Welcome to ISAserver.org

3rd party antivirus on ISA scanning uploads?

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Firewall] >> General >> 3rd party antivirus on ISA scanning uploads?

Page: [1]

Message

<< Older Topic Newer Topic >>

3rd party antivirus on ISA scanning uploads? - 13.Feb.2008 1:05:04 PM

brim30

Posts: 5
Joined: 13.Feb.2008
Status: offline

For those who want to know the root of my question without any of the detail:

I want to know if any 3rd party antivirus products for ISA can be configured to block infected files from being uploaded, not just downloaded.

Here's a general description of our setup and challenge:

We have a IIS 6.0 web server and also have another server running ISA 2006. The ISA 2006 server is configured as a reverse proxy. External users establish SSL connections with the ISA server. The ISA server has a filter that passes the traffic to the web server. I have installed Kaspersky Antivirus for ISA and it appears to be running correctly.

When a client connects and uploads a known infected file*, it passes untouched through ISA, but when the client tries to download the same file it is blocked. While that's great for protecting clients, my goal is to stop the file from ever being uploaded.

I have downloaded every AV gateway for ISA that I could find on this site and I will try testing them, but if anyone else has been down this road and can point me in the right direction, I'd be much obliged.

* For testing purposes, I used the Eicar AV test file.

Thanks for reading and any responses. I am happy to provide more details if it would be helpful.

David

Post #: 1

Featured Links*

RE: 3rd party antivirus on ISA scanning uploads? - 15.Feb.2008 5:43:14 AM

vuilverwerking

Posts: 26
Joined: 29.Dec.2006
Status: offline

Hi David,

ISA 2006 with McAfee SecurityShield 1.0 Patch 5 blocked a FTP upload of the EICAR.COM test file.
Keep in mind that SecurityShield does not support HTTPS/SSL (Only HTTP,FTP,SMTP)

http://www.mcafee.com/us/enterprise/products/anti_virus/internet_gateway/securityshield_microsoft_isa_server.html

If you want more info, let me know.

Greetings

< Message edited by vuilverwerking -- 15.Feb.2008 6:19:31 AM >

(in reply to brim30)

Post #: 2

RE: 3rd party antivirus on ISA scanning uploads? - 15.Feb.2008 1:31:11 PM

jmilito

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline

You can get a third-party utility such as Collective Software's ClearTunnel which will allow HTTPS scanning. SSH will not work with it but I have had some success with GFI.

(in reply to brim30)

Post #: 3

RE: 3rd party antivirus on ISA scanning uploads? - 15.Feb.2008 3:32:52 PM

brim30

Posts: 5
Joined: 13.Feb.2008
Status: offline

quote:

ORIGINAL: vuilverwerking

Hi David,

ISA 2006 with McAfee SecurityShield 1.0 Patch 5 blocked a FTP upload of the EICAR.COM test file.
Keep in mind that SecurityShield does not support HTTPS/SSL (Only HTTP,FTP,SMTP)

http://www.mcafee.com/us/enterprise/products/anti_virus/internet_gateway/securityshield_microsoft_isa_server.html

If you want more info, let me know.

Greetings

None of the AV products that I have tested supported SSL. In order to get it to work, I created two listeners on the same ISA machine.

The first listener terminated the SSL session and outputted clear HTTP on port 80 in to another filter on the same ISA machine. Since it received it in the clear, the AV products that I have tested were able to scan it. I suspect that the McAfee product would work the same way.

What I wonder is whether or not it would look for files being uploaded through HTTP as opposed to FTP. If I can get a demo copy, I may check it out.

Thanks for the reply!

(in reply to vuilverwerking)

Post #: 4

RE: 3rd party antivirus on ISA scanning uploads? - 15.Feb.2008 3:37:42 PM

brim30

Posts: 5
Joined: 13.Feb.2008
Status: offline

Update:

I have tested Trend Micro's IWSA (appliance) and verified that while it does not virus scan SSL (no virus scanners seem to do this), it will scan files uploaded through HTTP. This is the first product that I have found that will do this. The size of box I need would have about a $20K - $25K price tag.

Trend Micro also makes an ISA AV plug-in and if I can get a test machine with at least 512 MB of RAM, I'll try it out.

I'll be testing BlueCoat's Proxy AV next week.

(in reply to brim30)

Post #: 5

RE: 3rd party antivirus on ISA scanning uploads? - 15.Feb.2008 3:46:48 PM

brim30

Posts: 5
Joined: 13.Feb.2008
Status: offline

quote:

ORIGINAL: jmilito

You can get a third-party utility such as Collective Software's ClearTunnel which will allow HTTPS scanning. SSH will not work with it but I have had some success with GFI.

I took a look at ClearTunnel. Unforunately, examining SSL traffic is not the challenge that I am trying to overcome. I am looking for a an AV product that is capable of scanning HTTP uploads. Since I am in a reverse-proxy setup, I am free to terminate the SSL connection in front of the web server, scan it, then forward it.

(in reply to jmilito)

Post #: 6

RE: 3rd party antivirus on ISA scanning uploads? - 21.Feb.2008 1:02:59 PM

brim30

Posts: 5
Joined: 13.Feb.2008
Status: offline

Update:

Trend Micro InterScan WebProtect for ISA will scan both uploaded and downloaded files for viruses. It only works on clear traffic (no SSL), but that can be worked around by decrypting the SSL traffic at ISA and sending it back to another listener on the same host (127.0.0.1) as clear traffic where it is then scanned. At that point, the traffic can be forwarded in the clear or re-encrypted for the rest of the trip to the web host.

(in reply to brim30)

Post #: 7