating that a virus had been found (below).

[Figure: AVStripper results]

Before subjecting our AVStripper to lab testing with live viruses, we let it run unobtrusively in our office network for two weeks. After all, this product is supposed to be transparent. And it pretty much was. We scarcely noticed that a new box had been inserted into our network. Browsing, downloads, and e-mail all continued without noticeable delay. Secure Shell and VPN client traffic that should not be scanned passed through the AVStripper unaffected.

[Figure: AVStripper Trusted Sites]

By the end of our "quiet period", there had been three minor incidents where AVStripper made its presence known: one website was noticeably sluggish, another site's home page would not load, and we could not post to a third site's message board. All three were anomalies that occurred only when using IE6, and only when the HTTP passed through AVStripper. Anyone who has deployed a web cache or proxy knows to expect a few odd sites, so these really did not surprise us. To avoid scanning a site, add its IP address to AVStripper's Trusted Sites list (left). However, bear in mind the virus risk associated with that site: anything it serves reaches your desktops unscanned.

[Figure: Virus scanning options]

The AVStripper also blocked several live viruses while sitting in front of our production network. Our unit was configured to scan all supported protocol types: HTTP, FTP, SMTP, POP3, IMAP, NNTP, and SOCKS (below). Ositis has since added support for Exchange servers and made all ports configurable (e.g., HTTP no longer must be on port 80). In networks that use a web or SOCKS proxy, AVStripper must be configured to relay traffic through the proxy.

[Figure: AVStripper AntiVirus Settings]

The AVStripper can be configured to skip or discard files with specified extensions. For example, .vbs attachments often carry malware, so if you have no business reason to expect these scripts, you can automatically delete them. On the other hand, you might speed up web access by presuming that .gifs are harmless.

The AVStripper can also skip checking a file if it exceeds a specified length or scan duration. These thresholds avoid long-file DoS attacks against your AVStripper. They also illustrate why network antivirus systems should always be deployed in conjunction with desktop antivirus solutions.
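To make the policy described in the last few paragraphs concrete (trusted sites that bypass scanning, per-extension skip and discard lists, size and scan-time thresholds, and the EICAR check from the start of this page), here is an added Python model of such a gateway scan policy. It is illustration written for this article, not Ositis's AVStripper code; the `Policy` fields, `Verdict` names, sample IP addresses and the single EICAR "signature" are all constructed for the example. The oversized-file case shows exactly the gap the text warns about: the payload is passed through unscanned, so only the desktop scanner can catch it.

```python
"""Toy gateway antivirus policy, modelled on the behaviour described in the
article. Added example; not AVStripper's own code. All names, thresholds and
addresses are constructed for illustration."""
import os
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable

# The EICAR test string is harmless by design; it is split into two literals
# only so the bare 68-byte signature does not appear verbatim in this file.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-" + "ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature table: a real product ships thousands of patterns.
SIGNATURES = {"EICAR-Test-File": EICAR.encode()}


class Verdict(Enum):
    CLEAN = "clean"                  # scanned, nothing matched, delivered as-is
    BLOCKED = "blocked"              # signature matched, payload replaced by a notice
    DISCARDED = "discarded"          # extension on the discard list, dropped unscanned
    PASSED_UNSCANNED = "unscanned"   # trusted site, presumed-harmless type, or threshold hit


@dataclass
class Policy:
    trusted_sites: set = field(default_factory=set)        # server IPs never scanned
    skip_extensions: set = field(default_factory=set)      # presumed harmless, e.g. .gif
    discard_extensions: set = field(default_factory=set)   # dropped outright, e.g. .vbs
    max_file_bytes: int = 1_000_000     # larger payloads are passed through unscanned
    max_scan_seconds: float = 5.0       # scans running longer than this give up


@dataclass
class Result:
    verdict: Verdict
    reason: str
    delivered: bytes   # what the client actually receives


def scan_payload(policy: Policy, server_ip: str, filename: str, payload: bytes,
                 clock: Callable[[], float] = time.monotonic) -> Result:
    """Apply the policy to one HTTP/FTP/mail payload and return the verdict."""
    if server_ip in policy.trusted_sites:
        return Result(Verdict.PASSED_UNSCANNED, "trusted site", payload)
    ext = os.path.splitext(filename)[1].lower()
    if ext in policy.discard_extensions:
        return Result(Verdict.DISCARDED, f"extension {ext} on discard list", b"")
    if ext in policy.skip_extensions:
        return Result(Verdict.PASSED_UNSCANNED, f"extension {ext} presumed harmless", payload)
    if len(payload) > policy.max_file_bytes:
        # The anti-DoS threshold: a huge file must not tie up the gateway.
        return Result(Verdict.PASSED_UNSCANNED, "exceeds size threshold", payload)

    start = clock()
    chunk = 4096
    # Re-scan the tail of the previous chunk so a signature straddling a
    # chunk boundary is still found.
    overlap = max(len(sig) for sig in SIGNATURES.values()) - 1
    for offset in range(0, len(payload), chunk):
        window = payload[max(0, offset - overlap):offset + chunk]
        for name, sig in SIGNATURES.items():
            if sig in window:
                notice = ("Virus found: %s. The file was not delivered." % name).encode()
                return Result(Verdict.BLOCKED, f"virus found: {name}", notice)
        if clock() - start > policy.max_scan_seconds:
            # Scan-duration threshold: give up rather than stall the connection.
            return Result(Verdict.PASSED_UNSCANNED, "exceeded scan-time threshold", payload)
    return Result(Verdict.CLEAN, "no signature matched", payload)


def example_policy() -> Policy:
    """Constructed policy in the spirit of the article's settings."""
    return Policy(trusted_sites={"192.0.2.10"}, skip_extensions={".gif"},
                  discard_extensions={".vbs"}, max_file_bytes=64 * 1024,
                  max_scan_seconds=5.0)


def demo() -> dict:
    """Run constructed scenarios; returns {scenario: verdict value}."""
    p = example_policy()
    cases = {
        "eicar over http": ("203.0.113.5", "eicar.com", EICAR.encode()),
        "clean download": ("203.0.113.5", "readme.txt", b"hello world"),
        "vbs attachment": ("203.0.113.5", "invoice.vbs", b"MsgBox 1"),
        "gif presumed harmless": ("203.0.113.5", "logo.gif", EICAR.encode()),
        "trusted site": ("192.0.2.10", "eicar.com", EICAR.encode()),
        # Larger than max_file_bytes, so the EICAR tail is never scanned.
        "oversized file": ("203.0.113.5", "big.iso", b"\0" * (64 * 1024) + EICAR.encode()),
    }
    return {k: scan_payload(p, *v).verdict.value for k, v in cases.items()}


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:24s} -> {verdict}")
```

Note that three of the six scenarios end in `unscanned`, and two of those carry the test signature: every bypass you configure for convenience (trusted site, harmless extension) or self-protection (size, scan time) is a path on which the desktop scanner is the only remaining control.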

Network antivirus systems strip most viruses before they can penetrate your network. On the other hand, desktop antivirus solutions prevent viruses from being propagated internally—for example, the employee who "shares" a macro virus with co-workers by posting an infected document on the departmental file server. In both cases, stopping the attack at the earliest possible point is the most cost effective solution that results in the least collateral damage.

Furthermore, if one antivirus tier fails to neutralize a virus, the next tier can still do the job. If a large file passes through AVStripper without being scanned, the destination desktop still has final say. If a desktop overlooks outgoing mail generated by Klez, worm propagation can still be defeated at the network edge. Consider unprotected visitor laptops and resident desktops with disabled, mis-configured, or obsolete antivirus software. AVStripper checks with Trend Micro every hour for pattern file updates—can you say the same for every desktop in your network?

Join us next week, when we'll take a look at how AVStripper responds when viruses happen and how it keeps network administrators informed during an event, along with other performance considerations. As usual, we'll wrap up our lab work with details about pricing and support, and give you the bottom line on our overall experience with AVStripper.

Inoculate Your Network
AVStripper (Part I): Installation and Setup; Up and Running; Virus scanning options
When Viruses Happen (Part II): Keeping Admin Informed; Performance Considerations; Pricing and Support; The Bottom Line

Related articles:
  [May 17, 2002] The Plague Upon Us
  [Feb. 15, 2002] Battening Down SNMP
  [Dec. 13, 2001] The Anti-Virus Can Of Worms
